From 8d9b12d1c61000af20eb3ff39af712939ca8788a Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Mon, 14 Sep 2020 12:23:34 +0200
Subject: New profiles + fixes + hardening
- blacklist ~/.rustup in disable-devel.inc
- add note to mpv (See #3628)
- harden warsow
- update relnotes
- new profile qrencode, dbus-send, notify-send
---
 etc/profile-m-z/mpv.profile | 13 ++++++++
 etc/profile-m-z/notify-send.profile | 60 +++++++++++++++++++++++++++++++++++++
 etc/profile-m-z/qrencode.profile | 58 +++++++++++++++++++++++++++++++++++
 etc/profile-m-z/warsow.profile | 3 ++
 4 files changed, 134 insertions(+)
 create mode 100644 etc/profile-m-z/notify-send.profile
 create mode 100644 etc/profile-m-z/qrencode.profile
(limited to 'etc/profile-m-z')
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 7ca57334d..08318d08e 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,6 +11,19 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 # screenshot-directory=~/Pictures
 
+# Mpv has a powerfull lua-API, some off these lua-scripts interact
+# with external resources which are blocked by firejail. In such cases
+# you need to allow these resources by
+# - adding additional binaries to private-bin
+# - whitelisting additional paths
+# - noblacklisting paths
+# - weaking the dbus-policy
+# - ...
+#
+# Often these scripts require a shell:
+#noblacklist ${PATH}/sh
+#private-bin sh
+
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
new file mode 100644
index 000000000..ff292f409
--- /dev/null
+++ b/etc/profile-m-z/notify-send.profile
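Review bot: The new comment block in mpv.profile ships with several spelling errors that every user will see in their installed profile: `# Mpv has a powerfull lua-API, some off these lua-scripts interact` should read `# Mpv has a powerful Lua API; some of these Lua scripts interact`, and `# - weaking the dbus-policy` should be `# - weakening the dbus-policy`. Because the two commented-out lines hand the sandbox a shell, the cost of uncommenting them deserves one explicit sentence, e.g. `# Note: allowing sh lets any script mpv loads run arbitrary commands inside the sandbox; enable only for scripts you trust.` Whether the rest of mpv.profile includes disable-shell.inc or otherwise references sh is not visible in this hunk, so the exact wording may need to match what is already there.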
@@ -0,0 +1,60 @@
+# Firejail profile for notify-send
+# Description: a program to send desktop notifications
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include notify-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private
+private-bin notify-send
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
new file mode 100644
index 000000000..5e49a342a
--- /dev/null
+++ b/etc/profile-m-z/qrencode.profile
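Review bot: `include whitelist-common.inc` and `read-only ${HOME}` overlap with `private` in the same profile: once `private` replaces the home directory with an empty temporary one, the home whitelists and the read-only mount act on that throwaway directory rather than on the real ${HOME}, so as far as I can tell they add no protection here. The qrencode profile added in this same commit omits whitelist-common.inc, so dropping `include whitelist-common.inc` (and arguably `read-only ${HOME}`) would make the two new profiles consistent and state the intent, "no access to the real home at all", in one directive. If the plan is to later relax `private` so users can keep per-app config, keeping the whitelist makes sense, but then a one-line comment saying so would spare the next maintainer the same question. The D-Bus policy itself looks right for this tool: `dbus-user filter` with only `org.freedesktop.Notifications` is the minimum notify-send needs, and `dbus-system none` plus `net none` close the rest.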
@@ -0,0 +1,58 @@
+# Firejail profile for qrencode
+# Description: Encode input data in a QR Code and save as a PNG or EPS image.
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qrencode.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin qrencode
+private-cache
+private-dev
+private-etc none
+private-lib libpcre2-8.so.0
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index d8cd5557e..178e0c7b1 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -24,7 +24,10 @@ mkdir ${HOME}/.cache/warsow-2.1
 mkdir ${HOME}/.local/share/warsow-2.1
 whitelist ${HOME}/.cache/warsow-2.1
 whitelist ${HOME}/.local/share/warsow-2.1
+whitelist /usr/share/warsow
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-- 
cgit v1.2.3-54-g00ecf
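Review bot: `blacklist ${RUNUSER}/wayland-*` is subsumed by `blacklist ${RUNUSER}` on the very next line, and `include whitelist-runuser-common.inc` then whitelists entries inside the directory that was just blacklisted, which reads as contradictory even if firejail resolves it harmlessly. qrencode takes its input from arguments or stdin and writes an image file, so it needs neither the session bus nor a display socket; `blacklist ${RUNUSER}` alone says exactly that, and I would drop `blacklist ${RUNUSER}/wayland-*` and `include whitelist-runuser-common.inc`. The `private-lib libpcre2-8.so.0` line would also benefit from a short comment explaining which dependency needs it, since it is not obvious from qrencode's own direct linkage (presumably a transitive dependency, but that is an inference, not something this hunk shows). The rest of the profile is tight for a command-line encoder: no network, no D-Bus, no 3D, W^X enforced.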
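Review bot: `whitelist /usr/share/warsow` together with the new `include whitelist-usr-share-common.inc` turns /usr/share into a whitelist, so if a distribution ships the game data under a different path (the hunk gives no way to confirm /usr/share/warsow is the only layout in use) the game will silently fail to find its assets rather than fall back. A comment on that line, `# game data; adjust in warsow.local if your distribution installs it elsewhere`, would point users at the right override when that happens. The profile's network and sound settings that a multiplayer game depends on are outside this hunk, so nothing to say about them here.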