From 4c35ba3d383e1b749a61f245425cdf29812c1e0e Mon Sep 17 00:00:00 2001
From: Tad
Date: Wed, 28 Mar 2018 22:24:20 -0400
Subject: Add a profile for ncdu, enable private-etc in Steam again, and fixup gnome-recipes

---
 etc/gnome-recipes.profile | 2 +-
 etc/ncdu.profile | 29 +++++++++++++++++++++++++++++
 etc/steam.profile | 8 +++++---
 3 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 etc/ncdu.profile

(limited to 'etc')

diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index 2392440a6..2f7657c0c 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc ca-certificates,fonts,ssl
+private-etc ca-certificates,fonts,ssl,crypto-policies,pki
 # private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
 # not widely tested though, leaving it to devs discretion to enable it later
 #private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
diff --git a/etc/ncdu.profile b/etc/ncdu.profile
new file mode 100644
index 000000000..ab79a325e
--- /dev/null
+++ b/etc/ncdu.profile
@@ -0,0 +1,29 @@
+# Firejail profile for ncdu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ncdu.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+caps.drop all
+ipc-namespace
+nodbus
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index 4965d3a54..e6449aa97 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
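Review bot: The two entries added to `private-etc` in gnome-recipes.profile (`crypto-policies`, `pki`) carry no explanation of why they are needed, while the lines directly below document the `private-lib` choice at length. I would guess they are required on distributions whose CA bundle and TLS defaults live under /etc/pki and /etc/crypto-policies rather than /etc/ssl, but that is inferred, not visible in the hunk. A one-line comment above the directive, `# crypto-policies,pki: CA bundle and TLS defaults on Fedora-style systems (TLS fails without them)`, would tell the next maintainer these entries are load-bearing rather than a leftover, and would make it obvious which of the five names to keep if the list is ever trimmed.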
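Review bot: In the new ncdu.profile, `# private-tmp` is shipped disabled with no reason given, and the profile omits the `disable-*.inc` includes that the steam.profile hunk at `@@ -32,7 +32,9 @@` shows as the usual pattern, again without a comment; that same steam hunk adds `#ipc-namespace` and `#nodbus` commented out and equally unexplained. The convention visible elsewhere in this commit (`# tracelog disabled as it breaks integrated browser`, `# private-dev should be commented for controllers`) is to say why a hardening option is off, so a reader can tell a deliberate trade-off from an oversight. For ncdu the likely reason is that it has to see the real contents of the directories it measures, but that is my inference, so I would write it as `# private-tmp and the disable-*.inc blacklists are left out so ncdu reports real sizes — verify` and add a matching one-liner next to the two commented-out steam options. It is also worth a comment that nothing in this profile makes the home directory read-only, so ncdu's delete action still acts on real files; the sandbox limits what the process can reach, not what it can remove.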
@@ -32,7 +32,9 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/whitelist-var-common.inc caps.drop all +#ipc-namespace netfilter +#nodbus nodvd nogroups nonewprivs @@ -44,10 +46,10 @@ protocol unix,inet,inet6,netlink seccomp shell none # tracelog disabled as it breaks integrated browser -# tracelog +#tracelog # private-dev should be commented for controllers private-dev -# private-etc breaks some games -#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies +# private-etc breaks a small selection of games on some systems, comment to support those +private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives private-tmp -- cgit v1.2.3-54-g00ecf
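Review bot: The new comment on `private-etc` tells users to comment the line when a game breaks, but profiles under /etc/firejail are replaced on update (the ncdu profile in this same commit says so in its header), so that edit is lost at the next install. The durable override is the per-profile `.local` file that these profiles include (presumably steam.local here, as ncdu.profile does with ncdu.local); if this firejail version supports the `ignore` directive, the comment should point there, e.g. `# private-etc breaks a small selection of games on some systems; to disable it put "ignore private-etc" in steam.local`. Since the directive is being re-enabled, it would also help to note that the listed host files (including `passwd`, `group`, `ld.so.preload` and `ld.so.conf.d`) become visible inside the sandbox, so every name added to the list widens what a misbehaving game process can read. A short `# alternatives: needed for distributions that route binaries through /etc/alternatives — verify` would explain the one new entry, which the hunk otherwise leaves unmotivated.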