From e1fc59bb144e2c68b6349dbd0a3d147b8e8d1daf Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Fri, 11 Aug 2017 05:03:35 +0200
Subject: Add TuxGuitar profile (#1453) * add tuxguitar profile tested for versions < 1.3 * blacklist tuxguitar * add tuxguitar * add tuxguitar * add support for tuxguitar > 1.2 higher versions fail to launch without protocol=inet,inet6 and with noexec=~. Yet, net=none seems to be still tolerated, which comes handy to block talk with internet and dbus. * unbreak tuxguitar Internet access versions >= 1.3 actually run fine with net=none enabled, if the built-in internet dependent feature is not used
---
 etc/disable-programs.inc | 1 +
 etc/tuxguitar.profile | 30 ++++++++++++++++++++++++++++++
 platform/debian/conffiles | 1 +
 src/firecfg/firecfg.config | 1 +
 4 files changed, 33 insertions(+)
 create mode 100644 etc/tuxguitar.profile
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 470a607d9..a54d2a739 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -357,6 +357,7 @@ blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.ts3client
+blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknow-horizons
 blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
new file mode 100644
index 000000000..e3f4239f5
--- /dev/null
+++ b/etc/tuxguitar.profile
@@ -0,0 +1,30 @@
+# Firejail profile for tuxguitar
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tuxguitar.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.java
+noblacklist ~/.tuxguitar*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+# net none - breaks internet for tuxguitar versions 1.3 and higher
+no3d
+nonewprivs
+noroot
+novideo
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-dev
+private-tmp
+
+# noexec ${HOME} - tuxguitar versions 1.3 and higher might fail to launch
+noexec /tmp
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index afd22c041..360ac8921 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -298,6 +298,7 @@
 /etc/firejail/transmission-qt.profile
 /etc/firejail/transmission-show.profile
 /etc/firejail/truecraft.profile
+/etc/firejail/tuxguitar.profile
 /etc/firejail/uget-gtk.profile
 /etc/firejail/unbound.profile
 /etc/firejail/unknown-horizons.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index cd821aa69..d66b026b0 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -268,6 +268,7 @@ transmission-gtk
 transmission-qt
 transmission-show
 truecraft
+tuxguitar
 uget-gtk
 unbound
 unknown-horizons
-- cgit v1.2.3-54-g00ecf
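Review bot: In etc/tuxguitar.profile both `net none` and `noexec ${HOME}` are left commented out, so the sandbox keeps full inet/inet6 access and an executable home directory, and the two comments say only what breaks, not what a user can safely turn back on. The commit message states that 1.3+ still runs with net none as long as the built-in internet feature is not used, so the comment could carry that, e.g. `# net none - only the built-in internet feature of 1.3+ needs the network; enable in tuxguitar.local if unused`. The noexec comment would be more useful if it named the affected versions as precisely, e.g. `# noexec ${HOME} - 1.3+ fails to launch with it; versions < 1.3 can enable it in tuxguitar.local`. As a style point, `noblacklist ~/.tuxguitar*` is spelled differently from the `blacklist ${HOME}/.tuxguitar*` entry this commit adds to etc/disable-programs.inc; using `${HOME}` in both keeps the pair easy to grep.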