From b7bcc70d20a71daf5ba6dff670bbf90e7a09d2e4 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 21 Apr 2020 20:58:34 +0000
Subject: file managers refactoring (#3375)
* refactor caja.profile
* refactor dolphin.profile
* Create file-manager-common.profile
* refactor nautilus.profile
* refactor nemo.profile
* refactor pcmanfm.profile
* refactor ranger.profile
* refactor Thunar.profile
---
 etc/profile-a-l/caja.profile | 34 ++------------------
 etc/profile-a-l/dolphin.profile | 34 ++------------------
 etc/profile-a-l/file-manager-common.profile | 49 +++++++++++++++++++++++++++++
 etc/profile-m-z/Thunar.profile | 27 ++--------------
 etc/profile-m-z/nautilus.profile | 35 ++-------------------
 etc/profile-m-z/nemo.profile | 32 ++-----------------
 etc/profile-m-z/pcmanfm.profile | 29 ++---------------
 etc/profile-m-z/ranger.profile | 38 ++--------------------
 8 files changed, 70 insertions(+), 208 deletions(-)
 create mode 100644 etc/profile-a-l/file-manager-common.profile
(limited to 'etc')
diff --git a/etc/profile-a-l/caja.profile b/etc/profile-a-l/caja.profile
index 7bf901ae3..1af102ca8 100644
--- a/etc/profile-a-l/caja.profile
+++ b/etc/profile-a-l/caja.profile
@@ -9,35 +9,7 @@ include globals.local
 # Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
 # is already a caja process running on MATE desktops firejail will have no effect.
-noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.config/caja - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.local/share/caja-python
+# Put 'ignore noroot' in your caja.local if you use MPV+Vulkan (see issue #3012)
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-
-allusers
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# caja needs to be able to start arbitrary applications so we cannot blacklist their files
-# private-bin caja
-# private-dev
-# private-tmp
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-a-l/dolphin.profile b/etc/profile-a-l/dolphin.profile
index d264470af..e0300a577 100644
--- a/etc/profile-a-l/dolphin.profile
+++ b/etc/profile-a-l/dolphin.profile
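Review bot: Redirecting caja to the shared profile silently widens its socket filter: the removed `protocol unix` is replaced by the shared profile's `protocol unix,inet,inet6,netlink`, so a sandboxed caja and anything it launches may now open IPv4, IPv6 and netlink sockets. The same widening applies to the Thunar, nautilus, pcmanfm and ranger hunks, which also carried `protocol unix`. If the wider list is intended, the commit message should say so; otherwise keep the restriction in the caller by leaving `protocol unix` ahead of `include file-manager-common.profile`. That placement assumes firejail keeps the first protocol list it reads, which should be confirmed for the targeted version.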
@@ -6,37 +6,9 @@ include dolphin.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/dolphinrc
-# noblacklist ${HOME}/.local/share/dolphin
+# Put 'ignore noroot' in your dolphin.local if you use MPV+Vulkan (see issue #3012)
-# Allow lua (blacklisted by disable-interpreters.inc)
-include allow-lua.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
-# include disable-programs.inc
-
-allusers
-caps.drop all
-# net none
-netfilter
-nodvd
-nogroups
-nonewprivs
-# Comment the next line (or put 'ignore noroot' in your dolphin.local) if you use MPV+Vulkan (see issue #3012)
-noroot
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-dev
-# private-tmp
+# Redirect
+include file-manager-common.profile
 join-or-start dolphin
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
new file mode 100644
index 000000000..8551e713d
--- /dev/null
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -0,0 +1,49 @@
+# Firejail profile for file managers
+# Description: Common profile for GUI file managers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include file-manager-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# File managers need to be able to see everything under ${HOME}
+# and be able to start arbitrary applications
+
+ignore noexec ${HOME}
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow perl
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+allusers
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+
+#dbus-user none
+#dbus-system none
diff --git a/etc/profile-m-z/Thunar.profile b/etc/profile-m-z/Thunar.profile
index 761440ccc..28acb414b 100644
--- a/etc/profile-m-z/Thunar.profile
+++ b/etc/profile-m-z/Thunar.profile
@@ -6,28 +6,7 @@ include Thunar.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.config/Thunar
-noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-
-allusers
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
+# Redirect
+include file-manager-common.profile
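Review bot: `#include disable-common.inc` is commented out in the new shared profile with no explanation, although all seven profiles that now redirect here had `include disable-common.inc` before this commit. Whatever blacklists that include supplies are therefore dropped for every file manager at once, which is a policy change rather than a refactor. If it is deliberate (the header says file managers need to see everything under ${HOME}), record the reason next to the line, for example `# disable-common.inc is not included: file managers must see everything under ${HOME}`. If it is not deliberate, restore `include disable-common.inc`.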
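Review bot: The comment added to Thunar.profile names the wrong override file: it says `pcmanfm.local`, but this profile includes `Thunar.local`, as the hunk header context shows. A user following the comment would edit a file Thunar never reads, and the `ignore noroot` override would appear not to work. The line should read `# Put 'ignore noroot' in your Thunar.local if you use MPV+Vulkan (see issue #3012)`.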
diff --git a/etc/profile-m-z/nautilus.profile b/etc/profile-m-z/nautilus.profile
index e003488de..e54bea228 100644
--- a/etc/profile-m-z/nautilus.profile
+++ b/etc/profile-m-z/nautilus.profile
@@ -9,36 +9,7 @@ include globals.local
 # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
 # is already a nautilus process running on gnome desktops firejail will have no effect.
-noblacklist ${HOME}/.config/nautilus
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.local/share/nautilus
-noblacklist ${HOME}/.local/share/nautilus-python
+# Put 'ignore noroot' in your nautilus.local if you use MPV+Vulkan (see issue #3012)
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-
-allusers
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
-# private-bin nautilus
-# private-dev
-# private-tmp
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-m-z/nemo.profile b/etc/profile-m-z/nemo.profile
index 6a62a3a0c..1b3333e8c 100644
--- a/etc/profile-m-z/nemo.profile
+++ b/etc/profile-m-z/nemo.profile
@@ -6,33 +6,7 @@ include nemo.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/nemo
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.local/share/nemo
-noblacklist ${HOME}/.local/share/nemo-python
-
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-
-allusers
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
+# Put 'ignore noroot' in your nemo.local if you use MPV+Vulkan (see issue #3012)
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-m-z/pcmanfm.profile b/etc/profile-m-z/pcmanfm.profile
index 4e53f9d6e..5718ab164 100644
--- a/etc/profile-m-z/pcmanfm.profile
+++ b/etc/profile-m-z/pcmanfm.profile
@@ -6,30 +6,7 @@ include pcmanfm.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/pcmanfm
+# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-
-allusers
-caps.drop all
-# net none - see issue #1467, computer:/// location broken
-no3d
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# dbus-user none
-# dbus-system none
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-m-z/ranger.profile b/etc/profile-m-z/ranger.profile
index af033af1a..8b3fe97d8 100644
--- a/etc/profile-m-z/ranger.profile
+++ b/etc/profile-m-z/ranger.profile
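Review bot: nemo.profile loses `include disable-exec.inc`, `no3d` and `nosound` in this redirect, and none of them is replaced by the shared profile. The shared profile additionally carries `ignore noexec ${HOME}`, so any noexec restriction on the home directory that disable-exec.inc presumably supplied is explicitly switched off rather than merely omitted. `no3d` and `nosound` disappear the same way in the Thunar and pcmanfm hunks. If these were dropped only to make the profiles uniform, keep `no3d` and `nosound` in each caller ahead of `include file-manager-common.profile`, and state in the commit message why disable-exec.inc is no longer wanted for nemo.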
@@ -6,39 +6,7 @@ include ranger.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/nano
-noblacklist ${HOME}/.config/ranger
-noblacklist ${HOME}/.nanorc
+# Put 'ignore noroot' in your ranger.local if you use MPV+Vulkan (see issue #3012)
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-# Allow perl
-include allow-perl.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-allusers
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-#x11 none
-
-private-dev
-
-dbus-user none
-dbus-system none
+# Redirect
+include file-manager-common.profile
-- cgit v1.2.3-70-g09d2
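Review bot: ranger loses the most isolation in this redirect: `net none`, `dbus-user none`, `dbus-system none` and `include disable-programs.inc` are all removed. The shared profile supplies `netfilter` with `protocol unix,inet,inet6,netlink` instead, and leaves both dbus lines and disable-programs.inc commented out. The shared profile describes itself as a profile for GUI file managers, so a profile that previously ran with no network and no D-Bus access is moved to network-enabled defaults without a stated reason. Keep the stricter settings in ranger.profile ahead of the include (`net none`, `dbus-user none`, `dbus-system none`), and restore `include disable-programs.inc` unless the commit intends ranger to reach other programs' files.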