profiles: refactor electron.profile and electron-based programs #3807

Merged
merged 9 commits into from
Dec 17, 2020
32 changes: 14 additions & 18 deletions etc/profile-a-l/atom.profile
Expand Up @@ -6,31 +6,27 @@ include atom.local
# Persistent global definitions
include globals.local

# Disabled until someone reported positive feedback
ignore include disable-devel.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor
ignore disable-mnt

noblacklist ${HOME}/.atom
noblacklist ${HOME}/.config/Atom

# Allows files commonly used by IDEs
include allow-common-devel.inc

include disable-common.inc
include disable-exec.inc
include disable-passwdmgr.inc
include disable-programs.inc

caps.keep sys_admin,sys_chroot
# net none
netfilter
nodvd
nogroups
nosound
notv
nou2f
novideo
shell none

private-cache
private-dev
private-tmp

dbus-user none
dbus-system none
# Redirect
include electron.profile
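Review bot: The block under `# Disabled until someone reported positive feedback` (L21–L31) mixes two different kinds of exception: `ignore whitelist ${DOWNLOADS}`, `ignore include whitelist-common.inc` and the `disable-devel.inc`/`disable-interpreters.inc` ignores are structural for an IDE that must open project trees anywhere under $HOME and run compilers and interpreters, and will never be re-enabled on feedback, while `ignore apparmor`, `ignore disable-mnt` and `ignore include disable-xdg.inc` are genuinely untested hardening. I'd split them, e.g. `# Atom needs arbitrary project directories and development tools` above the first group, so the "awaiting feedback" list stays actionable. These `ignore` lines also only take effect because they precede `include electron.profile` (L62) — as I read firejail's parser, `ignore` suppresses commands parsed after it — so a comment such as `# ignore lines must stay above the redirect` would protect that ordering.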
21 changes: 15 additions & 6 deletions etc/profile-a-l/beaker.profile
Expand Up @@ -3,17 +3,26 @@
# Persistent local customizations
include beaker.local
# Persistent global definitions
# added by included profile
#include globals.local
include globals.local

noblacklist ${HOME}/.config/Beaker Browser
# Disabled until someone reported positive feedback
ignore include disable-exec.inc
ignore include disable-xdg.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore nou2f
ignore novideo
ignore shell none
ignore disable-mnt
ignore private-cache
ignore private-dev
ignore private-tmp

include disable-devel.inc
include disable-interpreters.inc
noblacklist ${HOME}/.config/Beaker Browser

mkdir ${HOME}/.config/Beaker Browser
whitelist ${HOME}/.config/Beaker Browser
include whitelist-common.inc

# Redirect
include electron.profile
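Review bot: The ignore list at L75–L86 switches off `disable-exec.inc`, `private-dev`, `private-tmp`, `disable-mnt` and `shell none` for a network-facing browser, leaving Beaker weaker than most other Electron apps in this PR even though the same directives were already in use for freetube (L215–L220) and nuclear (L355–L361); presumably they were added to preserve the old beaker.profile's behaviour rather than because a failure was observed. I'd test `private-dev`, `private-tmp` and `disable-mnt` on Beaker before carrying the exception and keep only what is known to break. At minimum `ignore include disable-exec.inc` deserves its own comment naming the observed failure, since allowing execution from writable paths in a browser is the exception most worth justifying.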
37 changes: 14 additions & 23 deletions etc/profile-a-l/discord-common.profile
Expand Up @@ -6,33 +6,24 @@ include discord-common.local
# added by caller profile
#include globals.local

ignore noexec ${HOME}
# Disabled until someone reported positive feedback
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore apparmor
ignore disable-mnt
ignore private-cache
ignore dbus-user none
ignore dbus-system none

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-passwdmgr.inc
include disable-programs.inc
ignore noexec ${HOME}

whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/BetterDiscord
whitelist ${HOME}/.local/share/betterdiscordctl
include whitelist-common.inc
include whitelist-var-common.inc

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp !chroot

private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
private-dev
private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
private-tmp

# Redirect
include electron.profile
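Review bot: The rewrite drops `private-bin bash,cut,...` (L141) and the `private-etc ...` line (L143), but electron.profile (L148–L196) supplies neither, so Discord now sees the full /usr/bin and /etc where it previously had a minimal set; the other removed lines (private-dev, private-tmp, caps, seccomp) have a counterpart in the common profile, these two simply disappear. Unless they were relocated into discord.profile/discord-canary.profile, which this PR does not show, restore them in this file below the ignore block, i.e. the original `private-bin` and `private-etc` lines. The `ignore` entries at L106–L114 also only work because they precede `include electron.profile` (L147); a one-line comment `# ignore lines must stay above the redirect` would keep that from being broken by a later reorder.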
28 changes: 21 additions & 7 deletions etc/profile-a-l/electron.profile
Expand Up @@ -3,25 +3,39 @@
# This file is overwritten after every install/update
# Persistent local customizations
include electron.local
# Persistent global definitions
include globals.local

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

whitelist ${DOWNLOADS}
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# Uncomment the next line (or add it to your chromium-common.local)
# if your kernel allows unprivileged userns clone.
#include chromium-common-hardened.inc

apparmor
caps.drop all
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
seccomp
nou2f
novideo
shell none

disable-mnt
private-cache
private-dev
private-tmp

dbus-user none
dbus-system none
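Review bot: If L185 is the new-side line as printed, plain `seccomp` undoes the purpose of `caps.keep sys_admin,sys_chroot` (L177): firejail's default seccomp filter blocks `chroot`, which is exactly why the per-app profiles this PR deletes carried `seccomp !chroot` (discord L139, freetube L212, github-desktop L270, jitsi L320, riot-desktop L371), so the common profile should read `seccomp !chroot` or the setuid chrome-sandbox's chroot() will presumably be denied wherever unprivileged userns is unavailable. The comment at L171 also directs users to `chromium-common.local`, but this profile reads `electron.local` (L153), so that advice is a no-op here; change it to `# Uncomment the next line (or add it to your electron.local)`. Separately, nothing here replaces the `include disable-shell.inc` that freetube (L206) and nuclear (L340) lose, and nuclear has its `private-bin` commented out (L356), so shells become reachable again there unless that is judged acceptable.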
11 changes: 0 additions & 11 deletions etc/profile-a-l/freetube.profile
Expand Up @@ -8,24 +8,13 @@ include globals.local

noblacklist ${HOME}/.config/FreeTube

include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-shell.inc
include disable-xdg.inc

mkdir ${HOME}/.config/FreeTube
whitelist ${HOME}/.config/FreeTube

seccomp !chroot
shell none

disable-mnt
private-bin freetube
private-cache
private-dev
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
private-tmp

# Redirect
include electron.profile
46 changes: 19 additions & 27 deletions etc/profile-a-l/github-desktop.profile
Expand Up @@ -6,43 +6,35 @@ include github-desktop.local
# Persistent global definitions
include globals.local

# Note: On debian-based distributions the binary might be located in
# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
# If that's the case you can start GitHub Desktop with firejail via
# `firejail "/opt/GitHub Desktop/github-desktop"`.

# Disabled until someone reported positive feedback
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor
ignore dbus-user none
ignore dbus-system none

noblacklist ${HOME}/.config/GitHub Desktop
noblacklist ${HOME}/.config/git
noblacklist ${HOME}/.gitconfig
noblacklist ${HOME}/.git-credentials

include disable-common.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc

caps.drop all
netfilter
# no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp !chroot

# Note: On debian-based distributions the binary might be located in
# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
# If that's the case you can start GitHub Desktop with firejail via
# `firejail "/opt/GitHub Desktop/github-desktop"`.

disable-mnt
# private-bin github-desktop
private-cache
?HAS_APPIMAGE: ignore private-dev
private-dev
# private-lib
private-tmp

# memory-deny-write-execute

# Redirect
include electron.profile
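Review bot: `?HAS_APPIMAGE: ignore private-dev` (L280) now only works because it is parsed before `include electron.profile` (L288), which is where the `private-dev` it cancels comes from; in the old file the two lines were adjacent (L280–L281) so the dependency was obvious, and now it is not. Add `# must stay above the electron.profile redirect` next to it. As with atom, the whitelist-related ignores (L237–L241) are structural for a Git client that opens repositories anywhere under $HOME and should not sit under "until someone reported positive feedback" alongside `ignore apparmor` and the dbus ignores, which are the ones actually awaiting testing.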
22 changes: 5 additions & 17 deletions etc/profile-a-l/jitsi-meet-desktop.profile
Expand Up @@ -6,34 +6,22 @@ include jitsi-meet-desktop.local
# Persistent global definitions
include globals.local

# Disabled until someone reported positive feedback
ignore nou2f
ignore novideo
ignore shell none

ignore noexec /tmp

noblacklist ${HOME}/.config/Jitsi Meet

include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-xdg.inc

nowhitelist ${DOWNLOADS}

mkdir ${HOME}/.config/Jitsi Meet

whitelist ${HOME}/.config/Jitsi Meet

include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-runuser-common.inc
include whitelist-var-common.inc

seccomp !chroot

disable-mnt
private-bin bash,jitsi-meet-desktop
private-cache
private-dev
private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
private-tmp

# Redirect
include electron.profile
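Review bot: `ignore shell none` (L298) and `ignore novideo` (L297) have concrete reasons this profile already shows — the program is started through bash (`private-bin bash,jitsi-meet-desktop`, L323) and a conferencing client needs the camera — yet they are filed under "Disabled until someone reported positive feedback", which invites someone to drop them later. I'd give them their own comment, e.g. `# launcher is a shell script; camera needed for calls`, and leave only `ignore nou2f` (L296) in the feedback bucket. This file also keeps `nowhitelist ${DOWNLOADS}` (L309) while atom (L25) and github-desktop (L237) use `ignore whitelist ${DOWNLOADS}` for the same purpose; as I read firejail both depend on coming before the redirect, so one idiom across the refactor would be clearer.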
15 changes: 0 additions & 15 deletions etc/profile-m-z/nuclear.profile
Expand Up @@ -10,31 +10,16 @@ ignore dbus-user

noblacklist ${HOME}/.config/nuclear

include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-shell.inc
include disable-xdg.inc

mkdir ${HOME}/.config/nuclear
whitelist ${HOME}/.config/nuclear
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

no3d
nou2f
novideo
shell none

disable-mnt
# private-bin nuclear
private-cache
private-dev
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
private-opt nuclear
private-tmp

# Redirect
include electron.profile
2 changes: 0 additions & 2 deletions etc/profile-m-z/riot-desktop.profile
Expand Up @@ -7,7 +7,5 @@ include riot-desktop.local
# added by included profile
#include globals.local

seccomp !chroot

# Redirect
include riot-web.profile
8 changes: 5 additions & 3 deletions etc/profile-m-z/riot-web.profile
Expand Up @@ -4,14 +4,16 @@
# Persistent local customizations
include riot-web.local
# Persistent global definitions
# added by included profile
#include globals.local
include globals.local

ignore noexec /tmp

noblacklist ${HOME}/.config/Riot

mkdir ${HOME}/.config/Riot
whitelist ${HOME}/.config/Riot
include whitelist-common.inc
whitelist /usr/share/chromium
whitelist /usr/share/webapps/element

# Redirect
include electron.profile
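Review bot: The new `whitelist /usr/share/webapps/element` (L393) indicates the packaged app is Element, but the home-directory whitelist still targets only `${HOME}/.config/Riot` (L387–L390); if that build stores its profile under `${HOME}/.config/Element` instead, nothing whitelists it and the app would start without persistent state — worth confirming on the distribution this was tested on and, if so, adding matching `noblacklist`/`mkdir`/`whitelist` lines for `${HOME}/.config/Element`. The `whitelist /usr/share/chromium` line (L392) is also unexplained; a comment naming what the app reads from there would tell the next maintainer why it must stay.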
20 changes: 17 additions & 3 deletions etc/profile-m-z/rocketchat.profile
Expand Up @@ -3,14 +3,28 @@
# Persistent local customizations
include rocketchat.local
# Persistent global definitions
# added by included profile
#include globals.local
include globals.local

# Disabled until someone reported positive feedback
ignore include disable-devel.inc
ignore include disable-exec.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore nou2f
ignore novideo
ignore shell none
ignore disable-mnt
ignore private-cache
ignore private-dev
ignore private-tmp

noblacklist ${HOME}/.config/Rocket.Chat

mkdir ${HOME}/.config/Rocket.Chat
whitelist ${HOME}/.config/Rocket.Chat
include whitelist-common.inc

# Redirect
include electron.profile
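Review bot: With L408–L421 in place almost everything electron.profile adds on the filesystem side is cancelled for Rocket.Chat — `disable-exec.inc`, `disable-devel.inc`, `disable-interpreters.inc`, `disable-xdg.inc`, `private-dev`, `private-tmp`, `disable-mnt`, `shell none` — so the redirect still contributes apparmor, caps, seccomp, netfilter and the dbus restrictions, but a chat client that renders remote content keeps executable, interpreter-reachable writable paths. Other Electron apps in this PR already ran under `private-dev`, `private-tmp` and `disable-mnt` (freetube L215–L220, jitsi L322–L327), so those three are the obvious ones to try before carrying the exception. Whatever survives testing should get a specific reason in the comment rather than the generic "until someone reported positive feedback", e.g. `# ignore private-tmp: <observed failure>`.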