From 3e2a58f47a9cad1c903327cecd3ba7bf1c84ec1c Mon Sep 17 00:00:00 2001
From: Ted Robertson <10043369+tredondo@users.noreply.github.com>
Date: Sat, 13 Mar 2021 20:01:46 -1000
Subject: Create bcompare.profile
---
etc/profile-a-l/bcompare.profile | 65 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
create mode 100644 etc/profile-a-l/bcompare.profile
(limited to 'etc/profile-a-l')
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
new file mode 100644
index 000000000..8a166266d
--- /dev/null
+++ b/etc/profile-a-l/bcompare.profile
@@ -0,0 +1,65 @@
+# Firejail profile for Scootersoft Beyond Compare
+# Description: directory compare and file compare utility
+# Disables the network, which only impacts checking for updates.
+# This file is overwritten after every install/update
+
+# Persistent local customizations
+include bcompare.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Allow comparing e.g. Firefox profile files
+# include disable-programs.inc
+# Uncommenting this breaks launch
+# include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+# include whitelist-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+#allusers
+apparmor
+caps.drop all
+# ipc-namespace
+machine-id
+net none
+no3d
+# nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+# shell none
+# tracelog
+
+# disable-mnt
+# private
+# private-bin program
+private-cache
+private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
+# private-lib
+# private-opt none
+# Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1"
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
+noexec ${HOME}
+# read-only ${HOME}
-- cgit v1.2.3-54-g00ecf
From 6e74079f8dd9c9343fd01d5864d10d7afc23b915 Mon Sep 17 00:00:00 2001
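Review bot: The four `# include whitelist-*.inc` lines are left commented out with no reason given, unlike the disable-programs.inc and disable-shell.inc lines just above them, so a reader cannot tell a deliberate relaxation from template residue. If the reason is that a compare tool has to open arbitrary user-selected paths, a comment such as `# No whitelisting: files to compare can be anywhere in ${HOME}` would record it. With no whitelist and disable-programs.inc off, most of the home directory stays reachable inside the sandbox, so `net none` carries much of the containment and the header comment could say so.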
From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 20:37:25 -1000 Subject: Allow comparing ${DOCUMENTS}, ${PICTURES} etc. --- etc/profile-a-l/bcompare.profile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 8a166266d..355c971dc 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -1,5 +1,5 @@ -# Firejail profile for Scootersoft Beyond Compare -# Description: directory compare and file compare utility +# Firejail profile for Beyond Compare by Scooter Software +# Description: directory and file compare utility # Disables the network, which only impacts checking for updates. # This file is overwritten after every install/update @@ -18,7 +18,8 @@ include disable-passwdmgr.inc # Uncommenting this breaks launch # include disable-shell.inc include disable-write-mnt.inc -include disable-xdg.inc +# Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS} +# include disable-xdg.inc # include whitelist-common.inc # include whitelist-runuser-common.inc -- cgit v1.2.3-54-g00ecf From cc1ef43da90e806983c10292ff98c62aa8640505 Mon Sep 17 00:00:00 2001 From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 21:25:35 -1000 Subject: Allow opening images via context menu with Gwenview --- etc/profile-a-l/bcompare.profile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 355c971dc..ece859691 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile 
@@ -8,12 +8,15 @@ include bcompare.local # Persistent global definitions include globals.local +# In case the user decides to include disable-programs.inc, still allow KDE's Gwenview to view images via right click -> Open With -> Associated Application +noblacklist ${HOME}/.config/gwenviewrc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc -# Allow comparing e.g. Firefox profile files +# Allow comparing e.g. Firefox profile files, so don't disable access to programs # include disable-programs.inc # Uncommenting this breaks launch # include disable-shell.inc -- cgit v1.2.3-54-g00ecf From 2aea4a54f2b367b375df1de9b52efcff45138c1c Mon Sep 17 00:00:00 2001 From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 22:37:41 -1000 Subject: Hard line wrap Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> --- etc/profile-a-l/bcompare.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index ece859691..02cd260cd 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -8,7 +8,8 @@ include bcompare.local # Persistent global definitions include globals.local -# In case the user decides to include disable-programs.inc, still allow KDE's Gwenview to view images via right click -> Open With -> Associated Application +# In case the user decides to include disable-programs.inc, still allow +# KDE's Gwenview to view images via right click -> Open With -> Associated Application noblacklist ${HOME}/.config/gwenviewrc include disable-common.inc -- cgit v1.2.3-54-g00ecf From 05a5a1e46237aff051e74d52f1672301776fe637 Mon Sep 17 00:00:00 2001 
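Review bot: `noblacklist ${HOME}/.config/gwenviewrc` in the first hunk on this line appears to have no effect in the profile as shipped, because `include disable-programs.inc` stays commented out, and it hard-codes one desktop's image viewer into a generic compare profile. A per-user choice like this fits bcompare.local better; the profile could carry only a hint such as `# To open images in an external viewer, add its noblacklist lines to bcompare.local`. If the line stays, it is worth checking (not visible here) whether disable-programs.inc blacklists further Gwenview paths that the viewer would also need.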
From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 22:40:22 -1000 Subject: noexec ${HOME} is in disable-exec.inc Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> --- etc/profile-a-l/bcompare.profile | 4 ---- 1 file changed, 4 deletions(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 02cd260cd..8ebd299eb 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -64,7 +64,3 @@ private-tmp # dbus-user none # dbus-system none - -# memory-deny-write-execute -noexec ${HOME} -# read-only ${HOME} -- cgit v1.2.3-54-g00ecf From b37887118e26c49dd061f3e5bdb6d2fe228cd666 Mon Sep 17 00:00:00 2001 From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 22:44:17 -1000 Subject: No private-lib/opt Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> --- etc/profile-a-l/bcompare.profile | 2 -- 1 file changed, 2 deletions(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 8ebd299eb..3f0cded25 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -57,8 +57,6 @@ private-cache private-dev # see /usr/share/doc/firejail/profile.template for more common private-etc paths. # private-etc alternatives,fonts,machine-id -# private-lib -# private-opt none # Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1" private-tmp -- cgit v1.2.3-54-g00ecf From 9f8330f563706d6814f271b2e0f66ef70e80ab30 Mon Sep 17 00:00:00 2001 
From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 22:47:52 -1000 Subject: No blank line after before # Persistent local customizations Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> --- etc/profile-a-l/bcompare.profile | 1 - 1 file changed, 1 deletion(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 3f0cded25..b17474e53 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -2,7 +2,6 @@ # Description: directory and file compare utility # Disables the network, which only impacts checking for updates. # This file is overwritten after every install/update - # Persistent local customizations include bcompare.local # Persistent global definitions -- cgit v1.2.3-54-g00ecf From 17c40277e2f7e06bc50a485feb20f7caa8281bf9 Mon Sep 17 00:00:00 2001 From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 22:57:46 -1000 Subject: No commented #allusers Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> --- etc/profile-a-l/bcompare.profile | 1 - 1 file changed, 1 deletion(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index b17474e53..20114f9fb 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -29,7 +29,6 @@ include disable-write-mnt.inc # include whitelist-usr-share-common.inc # include whitelist-var-common.inc -#allusers apparmor caps.drop all # ipc-namespace -- cgit v1.2.3-54-g00ecf From 85ce95781047b549682e9f36aa36b3be9adeee6d Mon Sep 17 00:00:00 2001 
From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 22:58:17 -1000 Subject: No useless comments Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> --- etc/profile-a-l/bcompare.profile | 3 --- 1 file changed, 3 deletions(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 20114f9fb..9298b70c4 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -48,9 +48,6 @@ seccomp # shell none # tracelog -# disable-mnt -# private -# private-bin program private-cache private-dev # see /usr/share/doc/firejail/profile.template for more common private-etc paths. -- cgit v1.2.3-54-g00ecf From c10c7bef6c47f72442a42dd9e9a280f98ec9cffa Mon Sep 17 00:00:00 2001 From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 22:59:01 -1000 Subject: Uncomment shell none, tracelog, dbus-* --- etc/profile-a-l/bcompare.profile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 9298b70c4..1c42d43e3 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -45,8 +45,8 @@ nou2f novideo protocol unix seccomp -# shell none -# tracelog +shell none +tracelog private-cache private-dev @@ -55,5 +55,5 @@ private-dev # Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1" private-tmp -# dbus-user none -# dbus-system none +dbus-user none +dbus-system none -- cgit v1.2.3-54-g00ecf From 1552e314948e7cc1b6cb39c58a69ca9589ffee78 Mon Sep 17 00:00:00 2001 
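Review bot: `dbus-user none` and `dbus-system none`, enabled in the second hunk of the "Uncomment shell none, tracelog, dbus-*" commit, carry no comment although the profile explicitly supports opening files in KDE's Gwenview from the context menu. Applications started from inside the sandbox inherit it, and KDE applications commonly expect a session bus, so the external-viewer path may degrade or fail; this is an inference, not something the diff shows. If launch was tested with these on, a comment such as `# External viewers run without D-Bus; add "ignore dbus-user none" to bcompare.local if Open With fails` would tell users where to look.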
From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 23:05:06 -1000 Subject: Follow meld convention for disable-programs.inc --- etc/profile-a-l/bcompare.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 1c42d43e3..951957c2b 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -11,7 +11,8 @@ include globals.local # KDE's Gwenview to view images via right click -> Open With -> Associated Application noblacklist ${HOME}/.config/gwenviewrc -include disable-common.inc +# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc +#include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -- cgit v1.2.3-54-g00ecf From 1d6114d4286c9d4130a3908a28d433c7f180f57f Mon Sep 17 00:00:00 2001 From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 23:07:35 -1000 Subject: noblacklist ${HOME}/.config/bcompare --- etc/profile-a-l/bcompare.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 951957c2b..595340d1b 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -7,6 +7,7 @@ include bcompare.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/bcompare # In case the user decides to include disable-programs.inc, still allow # KDE's Gwenview to view images via right click -> Open With -> Associated Application noblacklist ${HOME}/.config/gwenviewrc -- cgit v1.2.3-54-g00ecf From 92fc7216b8453ec6c04d277399dde56530a636e8 Mon Sep 17 00:00:00 2001 
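Review bot: The first hunk on this line comments out `include disable-common.inc`, but the commit subject names disable-programs.inc, which was already commented out; if the subject states the intent, the wrong line was changed. disable-common.inc is the baseline blacklist shared by Firejail profiles, so turning it off by default leaves the commonly protected files in the home directory reachable by the compare tool and by anything it launches. Keeping `include disable-common.inc` active and pointing users to targeted exceptions, e.g. `# To compare a path blocked by disable-common.inc, add a noblacklist line for it to bcompare.local`, would preserve the default protection.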
From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 23:08:13 -1000 Subject: No # ipc-namespace Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> --- etc/profile-a-l/bcompare.profile | 1 - 1 file changed, 1 deletion(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 595340d1b..378eba52c 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -33,7 +33,6 @@ include disable-write-mnt.inc apparmor caps.drop all -# ipc-namespace machine-id net none no3d -- cgit v1.2.3-54-g00ecf From dca23fed43eaa5794195e21fbcfd1c8363d5fc9b Mon Sep 17 00:00:00 2001 From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sat, 13 Mar 2021 23:22:24 -1000 Subject: Allow external applications to paly sound files --- etc/profile-a-l/bcompare.profile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 378eba52c..489fa4389 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -33,14 +33,16 @@ include disable-write-mnt.inc apparmor caps.drop all -machine-id +# Uncommenting might break Pulse Audio +#machine-id net none no3d -# nodvd +#nodvd nogroups nonewprivs noroot -# nosound +# Allow applications launched on sound files to play them +#nosound notv nou2f novideo -- cgit v1.2.3-54-g00ecf From a99b2d2fcece213361a8a681a987da13f3f27942 Mon Sep 17 00:00:00 2001 From: Ted Robertson <10043369+tredondo@users.noreply.github.com> Date: Sun, 14 Mar 2021 13:43:00 -1000 Subject: Uncomment nodvd, reuse "uncomment next" msg --- etc/profile-a-l/bcompare.profile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 489fa4389..178e2dc9f 100644 
--- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile @@ -18,8 +18,8 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc -# Allow comparing e.g. Firefox profile files, so don't disable access to programs -# include disable-programs.inc +# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc +#include disable-programs.inc # Uncommenting this breaks launch # include disable-shell.inc include disable-write-mnt.inc @@ -37,7 +37,7 @@ caps.drop all #machine-id net none no3d -#nodvd +nodvd nogroups nonewprivs noroot -- cgit v1.2.3-54-g00ecf