From dd55390120efe17550ddcec1b336d8c1c44806a4 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sat, 23 Sep 2023 01:42:08 +0000 Subject: profiles: refactor log viewers (#5996) * profiles: refactor log viewers Introduces system-log-common.profile as a common profile for existing GUI log viewer applications. * system-log-common: enable no3d --- etc/profile-a-l/gnome-logs.profile | 42 ++------------- etc/profile-a-l/gnome-system-log.profile | 48 ++--------------- etc/profile-a-l/journal-viewer.profile | 50 ++---------------- .../profile-m-z/system-log-common.profile | 60 ++++++++++++++++++++++ 4 files changed, 72 insertions(+), 128 deletions(-) create mode 100644 etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 61f4f4107..4d2681fbc 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -6,49 +6,15 @@ include gnome-logs.local
 # Persistent global definitions
 include globals.local
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
+whitelist /usr/share/gnome-logs
-whitelist /var/log/journal
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-noinput
-nonewprivs
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-tracelog
-
-disable-mnt
 private-bin gnome-logs
-private-cache
-private-dev
-private-etc
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
-private-tmp
-writable-var-log
 dbus-user filter
 dbus-user.own org.gnome.Logs
 dbus-user.talk ca.desrt.dconf
-dbus-system none
+ignore dbus-user none
-# Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}.
-read-only ${HOME}
-restrict-namespaces
+# Redirect
+include system-log-common.profile
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index b3bc7499c..0d6116f4f 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
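Review bot: The added `ignore dbus-user none` carries no explanation, whereas the parallel `ignore net none` in the gnome-system-log.profile change in this same commit does; a reader has to open system-log-common.profile to learn what is being overridden and why. Suggest a comment directly above it, `# system-log-common.profile sets 'dbus-user none'; gnome-logs needs the D-Bus filter below`. Note also that the redirect now pulls in `disable-proc.inc`, `whitelist-common.inc`, `noprinters` and `seccomp.block-secondary`, none of which the removed lines had, so for gnome-logs this is a tightening rather than a pure move and presumably deserves a quick check that log export and dconf access still work.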
@@ -6,51 +6,13 @@ include gnome-system-log.local
 # Persistent global definitions
 include globals.local
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
+# 'net none' breaks dbus
+ignore net none
-whitelist /var/log
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-#net none # breaks dbus
-no3d
-nodvd
-# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
-# put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local.
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-
-disable-mnt
 private-bin gnome-system-log
-private-cache
-private-dev
-private-etc
 private-lib
-private-tmp
-writable-var-log
-
-#dbus-user none
-#dbus-system none
 memory-deny-write-execute
-# Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.
-read-only ${HOME}
-restrict-namespaces
+
+# Redirect
+include system-log-common.profile
diff --git a/etc/profile-a-l/journal-viewer.profile b/etc/profile-a-l/journal-viewer.profile
index f73595fb1..eb007b765 100644
--- a/etc/profile-a-l/journal-viewer.profile
+++ b/etc/profile-a-l/journal-viewer.profile
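Review bot: `ignore net none` is justified with "'net none' breaks dbus", but the redirected system-log-common.profile also sets `dbus-user none` and `dbus-system none`, which this profile does not ignore, so D-Bus is blocked anyway and the sandbox keeps network access for a service it cannot reach. Either add `ignore dbus-user none` and `ignore dbus-system none` next to the net override (the old profile had both dbus lines commented out, i.e. D-Bus allowed), or, if D-Bus is in fact not needed, drop `ignore net none` so the viewer stays offline. Separately, the removed block had `nogroups` and `noroot` (with the volatile-storage caveat pointing users at `ignore` in their .local), while the common profile carries both commented out and this hunk does not re-add them, so gnome-system-log now keeps its supplementary groups and uid. Suggest restoring `nogroups` and `noroot` here, before the `# Redirect` line, with the old caveat.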
@@ -9,60 +9,16 @@ include globals.local
 noblacklist ${HOME}/.cache/journal-viewer
 noblacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-proc.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.cache/journal-viewer
 mkdir ${HOME}/.local/share/com.vmingueza.journal-viewer
 whitelist ${HOME}/.cache/journal-viewer
 whitelist ${HOME}/.local/share/com.vmingueza.journal-viewer
-whitelist /run/log/journal
-whitelist /var/log/journal
-include whitelist-common.inc
-include whitelist-run-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noprinters
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-seccomp.block-secondary
-tracelog
-disable-mnt
 private-bin journal-viewer
-private-cache
-private-dev
-private-etc machine-id
 private-lib webkit2gtk-*
-private-tmp
-dbus-user none
-dbus-system none
-
-restrict-namespaces
-read-only ${HOME}
 read-write ${HOME}/.cache/journal-viewer
 read-write ${HOME}/.local/share/com.vmingueza.journal-viewer
-writable-var-log
+
+# Redirect
+include system-log-common.profile
diff --git a/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile b/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile
new file mode 100644
index 000000000..dda8bdc47
--- /dev/null
+++ b/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile
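Review bot: `nogroups` and `noroot` are removed from this profile unconditionally, but system-log-common.profile only carries them commented out, so journal-viewer now runs with its supplementary groups and a real uid — a hardening regression the commit message does not mention. Suggest re-adding `nogroups` and `noroot` just before `# Redirect`, with a note that users on volatile journald storage can `ignore` them in journal-viewer.local. Also, the two surviving `read-write ${HOME}/...` lines now come before the `read-only ${HOME}` that the include brings in, whereas the old profile listed `read-only ${HOME}` first; presumably firejail applies these mounts in profile order, so it is worth confirming the cache and data directories are still writable after the change.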
@@ -0,0 +1,60 @@
+# Firejail profile for system-log-common
+# Description: Common profile for GUI system log viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include system-log-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /run/log/journal
+whitelist /var/log/journal
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+#nogroups
+noinput
+nonewprivs
+noprinters
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
+# Add 'ignore read-only ${HOME}' to your system-log-common.local
+# if you export logs to a file under your ${HOME}.
+read-only ${HOME}
+writable-var-log
-- cgit v1.2.3-70-g09d2
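Review bot: `#nogroups` and `#noroot` are shipped commented out with no rationale, while the gnome-system-log.profile lines this file replaces explained the case (reading the journal on 'volatile' journald storage) and told users to `ignore` the options in their .local; that reasoning should travel with the options so the next maintainer does not simply uncomment them or leave them off forever. Suggest `# nogroups/noroot are off because reading /run/log/journal on 'volatile' journald storage needs the systemd-journal group; add them to your .local if your journal is persistent`. The hint to `ignore read-only ${HOME}` for exporting logs also looks incomplete now that `whitelist-common.inc` is included: as far as I can tell from firejail's whitelist semantics, once ${HOME} is whitelisted an export directory outside the whitelisted paths is not visible at all, so the comment should add that a `whitelist ${HOME}/<export dir>` line is needed as well. Finally, since callers are expected to `ignore net none` (gnome-system-log does), a one-line comment noting that `protocol unix` still blocks inet sockets even then would make the residual network exposure explicit.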