From f4f6767458208a127084e4c0103fab88761d9056 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Thu, 17 Dec 2020 08:45:35 +0000
Subject: Refactor electron.profile and electron based programs (#3807)
* Refactor electron.profile and electron based programs (1)
* Refactor electron.profile and electron based programs (2)
* Refactor electron.profile and electron based programs (3)
* Refactor electron.profile and electron based programs (4)
* Refactor electron.profile and electron based programs (5)
* Refactor electron.profile and electron based programs (6)
* Refactor electron.profile and electron based programs (7)
* Refactor electron.profile and electron based programs (8)
---
 etc/profile-a-l/atom.profile | 32 +++++++++------------
 etc/profile-a-l/beaker.profile | 21 ++++++++++----
 etc/profile-a-l/discord-common.profile | 37 +++++++++---------------
 etc/profile-a-l/electron.profile | 28 +++++++++++++-----
 etc/profile-a-l/freetube.profile | 11 -------
 etc/profile-a-l/github-desktop.profile | 46 ++++++++++++------------
 etc/profile-a-l/jitsi-meet-desktop.profile | 22 ++++----------
 7 files changed, 88 insertions(+), 109 deletions(-)
(limited to 'etc/profile-a-l')
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index cf0a5a42b..f21a5febf 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -6,31 +6,27 @@ include atom.local
 # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore include disable-devel.inc +ignore include disable-interpreters.inc +ignore include disable-xdg.inc +ignore whitelist ${DOWNLOADS} +ignore include whitelist-common.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore apparmor +ignore disable-mnt + noblacklist ${HOME}/.atom noblacklist ${HOME}/.config/Atom # Allows files commonly used by IDEs include allow-common-devel.inc -include disable-common.inc -include disable-exec.inc -include disable-passwdmgr.inc -include disable-programs.inc - -caps.keep sys_admin,sys_chroot # net none netfilter -nodvd -nogroups nosound -notv -nou2f -novideo -shell none - -private-cache -private-dev -private-tmp -dbus-user none -dbus-system none +# Redirect +include electron.profile
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile
index cc1886a49..f3a9568bd 100644
--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
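Review bot: The new block header `# Disabled until someone reported positive feedback` is ungrammatical and, more importantly, says nothing about what each `ignore` line costs: a reader cannot tell whether `ignore apparmor` and `ignore disable-mnt` are known to break Atom or are merely untested, so they are unlikely ever to be re-enabled. Suggest `# Disabled until someone reports positive feedback` and, above the lines that weaken the sandbox (`ignore apparmor`, `ignore disable-mnt`, the whitelist ignores), a one-line reason or a reference to the tracking discussion. The same comment is introduced in the beaker, discord-common, github-desktop and jitsi-meet-desktop hunks of this commit.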
@@ -3,17 +3,26 @@
 # Persistent local customizations include beaker.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -noblacklist ${HOME}/.config/Beaker Browser +# Disabled until someone reported positive feedback +ignore include disable-exec.inc +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore nou2f +ignore novideo +ignore shell none +ignore disable-mnt +ignore private-cache +ignore private-dev +ignore private-tmp -include disable-devel.inc -include disable-interpreters.inc +noblacklist ${HOME}/.config/Beaker Browser mkdir ${HOME}/.config/Beaker Browser whitelist ${HOME}/.config/Beaker Browser -include whitelist-common.inc # Redirect include electron.profile
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 35bea4aaa..e6edbd7eb 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -6,33 +6,24 @@ include discord-common.local
 # added by caller profile #include globals.local -ignore noexec ${HOME} +# Disabled until someone reported positive feedback +ignore include disable-interpreters.inc +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore apparmor +ignore disable-mnt +ignore private-cache +ignore dbus-user none +ignore dbus-system none -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-passwdmgr.inc -include disable-programs.inc +ignore noexec ${HOME} -whitelist ${DOWNLOADS} whitelist ${HOME}/.config/BetterDiscord whitelist ${HOME}/.local/share/betterdiscordctl -include whitelist-common.inc -include whitelist-var-common.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp !chroot private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh -private-dev private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl -private-tmp + +# Redirect +include electron.profile
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index 9b99c7ffb..d3be07c9d 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
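Review bot: The removed `caps.drop all`, `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink` and `seccomp !chroot` lines are not re-established by the new `include electron.profile` redirect: the electron.profile hunk that follows replaces the base's `caps.drop all` with `caps.keep sys_admin,sys_chroot` and deletes its `nonewprivs`, `noroot`, `protocol` and `seccomp`, presumably leaving them to the `#include chromium-common-hardened.inc` line that ships commented out. Discord therefore runs with two retained capabilities, no syscall filter and no root/new-privs restriction unless the user opts in, which is a weaker sandbox than before a commit whose subject says "Refactor". The freetube, github-desktop and jitsi-meet-desktop hunks drop `seccomp !chroot` in the same way (github-desktop also `caps.drop all`, `nonewprivs`, `noroot`) without a replacement. If Discord does not actually need the SUID-sandbox capabilities, keep at least `seccomp !chroot` together with `nonewprivs` and `noroot` in discord-common.profile ahead of the redirect; if it does, a comment in the profile saying so would stop the next reader from re-adding them.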
@@ -3,25 +3,39 @@
 # This file is overwritten after every install/update # Persistent local customizations include electron.local -# Persistent global definitions -include globals.local include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +# Uncomment the next line (or add it to your chromium-common.local) +# if your kernel allows unprivileged userns clone. +#include chromium-common-hardened.inc apparmor -caps.drop all +caps.keep sys_admin,sys_chroot netfilter nodvd nogroups -nonewprivs -noroot notv -protocol unix,inet,inet6,netlink -seccomp +nou2f +novideo +shell none + +disable-mnt +private-cache +private-dev +private-tmp dbus-user none dbus-system none
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 91f0caf87..20a5d609e 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -8,24 +8,13 @@ include globals.local
 noblacklist ${HOME}/.config/FreeTube -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc include disable-shell.inc -include disable-xdg.inc mkdir ${HOME}/.config/FreeTube whitelist ${HOME}/.config/FreeTube -seccomp !chroot -shell none - -disable-mnt private-bin freetube -private-cache -private-dev private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg -private-tmp # Redirect include electron.profile
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index 152396553..325c54ced 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
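Review bot: The new comment above `#include chromium-common-hardened.inc` tells the user to add the line to `chromium-common.local`, but this profile includes `electron.local` (context line at the top of the hunk), so an entry in chromium-common.local would not be read by the programs that redirect here; the comment should read `# Uncomment the next line (or add it to your electron.local)`. Since this base profile no longer carries `caps.drop all`, `nonewprivs`, `noroot`, `protocol` or `seccomp` itself, the same comment should also say which of those the hardened include restores, so that readers of the per-app profiles know what they give up by leaving it commented out. Whether an include placed in electron.local, which is processed before the `caps.keep sys_admin,sys_chroot` line below, can actually take precedence over it depends on firejail's handling of conflicting caps directives and is worth confirming before pointing users at it.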
@@ -6,43 +6,35 @@ include github-desktop.local
 # Persistent global definitions include globals.local +# Note: On debian-based distributions the binary might be located in +# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. +# If that's the case you can start GitHub Desktop with firejail via +# `firejail "/opt/GitHub Desktop/github-desktop"`. + +# Disabled until someone reported positive feedback +ignore include disable-xdg.inc +ignore whitelist ${DOWNLOADS} +ignore include whitelist-common.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore apparmor +ignore dbus-user none +ignore dbus-system none + noblacklist ${HOME}/.config/GitHub Desktop noblacklist ${HOME}/.config/git noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials -include disable-common.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc - -caps.drop all -netfilter # no3d -nodvd -nogroups -nonewprivs -noroot nosound -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp !chroot -# Note: On debian-based distributions the binary might be located in -# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. -# If that's the case you can start GitHub Desktop with firejail via -# `firejail "/opt/GitHub Desktop/github-desktop"`. - -disable-mnt # private-bin github-desktop -private-cache ?HAS_APPIMAGE: ignore private-dev -private-dev # private-lib -private-tmp # memory-deny-write-execute + +# Redirect +include electron.profile
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
index c4121d835..e5beb741a 100644
--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -6,34 +6,22 @@ include jitsi-meet-desktop.local
 # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore nou2f +ignore novideo +ignore shell none + ignore noexec /tmp noblacklist ${HOME}/.config/Jitsi Meet -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-xdg.inc - nowhitelist ${DOWNLOADS} mkdir ${HOME}/.config/Jitsi Meet - whitelist ${HOME}/.config/Jitsi Meet -include whitelist-common.inc -include whitelist-usr-share-common.inc -include whitelist-runuser-common.inc -include whitelist-var-common.inc - -seccomp !chroot - -disable-mnt private-bin bash,jitsi-meet-desktop -private-cache -private-dev private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg -private-tmp # Redirect include electron.profile
--
cgit v1.2.3-70-g09d2
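Review bot: The retained context line `nowhitelist ${DOWNLOADS}` cancels the base profile's `whitelist ${DOWNLOADS}`, while the atom and github-desktop hunks of this same commit express that intent with `ignore whitelist ${DOWNLOADS}` inside the new "Disabled until ..." block; two mechanisms for one purpose across profiles that now share a base make the effective whitelist harder to audit. If the two are equivalent for this case (nowhitelist is matched against the resulting whitelist set, ignore drops the directive before it applies), the jitsi line could move into the new block as `ignore whitelist ${DOWNLOADS}`; if they differ in effect here, a one-line comment above `nowhitelist ${DOWNLOADS}` stating why this profile needs it would prevent a later "cleanup" from switching it. The enclosing profile continues past the hunk only through the `# Redirect` lines shown, so no other directive is affected.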