diff --git a/README.md b/README.md
index e9e8f8c3707..c524a328d34 100644
--- a/README.md
+++ b/README.md
@@ -335,4 +335,4 @@ pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, c
 sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon
-neochat, node, nvm, cargo
+neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat
diff --git a/RELNOTES b/RELNOTES
index 117a019e328..91d99012ce3 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -29,7 +29,7 @@ firejail (0.9.65) baseline; urgency=low
 * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium,
 * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
 * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat,
- * cargo
+ * cargo, LibreCAD, blobby, funnyboat
  -- netblue30 Tue, 9 Feb 2021 09:00:00 -0500
 
 firejail (0.9.64.4) baseline; urgency=low
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 90abe1d3e20..fddd782c275 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -57,6 +57,7 @@ blacklist ${HOME}/.balsa
 blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
+blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
 blacklist ${HOME}/.bzf
 blacklist ${HOME}/.cargo/advisory-db
@@ -109,6 +110,7 @@ blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/KDE/neochat
 blacklist ${HOME}/.config/Kid3
 blacklist ${HOME}/.config/Kingsoft
+blacklist ${HOME}/.config/LibreCAD
 blacklist ${HOME}/.config/Loop_Hero
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/LyX
@@ -494,6 +496,7 @@ blacklist ${HOME}/.freecol
 blacklist ${HOME}/.freemind
 blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
+blacklist ${HOME}/.funnyboat
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
@@ -606,6 +609,7 @@ blacklist ${HOME}/.local/share/Flavio Tordini
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/KDE/neochat
 blacklist ${HOME}/.local/share/Kingsoft
+blacklist ${HOME}/.local/share/LibreCAD
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/Nextcloud
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
new file mode 100644
index 00000000000..9bb097b7e8d
--- /dev/null
+++ b/etc/profile-a-l/blobby.profile
@@ -0,0 +1,52 @@
+# Firejail profile for blobby
+# Persistent local customizations
+include blobby.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.blobby
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.blobby
+whitelist ${HOME}/.blobby
+include whitelist-common.inc
+whitelist /usr/share/blobby
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,netlink,
+netfilter
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin blobby,
+private-lib
+private-dev
+private-etc hosts,group,asound.conf,alsa,machine-id,pulse,drirc,login.defs,passwd,
+private-tmp
+
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index b970b0dfd85..d44d419c141 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
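Review bot: `netfilter` is listed twice in the new blobby.profile (once after `ipc-namespace`, again immediately before `seccomp`); the second copy is redundant and should go. The trailing commas in `protocol unix,inet,netlink,` and `private-bin blobby,` look like leftovers from editing a longer list, and the other profiles in this tree write them without: `protocol unix,inet,netlink` and `private-bin blobby`. Whether the game actually needs `netlink` is not visible here; if only `inet` is required for network play, `protocol unix,inet` is the tighter option, so confirm against the binary before narrowing.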
@@ -20,6 +20,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.etr
 whitelist ${HOME}/.etr
 whitelist /usr/share/etr
+# Debian version
+whitelist /usr/share/games/etr
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
new file mode 100644
index 00000000000..e4d9b018e3c
--- /dev/null
+++ b/etc/profile-a-l/funnyboat.profile
@@ -0,0 +1,57 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+# Persistent local customizations
+include funnyboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.funnyboat
+
+include disable-common.inc
+include disable-devel.inc
+ignore noexec /dev/shm
+include disable-exec.inc
+include allow-python2.inc
+include allow-python3.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.funnyboat
+whitelist ${HOME}/.funnyboat
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/funnyboat
+# Debian:
+whitelist /usr/share/games/funnyboat
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+# tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/librecad.profile b/etc/profile-a-l/librecad.profile
new file mode 100644
index 00000000000..431caf91465
--- /dev/null
+++ b/etc/profile-a-l/librecad.profile
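Review bot: The header comment `# Firejail profile for default` in the new funnyboat.profile is a copy-paste from default.profile and should read `# Firejail profile for funnyboat`. `ignore noexec /dev/shm` deliberately undoes part of the `disable-exec.inc` hardening that follows it, and neither it nor the commented-out `# include disable-shell.inc` and `# tracelog` carries a reason; a one-line why-comment (presumably the Python/SDL runtime needs an executable /dev/shm — confirm) would stop someone from "fixing" it back later. Pulling in both `allow-python2.inc` and `allow-python3.inc` exposes two interpreters where the packaged game can only be using one; which one is not visible from this diff, so check the launcher script and keep only that include.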
@@ -0,0 +1,50 @@
+# Firejail profile for librecad
+# Persistent local customizations
+include librecad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/LibreCAD
+noblacklist ${HOME}/.local/share/LibreCAD
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/librecad
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+#nogroups
+#noinput
+nonewprivs
+noroot
+notv
+#nou2f
+novideo
+protocol unix,inet,inet6,
+netfilter
+seccomp
+shell none
+#tracelog
+
+#disable-mnt
+private-bin librecad,
+#private-lib
+private-dev
+# private-etc cups,drirc,fonts,xdg,passwd,
+private-tmp
+
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
index 35ec495199e..6c9fc507cdc 100644
--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -39,7 +39,7 @@ printf("\n");
 int i;
 int prog_index = 0;
 FILE *fp = stdout;
- int prof_file = 0;
+ char *prof_file = NULL;
 
 // parse arguments and extract program index
 for (i = 1; i < argc; i++) {
@@ -70,8 +70,7 @@ printf("\n");
 fprintf(stderr, "Error: cannot open profile file.\n");
 exit(1);
 }
- prof_file = 1;
- // do nothing, this is passed down from firejail
+ prof_file = argv[i] + 8;
 }
 else {
 if (*argv[i] == '-') {
@@ -87,8 +86,11 @@ printf("\n");
 if (prog_index == 0) {
 fprintf(stderr, "Error : program and arguments required\n");
 usage();
- if (prof_file)
+ if (prof_file) {
 fclose(fp);
+ int rv = unlink(prof_file);
+ (void) rv;
+ }
 exit(1);
 }
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 474904ebfd6..f408f064009 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
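Review bot: `netfilter` appears twice in the new librecad.profile (after `ipc-namespace` and again before `seccomp`), and `protocol unix,inet,inet6,` and `private-bin librecad,` carry trailing commas the neighbouring profiles do not use; a clean form is one `netfilter` line plus `protocol unix,inet,inet6` and `private-bin librecad`. Because no `whitelist-common.inc` is included, the two `noblacklist` lines leave the whole home directory visible rather than only the LibreCAD config dirs, and with `#disable-mnt` commented out mounted media is reachable too — plausible for a CAD tool that opens arbitrary drawings, but a short comment stating that trade-off would help, as would a reason on each of `#nogroups`, `#noinput`, `#nou2f`, `#private-lib`. If LibreCAD has no network use at all, `net none` is stricter than `netfilter` with inet/inet6 open; confirm before tightening.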
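Review bot: `prof_file = argv[i] + 8;` hard-codes the length of the option prefix that the enclosing branch presumably matched a few lines above (that comparison and the `for` loop both start before this hunk), so the two can drift apart silently; tying the offset to the prefix, e.g. `prof_file = argv[i] + strlen("--build=");` or a shared `#define`, keeps them in step. Storing a pointer into argv is otherwise fine here, since argv outlives main. A brief why-comment such as `// remember the path so it can be removed on argument errors` would explain why the flag became a pointer.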
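Review bot: The `unlink` result is discarded through `(void) rv`, so failing to remove the just-created profile is silent even though the code is already on an error path where reporting costs nothing: `if (unlink(prof_file) != 0) fprintf(stderr, "Warning: cannot remove %s\n", prof_file);` and drop `rv`. `fclose(fp)` is likewise unchecked, which is tolerable immediately before `exit(1)`. `prof_file` is a caller-supplied path taken from argv, so this branch deletes whatever the caller named; that is consistent with the earlier open having created it (the open is outside this hunk — confirm it is a write-mode open that does not reuse a pre-existing file), and a comment like `// argument error: remove the empty profile we opened above` would make the intent clear. main() continues past the end of the hunk.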
@@ -271,6 +271,7 @@ freetube
 freshclam
 frogatto
 frozen-bubble
+funnyboat
 gajim
 gajim-history-manager
 galculator
@@ -443,6 +444,7 @@ kube
 kwrite
 leafpad
 # less - breaks man
+librecad
 libreoffice
 librewolf
 librewolf-nightly