From 5ae3e801d91f386ab36dbe8fc3d8b50cd30004db Mon Sep 17 00:00:00 2001
From: Your Name
Date: Sat, 24 Mar 2018 19:59:50 -0400
Subject: fix
---
etc/blender-2.8.profile | 30 ++++++++++++++++++++++++++++++
etc/thunderbird-beta.profile | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 65 insertions(+)
create mode 100644 etc/blender-2.8.profile
create mode 100644 etc/thunderbird-beta.profile
(limited to 'etc')
diff --git a/etc/blender-2.8.profile b/etc/blender-2.8.profile
new file mode 100644
index 000000000..29df27759
--- /dev/null
+++ b/etc/blender-2.8.profile
@@ -0,0 +1,30 @@
+# Firejail profile for blender
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/blender.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/blender
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/thunderbird-beta.profile b/etc/thunderbird-beta.profile
new file mode 100644
index 000000000..fb1ee46e2
--- /dev/null
+++ b/etc/thunderbird-beta.profile
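Review bot: Nothing in `etc/blender-2.8.profile` is specific to 2.8: its header says `# Firejail profile for blender`, its local override is `include /etc/firejail/blender.local`, and no rule names a 2.8 path, so it reads as a full copy of an existing blender policy (inferred; that profile is not visible here). A copied sandbox policy drifts, because a later tightening of the original will not reach this file. If a `blender.profile` exists, this file could be reduced to its header plus `include /etc/firejail/blender.profile`, the redirect pattern the second file already uses for firefox; the same applies to `etc/thunderbird-beta.profile`, where only `whitelist /opt/thunderbird-beta` looks beta-specific. At minimum the first line should read `# Firejail profile for blender-2.8`, and the comment above the `.local` include should say that the override file is shared with the stable profile.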
@@ -0,0 +1,35 @@
+# Firejail profile for thunderbird
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/thunderbird.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Users have thunderbird set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+whitelist /opt/thunderbird-beta
+noblacklist ${HOME}/.cache/thunderbird
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.icedove
+noblacklist ${HOME}/.thunderbird
+
+mkdir ${HOME}/.cache/thunderbird
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.icedove
+mkdir ${HOME}/.thunderbird
+whitelist ${HOME}/.cache/thunderbird
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.icedove
+whitelist ${HOME}/.thunderbird
+
+# We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
+ignore private-tmp
+# machine-id breaks audio in browsers; enable it when sound is not required
+# machine-id
+read-only ${HOME}/.config/mimeapps.list
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
+
+# allow browsers
+# Redirect
+include /etc/firejail/firefox.profile
--
cgit v1.2.3-54-g00ecf
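Review bot: The comments explain each relaxation on its own but not their combined effect: `whitelist ${HOME}/.gnupg`, `ignore private-tmp` and `writable-run-user` also apply to the browser that the first comment says is started from mail links, since it runs inside the same sandbox. As far as I know, `writable-run-user` lifts firejail's default blacklist on the gnupg directory under /run/user, so both the key store and the agent socket would be reachable from that browser process. I would add a comment above `writable-run-user` such as `# NOTE: together with the ~/.gnupg whitelist, every process in this sandbox (including a browser opened from a link) can reach GnuPG keys and gpg-agent`. `ignore private-tmp` presumably only takes effect because it precedes `include /etc/firejail/firefox.profile`, so a one-line comment that the order matters would guard against a later reshuffle silently changing the /tmp isolation.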