From dc3a1afb419977b5504f60a8ea60c9f5c85a3f0a Mon Sep 17 00:00:00 2001
From: jc_gargma
Date: Sun, 12 Apr 2020 20:29:15 -0700
Subject: Add calcurse profile

Update smolbote profile
---
 PKGBUILD | 4 +-
 profiles/calcurse.profile | 39 ++++++++++++++++
 profiles/poi.local | 9 ----
 profiles/poi.profile | 111 ++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 152 insertions(+), 11 deletions(-)
 create mode 100644 profiles/calcurse.profile
 delete mode 100644 profiles/poi.local
 create mode 100644 profiles/poi.profile

diff --git a/PKGBUILD b/PKGBUILD
index 4c3b629..7d01c98 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
 # Maintainer: jc_gargma
 pkgname=firejail-profiles
-pkgver=20200331
+pkgver=20200412
 pkgrel=1
 pkgdesc="Additional firejail profiles and locals"
 arch=('any')
@@ -9,7 +9,7 @@ url="https://library.iserlohn-fortress.net/jc_gargma"
 license=('GPLv3')
 depends=('firejail' 'hardened-malloc')
 source=(profiles.tar.gz)
-b2sums=('31d5a061c7dd203ee55dd9448469bd61ac44aa7f8704e59c6d4bcf9eb88c85040d55c3c508b0f6f59df10ac46348c80d622a5e873450095756199c166671b83a')
+b2sums=('9446b4cce3cd588c811de558b062fee22a2520b6ee62da39e214694e1ce101adb48493c55bc54c87f61e4a3b6268309b06221b7e69af965929b2f5d9e7c48389')
 package() {
 install --directory ${pkgdir}/etc/firejail
diff --git a/profiles/calcurse.profile b/profiles/calcurse.profile
new file mode 100644
index 0000000..55efe09
--- /dev/null
+++ b/profiles/calcurse.profile
@@ -0,0 +1,39 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calcurse.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/calcurse
+noblacklist ${HOME}/.local/share/calcurse
+mkdir ${HOME}/.config/calcurse
+mkdir ${HOME}/.local/share/calcurse
+whitelist ${HOME}/.config/calcurse
+whitelist ${HOME}/.local/share/calcurse
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin calcurse,calcurse-caldav,calcurse-vdir,calcurse-upgrade,nano,rnano,sh,less
+private-cache
+private-dev
+private-etc localtime
+private-tmp
diff --git a/profiles/poi.local b/profiles/poi.local
deleted file mode 100644
index 4efe315..0000000
--- a/profiles/poi.local
+++ /dev/null
@@ -1,9 +0,0 @@
-nou2f
-shell none
-
-# memory-deny-write-execute
-private-bin poi,bash
-
-# # Use with hardened-malloc package
-# # Breaks smolbote
-# env LD_PRELOAD=/usr/lib/libhardened_malloc.so
diff --git a/profiles/poi.profile b/profiles/poi.profile
new file mode 100644
index 0000000..43e3739
--- /dev/null
+++ b/profiles/poi.profile
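Review bot: `private-bin` ships calcurse-caldav, yet the same profile sets `net none`, so the CalDAV sync helper can never reach a server from inside the sandbox, and `netfilter` on the next line is a no-op without a `net` device (the new poi.profile's own comment says as much). Either remove calcurse-caldav from the `private-bin` line or add a comment such as `# Network is disabled; enable it in calcurse.local if calcurse-caldav is needed` so the pairing reads as intended. Unlike poi.profile this file includes none of the `disable-*.inc` blacklists or `whitelist-common.inc`, which leaves the two `noblacklist` lines with nothing to exempt and system directories such as /usr and /var at their default visibility; if that is deliberate it deserves a one-line comment, otherwise the `include` lines belong right after the `noblacklist` block. The two local-include styles also differ: this file uses `include calcurse.local` while poi.profile uses `include /etc/firejail/poi.local`, and one form should be chosen for the package.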
@@ -0,0 +1,111 @@
+# Firejail profile for poi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/poi.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# noblacklist: exclude from blacklist
+noblacklist ${HOME}/.cache/smolbote
+noblacklist ${HOME}/.config/smolbote
+noblacklist ${HOME}/.local/share/smolbote
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+mkdir ${HOME}/.cache/smolbote
+mkdir ${HOME}/.config/smolbote
+mkdir ${HOME}/.local/share/smolbote
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/smolbote
+whitelist ${HOME}/.config/smolbote
+whitelist ${HOME}/.local/share/smolbote
+include /etc/firejail/whitelist-common.inc
+
+
+## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
+caps.drop all
+
+## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user.
+# Breaks audio
+# ipc-namespace
+
+## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
+# Breaks audio
+# machine-id
+
+## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
+netfilter
+
+## nodbus - Disable access to dbus.
+nodbus
+
+## nodvd - Disable access to optical disk drives.
+nodvd
+
+## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
+nogroups
+
+## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
+nonewprivs
+
+## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
+noroot
+
+## notv - Disable access to DVB TV devices.
+notv
+
+## nou2f - Disable access to U2F devices.
+nou2f
+
+# novideo - Disable access to video devices.
+novideo
+
+## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
+protocol unix,inet,inet6,netlink
+
+## seccomp - Blacklists a large swath of syscalls from being accessible.
+# QtWebEngine require chroot syscall on AMD CPUS and/or ATI Graphics for some bizarre reason
+seccomp !name_to_handle_at,!chroot
+
+## shell - Run the program directly, without a user shell.
+# breaks secondary instances when using join-or-start after shell=none
+shell none
+
+## tracelog - Log all viloations to syslog.
+# tracelog segfaults QtWebEngine on AMD CPUS and/or ATI Graphics for some bizarre reason
+#tracelog
+
+## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
+disable-mnt
+
+## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
+# bash required to launch from kde kickoff menu
+# breaks if installed to /usr/local
+private-bin bash,poi
+
+## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
+private-dev
+
+## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
+# Experimental support for only fonts, alsa audio, and dns resolution.
+private-etc fonts,group,machine-id,resolv.conf
+
+## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
+# breaks SingleApplication without join-or-start set
+private-tmp
+
+
+## noexec - Prevent execution of files in the specified locations
+noexec ${HOME}
+noexec /tmp
+
+
+# join-or-start - Join the sandbox identified by name or start a new one
+join-or-start poi
+
-- cgit v1.2.1
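Review bot: The comment above `private-etc` promises "fonts, alsa audio, and dns resolution", but the list `fonts,group,machine-id,resolv.conf` carries nothing alsa-related, so either the comment overstates what the sandbox exposes or an alsa configuration entry is missing; as written the comment should read `# Only fonts, group, machine-id and dns resolution are exposed.` The option headings are consistent except that `# novideo` uses a single `#` where every other heading uses `##`, and three headings carry typos (`nownewprivs`, `priviledges`, `viloations`) that will be copied into every future profile derived from this one. Since `private-tmp` is noted to break SingleApplication unless `join-or-start` is set, and that directive sits at the very end of the file, a cross-reference such as `# see join-or-start at the end of this file` on the `private-tmp` comment would spare the next reader the same trap.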