Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor electron.profile and electron based programs #3807

Merged
merged 9 commits into from
Dec 17, 2020
Merged

Refactor electron.profile and electron based programs #3807

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
570d56b
Refactor electron.profile and electron based programs (1)
rusty-snake Dec 10, 2020
eea9e58
Refactor electron.profile and electron based programs (2) [skip ci]
rusty-snake Dec 10, 2020
da8feda
Refactor electron.profile and electron based programs (3)
rusty-snake Dec 10, 2020
8e9f3b9
Refactor electron.profile and electron based programs (4)
rusty-snake Dec 11, 2020
6362944
Refactor electron.profile and electron based programs (5)
rusty-snake Dec 11, 2020
47a0018
Refactor electron.profile and electron based programs (6)
rusty-snake Dec 11, 2020
89a9a24
Refactor electron.profile and electron based programs (7)
rusty-snake Dec 11, 2020
c1e9eb7
Refactor electron.profile and electron based programs (8)
rusty-snake Dec 12, 2020
723fad7
Merge branch 'master' into refactor-electron
rusty-snake Dec 16, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 14 additions & 18 deletions etc/profile-a-l/atom.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,31 +6,27 @@ include atom.local
# Persistent global definitions
include globals.local

# Disabled until someone reported positive feedback
ignore include disable-devel.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor
ignore disable-mnt

noblacklist ${HOME}/.atom
noblacklist ${HOME}/.config/Atom

# Allows files commonly used by IDEs
include allow-common-devel.inc

include disable-common.inc
include disable-exec.inc
include disable-passwdmgr.inc
include disable-programs.inc

caps.keep sys_admin,sys_chroot
# net none
netfilter
nodvd
nogroups
nosound
notv
nou2f
novideo
shell none

private-cache
private-dev
private-tmp

dbus-user none
dbus-system none
# Redirect
include electron.profile
21 changes: 15 additions & 6 deletions etc/profile-a-l/beaker.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,17 +3,26 @@
# Persistent local customizations
include beaker.local
# Persistent global definitions
# added by included profile
#include globals.local
include globals.local

noblacklist ${HOME}/.config/Beaker Browser
# Disabled until someone reported positive feedback
ignore include disable-exec.inc
ignore include disable-xdg.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore nou2f
ignore novideo
ignore shell none
ignore disable-mnt
ignore private-cache
ignore private-dev
ignore private-tmp

include disable-devel.inc
include disable-interpreters.inc
noblacklist ${HOME}/.config/Beaker Browser

mkdir ${HOME}/.config/Beaker Browser
whitelist ${HOME}/.config/Beaker Browser
include whitelist-common.inc

# Redirect
include electron.profile
37 changes: 14 additions & 23 deletions etc/profile-a-l/discord-common.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,33 +6,24 @@ include discord-common.local
# added by caller profile
#include globals.local

ignore noexec ${HOME}
# Disabled until someone reported positive feedback
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore apparmor
ignore disable-mnt
ignore private-cache
ignore dbus-user none
ignore dbus-system none

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-passwdmgr.inc
include disable-programs.inc
ignore noexec ${HOME}

whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/BetterDiscord
whitelist ${HOME}/.local/share/betterdiscordctl
include whitelist-common.inc
include whitelist-var-common.inc

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp !chroot

private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
private-dev
private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
private-tmp

# Redirect
include electron.profile
28 changes: 21 additions & 7 deletions etc/profile-a-l/electron.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,25 +3,39 @@
# This file is overwritten after every install/update
# Persistent local customizations
include electron.local
# Persistent global definitions
include globals.local

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

whitelist ${DOWNLOADS}
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# Uncomment the next line (or add it to your chromium-common.local)
# if your kernel allows unprivileged userns clone.
#include chromium-common-hardened.inc

apparmor
caps.drop all
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
seccomp
nou2f
novideo
shell none

disable-mnt
private-cache
private-dev
private-tmp

dbus-user none
dbus-system none
11 changes: 0 additions & 11 deletions etc/profile-a-l/freetube.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,24 +8,13 @@ include globals.local

noblacklist ${HOME}/.config/FreeTube

include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-shell.inc
include disable-xdg.inc

mkdir ${HOME}/.config/FreeTube
whitelist ${HOME}/.config/FreeTube

seccomp !chroot
shell none

disable-mnt
private-bin freetube
private-cache
private-dev
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
private-tmp

# Redirect
include electron.profile
46 changes: 19 additions & 27 deletions etc/profile-a-l/github-desktop.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,43 +6,35 @@ include github-desktop.local
# Persistent global definitions
include globals.local

# Note: On debian-based distributions the binary might be located in
# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
# If that's the case you can start GitHub Desktop with firejail via
# `firejail "/opt/GitHub Desktop/github-desktop"`.

# Disabled until someone reported positive feedback
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor
ignore dbus-user none
ignore dbus-system none

noblacklist ${HOME}/.config/GitHub Desktop
noblacklist ${HOME}/.config/git
noblacklist ${HOME}/.gitconfig
noblacklist ${HOME}/.git-credentials

include disable-common.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc

caps.drop all
netfilter
# no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp !chroot

# Note: On debian-based distributions the binary might be located in
# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
# If that's the case you can start GitHub Desktop with firejail via
# `firejail "/opt/GitHub Desktop/github-desktop"`.

disable-mnt
# private-bin github-desktop
private-cache
?HAS_APPIMAGE: ignore private-dev
private-dev
# private-lib
private-tmp

# memory-deny-write-execute

# Redirect
include electron.profile
22 changes: 5 additions & 17 deletions etc/profile-a-l/jitsi-meet-desktop.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,34 +6,22 @@ include jitsi-meet-desktop.local
# Persistent global definitions
include globals.local

# Disabled until someone reported positive feedback
ignore nou2f
ignore novideo
ignore shell none

ignore noexec /tmp

noblacklist ${HOME}/.config/Jitsi Meet

include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-xdg.inc

nowhitelist ${DOWNLOADS}

mkdir ${HOME}/.config/Jitsi Meet

whitelist ${HOME}/.config/Jitsi Meet

include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-runuser-common.inc
include whitelist-var-common.inc

seccomp !chroot

disable-mnt
private-bin bash,jitsi-meet-desktop
private-cache
private-dev
private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
private-tmp

# Redirect
include electron.profile
15 changes: 0 additions & 15 deletions etc/profile-m-z/nuclear.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,31 +10,16 @@ ignore dbus-user

noblacklist ${HOME}/.config/nuclear

include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-shell.inc
include disable-xdg.inc

mkdir ${HOME}/.config/nuclear
whitelist ${HOME}/.config/nuclear
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

no3d
nou2f
novideo
shell none

disable-mnt
# private-bin nuclear
private-cache
private-dev
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
private-opt nuclear
private-tmp

# Redirect
include electron.profile
2 changes: 0 additions & 2 deletions etc/profile-m-z/riot-desktop.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,5 @@ include riot-desktop.local
# added by included profile
#include globals.local

seccomp !chroot

# Redirect
include riot-web.profile
8 changes: 5 additions & 3 deletions etc/profile-m-z/riot-web.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,16 @@
# Persistent local customizations
include riot-web.local
# Persistent global definitions
# added by included profile
#include globals.local
include globals.local

ignore noexec /tmp

noblacklist ${HOME}/.config/Riot

mkdir ${HOME}/.config/Riot
whitelist ${HOME}/.config/Riot
include whitelist-common.inc
whitelist /usr/share/chromium
whitelist /usr/share/webapps/element

# Redirect
include electron.profile
20 changes: 17 additions & 3 deletions etc/profile-m-z/rocketchat.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,28 @@
# Persistent local customizations
include rocketchat.local
# Persistent global definitions
# added by included profile
#include globals.local
include globals.local

# Disabled until someone reported positive feedback
ignore include disable-devel.inc
ignore include disable-exec.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore nou2f
ignore novideo
ignore shell none
ignore disable-mnt
ignore private-cache
ignore private-dev
ignore private-tmp

noblacklist ${HOME}/.config/Rocket.Chat

mkdir ${HOME}/.config/Rocket.Chat
whitelist ${HOME}/.config/Rocket.Chat
include whitelist-common.inc

# Redirect
include electron.profile
Loading