New profile: qemu-common.profile

Add a common profile to deduplicate entries and make qemu-related profiles redirect to it. Relates to netblue30#6255.
kmk3 · Mar 23, 2024 · 49f4b7e · 49f4b7e
1 parent 96d66fa
commit 49f4b7e
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 50 deletions.
diff --git a/etc/profile-m-z/qemu-common.profile b/etc/profile-m-z/qemu-common.profile
@@ -0,0 +1,28 @@
+# Firejail profile for QEMU
+# Description: Machine & userspace emulator and virtualizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qemu-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-cache
+private-tmp
+
+noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
@@ -7,22 +7,5 @@ include globals.local
 
 noblacklist ${HOME}/.qemu-launcher
 
-include disable-common.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-tracelog
-
-private-cache
-private-tmp
-
-noexec /tmp
-restrict-namespaces
+# Redirect
+include qemu-common.profile
diff --git a/etc/profile-m-z/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile
@@ -6,22 +6,5 @@ include qemu-system-x86_64.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-tracelog
-
-private-cache
-private-tmp
-
-noexec /tmp
-restrict-namespaces
+# Redirect
+include qemu-common.profile
diff --git a/etc/profile-m-z/tqemu.profile b/etc/profile-m-z/tqemu.profile
@@ -6,21 +6,13 @@ include tqemu.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
-include disable-programs.inc
+# breaks app
+ignore restrict-namespaces
 
 # For host-only network sys_admin is needed.
 # See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
 caps.keep net_raw,sys_nice
 #caps.keep net_raw,sys_admin
-netfilter
-nodvd
-notv
-tracelog
-
-private-cache
-private-tmp
 
-noexec /tmp
-# breaks app
-#restrict-namespaces
+# Redirect
+include qemu-common.profile