From 0e133dc034543291a00151f28bca4dc73ba64ce4 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 9 Dec 2022 12:36:28 +0000
Subject: New profile: tesseract (#5516)
* Add firecfg support for tesseract
* Add tesseract to 'New profiles' section in README.md
* Create tesseract.profile
* tesseract: fix private-etc
* tesseract: fix XDG black/whitelisting
* tesseract: use 'seccomp socket' instead of 'protocol unix' As kindly suggested by @rusty-snake.
* tesseract: add 'restrict-namespaces' As kindly suggested by @rusty-snake.
* tesseract: use full seccomp filtering The tesseract application works fine without 'protocol' or 'seccomp socket'.
---
 etc/profile-m-z/tesseract.profile | 65 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 etc/profile-m-z/tesseract.profile
(limited to 'etc/profile-m-z/tesseract.profile')
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
new file mode 100644
index 000000000..11a21c471
--- /dev/null
+++ b/etc/profile-m-z/tesseract.profile
@@ -0,0 +1,65 @@
+# Firejail profile for tesseract
+# Description: An OCR program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tesseract.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/tessdata
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname tesseract
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+tracelog
+x11 none
+
+#disable-mnt
+private-bin ambiguous_words,classifier_tester,cntraining,combine_lang_model,combine_tessdata,dawg2wordlist,lstmeval,lstmtraining,merge_unicharsets,mftraining,set_unicharset_properties,shapeclustering,tesseract,text2image,unicharset_extractor,wordlist2dawg
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+#private-lib libtesseract.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
-- cgit v1.2.3-70-g09d2
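Review bot: The single `whitelist /usr/share/tessdata` line hard-codes one distribution's layout, and because `whitelist-usr-share-common.inc` is included right after it, every other tessdata location is hidden inside the sandbox; Debian-family packages install the training data under a versioned `/usr/share/tesseract-ocr/<version>/tessdata` directory (verify against the target distribution), so on those systems tesseract would start but fail to open any language file. A comment above the whitelist would save the next reader a debugging session, e.g. `# Note: some distributions ship tessdata under /usr/share/tesseract-ocr/<version>/tessdata; add the matching whitelist (or a TESSDATA_PREFIX env line) in tesseract.local`. On least privilege, the `private-bin` line pulls in the whole training toolchain (cntraining, lstmtraining, text2image, …) although the profile's stated purpose is OCR; trimming it to `private-bin tesseract` and leaving the training utilities to tesseract.local keeps the sandbox's reachable executables to what the common use case needs. The `#private-lib libtesseract.so.*` line is left disabled without a reason; a short comment stating why (e.g. which dependency broke) would prevent someone re-enabling it blindly.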