From 255697b15aff5c6b57cb77b2dbedf6cffb366efe Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 23 Mar 2020 14:32:49 -0400
Subject: apparmor

---
 etc/gnome-books.profile | 2 ++
 etc/gnome-characters.profile | 1 +
 etc/gnome-font-viewer.profile | 2 ++
 etc/gnome-music.profile | 6 ++++--
 etc/gnome-photos.profile | 1 +
 etc/gnome-recipes.profile | 3 ++-
 etc/kmplayer.profile | 41 +++++++++++++++++++++++++++++++++++++++++
 etc/pitivi.profile | 2 ++
 etc/rhythmbox.profile | 4 ++--
 etc/ristretto.profile | 4 ++++
 etc/shellcheck.profile | 1 +
 etc/simutrans.profile | 3 +++
 etc/smtube.profile | 1 +
 etc/widelands.profile | 1 +
 etc/xcalc.profile | 1 +
 15 files changed, 68 insertions(+), 5 deletions(-)
 create mode 100644 etc/kmplayer.profile
(limited to 'etc')

diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 84e38d0e1..2dc1173a4 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -23,7 +23,9 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
+net none
 netfilter
 no3d
 nodvd
diff --git a/etc/gnome-characters.profile b/etc/gnome-characters.profile
index 2d4724610..f02fe13f6 100644
--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@@ -22,6 +22,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 net none
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile
index 468ef0401..3f186b90b 100644
--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -17,7 +17,9 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
+net none
 netfilter
 no3d
 nodvd
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index ad3fa1753..7b27eb333 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -23,6 +23,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
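Review bot: The gnome-books hunk adds `net none` directly above an existing `netfilter` line, and the gnome-font-viewer, pitivi and ristretto hunks do the same; if `net none` leaves the sandbox with no network interface, the `netfilter` line presumably no longer filters anything and only adds noise. Either drop `netfilter` where `net none` is introduced, or keep it and say why, since the profile otherwise reads as if it still expects network traffic. The commit subject is only "apparmor", so a one-line comment such as `# net none - the application has no use for the network` next to the new directive would also record that the loss of networking is intentional and not a side effect of the AppArmor work.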
@@ -37,8 +38,9 @@ seccomp
 shell none
 tracelog
-private-bin env,gio-launch-desktop,gnome-music,python*,yelp
+# private-bin calls a file manager - whatever is installed!
+#private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,fonts,machine-id,pulse,fonts,xdg,gtk-3.0,dconf,selinux,
 private-tmp
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index aa0b7dbe3..c28217efb 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -19,6 +19,7 @@ include disable-programs.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index b4791afc5..45a359624 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -26,7 +26,8 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-caps.drop all
+apparmor
+aps.drop all
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/kmplayer.profile b/etc/kmplayer.profile
new file mode 100644
index 000000000..7eabde61d
--- /dev/null
+++ b/etc/kmplayer.profile
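Review bot: The new `private-etc` line in gnome-music lists `fonts` twice and ends with a trailing comma, which leaves an empty final entry; whether firejail tolerates that empty entry or rejects the profile line, the duplicate is dead weight and the trailing comma looks like an editing slip. The line should read `private-etc alternatives,asound.conf,fonts,machine-id,pulse,xdg,gtk-3.0,dconf,selinux`. The comment recording why `private-bin` was disabled is a good precedent; the kmplayer profile added in the same commit comments out its `private-bin` without any such note.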
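Review bot: `+aps.drop all` in the gnome-recipes hunk is a typo for `caps.drop all`, so this commit replaces the capability drop with an option name that firejail does not define. Depending on how the profile parser treats an unknown directive, the profile is either rejected outright or loaded without dropping any capabilities, and either outcome is a regression from the removed `-caps.drop all` line. Change the added line to `caps.drop all`.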
@@ -0,0 +1,41 @@
+# Firejail profile for mplayer
+# Description: mplayer KDE GUI (movie player)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kmplayerrc
+noblacklist ${HOME}/.kde/share/config/kmplayerrc
+noblacklist ${HOME}/.local/share/kmplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# private-bin kmplayer,mplayer
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/pitivi.profile b/etc/pitivi.profile
index 89a6a020b..faa19f27a 100644
--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -22,8 +22,10 @@ include disable-programs.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
+net none
 netfilter
 nodvd
 nogroups
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index ad8b1015e..aff8b08e3 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -28,7 +28,7 @@ whitelist /usr/share/libquvi-scripts
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+apparmor
 caps.drop all
 netfilter
 # nodbus - makes settings immutable
@@ -38,7 +38,7 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
diff --git a/etc/ristretto.profile b/etc/ristretto.profile
index 8fcbb203c..a1cbdf16c 100644
--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
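Review bot: The header of the new kmplayer profile says `# Firejail profile for mplayer`, but the file is etc/kmplayer.profile, its local include is kmplayer.local and every noblacklist path is a kmplayer path; the first line should read `# Firejail profile for kmplayer`. The `# private-bin kmplayer,mplayer` line is commented out with no reason given, whereas the gnome-music hunk in this same commit records why its private-bin was disabled; a short note such as `# private-bin kmplayer,mplayer - disabled: <reason>` would keep the two consistent and stop the next maintainer from re-enabling it blindly. The profile also lists `netfilter` without any `net` directive; if the filter only takes effect inside a new network namespace, that line is presumably inert here and should either be paired with a `net` option or dropped.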
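Review bot: The first rhythmbox hunk replaces `# apparmor - makes settings immutable` with a bare `apparmor`, yet the `# nodbus - makes settings immutable` comment one line below is kept with the very same reason, so the change gives no hint of what made AppArmor safe now. If the immutable-settings problem was re-tested and found gone, a comment such as `apparmor` followed by `# settings were immutable with earlier AppArmor profiles; verified working` would record that; if it was not re-tested, the old breakage presumably returns. The second hunk widens `protocol` to include `netlink` with no accompanying note, and it would help to state in a comment what in rhythmbox needs netlink, since widening the allowed protocol set is a loosening rather than a hardening.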
@@ -17,7 +17,11 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
+net none
 netfilter
 no3d
 nodvd
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index f8744bdf8..7b4041222 100644
--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -23,6 +23,7 @@ whitelist /usr/share/shellcheck
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index c6f5f70b0..73093a259 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.simutrans
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,7 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.simutrans
 whitelist ${HOME}/.simutrans
 include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
 nodbus
diff --git a/etc/smtube.profile b/etc/smtube.profile
index 98e0229ce..79bc02979 100644
--- a/etc/smtube.profile
+++ b/etc/smtube.profile
@@ -28,6 +28,7 @@ whitelist /usr/share/smtube
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/widelands.profile b/etc/widelands.profile
index c6b5f27da..dd956fa28 100644
--- a/etc/widelands.profile
+++ b/etc/widelands.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.widelands
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index a096f803c..a644af351 100644
--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -15,6 +15,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
 no3d
--
cgit v1.2.3-54-g00ecf