From 40a51e179d90f54a20c539567adeed1ea0b94d78 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Tue, 8 Aug 2017 21:31:50 +0200
Subject: various little profile fixes and enhancements (#1442)

* add novideo
* add novideo
* add novideo
* put noexec last
* blacklist Clementine configuration and database
* blacklist Clementine configuration and database
* add novideo
* add novideo, permit access to ~/.java
* add novideo
* spoof machine-id
* mimeapps.list is already in whitelist-common.inc
* ~/.local/share/applications is already read-only see disable-common.inc
* mimeapps.list is already in whitelist-common.inc
* ~/.local/share/applications is already read-only see disable-common.inc
* drop machine-id option private-etc hides it anyway
---
 etc/ark.profile | 1 +
 etc/audacious.profile | 1 +
 etc/baloo_file.profile | 2 +-
 etc/clementine.profile | 1 +
 etc/disable-programs.inc | 1 +
 etc/geary.profile | 2 --
 etc/gwenview.profile | 1 +
 etc/mediathekview.profile | 2 ++
 etc/okular.profile | 1 +
 etc/scribus.profile | 3 ++-
 etc/thunderbird.profile | 2 --
 11 files changed, 11 insertions(+), 6 deletions(-)
(limited to 'etc')

diff --git a/etc/ark.profile b/etc/ark.profile
index 7c8574973..4884b4a0f 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -18,6 +18,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 15bf6c013..0300f6777 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -17,6 +17,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 9c2909b0f..66c552dd6 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -36,6 +36,6 @@ noexec /tmp
 # Make home directory read-only and allow writing only to ~/.local/share
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-# noexec ${HOME}/.local/share
 # read-only ${HOME}
 # read-write ${HOME}/.local/share
+# noexec ${HOME}/.local/share
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 13a14af3b..adcf9414a 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -5,6 +5,7 @@ include /etc/firejail/clementine.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ~/.config/Clementine
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index c67a0b378..0868fa10b 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Brackets
+blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/Gitter
diff --git a/etc/geary.profile b/etc/geary.profile
index 3f9faf058..353d00124 100644
--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -13,7 +13,6 @@ noblacklist ~/.local/share/geary
 mkdir ~/.gnupg
 mkdir ~/.local/share/geary
-whitelist ~/.config/mimeapps.list
 whitelist ~/.gnupg
 whitelist ~/.local/share/applications
 whitelist ~/.local/share/geary
@@ -22,7 +21,6 @@ include /etc/firejail/whitelist-common.inc
 ignore private-tmp
 read-only ~/.config/mimeapps.list
-read-only ~/.local/share/applications
 # allow browsers
 include /etc/firejail/firefox.profile
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 0f2be604b..0bc47d301 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -23,6 +23,7 @@ caps.drop all
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix
 seccomp
 shell none
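Review bot: The constraint that `# noexec ${HOME}/.local/share` has to come after `# read-write ${HOME}/.local/share` lives only in the commit message ("put noexec last"); nothing in baloo_file.profile tells the next person who uncomments these three lines that the order is load-bearing. Since every line in this hunk is commented out, the change has no runtime effect today, which makes a note the only thing that carries the knowledge forward. I would add one line above the block: `# If enabled, keep noexec after read-write (see commit "put noexec last").`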
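Review bot: `noblacklist ~/.config/Clementine` only has an effect if it is processed before the include that adds the matching blacklist, and that include (disable-programs.inc, where this commit adds `blacklist ${HOME}/.config/Clementine`) is outside the hunk, so I could not confirm the order from here. Placing the line before `include /etc/firejail/disable-common.inc` follows the layout the other profiles in this patch use and is presumably fine; a short comment would make the dependency explicit, e.g. `# must stay above the disable-*.inc includes; the blacklist is in disable-programs.inc`. Minor: the profile spells the path `~/.config/Clementine` while disable-programs.inc uses `${HOME}/.config/Clementine` — as far as I can tell both resolve identically, but one spelling across both files would make the pair easier to grep for.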
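Review bot: Removing `read-only ~/.local/share/applications` from the second hunk leaves that directory whitelisted and relies on disable-common.inc (presumably included earlier in the profile, outside this hunk) to keep it read-only. A writable ~/.local/share/applications inside a sandbox is worth guarding twice: a .desktop entry planted there runs outside the sandbox the next time the user launches it, so the explicit line was cheap defence in depth against a later change to disable-common.inc, and I would keep it next to `whitelist ~/.local/share/applications`. If the redundancy is removed on purpose, record the dependency in the profile rather than only in the commit message, e.g. `# ~/.local/share/applications is made read-only by disable-common.inc` above the whitelist line, and likewise `# mimeapps.list is whitelisted by whitelist-common.inc` above the surviving `read-only ~/.config/mimeapps.list`.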
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 5e980909b..bebe95a72 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -6,6 +6,7 @@ include /etc/firejail/mediathekview.local
 include /etc/firejail/globals.local
 noblacklist ~/.config/vlc
+noblacklist ~/.java
 noblacklist ~/.mediathek3
 include /etc/firejail/disable-common.inc
@@ -17,6 +18,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 tracelog
diff --git a/etc/okular.profile b/etc/okular.profile
index 331b625b8..cf747417c 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 7e117dcd1..2ccb5126b 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,7 +5,7 @@ include /etc/firejail/scribus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# Support for PDF readers (Scribus 1.5 and higher)
+# Support for PDF readers comes with Scribus 1.5 and higher
 noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.config/scribus
@@ -30,6 +30,7 @@ caps.drop all
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 tracelog
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index d3b7ee871..c3dc0366b 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -18,7 +18,6 @@ mkdir ~/.gnupg
 mkdir ~/.icedove
 mkdir ~/.thunderbird
 whitelist ~/.cache/thunderbird
-whitelist ~/.config/mimeapps.list
 whitelist ~/.gnupg
 whitelist ~/.icedove
 whitelist ~/.local/share/applications
@@ -28,7 +27,6 @@ include /etc/firejail/whitelist-common.inc
 ignore private-tmp
 read-only ~/.config/mimeapps.list
-read-only ~/.local/share/applications
 # allow browsers
 include /etc/firejail/firefox.profile
--
cgit v1.2.3-54-g00ecf
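Review bot: `noblacklist ~/.java` in the first hunk re-exposes the whole directory, which is considerably broader than the application's own state (`~/.mediathek3`, un-blacklisted on the next line). Besides per-application preference storage, ~/.java commonly holds Java deployment settings and trust stores that every Java program on the account reads, so a compromised MediathekView could tamper with them from inside the sandbox; I cannot tell from the hunk which part the program actually needs. If it is only the preferences tree, narrow the line to `noblacklist ~/.java/.userPrefs`; if the whole directory is really required, say why next to it, e.g. `# ~/.java: needed by MediathekView (Java preferences), see #1442`.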
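Review bot: After this change thunderbird.profile silently depends on two other files — whitelist-common.inc for `~/.config/mimeapps.list` (the surviving `read-only ~/.config/mimeapps.list` only makes sense if that whitelist is still there) and disable-common.inc for `~/.local/share/applications` being read-only — and the only place that says so is the commit message. A reader of the profile will either re-add the lines or, worse, assume the directory is writable by design; since ~/.local/share/applications is where a sandboxed process could plant a .desktop entry that later runs unsandboxed, the read-only guarantee deserves a visible trace here. I would put a comment above each surviving line, `# whitelisted by whitelist-common.inc` before the read-only line and `# read-only via disable-common.inc` before `whitelist ~/.local/share/applications` (own lines, since I am not sure the profile parser accepts trailing comments).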