New profiles for balsa,trojita,kube (#3603)

* Added minecraft-launcher-profile Initial * Changed minecraft-launcher profile Added space,tracelog,nodvd * New profiles for balsa,trojita,kube * Switch to whitelisting * Enable gpg,firefox uniformity between other clients * Hyperlinks * Fix Co-authored-by: kortewegdevries <[email protected]>
netblue30 · Sep 3, 2020 · 7df28c1 · 7df28c1
1 parent a68725f
commit 7df28c1
Show file tree

Hide file tree

Showing 5 changed files with 234 additions and 0 deletions.
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
@@ -37,6 +37,7 @@ blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
+blacklist ${HOME}/.abook
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
@@ -49,6 +50,7 @@ blacklist ${HOME}/.asunder_album_title
 blacklist ${HOME}/.atom
 blacklist ${HOME}/.attic
 blacklist ${HOME}/.audacity-data
+blacklist ${HOME}/.balsa
 blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
@@ -209,6 +211,7 @@ blacklist ${HOME}/.config/evince
 blacklist ${HOME}/.config/evolution
 blacklist ${HOME}/.config/falkon
 blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.config/flaska.net
 blacklist ${HOME}/.config/flowblade
 blacklist ${HOME}/.config/font-manager
 blacklist ${HOME}/.config/freecol
@@ -278,6 +281,7 @@ blacklist ${HOME}/.config/konversation.notifyrc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
+blacklist ${HOME}/.config/kube
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
@@ -354,6 +358,7 @@ blacklist ${HOME}/.config/rtv
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/scribusrc
 blacklist ${HOME}/.config/sinew.in
+blacklist ${HOME}/.config/sink
 blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
 blacklist ${HOME}/.config/smplayer
@@ -636,6 +641,7 @@ blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktouch
+blacklist ${HOME}/.local/share/kube
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
@@ -678,6 +684,7 @@ blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/rtv
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/signal-cli
+blacklist ${HOME}/.local/share/sink
 blacklist ${HOME}/.local/share/smuxi
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
@@ -868,6 +875,7 @@ blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
 blacklist ${HOME}/.cache/falkon
 blacklist ${HOME}/.cache/feedreader
+blacklist ${HOME}/.cache/flaska.net/trojita
 blacklist ${HOME}/.cache/font-manager
 blacklist ${HOME}/.cache/fossamail
 blacklist ${HOME}/.cache/fractal
@@ -907,6 +915,7 @@ blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
 blacklist ${HOME}/.cache/kscreenlocker_greet
 blacklist ${HOME}/.cache/ksmserver-logout-greeter
 blacklist ${HOME}/.cache/ksplashqml
+blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/liferea

diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
@@ -0,0 +1,78 @@
+# Firejail profile for balsa
+# Description: GNOME mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include balsa.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.balsa
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/mail
+noblacklist /var/mail
+noblacklist /var/spool/mail
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.balsa
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/mail
+whitelist ${HOME}/.balsa
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/mail
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/balsa
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin balsa,balsa-ab
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user filter
+dbus-user.own org.desktop.Balsa
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
@@ -0,0 +1,81 @@
+# Firejail profile for kube
+# Description: Qt mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/kube
+noblacklist ${HOME}/.config/kube
+noblacklist ${HOME}/.config/sink
+noblacklist ${HOME}/.local/share/kube
+noblacklist ${HOME}/.local/share/sink
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/kube
+mkdir ${HOME}/.config/kube
+mkdir ${HOME}/.config/sink
+mkdir ${HOME}/.local/share/kube
+mkdir ${HOME}/.local/share/sink
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/kube
+whitelist ${HOME}/.config/kube
+whitelist ${HOME}/.config/sink
+whitelist ${HOME}/.local/share/kube
+whitelist ${HOME}/.local/share/sink
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/kube
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin kube,sink_synchronizer
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
@@ -0,0 +1,63 @@
+# Firejail profile for trojita
+# Description: Qt mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include trojita.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.abook
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/flaska.net/trojita
+noblacklist ${HOME}/.config/flaska.net
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.abook
+mkdir ${HOME}/.cache/flaska.net/trojita
+mkdir ${HOME}/.config/flaska.net
+whitelist ${HOME}/.abook
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/flaska.net/trojita
+whitelist ${HOME}/.config/flaska.net
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin trojita
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
@@ -70,6 +70,7 @@ autokey-shell
 aweather
 baloo_file
 baloo_filemetadata_temp_extractor
+balsa
 baobab
 barrier
 basilisk
@@ -405,6 +406,7 @@ krita
 # krunner
 ktorrent
 ktouch
+kube
 # kwin_x11
 kwrite
 leafpad
@@ -748,6 +750,7 @@ transmission-remote-cli
 transmission-remote-gtk
 transmission-show
 tremulous
+trojita
 truecraft
 tshark
 tuxguitar