From 9fa9d088874427ebcf8e45e9334102bd337475be Mon Sep 17 00:00:00 2001
From: NetSysFire <59517351+NetSysFire@users.noreply.github.com>
Date: Tue, 7 Feb 2023 11:35:47 +0100
Subject: New profile: parsecd
---
 etc/inc/disable-programs.inc | 1 +
 etc/profile-m-z/parsecd.profile | 44 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 etc/profile-m-z/parsecd.profile
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e2e97f458..2a7e1a898 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -1077,6 +1077,7 @@ blacklist ${HOME}/.ostrichriders
 blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.paradoxlauncher
 blacklist ${HOME}/.parallelrealities/blobwars
+blacklist ${HOME}/.parsec
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pine-crash
diff --git a/etc/profile-m-z/parsecd.profile b/etc/profile-m-z/parsecd.profile
new file mode 100644
index 000000000..398af7f80
--- /dev/null
+++ b/etc/profile-m-z/parsecd.profile
@@ -0,0 +1,44 @@
+# Firejail profile for Parsec
+# Description: Remote desktop application focused on gaming and other 3D applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include parsecd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.parsec
+
+mkdir ${HOME}/.parsec
+whitelist ${HOME}/.parsec
+whitelist /usr/share/parsec
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+
+# Due to the nature of parsec, the following directives will not work:
+# - no3d
+# - novideo
+# - nosound
+# - noinput (it does remote passthrough stuff for gamepads)
+# - private-dev (because of the above)
+apparmor
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+notv
+nou2f
+noroot
+# Will fail to start with mty_evdev_create: 'udev_monitor_new_from_netlink' failed without netlink
+protocol unix,inet,inet6,netlink
+seccomp !tgkill
+seccomp.block-secondary
+
+# Will not start with zenity missing
+private-bin parsecd,zenity
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
-- cgit v1.2.3-54-g00ecf
From 6202f58ad0b67fcad5db46a070cf40581bc828e4 Mon Sep 17 00:00:00 2001
From: NetSysFire <59517351+NetSysFire@users.noreply.github.com>
Date: Fri, 24 Feb 2023 16:24:49 +0100
Subject: parsecd.profile: more white and blacklisting
---
 etc/profile-m-z/parsecd.profile | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/etc/profile-m-z/parsecd.profile b/etc/profile-m-z/parsecd.profile
index 398af7f80..249d475cf 100644
--- a/etc/profile-m-z/parsecd.profile
+++ b/etc/profile-m-z/parsecd.profile
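Review bot: `seccomp !tgkill` in the new etc/profile-m-z/parsecd.profile (commit 9fa9d08, "New profile: parsecd") is the only exception in the file that carries no reason, while the netlink protocol, the zenity binary and the omitted no3d/novideo/nosound/noinput/private-dev directives are all explained. A comment above it that records the observed failure, for example `# <symptom seen when tgkill is blocked>` (placeholder, the page does not give it), would let a later maintainer re-test the exception instead of carrying it forward. The profile also leaves out `disable-mnt`, `private-cache` and `private-etc` without listing them under "will not work", so a reader cannot tell whether they were tried. For a client that holds inet access and accepts remote input it is worth either adding them or noting next to that list what breaks.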
@@ -7,12 +7,25 @@ include parsecd.local
 include globals.local
 
 noblacklist ${HOME}/.parsec
+ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.parsec
 whitelist ${HOME}/.parsec
 whitelist /usr/share/parsec
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
 
 # Due to the nature of parsec, the following directives will not work:
 # - no3d
-- cgit v1.2.3-54-g00ecf
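Review bot: `ignore noexec ${HOME}` is added without a comment, although it appears to cancel the home-directory noexec that the newly included disable-exec.inc would otherwise apply (that include's content is not visible here, so this is inferred from the ignore line itself). The effect is that the whitelisted, writable `${HOME}/.parsec` stays executable for a process that also has inet access, so the reason belongs next to the line, for example `# <what parsecd executes or loads from ${HOME}/.parsec>` (placeholder, the commit does not say). Stating that only that directory needs exec would also make clear that the other paths whitelist-common.inc exposes under ${HOME} become executable only as a side effect. The hunk ends inside the "will not work" comment list, which continues outside it.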