From 891f3a8fba4568bb5bdf17709da72b4d76ea78c8 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann" 
Date: Sat, 23 Mar 2024 05:08:01 -0300
Subject: [PATCH] New profile: qemu-common.profile

Add a common profile to deduplicate entries and make qemu-related profiles redirect to it.

Relates to #6255.
---
 etc/profile-m-z/qemu-common.profile | 28 ++++++++++++++++++++++
 etc/profile-m-z/qemu-launcher.profile | 21 ++--------------
 etc/profile-m-z/qemu-system-x86_64.profile | 21 ++--------------
 etc/profile-m-z/tqemu.profile | 17 ++++---------
 4 files changed, 37 insertions(+), 50 deletions(-)
 create mode 100644 etc/profile-m-z/qemu-common.profile

diff --git a/etc/profile-m-z/qemu-common.profile b/etc/profile-m-z/qemu-common.profile
new file mode 100644
index 00000000000..bf8c2b977be
--- /dev/null
+++ b/etc/profile-m-z/qemu-common.profile
@@ -0,0 +1,28 @@
+# Firejail profile for QEMU
+# Description: Machine & userspace emulator and virtualizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qemu-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-cache
+private-tmp
+
+noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
index 8484d37052d..5eab480dcdb 100644
--- a/etc/profile-m-z/qemu-launcher.profile
+++ b/etc/profile-m-z/qemu-launcher.profile
@@ -7,22 +7,5 @@ include globals.local
 
 noblacklist ${HOME}/.qemu-launcher
 
-include disable-common.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-tracelog
-
-private-cache
-private-tmp
-
-noexec /tmp
-restrict-namespaces
+# Redirect
+include qemu-common.profile
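Review bot: The header of qemu-common.profile documents that globals.local is `added by caller profile`, but not the other ordering contract callers now depend on: this file unconditionally pulls in disable-common.inc/disable-programs.inc and sets `caps.drop all`, `seccomp`, `nogroups`, `restrict-namespaces` and friends, so any `noblacklist` or `ignore` a caller needs has to appear before its `include qemu-common.profile` line. Since this file is the shared hardening baseline for every qemu-related profile, that belongs in the header, e.g. `# Callers must place any noblacklist/ignore lines before including this file`. A separate caveat worth a comment: `nogroups` drops supplementary groups, and on hosts where /dev/kvm is only reachable through a kvm group (common root:kvm 0660 setups) the guest may silently fall back to software emulation unless firejail special-cases that group — this was presumably already the case with the per-profile copies, so it is not a regression, but it is the kind of thing a `qemu-common.local` override note would save users from rediscovering.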
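Review bot: `noblacklist ${HOME}/.qemu-launcher` now only takes effect because it happens to sit above the new `include qemu-common.profile`, which is what pulls in disable-common.inc and disable-programs.inc after the deletion; the ordering requirement is no longer visible in this file. A one-line comment keeps the next edit from moving it, e.g. `# Keep noblacklist above the redirect: qemu-common.profile includes disable-programs.inc`. Whether ${HOME}/.qemu-launcher is actually listed in disable-programs.inc is not visible in this hunk, so the comment should state the dependency rather than the specific blacklist entry.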
diff --git a/etc/profile-m-z/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile
index 495c469f7fe..27dd31af1f3 100644
--- a/etc/profile-m-z/qemu-system-x86_64.profile
+++ b/etc/profile-m-z/qemu-system-x86_64.profile
@@ -6,22 +6,5 @@ include qemu-system-x86_64.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-tracelog
-
-private-cache
-private-tmp
-
-noexec /tmp
-restrict-namespaces
+# Redirect
+include qemu-common.profile
diff --git a/etc/profile-m-z/tqemu.profile b/etc/profile-m-z/tqemu.profile
index cf83202f712..d46cf15d955 100644
--- a/etc/profile-m-z/tqemu.profile
+++ b/etc/profile-m-z/tqemu.profile
@@ -6,21 +6,14 @@ include tqemu.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
-include disable-programs.inc
+# breaks app
+ignore restrict-namespaces
 
 # For host-only network sys_admin is needed.
 # See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+ignore caps.drop all
 caps.keep net_raw,sys_nice
 #caps.keep net_raw,sys_admin
 
-netfilter
-nodvd
-notv
-tracelog
-
-private-cache
-private-tmp
-noexec /tmp
-# breaks app
-#restrict-namespaces
+# Redirect
+include qemu-common.profile
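Review bot: For tqemu this is not a pure deduplication: through the new `include qemu-common.profile` the profile now also gets `nonewprivs`, `noroot`, `nogroups`, `seccomp` and `protocol unix,inet,inet6`, none of which appear among the removed lines (the hunk ends at the old `#restrict-namespaces` line, so unless they lived in lines 1-5 they were not in the profile before). The old profile already flagged this app as fragile (`# breaks app`, and the `sys_admin` note for host-only networking), and `noroot`/`seccomp` are exactly the options that tend to interfere with tap/bridge setup, so this hardening deserves a mention in the commit message and a run of the host-only-network case before merging. If it cannot be tested now, add the matching `ignore` lines beside `ignore restrict-namespaces` and drop them once verified; in either case keep all `ignore` lines above the redirect, as done here, since they only suppress commands read after them. The `ignore caps.drop all` + `caps.keep net_raw,sys_nice` pairing itself looks correct.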