Add strawberry profile

[aminvakil]

Strawberry is a music player and music collection organizer. It is a fork of Clementine released in 2018 aimed at music collectors and audiophiles. It's written in C++ using the Qt 5 framework.

Website: https://www.strawberrymusicplayer.org/
Github: https://github.com/strawberrymusicplayer/strawberry

I just copied clementine profile, changed all clementine(s) to strawberry, I checked and everything's fine.

[rusty-snake]

Add it to src/firecfg/firecfg.config

We could do some future hardening.

[rusty-snake]

Some hardening ideas, you need to try if they break something.

[rusty-snake]

I'm fine with it, but leave it open for now so others have time to comment too.

Two things left:

1. If you want, you can try whitelist-runuser-common.inc. Just copy it from here and remove the whitelist ${RUNUSER}/.mutter-Xwaylandauth.* line.
2. What is strawberry-tagreader, would it make sense to add a redirect profile for it?

[aminvakil]

I see this error every few seconds, but fetching lyrics, getting tags, etc. works as expected, is this OK?

ERROR unknown                          Could not create AF_NETLINK socket (Operation not supported)

[rusty-snake]

strawberry is written in Qt, right?

is this OK?

If your 100% sure nothing is broken, IMHO yes.
If you are unsure, add protocol unix,inet,inet6,netlink.

[aminvakil]

If you are unsure, add protocol unix,inet,inet6,netlink.

Adding netlink fixes the issue.

[aminvakil]

2. What is `strawberry-tagreader`, would it make sense to add a redirect profile for it?

Taken from its man page:

This program is used internally by Strawberry to parse tags in music files without exposing the whole application to crashes caused by malformed files. It is not meant to be run on its own.

I would try adding a profile for it too, should I open a new PR for it later, or add it to current PR?

[rusty-snake]

. It is not meant to be run on its own.

Then we don't need one. The instances started by a firejailed strawberry run in its sandbox.

[aminvakil]

. It is not meant to be run on its own.

Then we don't need one. The instances started by a firejailed strawberry run in its sandbox.

I meant this exactly, prevent running strawberry-tagreader on its own by firejail.

[rusty-snake]

I meant this exactly, prevent running strawberry-tagreader on its own by firejail.

You mean writing a profile that breaks strawberry-tagreader? I'm not for it.

[aminvakil]

I meant this exactly, prevent running strawberry-tagreader on its own by firejail.

You mean writing a profile that breaks strawberry-tagreader? I'm not for it.

Yes:)

But if you think it's unnecessary no then.

[rusty-snake]

Merged, Thanks.

[aminvakil]

I don't know if I should have added strawberry to new profiles on README.MD or should I do it now or don't do it or anythine else?

[Fred-Barclay]

@aminvakil feel free to open an new PR with it added to README.md, and also to add it to the RELNOTES and add "added profile for strawberry" to https://github.com/netblue30/firejail/blob/master/README#L98 😄