From 5d741795c3bb2060730e282a8f512b999418e098 Mon Sep 17 00:00:00 2001
From: Fred Barclay
Date: Sat, 15 Aug 2020 17:27:10 -0500
Subject: Use whitelisting for video players (#3472)
* Use whitelisting for video players See https://github.com/netblue30/firejail/pull/3469
* Update media player whitelists See reviews at https://github.com/netblue30/firejail/pull/3472 Block $DOCUMENTS Make $DESKTOP read-only
* Review fixes: include read-only Desktop in whitelist
---
etc/profile-m-z/mpv.profile | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
(limited to 'etc/profile-m-z/mpv.profile')
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 2fc027257..8f99e4b74 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -7,6 +7,10 @@ include mpv.local
 # Persistent global definitions
 include globals.local
+# In order to save screenshots to a persistent location,
+# edit ~/.config/mpv/foobar.conf:
+# screenshot-directory=~/Pictures
+
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
@@ -17,10 +21,6 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -28,8 +28,20 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/youtube-dl
+mkdir ${HOME}/.netrc
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.netrc
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
-- cgit v1.2.3-70-g09d2
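Review bot: The comment added in the first hunk (`@@ -7,6 +7,10 @@`) names `~/.config/mpv/foobar.conf`, which reads as a placeholder rather than a file mpv loads; the user configuration file is `mpv.conf`, so the line should read `# edit ~/.config/mpv/mpv.conf:`. The comment would also be more useful if it said why the setting is needed, for example `# (with whitelisting, files written outside the whitelisted directories are lost when the sandbox exits)`. That ties the hint to the `whitelist ${PICTURES}` entry added in the third hunk.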
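Review bot: In the third hunk (`@@ -28,8 +28,20 @@`), `mkdir ${HOME}/.netrc` creates a directory at a path that is meant to be a credentials file, so on a system without an existing ~/.netrc the sandbox leaves a directory there and tools that read the file will fail. Use `mkfile ${HOME}/.netrc` instead, or drop the line and keep only `whitelist ${HOME}/.netrc`. Since that file holds plaintext logins and the player parses untrusted media, adding `read-only ${HOME}/.netrc` next to the existing `read-only ${DESKTOP}` would at least keep sandboxed code from modifying it. `whitelist ${DOWNLOADS}` is left writable as well; if that is not required for playback, the same `read-only` treatment is worth considering there. The profile continues past the end of this hunk, so later directives may already cover part of this.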