From f3056a862a6eb9ccbd08760c1b8d7fa769f90e9f Mon Sep 17 00:00:00 2001
From: kortewegdevries <62639087+kortewegdevries@users.noreply.github.com>
Date: Wed, 16 Dec 2020 18:12:48 +0000
Subject: New profiles for alacarte,tootle,photoflare (#3816)

* New profiles for alacarte,tootle,photoflare
* Fix dbus
Co-authored-by: kortewegdevries
---
 etc/inc/disable-programs.inc | 1 +
 etc/profile-a-l/alacarte.profile | 64 ++++++++++++++++++++++
 .../com.github.bleakgrey.tootle.profile | 55 +++++++++++++++++++
 etc/profile-m-z/photoflare.profile | 50 +++++++++++++++++
 src/firecfg/firecfg.config | 3 +
 5 files changed, 173 insertions(+)
 create mode 100644 etc/profile-a-l/alacarte.profile
 create mode 100644 etc/profile-a-l/com.github.bleakgrey.tootle.profile
 create mode 100644 etc/profile-m-z/photoflare.profile

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 9b098f43c..59bd28f95 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -188,6 +188,7 @@ blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/darktable
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
new file mode 100644
index 000000000..5fabf8283
--- /dev/null
+++ b/etc/profile-a-l/alacarte.profile
@@ -0,0 +1,64 @@
+# Firejail profile for alacarte
+# Description: Create desktop and menu launchers easily
+# This file is overwritten after every install/update
+# Persistent local customizations
+include alacarte.local
+# Persistent global definitions
+include globals.local
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
+# Whitelist your system icon directory,varies by distro
+whitelist /usr/share/alacarte
+whitelist /usr/share/app-info
+whitelist /usr/share/desktop-directories
+whitelist /usr/share/icons
+whitelist /var/lib/app-info/icons
+whitelist /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/icons
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin alacarte,bash,python*,sh
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-write ${HOME}/.config/menus
+read-write ${HOME}/.gnome/apps
+read-write ${HOME}/.local/share/applications
+read-write ${HOME}/.local/share/flatpak/exports
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
new file mode 100644
index 000000000..4de7eb497
--- /dev/null
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
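Review bot: `include disable-programs.inc` is listed before `include disable-passwdmgr.inc` in the disable-* block, whereas the other two profiles in this patch keep that block alphabetical (passwdmgr before programs); swapping the two lines keeps the new profiles consistent with each other. The comment `# Whitelist your system icon directory,varies by distro` is also missing a space after the comma; `# Whitelist your system icon directory, varies by distro` reads cleaner. Neither point changes what the sandbox enforces.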
@@ -0,0 +1,55 @@
+# Firejail profile for com.github.bleakgrey.tootle
+# Description: Gtk Mastodon client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.bleakgrey.tootle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/com.github.bleakgrey.tootle
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/com.github.bleakgrey.tootle
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/com.github.bleakgrey.tootle
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.bleakgrey.tootle
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# Settings are immutable
+# dbus-user filter
+# dbus-user.own com.github.bleakgrey.tootle
+# dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
new file mode 100644
index 000000000..d9df3e3b3
--- /dev/null
+++ b/etc/profile-m-z/photoflare.profile
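Review bot: The `private-etc` line has a space instead of a comma between `machine-id` and `mime.types` (`...,hosts,machine-id mime.types,nsswitch.conf,...`), so firejail, which splits this list on commas, sees `machine-id mime.types` as a single entry; whether that aborts the sandbox or just leaves both files out of the private /etc is not visible from the hunk, but in either case neither file is provided as intended. The line should read `private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg`. Separately, with the `dbus-user filter` block commented out the session bus is left unrestricted, and `# Settings are immutable` does not say why; a comment such as `# dbus-user filter makes the app's settings immutable; session bus left open until that is resolved` would let the next maintainer know what to re-test before enabling it.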
@@ -0,0 +1,50 @@
+# Firejail profile for photoflare
+# Description: Simple painting and editing program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include photoflare.local
+# Persistent global definitions
+include photoflare.local
+
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin photoflare
+private-cache
+private-dev
+private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index fe6990229..3f1591cbd 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -34,6 +34,7 @@ abiword
 abrowser
 akonadi_control
 akregator
+alacarte
 amarok
 amule
 amuled
@@ -140,6 +141,7 @@ cmus
 code
 code-oss
 cola
+com.github.bleakgrey.tootle
 com.github.dahenson.agenda
 com.github.johnfactotum.Foliate
 com.gitlab.newsflash
@@ -582,6 +584,7 @@ pdfsam
 pdftotext
 peek
 penguin-command
+photoflare
 picard
 pidgin
 #ping - disabled until we fix #1912
-- 
cgit v1.2.3-54-g00ecf
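Review bot: Under `# Persistent global definitions` the profile includes `photoflare.local` a second time instead of `globals.local`, so the global overrides file is never read and the local one is parsed twice; the line should be `include globals.local`, as the alacarte and tootle profiles in this same patch have it. Nothing else in the hunk depends on it, so this is a one-line change.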