new profiles

netblue30 · May 20, 2021 · eb30ce5 · eb30ce5
1 parent b79e441
commit eb30ce5
Show file tree

Hide file tree

Showing 9 changed files with 175 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -335,4 +335,4 @@ pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, c
 sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
 ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
 pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon
-neochat, node, nvm, cargo
+neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat
diff --git a/RELNOTES b/RELNOTES
@@ -29,7 +29,7 @@ firejail (0.9.65) baseline; urgency=low
   * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium,
   * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
   * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat,
-  * cargo
+  * cargo, LibreCAD, blobby, funnyboat
  -- netblue30 <netblue30@yahoo.com>  Tue, 9 Feb 2021 09:00:00 -0500
 
 firejail (0.9.64.4) baseline; urgency=low

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
@@ -57,6 +57,7 @@ blacklist ${HOME}/.balsa
 blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
+blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
 blacklist ${HOME}/.bzf
 blacklist ${HOME}/.cargo/advisory-db
@@ -109,6 +110,7 @@ blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/KDE/neochat
 blacklist ${HOME}/.config/Kid3
 blacklist ${HOME}/.config/Kingsoft
+blacklist ${HOME}/.config/LibreCAD
 blacklist ${HOME}/.config/Loop_Hero
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/LyX
@@ -494,6 +496,7 @@ blacklist ${HOME}/.freecol
 blacklist ${HOME}/.freemind
 blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
+blacklist ${HOME}/.funnyboat
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
@@ -606,6 +609,7 @@ blacklist ${HOME}/.local/share/Flavio Tordini
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/KDE/neochat
 blacklist ${HOME}/.local/share/Kingsoft
+blacklist ${HOME}/.local/share/LibreCAD
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/Nextcloud

diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
@@ -0,0 +1,52 @@
+# Firejail profile for blobby
+# Persistent local customizations
+include blobby.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.blobby
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.blobby
+whitelist ${HOME}/.blobby
+include whitelist-common.inc
+whitelist /usr/share/blobby
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,netlink,
+netfilter
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin blobby,
+private-lib
+private-dev
+private-etc hosts,group,asound.conf,alsa,machine-id,pulse,drirc,login.defs,passwd,
+private-tmp
+
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
@@ -20,6 +20,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.etr
 whitelist ${HOME}/.etr
 whitelist /usr/share/etr
+# Debian version
+whitelist /usr/share/games/etr
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc

diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
@@ -0,0 +1,57 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+# Persistent local customizations
+include funnyboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.funnyboat
+
+include disable-common.inc
+include disable-devel.inc
+ignore noexec /dev/shm
+include disable-exec.inc
+include allow-python2.inc
+include allow-python3.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.funnyboat
+whitelist ${HOME}/.funnyboat
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/funnyboat
+# Debian:
+whitelist /usr/share/games/funnyboat
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+# tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/librecad.profile b/etc/profile-a-l/librecad.profile
@@ -0,0 +1,50 @@
+# Firejail profile for librecad
+# Persistent local customizations
+include librecad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/LibreCAD
+noblacklist ${HOME}/.local/share/LibreCAD
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/librecad
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+#nogroups
+#noinput
+nonewprivs
+noroot
+notv
+#nou2f
+novideo
+protocol unix,inet,inet6,
+netfilter
+seccomp
+shell none
+#tracelog
+
+#disable-mnt
+private-bin librecad,
+#private-lib
+private-dev
+# private-etc cups,drirc,fonts,xdg,passwd,
+private-tmp
+
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
@@ -39,7 +39,7 @@ printf("\n");
 	int i;
 	int prog_index = 0;
 	FILE *fp = stdout;
-	int prof_file = 0;
+	char *prof_file = NULL;
 
 	// parse arguments and extract program index
 	for (i = 1; i < argc; i++) {
@@ -70,8 +70,7 @@ printf("\n");
 				fprintf(stderr, "Error: cannot open profile file.\n");
 				exit(1);
 			}
-			prof_file = 1;
-			// do nothing, this is passed down from firejail
+			prof_file = argv[i] + 8;
 		}
 		else {
 			if (*argv[i] == '-') {
@@ -87,8 +86,11 @@ printf("\n");
 	if (prog_index == 0) {
 		fprintf(stderr, "Error : program and arguments required\n");
 		usage();
-		if (prof_file)
+		if (prof_file) {
 			fclose(fp);
+			int rv = unlink(prof_file);
+			(void) rv;
+		}
 		exit(1);
 	}
 

diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
@@ -271,6 +271,7 @@ freetube
 freshclam
 frogatto
 frozen-bubble
+funnyboat
 gajim
 gajim-history-manager
 galculator
@@ -443,6 +444,7 @@ kube
 kwrite
 leafpad
 # less - breaks man
+librecad
 libreoffice
 librewolf
 librewolf-nightly