From c542881105c2126f7665b2e6ffbccc50045bddf2 Mon Sep 17 00:00:00 2001 From: kortewegdevries Date: Wed, 2 Sep 2020 10:49:32 +0000 Subject: [PATCH] New profile for man,psi,smuxi; fix pidgin (#3590) * Profile for Psi * Fix pidgin buddy icon * Profile for man * Add profile for smuxi * Comment man in firecfg * Add pinentry programs * Update etc/profile-m-z/psi.profile Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
---
etc/inc/disable-programs.inc | 9 +++ etc/profile-m-z/man.profile | 66 +++++++++++++++++ etc/profile-m-z/pidgin.profile | 2 + etc/profile-m-z/psi.profile | 78 ++++++++++++++++++++ etc/profile-m-z/smuxi-frontend-gnome.profile | 55 ++++++++++++++ src/firecfg/firecfg.config | 3 + 6 files changed, 213 insertions(+) create mode 100644 etc/profile-m-z/man.profile create mode 100644 etc/profile-m-z/psi.profile create mode 100644 etc/profile-m-z/smuxi-frontend-gnome.profile
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 6b0c16d5f74..1264caf30b1 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -285,6 +285,7 @@ blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
+blacklist ${HOME}/.local/share/man
 blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
@@ -337,6 +338,7 @@ blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/ppsspp
 blacklist ${HOME}/.config/pragha
 blacklist ${HOME}/.config/profanity
+blacklist ${HOME}/.config/psi
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
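Review bot: In the first hunk of disable-programs.inc the new `blacklist ${HOME}/.local/share/man` entry is placed between `${HOME}/.config/mailtransports` and `${HOME}/.config/mana`, inside the run of `.config` paths. The other `.local/share` entries this commit adds (`Psi`, `psi`, `smuxi`) go into the `.local/share` runs further down, and the file appears to be kept sorted by path so that duplicates and omissions are easy to spot. I would move this line into the `.local/share` block in sort order; the remaining hunks in this file follow the existing order.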
@@ -356,6 +358,7 @@ blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
 blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
+blacklist ${HOME}/.config/smuxi
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/sound-juicer
 blacklist ${HOME}/.config/specialmailcollectionsrc
@@ -547,6 +550,7 @@ blacklist ${HOME}/.local/share/Kingsoft
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/Psi
 blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
@@ -664,6 +668,7 @@ blacklist ${HOME}/.local/share/Paradox Interactive
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
+blacklist ${HOME}/.local/share/psi
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/quadrapassel
 blacklist ${HOME}/.local/share/qpdfview
@@ -673,6 +678,7 @@ blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/rtv
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/signal-cli
+blacklist ${HOME}/.local/share/smuxi
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/strawberry
@@ -832,6 +838,7 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/NewsFlashGTK
 blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/Psi
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/Quotient/quaternion
 blacklist ${HOME}/.cache/Shortwave
@@ -932,12 +939,14 @@ blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/pip
 blacklist ${HOME}/.cache/plasmashell
 blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/psi
 blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/rhythmbox
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/smuxi
 blacklist ${HOME}/.cache/snox
 blacklist ${HOME}/.cache/spotify
 blacklist ${HOME}/.cache/strawberry
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
new file mode 100644
index 00000000000..c62d797ea87
--- /dev/null
+++ b/etc/profile-m-z/man.profile
@@ -0,0 +1,66 @@
+# Firejail profile for man
+# Description: manpage viewer
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include man.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.local/share/man
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/man
+whitelist ${HOME}/.local/share/man
+whitelist ${HOME}/.manpath
+whitelist /usr/share/groff
+whitelist /usr/share/info
+whitelist /usr/share/lintian
+whitelist /usr/share/locale
+whitelist /usr/share/man
+whitelist /var/cache/man
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,
+zcat,zsoelim
+private-cache
+private-dev
+private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 2e421574451..e81e78ca7b6 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -21,6 +21,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.purple
 whitelist ${HOME}/.purple
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
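Review bot: The `private-bin` list in man.profile is broken across two added lines: the first ends in `xtotroff,` and the next added line is just `zcat,zsoelim`. The hunk header counts 66 added lines, which only adds up if that fragment is a line of its own, so this looks like a stray newline in the patch rather than a rendering artefact. A bare `zcat,zsoelim` is not a profile command, so the profile will most likely be rejected as invalid when it is loaded, and in any case zcat and zsoelim never reach the private bin directory. Join it back into one line: `private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim`.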
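Review bot: `whitelist ${PICTURES}` in pidgin.profile is added after `include disable-xdg.inc` (the hunk's header context), and as far as I know that include blacklists the pictures directory. Unless a `noblacklist ${PICTURES}` sits above the hunk, which is not visible here, the directory stays blocked and the buddy-icon fix has no effect; if it is missing, add `noblacklist ${PICTURES}` before the disable includes. The two new lines also open the whole downloads and pictures directories to a network-facing client, so a short comment such as `# buddy icons are picked from ${PICTURES}` would record why the sandbox was widened.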
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
new file mode 100644
index 00000000000..d3112ae9501
--- /dev/null
+++ b/etc/profile-m-z/psi.profile
@@ -0,0 +1,78 @@
+# Firejail profile for psi
+# Description: Native XMPP client with GPG support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include psi.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment for GPG
+# noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.cache/psi
+noblacklist ${HOME}/.cache/Psi
+noblacklist ${HOME}/.config/psi
+noblacklist ${HOME}/.local/share/psi
+noblacklist ${HOME}/.local/share/Psi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# Uncomment for GPG
+# mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/psi
+mkdir ${HOME}/.cache/Psi
+mkdir ${HOME}/.config/psi
+mkdir ${HOME}/.local/share/psi
+mkdir ${HOME}/.local/share/Psi
+# Uncomment for GPG
+# whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.cache/psi
+whitelist ${HOME}/.cache/Psi
+whitelist ${HOME}/.config/psi
+whitelist ${HOME}/.local/share/psi
+whitelist ${HOME}/.local/share/Psi
+whitelist ${DOWNLOADS}
+# Uncomment for GPG
+# whitelist /usr/share/gnupg
+# whitelist /usr/share/gnupg2
+whitelist /usr/share/psi
+# Uncomment for GPG
+# whitelist ${RUNUSER}/gnupg
+# whitelist ${RUNUSER}/keyring
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+# breaks on Arch
+# tracelog
+
+disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for GPG
+private-bin getopt,psi
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
new file mode 100644
index 00000000000..541e5a1c4e5
--- /dev/null
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -0,0 +1,55 @@
+# Firejail profile for smuxi-frontend-gnome
+# Description: Multi protocol chat client with Twitter support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include smuxi-frontend-gnome.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/smuxi
+noblacklist ${HOME}/.config/smuxi
+noblacklist ${HOME}/.local/share/smuxi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/smuxi
+mkdir ${HOME}/.config/smuxi
+mkdir ${HOME}/.local/share/smuxi
+whitelist ${HOME}/.cache/smuxi
+whitelist ${HOME}/.config/smuxi
+whitelist ${HOME}/.local/share/smuxi
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
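Review bot: `seccomp !chroot` in psi.profile takes chroot out of the syscall filter without saying why, unlike the commented-out `tracelog` two lines below it, which carries `# breaks on Arch`. A relaxation of the seccomp list should name the component that needs it, so that a later maintainer can tell when the exception can be dropped. Presumably it is the Qt web engine sandbox, but that is a guess from here; if so, a line above it such as `# QtWebEngine needs chroot` would do.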
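Review bot: smuxi-frontend-gnome.profile omits `novideo`, although psi.profile, added in the same commit for the same kind of program, sets it. Unless the client needs video capture devices, add `novideo` after `notv` so they are not exposed inside the sandbox. The `private-bin` line also keeps `bash` and `sh`, presumably because the launcher is a shell script that starts mono; a one-line comment saying so would explain why this profile does not include disable-shell.inc the way psi.profile does.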
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 62b27aa0685..54c568f27c9 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -439,6 +439,7 @@ lynx
 lyx
 macrofusion
 magicor
+# man
 manaplus
 masterpdfeditor
 masterpdfeditor4
@@ -591,6 +592,7 @@ pragha
 presentations18
 presentations18free
 profanity
+psi
 psi-plus
 pybitmessage
 # pycharm-community - FB note: may enable later
@@ -654,6 +656,7 @@ slack
 slashem
 smplayer
 smtube
+smuxi-frontend-gnome
 snox
 soffice
 sol
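Review bot: The `# man` entry in the first firecfg.config hunk is added commented out with no reason given, whereas the `# pycharm-community - FB note: may enable later` line visible in the second hunk shows that disabled entries can carry a note. A short annotation on the same line, for example `# man - disabled by default, <reason>`, would tell packagers and users whether man.profile is meant to be opt-in and what to check before enabling it.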