From 9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Mon, 25 Sep 2017 15:57:50 +0200
Subject: various profile enhancements

* okular needs kdeinit4 for open file dialog since recently
* memory-deny-write-execute should be a safe addition for desktop use of dnscrypt and unbound
* cleanup works
---
 etc/baloo_file.profile | 4 ++++
 etc/disable-programs.inc | 1 +
 etc/dnscrypt-proxy.profile | 3 +--
 etc/dnsmasq.profile | 1 -
 etc/evince.profile | 2 +-
 etc/ffmpeg.profile | 12 +++++++-----
 etc/okular.profile | 2 +-
 etc/unbound.profile | 3 +--
 8 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 4e603971f..2c2d70c00 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd
@@ -29,8 +31,10 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+shell none
 x11 xorg
+private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
 private-dev
 private-tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index ad589890c..4779b0aae 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -378,6 +378,7 @@ blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser-en
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknow-horizons
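Review bot: The added `private-bin baloo_file,baloo_file_extractor,kbuildsycoca4` in the second baloo_file.profile hunk does not say why kbuildsycoca4 belongs in the allowed set, so a later cleanup may drop it and break indexing only at runtime. A comment above the line recording the reason, along the lines of `# kbuildsycoca4: needed by baloo_file - see <ISSUE-TBD>`, would keep the allow-list reviewable; the actual reason is not visible in this hunk. The enclosing profile continues past the hunk.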
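Review bot: `blacklist ${HOME}/.tor-browser-en` in the disable-programs.inc hunk covers only the English build; if other locale builds follow the same `.tor-browser-<lang>` naming, their profile directories stay readable from every sandbox that includes this file. The neighbouring `blacklist ${HOME}/.tuxguitar*` shows the file already uses globs, so `blacklist ${HOME}/.tor-browser-*` would cover them in one line. Verify the directory name against the installed package before widening it.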
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 86af9c7b3..6d4f6349a 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index d4cd0530e..2a1302adb 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/evince.profile b/etc/evince.profile
index 2c7c754d8..466260c49 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+# net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd
@@ -28,7 +29,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-# net none breaks AppArmor on Ubuntu systems
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index e098c95e3..5db39cf61 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -1,4 +1,4 @@
-# Firejail profile for default
+# Firejail profile for ffmpeg
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
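Review bot: The removal of `noblacklist /var/log` in the first dnscrypt-proxy.profile hunk is only a clean no-op if none of the include files that follow it (disable-common.inc, disable-devel.inc, and whatever is included further down) still blacklists /var/log; the same line is removed in the dnsmasq.profile and unbound.profile hunks of this patch. If that is the case, a comment such as `# /var/log is not blacklisted by the disable-*.inc files` would stop someone re-adding it. If it is not, a resolver configured to log to a file under /var/log would lose that file silently, which matters because resolver logs are a primary detection source; firejail's `writable-var-log` directive is the supported way to allow those writes. The enclosing profile sections continue beyond each hunk.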
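Review bot: In the second dnscrypt-proxy.profile hunk the context line `# mdwe can break modules/plugins` now sits directly above the enabled `memory-deny-write-execute`, so it reads as a warning about the active directive rather than as the reason it used to be commented out; the unbound.profile hunk at the end of the patch has the same layout. Rewording it to the current rationale, e.g. `# memory-deny-write-execute is considered safe for desktop use; disable it locally if a plugin needs writable and executable memory`, tells a user who hits a plugin crash what to change and why the default is strict.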
@@ -23,11 +25,11 @@ noroot
 # protocol none - needs to be implemented!
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
-# memory-deny-write-execute - it breaks old versions of ffmpeg
 shell none
 tracelog
-private-tmp
-private-dev
 private-bin ffmpeg
-include /etc/firejail/whitelist-var-common.inc
+private-dev
+private-tmp
+
+# memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/okular.profile b/etc/okular.profile
index 94736fbae..60390e4d8 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
-# private-bin okular,kbuildsycoca4,lpr
+# private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
 private-tmp
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 2a38aa7c6..d380b5698 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute
--
cgit v1.2.3-70-g09d2
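Review bot: The relocated `# memory-deny-write-execute - it breaks old versions of ffmpeg` in the ffmpeg.profile hunk still gives no version bound, so the hardening stays disabled indefinitely with nothing prompting a re-test. Naming the version that was found to break, e.g. `# memory-deny-write-execute - breaks ffmpeg older than <VERSION-TBD>; re-test before enabling`, makes the exemption reviewable. The profile continues past the hunk.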
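Review bot: The okular.profile hunk only edits a commented-out line (`# private-bin okular,kbuildsycoca4,kdeinit4,lpr`), so the kdeinit4 addition described in the commit message has no effect at runtime while `private-bin` remains disabled. If the intent is to keep the directive off until it is validated, a trailing note such as `# private-bin okular,kbuildsycoca4,kdeinit4,lpr - disabled: <REASON-TBD>` records that; otherwise the leading `#` should be removed so the allow-list is actually enforced.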