From c4eff47fbd62d5c9518a6436494881c324b379b8 Mon Sep 17 00:00:00 2001 
From: jc_gargma Date: Wed, 9 Feb 2022 13:36:31 -0800 Subject: Updated for firejail 0.9.68 --- PKGBUILD | 4 +- profiles/abook.profile | 1 - profiles/amfora.profile | 63 ----------------------------- profiles/calcurse.profile | 1 - profiles/firefox-common.local | 1 - profiles/generic-game.inc | 1 - profiles/generic-wine-game.inc | 1 - profiles/git.local | 2 +- profiles/hg.profile | 71 --------------------------------- profiles/kmymoney.profile | 1 - profiles/konqueror.profile | 1 - profiles/kristall.profile | 1 - profiles/legend-of-grimrock.profile | 18 --------- profiles/lgogdownloader.profile | 1 - profiles/nyamp.profile | 57 -------------------------- profiles/objects-in-space.profile | 22 ---------- profiles/poi.profile | 1 - profiles/qimv.profile | 54 ------------------------- profiles/strawberry.local | 14 ------- profiles/toxic.profile | 1 - profiles/weechat.local | 1 - profiles/wine.local | 2 - unmaintained/aa_readme.txt | 1 + unmaintained/amfora.profile | 62 ++++++++++++++++++++++++++++ unmaintained/hg.profile | 70 ++++++++++++++++++++++++++++++++ unmaintained/legend-of-grimrock.profile | 18 +++++++++ unmaintained/nyamp.profile | 56 ++++++++++++++++++++++++++ unmaintained/objects-in-space.profile | 22 ++++++++++ unmaintained/qimv.profile | 53 ++++++++++++++++++++++++ unmaintained/strawberry.local | 14 +++++++ 30 files changed, 299 insertions(+), 316 deletions(-) delete mode 100644 profiles/amfora.profile delete mode 100644 profiles/hg.profile delete mode 100644 profiles/legend-of-grimrock.profile delete mode 100644 profiles/nyamp.profile delete mode 100644 profiles/objects-in-space.profile delete mode 100644 profiles/qimv.profile delete mode 100644 profiles/strawberry.local create mode 100644 unmaintained/aa_readme.txt create mode 100644 unmaintained/amfora.profile create mode 100644 unmaintained/hg.profile create mode 100644 unmaintained/legend-of-grimrock.profile create mode 100644 unmaintained/nyamp.profile create mode 100644 
unmaintained/objects-in-space.profile create mode 100644 unmaintained/qimv.profile create mode 100644 unmaintained/strawberry.local diff --git a/PKGBUILD b/PKGBUILD index aa8006a..ad2aefe 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -1,7 +1,7 @@ # Maintainer: jc_gargma pkgname=firejail-profiles -pkgver=20211202 +pkgver=20220209 pkgrel=1 pkgdesc="Additional firejail profiles and locals" arch=('any') @@ -9,7 +9,7 @@ url="https://library.iserlohn-fortress.net/firejail-profiles.git" license=('GPLv3') depends=('firejail' 'hardened-malloc') source=(profiles.tar.gz) -b2sums=('031b892e6552e54390f89d441b25a77a96301fb344ceff490bd1fb339b53e385ff3bc420c7e748ebbf3168cc8c360093c8f86be5ed551295060b3cf66becc839') +b2sums=('8efe93f490d3980a4463b31d2ba730ed395550e95f3e2a8f74eed12fa394f68ce38eec7245f55cdd972e7433f6647ecaef20c9485264d4e1cc39ba4efc770009') package() { install --directory ${pkgdir}/etc/firejail diff --git a/profiles/abook.profile b/profiles/abook.profile index 5ebcd86..5e697aa 100644 --- a/profiles/abook.profile +++ b/profiles/abook.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-write-mnt.inc include disable-xdg.inc diff --git a/profiles/amfora.profile b/profiles/amfora.profile deleted file mode 100644 index 65da794..0000000 --- a/profiles/amfora.profile +++ /dev/null 
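Review bot: `depends=('firejail' 'hardened-malloc')` in the second PKGBUILD hunk stays unversioned, although this commit removes `include disable-passwdmgr.inc` from abook.profile here and from the calcurse, firefox-common, generic-game, generic-wine-game, kmymoney, konqueror, kristall, lgogdownloader, poi, toxic, weechat and wine files further down. If, as the commit title suggests, firejail 0.9.68 no longer ships that include and covers those paths elsewhere, the same profiles installed next to an older firejail would silently lose the password-manager blacklist. Pinning the minimum, `depends=('firejail>=0.9.68' 'hardened-malloc')`, makes that assumption explicit. package() continues outside the hunk, so how the new unmaintained/ directory is installed cannot be checked from here.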
@@ -1,63 +0,0 @@ -# Firejail profile for amfora -# This file is overwritten after every install/update -quiet -# Persistent local customizations -include amfora.local -# Persistent global definitions -include globals.local - - -noblacklist ${HOME}/.config/amfora -noblacklist ${HOME}/.local/share/amfora - -blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* - -include disable-common.inc -include disable-devel.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-write-mnt.inc -include disable-xdg.inc - -mkdir ${HOME}/.config/amfora -mkdir ${HOME}/.local/share/amfora - -whitelist ${HOME}/.config/amfora -whitelist ${HOME}/.local/share/amfora -include whitelist-runuser-common.inc - -caps.drop all -machine-id -netfilter -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol inet,inet6 -seccomp -shell none -tracelog - -disable-mnt -private-bin amfora -private-cache -private-dev -private-etc ca-certificates,resolv.conf,ssl -private-tmp - -dbus-user none -dbus-system none - -noexec ${HOME} -noexec /tmp - -# # Use with hardened-malloc package -env LD_PRELOAD=/usr/lib/libhardened_malloc.so diff --git a/profiles/calcurse.profile b/profiles/calcurse.profile index 250f153..5f4504e 100644 --- a/profiles/calcurse.profile +++ b/profiles/calcurse.profile @@ -8,7 +8,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-write-mnt.inc include disable-xdg.inc diff --git a/profiles/firefox-common.local b/profiles/firefox-common.local index e6fdada..fe08e8d 100644 --- a/profiles/firefox-common.local +++ b/profiles/firefox-common.local @@ -1,4 +1,3 @@ -include disable-passwdmgr.inc include disable-shell.inc include disable-write-mnt.inc include disable-xdg.inc 
diff --git a/profiles/generic-game.inc b/profiles/generic-game.inc index 43e72a0..554f910 100644 --- a/profiles/generic-game.inc +++ b/profiles/generic-game.inc @@ -6,7 +6,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc diff --git a/profiles/generic-wine-game.inc b/profiles/generic-wine-game.inc index 27dc93a..fe72355 100644 --- a/profiles/generic-wine-game.inc +++ b/profiles/generic-wine-game.inc @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-write-mnt.inc include disable-xdg.inc diff --git a/profiles/git.local b/profiles/git.local index 0d64d0d..21fa3b5 100644 --- a/profiles/git.local +++ b/profiles/git.local @@ -21,4 +21,4 @@ whitelist ${HOME}/workspace protocol inet,inet6 -private-bin git,less +private-bin git,less,grep diff --git a/profiles/hg.profile b/profiles/hg.profile deleted file mode 100644 index c72365f..0000000 --- a/profiles/hg.profile +++ /dev/null 
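Review bot: The widened allow-list in git.local, `private-bin git,less,grep`, has no comment saying which git operation needs grep inside the sandbox. private-bin is the list of executables exposed to the sandboxed process, so each entry deserves a one-line justification, for example `# grep: needed by <git operation that failed without it>` directly above the line. The rest of git.local lies outside the hunk, so an existing explanation further up cannot be ruled out.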
@@ -1,71 +0,0 @@ -# Firejail profile for hg -# This file is overwritten after every install/update -quiet -# Persistent local customizations -include hg.local -# Persistent global definitions -include globals.local - -noblacklist ${HOME}/.config/nano -noblacklist ${HOME}/.emacs -noblacklist ${HOME}/.emacs.d -noblacklist ${HOME}/.hgrc -#noblacklist ${HOME}/.gnupg -noblacklist ${HOME}/.nanorc -noblacklist ${HOME}/.oh-my-zsh -#noblacklist ${HOME}/.ssh -noblacklist ${HOME}/.vim -noblacklist ${HOME}/.viminfo - -# Allow ssh (blacklisted by disable-common.inc) -include allow-ssh.inc - -blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* - -include disable-common.inc -include disable-exec.inc -include disable-passwdmgr.inc -include disable-programs.inc - -whitelist ${HOME}/.config/nano -whitelist ${HOME}/.emacs -whitelist ${HOME}/.emacs.d -whitelist ${HOME}/.hgrc -#whitelist ${HOME}/.gnupg -#read-only ${HOME}/.gnupg -whitelist ${HOME}/.nanorc -read-only ${HOME}/.nanorc -whitelist ${HOME}/.oh-my-zsh -#whitelist ${HOME}/.ssh -#read-only ${HOME}/.ssh -whitelist ${HOME}/.vim -whitelist ${HOME}/.viminfo -whitelist ${HOME}/build -whitelist ${HOME}/workspace - -caps.drop all -ipc-namespace -machine-id -netfilter -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol inet,inet6 -#protocol unix,inet,inet6 -seccomp -shell none - -private-bin hg,python2 -private-cache -private-dev - -memory-deny-write-execute - diff --git a/profiles/kmymoney.profile b/profiles/kmymoney.profile index 05c75ce..257e574 100644 --- a/profiles/kmymoney.profile +++ b/profiles/kmymoney.profile @@ -13,7 +13,6 @@ noblacklist ${HOME}/.local/share/kmymoney include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc diff --git a/profiles/konqueror.profile b/profiles/konqueror.profile index 0c3cb07..d6081ce 100644 
--- a/profiles/konqueror.profile +++ b/profiles/konqueror.profile @@ -20,7 +20,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc diff --git a/profiles/kristall.profile b/profiles/kristall.profile index b7e3691..6a8d565 100644 --- a/profiles/kristall.profile +++ b/profiles/kristall.profile @@ -13,7 +13,6 @@ noblacklist ${HOME}/.config/xqTechnologies include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-interpreters.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-shell.inc include /etc/firejail/disable-write-mnt.inc diff --git a/profiles/legend-of-grimrock.profile b/profiles/legend-of-grimrock.profile deleted file mode 100644 index 7921296..0000000 --- a/profiles/legend-of-grimrock.profile +++ /dev/null @@ -1,18 +0,0 @@ -# This file is overwritten after every install/update -# Persistent local customizations -include legend-of-grimrock.local -# Persistent global definitions -include globals.local - -noblacklist ${HOME}/.local/share/Almost Human -noblacklist ${HOME}/.local/share/Almost Human/Legend of Grimrock - -mkdir ${HOME}/.local/share/Almost Human -mkdir ${HOME}/.local/share/Almost Human/Legend of Grimrock -whitelist ${HOME}/.local/share/Almost Human/Legend of Grimrock -whitelist ${HOME}/games/Legend of Grimrock -read-only ${HOME}/games/Legend of Grimrock - -ignore memory-deny-write-execute - -include generic-game.inc diff --git a/profiles/lgogdownloader.profile b/profiles/lgogdownloader.profile index e78e347..b06497d 100644 --- a/profiles/lgogdownloader.profile +++ b/profiles/lgogdownloader.profile 
@@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-write-mnt.inc diff --git a/profiles/nyamp.profile b/profiles/nyamp.profile deleted file mode 100644 index a0fd602..0000000 --- a/profiles/nyamp.profile +++ /dev/null @@ -1,57 +0,0 @@ -# This file is overwritten after every install/update -# Persistent local customizations -include nyamp.local -# Persistent global definitions -include globals.local - -noblacklist ${HOME}/.config/iserlohn-fortress.net/nyamp -noblacklist ${MUSIC} - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-shell.inc -include disable-write-mnt.inc -include disable-xdg.inc - -mkdir ${HOME}/.config/iserlohn-fortress.net -mkdir ${HOME}/.config/iserlohn-fortress.net/nyamp - -whitelist ${HOME}/.config/iserlohn-fortress.net/nyamp -whitelist ${MUSIC} -read-only ${MUSIC} -include whitelist-common.inc - - -caps.drop all -# machine-id -net none -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog - -disable-mnt -private-bin bash,nyamp -private-cache -private-dev -private-etc fonts,machine-id -# private-etc asound.conf,fonts,machine-id,pulse -private-tmp - -memory-deny-write-execute - -dbus-user none -dbus-system none diff --git a/profiles/objects-in-space.profile b/profiles/objects-in-space.profile deleted file mode 100644 index c8d89ef..0000000 --- a/profiles/objects-in-space.profile +++ /dev/null 
@@ -1,22 +0,0 @@ -# This file is overwritten after every install/update -# Persistent local customizations -include objects-in-space.local -# Persistent global definitions -include globals.local - -noblacklist ${HOME}/Documents -noblacklist ${HOME}/Documents/ObjectsInSpace - -mkdir ${HOME}/Documents -mkdir ${HOME}/Documents/ObjectsInSpace -whitelist ${HOME}/Documents/ObjectsInSpace -whitelist ${HOME}/games/Objects In Space -read-only ${HOME}/games/Objects In Space - -private-etc asound.conf,group,localtime,machine-id,passwd,pulse - -ignore memory-deny-write-execute - -ignore noexec ${HOME} - -include generic-game.inc diff --git a/profiles/poi.profile b/profiles/poi.profile index 6b133ae..84038e8 100644 --- a/profiles/poi.profile +++ b/profiles/poi.profile @@ -13,7 +13,6 @@ noblacklist ${HOME}/.local/share/smolbote include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-interpreters.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-shell.inc include /etc/firejail/disable-write-mnt.inc diff --git a/profiles/qimv.profile b/profiles/qimv.profile deleted file mode 100644 index f243b20..0000000 --- a/profiles/qimv.profile +++ /dev/null 
@@ -1,54 +0,0 @@ -# Firejail profile for qimv -# Description: Image viewer -# This file is overwritten after every install/update -# Persistent local customizations -include qimv.local -# Persistent global definitions -include globals.local - -# Comment in these two lines to enable testing the binary from ${HOME} -#ignore noexec ${HOME} -#ignore private-bin qimv,imv - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-shell.inc -include disable-write-mnt.inc - -#include whitelist-common.inc -#include whitelist-var-common.inc - -apparmor -caps.drop all -machine-id -net none -# no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog - -# disable-mnt -private-bin qimv,imv -private-cache -private-dev -private-etc fonts,machine-id,localtime,passwd -private-tmp - -memory-deny-write-execute - -dbus-user none -dbus-system none diff --git a/profiles/strawberry.local b/profiles/strawberry.local deleted file mode 100644 index a605392..0000000 --- a/profiles/strawberry.local +++ /dev/null @@ -1,14 +0,0 @@ -whitelist ${HOME}/.cache/strawberry -whitelist ${HOME}/.config/strawberry -whitelist ${HOME}/.local/share/strawberry -whitelist ${MUSIC} - -include disable-shell.inc -include disable-write-mnt.inc - -include whitelist-common.inc - -#net none -protocol unix,inet,inet6 - -private-etc asound.conf,group,localtime,machine-id,pulse,resolv.conf diff --git a/profiles/toxic.profile b/profiles/toxic.profile index 33d0cde..f6e862e 100644 --- a/profiles/toxic.profile +++ b/profiles/toxic.profile @@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-write-mnt.inc include disable-xdg.inc 
diff --git a/profiles/weechat.local b/profiles/weechat.local index 38d8565..ac3d428 100644 --- a/profiles/weechat.local +++ b/profiles/weechat.local @@ -11,7 +11,6 @@ noblacklist /usr/share/python3* include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-write-mnt.inc include disable-xdg.inc diff --git a/profiles/wine.local b/profiles/wine.local index ebad424..3f2be46 100644 --- a/profiles/wine.local +++ b/profiles/wine.local @@ -1,8 +1,6 @@ noblacklist ${HOME}/.config/q4wine noblacklist ${HOME}/.local/share/wineprefixes -include disable-passwdmgr.inc - mkdir ${HOME}/.wine mkdir ${HOME}/.config/q4wine mkdir ${HOME}/.local/share/wineprefixes diff --git a/unmaintained/aa_readme.txt b/unmaintained/aa_readme.txt new file mode 100644 index 0000000..8d1c8b6 --- /dev/null +++ b/unmaintained/aa_readme.txt @@ -0,0 +1 @@ + diff --git a/unmaintained/amfora.profile b/unmaintained/amfora.profile new file mode 100644 index 0000000..411a4ff --- /dev/null +++ b/unmaintained/amfora.profile 
@@ -0,0 +1,62 @@
+# Firejail profile for amfora
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include amfora.local
+# Persistent global definitions
+include globals.local
+
+
+noblacklist ${HOME}/.config/amfora
+noblacklist ${HOME}/.local/share/amfora
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/amfora
+mkdir ${HOME}/.local/share/amfora
+
+whitelist ${HOME}/.config/amfora
+whitelist ${HOME}/.local/share/amfora
+include whitelist-runuser-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin amfora
+private-cache
+private-dev
+private-etc ca-certificates,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+noexec ${HOME}
+noexec /tmp
+
+# # Use with hardened-malloc package
+env LD_PRELOAD=/usr/lib/libhardened_malloc.so
diff --git a/unmaintained/hg.profile b/unmaintained/hg.profile
new file mode 100644
index 0000000..57eb45b
--- /dev/null
+++ b/unmaintained/hg.profile
@@ -0,0 +1,70 @@
+# Firejail profile for hg
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include hg.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.hgrc
+#noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.nanorc
+noblacklist ${HOME}/.oh-my-zsh
+#noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-exec.inc
+include disable-programs.inc
+
+whitelist ${HOME}/.config/nano
+whitelist ${HOME}/.emacs
+whitelist ${HOME}/.emacs.d
+whitelist ${HOME}/.hgrc
+#whitelist ${HOME}/.gnupg
+#read-only ${HOME}/.gnupg
+whitelist ${HOME}/.nanorc
+read-only ${HOME}/.nanorc
+whitelist ${HOME}/.oh-my-zsh
+#whitelist ${HOME}/.ssh
+#read-only ${HOME}/.ssh
+whitelist ${HOME}/.vim
+whitelist ${HOME}/.viminfo
+whitelist ${HOME}/build
+whitelist ${HOME}/workspace
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+#protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin hg,python2
+private-cache
+private-dev
+
+memory-deny-write-execute
+
diff --git a/unmaintained/legend-of-grimrock.profile b/unmaintained/legend-of-grimrock.profile
new file mode 100644
index 0000000..7921296
--- /dev/null
+++ b/unmaintained/legend-of-grimrock.profile
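Review bot: In unmaintained/hg.profile, `include allow-ssh.inc` under the comment `# Allow ssh (blacklisted by disable-common.inc)` looks ineffective as written: `private-bin hg,python2` leaves no ssh client in the sandbox, and `${HOME}/.ssh` is not among the active whitelist lines (its `whitelist`/`read-only` pair is commented out). The comment therefore suggests ssh access that the profile does not appear to grant. Either drop the include and reword the comment, or complete it deliberately with `private-bin hg,python2,ssh` and `read-only ${HOME}/.ssh`. Since the file now lives under unmaintained/, a header comment such as `# UNMAINTAINED: kept for reference, not tested against current firejail` would stop readers from treating it as a current sandbox policy.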
@@ -0,0 +1,18 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include legend-of-grimrock.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Almost Human
+noblacklist ${HOME}/.local/share/Almost Human/Legend of Grimrock
+
+mkdir ${HOME}/.local/share/Almost Human
+mkdir ${HOME}/.local/share/Almost Human/Legend of Grimrock
+whitelist ${HOME}/.local/share/Almost Human/Legend of Grimrock
+whitelist ${HOME}/games/Legend of Grimrock
+read-only ${HOME}/games/Legend of Grimrock
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
diff --git a/unmaintained/nyamp.profile b/unmaintained/nyamp.profile
new file mode 100644
index 0000000..2b3ffa8
--- /dev/null
+++ b/unmaintained/nyamp.profile
@@ -0,0 +1,56 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nyamp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/iserlohn-fortress.net/nyamp
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/iserlohn-fortress.net
+mkdir ${HOME}/.config/iserlohn-fortress.net/nyamp
+
+whitelist ${HOME}/.config/iserlohn-fortress.net/nyamp
+whitelist ${MUSIC}
+read-only ${MUSIC}
+include whitelist-common.inc
+
+
+caps.drop all
+# machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,nyamp
+private-cache
+private-dev
+private-etc fonts,machine-id
+# private-etc asound.conf,fonts,machine-id,pulse
+private-tmp
+
+memory-deny-write-execute
+
+dbus-user none
+dbus-system none
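Review bot: unmaintained/nyamp.profile combines `include disable-shell.inc` with `private-bin bash,nyamp`, so one line hides shell binaries while another copies bash into the sandbox's bin directory. If nyamp is started through a bash wrapper, that dependency should be stated in a comment and the disable-shell include reconsidered; if it is not, `private-bin nyamp` is the tighter setting. Which of the two directives wins at runtime is not visible from this page, so the effective policy should be confirmed before the profile is reused.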
diff --git a/unmaintained/objects-in-space.profile b/unmaintained/objects-in-space.profile
new file mode 100644
index 0000000..c8d89ef
--- /dev/null
+++ b/unmaintained/objects-in-space.profile
@@ -0,0 +1,22 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include objects-in-space.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/Documents
+noblacklist ${HOME}/Documents/ObjectsInSpace
+
+mkdir ${HOME}/Documents
+mkdir ${HOME}/Documents/ObjectsInSpace
+whitelist ${HOME}/Documents/ObjectsInSpace
+whitelist ${HOME}/games/Objects In Space
+read-only ${HOME}/games/Objects In Space
+
+private-etc asound.conf,group,localtime,machine-id,passwd,pulse
+
+ignore memory-deny-write-execute
+
+ignore noexec ${HOME}
+
+include generic-game.inc
diff --git a/unmaintained/qimv.profile b/unmaintained/qimv.profile
new file mode 100644
index 0000000..02d7962
--- /dev/null
+++ b/unmaintained/qimv.profile
@@ -0,0 +1,53 @@
+# Firejail profile for qimv
+# Description: Image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qimv.local
+# Persistent global definitions
+include globals.local
+
+# Comment in these two lines to enable testing the binary from ${HOME}
+#ignore noexec ${HOME}
+#ignore private-bin qimv,imv
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+
+#include whitelist-common.inc
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+# no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+private-bin qimv,imv
+private-cache
+private-dev
+private-etc fonts,machine-id,localtime,passwd
+private-tmp
+
+memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/unmaintained/strawberry.local b/unmaintained/strawberry.local
new file mode 100644
index 0000000..a605392
--- /dev/null
+++ b/unmaintained/strawberry.local
@@ -0,0 +1,14 @@
+whitelist ${HOME}/.cache/strawberry
+whitelist ${HOME}/.config/strawberry
+whitelist ${HOME}/.local/share/strawberry
+whitelist ${MUSIC}
+
+include disable-shell.inc
+include disable-write-mnt.inc
+
+include whitelist-common.inc
+
+#net none
+protocol unix,inet,inet6
+
+private-etc asound.conf,group,localtime,machine-id,pulse,resolv.conf
-- cgit v1.2.1