From df1c73a00f68b3ee2503b75d3220e65f99a7f760 Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Mon, 10 Feb 2020 09:18:57 +0100 Subject: Add a lot of profiles --- README.md | 2 +- RELNOTES | 10 +++-- etc/com.github.johnfactotum.Foliate.profile | 62 +++++++++++++++++++++++++++++ etc/desktopeditors.profile | 43 ++++++++++++++++++++ etc/disable-common.inc | 1 + etc/disable-programs.inc | 4 ++ etc/freeoffice-planmaker.profile | 36 ++--------------- etc/freeoffice-presentations.profile | 36 ++--------------- etc/freeoffice-textmaker.profile | 37 ++--------------- etc/impressive.profile | 55 +++++++++++++++++++++++++ etc/mupdf-gl.profile | 13 ++++++ etc/mupdf-x11-curl.profile | 18 +++++++++ etc/mupdf-x11.profile | 14 +++++++ etc/mupdf.profile | 6 +-- etc/muraster.profile | 11 +++++ etc/mutool.profile | 11 +++++ etc/planmaker18.profile | 10 +++++ etc/planmaker18free.profile | 10 +++++ etc/presentations18.profile | 10 +++++ etc/presentations18free.profile | 10 +++++ etc/softmaker-common.inc | 44 ++++++++++++++++++++ etc/textmaker18.profile | 10 +++++ etc/textmaker18free.profile | 10 +++++ src/firecfg/firecfg.config | 14 +++++++ 24 files changed, 370 insertions(+), 107 deletions(-) create mode 100644 etc/com.github.johnfactotum.Foliate.profile create mode 100644 etc/desktopeditors.profile create mode 100644 etc/impressive.profile create mode 100644 etc/mupdf-gl.profile create mode 100644 etc/mupdf-x11-curl.profile create mode 100644 etc/mupdf-x11.profile create mode 100644 etc/muraster.profile create mode 100644 etc/mutool.profile create mode 100644 etc/planmaker18.profile create mode 100644 etc/planmaker18free.profile create mode 100644 etc/presentations18.profile create mode 100644 etc/presentations18free.profile create mode 100644 etc/softmaker-common.inc create mode 100644 etc/textmaker18.profile create mode 100644 etc/textmaker18free.profile diff --git a/README.md b/README.md index 8d2fb534b..4391ac331 100644 --- a/README.md +++ b/README.md 
@@ -151,4 +151,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe ### New profiles: -gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl +gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free diff --git a/RELNOTES b/RELNOTES index 09e43e090..6e75b28a0 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,10 +1,12 @@ firejail (0.9.63) baseline; urgency=low * work in progress * DHCP client support - * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab - * new profiles: gnome-passwordsafe, bibtex, gummi, latex - * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc - * new profiles: gnome-hexgl + * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster + * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl + * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11 + * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool + * new profiles: desktopeditors, impressive, planmaker18, planmaker18free + * new profiles: presentations18, presentations18free, textmaker18, textmaker18free firejail (0.9.62) baseline; urgency=low * added file-copy-limit in /etc/firejail/firejail.config diff --git a/etc/com.github.johnfactotum.Foliate.profile b/etc/com.github.johnfactotum.Foliate.profile new file mode 100644 index 000000000..39a9a360d --- /dev/null +++ b/etc/com.github.johnfactotum.Foliate.profile 
@@ -0,0 +1,62 @@
+# Firejail profile for foliate
+# Description: Simple and modern GTK eBook reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include foliate.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
+noblacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
+mkdir ${HOME}/.local/share/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.cache/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/com.github.johnfactotum.Foliate
+whitelist /usr/share/hyphen
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.johnfactotum.Foliate,gjs
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-3.0
+private-tmp
+
+read-only ${HOME}
+read-write ${HOME}/.cache/com.github.johnfactotum.Foliate
+read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate
diff --git a/etc/desktopeditors.profile b/etc/desktopeditors.profile
new file mode 100644
index 000000000..d0c727c5c
--- /dev/null
+++ b/etc/desktopeditors.profile
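Review bot: `include foliate.local` does not follow the `<profile-name>.local` convention every other profile in this commit uses; for this file that is `include com.github.johnfactotum.Foliate.local`, and a user who creates the per-profile override by file name will otherwise find it silently ignored. If the short name is deliberate (for example to share one override with a plain `foliate` profile), say so in a comment above the line, e.g. `# foliate.local is shared with the foliate alias`. The rest of the profile reads consistently: `read-only ${HOME}` with two `read-write` carve-outs matches the `whitelist`/`mkdir` pairs above it.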
@@ -0,0 +1,43 @@
+# Firejail profile for desktopeditors
+# Description: ONLYOFFICE DesktopEditors
+# This file is overwritten after every install/update
+# Persistent local customizations
+include desktopeditors.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/onlyoffice
+noblacklist ${HOME}/.local/share/onlyoffice
+noblacklist ${HOME}/.pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin desktopeditors,sh
+private-cache
+private-dev
+private-tmp
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 9f351a673..bf29cd137 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -18,6 +18,7 @@ blacklist-nolog ${HOME}/.kde4/share/apps/klipper
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.local/share/klipper
 blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog ${HOME}/.mupdf.history
 blacklist-nolog ${HOME}/.python-history
 blacklist-nolog ${HOME}/.python_history
 blacklist-nolog ${HOME}/.pythonhist
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 02751a818..7e4947e6f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -267,6 +267,7 @@ blacklist ${HOME}/.config/obs-studio
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
 blacklist ${HOME}/.config/onionshare
+blacklist ${HOME}/.config/onlyoffice
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
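Review bot: `protocol unix,inet,inet6,netlink` is the only profile in this commit that opens netlink, and `noblacklist ${HOME}/.pki` re-exposes the user's NSS certificate and key store; neither line says what the application needs it for, so a short `# netlink/.pki needed for <feature>` comment would let the next maintainer keep or tighten them with confidence. Unlike the Foliate and impressive profiles in this commit, desktopeditors includes no `whitelist-common.inc`, no `disable-xdg.inc` and no `private-etc`, so the sandbox sees the whole home directory (minus the blacklists) and all of /etc; if that is the intended trade-off for an office suite that opens arbitrary user files, a comment to that effect would stop the point from being re-raised. `private-bin desktopeditors,sh` presumably exists because the launcher is a shell script — worth confirming and noting beside the line.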
@@ -503,6 +504,7 @@ blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
+blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/data/Mendeley Ltd.
 blacklist ${HOME}/.local/share/data/Mumble
@@ -571,6 +573,7 @@ blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
+blacklist ${HOME}/.local/share/onlyoffice
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
@@ -734,6 +737,7 @@ blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
 blacklist ${HOME}/.cache/cliqz
+blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.cache/darktable
 blacklist ${HOME}/.cache/discover
 blacklist ${HOME}/.cache/dnox
diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile
index 8a53c63e3..b6ca167eb 100644
--- a/etc/freeoffice-planmaker.profile
+++ b/etc/freeoffice-planmaker.profile
@@ -1,38 +1,10 @@ -# Firejail profile for freeoffice-planmaker +# Firejail profile alias for freeoffice-planmaker +# Description: SoftMaker FreeOffice - spreadsheet program # This file is overwritten after every install/update # Persistent local customizations include freeoffice-planmaker.local # Persistent global definitions include globals.local -noblacklist ${HOME}/SoftMaker - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -# include disable-xdg.inc - -apparmor -caps.drop all -ipc-namespace -netfilter -no3d -nodbus -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog - -private-cache -private-dev -private-tmp +# Redirect +include softmaker-common.profile diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile index 63be4da7f..43661028c 100644 --- a/etc/freeoffice-presentations.profile +++ b/etc/freeoffice-presentations.profile @@ -1,38 +1,10 @@ -# Firejail profile for freeoffice-presentations +# Firejail profile alias for freeoffice-presentations +# Description: SoftMaker FreeOffice - presentations software # This file is overwritten after every install/update # Persistent local customizations include freeoffice-presentations.local # Persistent global definitions include globals.local -noblacklist ${HOME}/SoftMaker - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -# include disable-xdg.inc - -apparmor -caps.drop all -ipc-namespace -netfilter -no3d -nodbus -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog - -private-cache -private-dev -private-tmp +# Redirect +include softmaker-common.profile 
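Review bot: `include softmaker-common.profile` names a file this commit does not create — the diffstat and the new-file header both say `etc/softmaker-common.inc`. Unless firejail silently tolerates a missing non-`.local` include (I believe it refuses to start the sandbox in that case), every profile that redirects there fails to load, which means the program runs without any sandbox if the user launched it through a firecfg symlink fallback or simply does not start at all. Either rename the new file to `softmaker-common.profile` or change the include line to `include softmaker-common.inc` in all callers: freeoffice-presentations (same hunk line), freeoffice-textmaker, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18 and textmaker18free. Pick one and apply it consistently; the mupdf-* redirects in this commit target a `.profile`, so the rename is the option that keeps the redirect idiom uniform.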
diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile index 4bca5a98c..f7d30eaed 100644 --- a/etc/freeoffice-textmaker.profile +++ b/etc/freeoffice-textmaker.profile @@ -1,38 +1,9 @@ -# Firejail profile for freeoffice-textmaker +# Firejail profile alias for freeoffice-textmaker +# Description: SoftMaker Office - word processor # This file is overwritten after every install/update -# Persistent local customizations include freeoffice-textmaker.local # Persistent global definitions include globals.local -noblacklist ${HOME}/SoftMaker - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -# include disable-xdg.inc - -apparmor -caps.drop all -ipc-namespace -netfilter -no3d -nodbus -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog - -private-cache -private-dev -private-tmp +# Redirect +include softmaker-common.profile diff --git a/etc/impressive.profile b/etc/impressive.profile new file mode 100644 index 000000000..0bfe5de5a --- /dev/null +++ b/etc/impressive.profile 
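Review bot: The rewrite drops the `# Persistent local customizations` comment above `include freeoffice-textmaker.local`, while the sibling freeoffice-planmaker and freeoffice-presentations hunks keep it; restore `# Persistent local customizations` so the header matches the template. The new description `SoftMaker Office - word processor` also disagrees with the siblings' `SoftMaker FreeOffice - ...` wording for the FreeOffice edition; the same mismatch appears in textmaker18free.profile later in this commit, whose planmaker18free and presentations18free counterparts say `SoftMaker FreeOffice`.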
@@ -0,0 +1,55 @@
+# Firejail profile for impressive
+# Description: presentation tool with eye candy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include impressive.local
+# Persistent global definitions
+#include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist /sbin
+noblacklist /usr/sbin
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mesa_shader_cache
+whitelist /usr/share/opengl-games-utils
+whitelist /usr/share/zenity
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+read-only ${HOME}
+read-write ${HOME}/.cache/mesa_shader_cache
diff --git a/etc/mupdf-gl.profile b/etc/mupdf-gl.profile
new file mode 100644
index 000000000..be94a9083
--- /dev/null
+++ b/etc/mupdf-gl.profile
@@ -0,0 +1,13 @@
+# Firejail profile for mupdf-gl
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-gl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.mupdf.history
+
+# Redirect
+include mupdf.profile
diff --git a/etc/mupdf-x11-curl.profile b/etc/mupdf-x11-curl.profile
new file mode 100644
index 000000000..a04d386a2
--- /dev/null
+++ b/etc/mupdf-x11-curl.profile
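Review bot: `#include globals.local` is commented out in impressive.profile, but unlike the mupdf-gl/muraster/mutool redirect profiles this one is standalone and includes no other profile, so the user's global definitions are never read; the line should be `include globals.local`, as in the Foliate and desktopeditors profiles. The same end state arises for the whole mupdf family: the mupdf.profile hunk later in this commit flips its own `include globals.local` to `#include globals.local`, while the redirecting profiles rely on `# added by included profile`, so neither side ends up including it — the base profile should keep the active include. Separately, `noblacklist /sbin` and `noblacklist /usr/sbin` re-expose system binaries without a comment naming the tool impressive needs from there; a `# needed for <tool>` line, or a narrower `private-bin`, would make that reviewable.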
@@ -0,0 +1,18 @@ +# Firejail profile for mupdf-x11-curl +# Description: Lightweight PDF viewer +# This file is overwritten after every install/update +# Persistent local customizations +include mupdf-x11-curl.local +# Persistent global definitions +# added by included profile +#include globals.local + +ignore net none + +netfilter +protocol unix,inet,inet6 + +private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl + +# Redirect +include mupdf.profile diff --git a/etc/mupdf-x11.profile b/etc/mupdf-x11.profile new file mode 100644 index 000000000..256201d0c --- /dev/null +++ b/etc/mupdf-x11.profile @@ -0,0 +1,14 @@ +# Firejail profile for mupdf-x11 +# Description: Lightweight PDF viewer +# This file is overwritten after every install/update +# Persistent local customizations +include mupdf-x11.local +# Persistent global definitions +# added by included profile +#include globals.local + +memory-deny-write-execute +read-only ${HOME} + +# Redirect +include mupdf.profile diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 99945bdc9..43afbc859 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -4,7 +4,7 @@ # Persistent local customizations include mupdf.local # Persistent global definitions -include globals.local +#include globals.local noblacklist ${DOCUMENTS} @@ -35,10 +35,6 @@ seccomp shell none tracelog -# private-bin mupdf,rm,sh,tempfile private-dev private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload private-tmp - -# memory-deny-write-execute -read-only ${HOME} diff --git a/etc/muraster.profile b/etc/muraster.profile new file mode 100644 index 000000000..90e3f2050 --- /dev/null +++ b/etc/muraster.profile 
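Review bot: mupdf-x11-curl.profile sets `private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl` and then includes mupdf.profile, whose hunk below still carries `private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload`. Whether firejail merges two `private-etc` lists or lets one of them win is not visible here; if only one applies, the curl variant either loses /etc/fonts and the loader configuration or loses the TLS trust store, so confirm the semantics and, if needed, repeat the base list in the redirect as one combined `private-etc` line. `ignore net none` is placed before the include, which is the order `ignore` needs, but the same either-or question applies to `protocol unix,inet,inet6` if mupdf.profile carries its own `protocol` line.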
@@ -0,0 +1,11 @@
+# Firejail profile for muraster
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include muraster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mupdf.profile
diff --git a/etc/mutool.profile b/etc/mutool.profile
new file mode 100644
index 000000000..e61f4665d
--- /dev/null
+++ b/etc/mutool.profile
@@ -0,0 +1,11 @@
+# Firejail profile for mutool
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mutool.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mupdf.profile
diff --git a/etc/planmaker18.profile b/etc/planmaker18.profile
new file mode 100644
index 000000000..4cf1efb7f
--- /dev/null
+++ b/etc/planmaker18.profile
@@ -0,0 +1,10 @@
+# Firejail profile for planmaker18
+# Description: SoftMaker Office - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include planmaker18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/etc/planmaker18free.profile b/etc/planmaker18free.profile
new file mode 100644
index 000000000..bb85f1fc7
--- /dev/null
+++ b/etc/planmaker18free.profile
@@ -0,0 +1,10 @@
+# Firejail profile for planmaker18free
+# Description: SoftMaker FreeOffice - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include planmaker18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/etc/presentations18.profile b/etc/presentations18.profile
new file mode 100644
index 000000000..ac844d1af
--- /dev/null
+++ b/etc/presentations18.profile
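Review bot: muraster.profile and mutool.profile carry `# Description: Lightweight PDF viewer`, copied from mupdf, although neither program is a viewer — one rasterizes documents and the other is a command-line utility — and the description is what firejail's profile listing shows; `# Description: MuPDF command line tools` (or a per-tool wording) would be accurate. Both redirect to the GUI-oriented mupdf.profile unchanged; if these tools are run non-interactively on files outside the mupdf whitelist, confirm the inherited whitelist and `private-tmp` still cover their inputs and outputs, and note any required `noblacklist` in the redirect.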
@@ -0,0 +1,10 @@
+# Firejail profile for presentations18
+# Description: SoftMaker Office - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include presentations18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/etc/presentations18free.profile b/etc/presentations18free.profile
new file mode 100644
index 000000000..218747224
--- /dev/null
+++ b/etc/presentations18free.profile
@@ -0,0 +1,10 @@
+# Firejail profile for presentations18free
+# Description: SoftMaker FreeOffice - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include presentations18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/etc/softmaker-common.inc b/etc/softmaker-common.inc
new file mode 100644
index 000000000..6eaadee12
--- /dev/null
+++ b/etc/softmaker-common.inc
@@ -0,0 +1,44 @@
+# Firejail profile for softmaker-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include softmaker-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/SoftMaker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /usr/share/office2018
+whitelist /usr/share/freeoffice2018
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
+private-tmp
diff --git a/etc/textmaker18.profile b/etc/textmaker18.profile
new file mode 100644
index 000000000..8284df791
--- /dev/null
+++ b/etc/textmaker18.profile
@@ -0,0 +1,10 @@
+# Firejail profile for textmaker18
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include textmaker18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/etc/textmaker18free.profile b/etc/textmaker18free.profile
new file mode 100644
index 000000000..ad945ca55
--- /dev/null
+++ b/etc/textmaker18free.profile
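Review bot: softmaker-common.inc drops `no3d`, which all three freeoffice-* profiles carried before they were redirected here, so the consolidated profile is slightly looser than what it replaces and nothing in the file says why; if the 2018 builds need OpenGL, record that as `# no3d - breaks <feature>` next to the option list, otherwise restore `no3d`. The common file also adds `private-bin ...,sh,...` and a `private-etc` list that includes `SoftMaker` and `machine-id` — new restrictions compared with the old profiles, which is welcome, but a one-line comment on why `sh` must stay in `private-bin` (launcher script, presumably) would help the next tightening pass. The `# added by caller profile` note above `#include globals.local` is correct here because every caller in this commit keeps `include globals.local` active.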
@@ -0,0 +1,10 @@
+# Firejail profile for textmaker18free
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include textmaker18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 51ec06402..5fdc60af6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -128,6 +128,7 @@ clocks
 cmus
 code
 code-oss
+com.github.johnfactotum.Foliate
 conkeror
 conky
 conplay
@@ -143,6 +144,7 @@ dconf-editor
 ddgtk
 deadbeef
 deluge
+desktopeditors
 devhelp
 dex2jar
 dia
@@ -310,6 +312,7 @@ ideaIC
 idea.sh
 imagej
 img2txt
+impressive
 inkscape
 inkview
 inox
@@ -436,9 +439,14 @@ multimc
 multimc5
 mumble
 mupdf
+mupdf-gl
+mupdf-x11
+mupdf-x11-curl
 mupen64plus
+muraster
 musescore
 musixmatch
+mutool
 mutt
 mypaint
 mypaint-ora-thumbnailer
@@ -500,12 +508,16 @@ pioneer
 pithos
 pitivi
 pix
+planmaker18
+planmaker18free
 playonlinux
 pluma
 pngquant
 polari
 ppsspp
 pragha
+presentations18
+presentations18free
 profanity
 psi-plus
 pybitmessage
@@ -593,6 +605,8 @@ teeworlds
 telegram
 telegram-desktop
 terasology
+textmaker18
+textmaker18free
 thunderbird
 thunderbird-beta
 thunderbird-wayland
--
cgit v1.2.3-54-g00ecf