From c8f9a60085d99476fc737c2de98e2b04c5221430 Mon Sep 17 00:00:00 2001
From: Gabriel
Date: Sun, 14 Jul 2024 13:50:29 -0700
Subject: [PATCH 01/12] add irssi
---
 etc/profile-a-l/irssi.profile | 67 +++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 etc/profile-a-l/irssi.profile
diff --git a/etc/profile-a-l/irssi.profile b/etc/profile-a-l/irssi.profile
new file mode 100644
index 000000000..bee225260
--- /dev/null
+++ b/etc/profile-a-l/irssi.profile
@@ -0,0 +1,67 @@
+# Firejail profile for irssi
+# Description: IRC client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include irssi.local
+
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.irssi/
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.irssi/
+whitelist ${HOME}/.irssi/
+
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+# NOTE: comments here are things that can be improved, if you can spare the time.
+##seccomp.drop SYSCALLS (see syscalls.txt)
+##seccomp-error-action log (only for debugging seccomp issues)
+#shell none
+#tracelog
+disable-mnt
+##private-opt NAME
+#private-tmp
+##writable-run-user
+##writable-var
+##writable-var-log
+
+dbus-user none
+dbus-system none
+
+# NOTE: almost sure this thing uses perl, but all seems to work without allowing it.
+
+##deterministic-shutdown
+##env VAR=VALUE
+##join-or-start NAME
+#memory-deny-write-execute
+##noexec PATH
+##read-only ${HOME}
+##read-write ${HOME}
+restrict-namespaces
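Review bot: Nothing in the 67 added lines restricts /usr/bin or /etc beyond what the disable-*.inc blacklists name, because the profile has no `private-bin` or `private-etc` line. irssi parses untrusted data from IRC servers, so it is worth limiting what a compromised process can see: consider `private-bin irssi` and, on a firejail version that supports etc groups, `private-etc @network,@tls-ca` next to `disable-mnt`. Both need a test of DNS resolution and a TLS connection inside the sandbox before they go in. If one of them breaks a common setup, keep it as a commented line with the reason so the next reviewer does not retry it blind.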
From 6e3b817c47937148da5969bfcc0178f87a737202 Mon Sep 17 00:00:00 2001 From: Gabriel Date: Mon, 18 Nov 2024 20:03:24 +0000 Subject: [PATCH 02/12] reviewer suggestion Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> --- etc/profile-a-l/irssi.profile | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/profile-a-l/irssi.profile b/etc/profile-a-l/irssi.profile index bee225260..91a393ff2 100644 --- a/etc/profile-a-l/irssi.profile +++ b/etc/profile-a-l/irssi.profile @@ -3,7 +3,6 @@ # This file is overwritten after every install/update # Persistent local customizations include irssi.local - # Persistent global definitions include globals.local From dc3bad9087ba4700b4d960271f643dace32e6772 Mon Sep 17 00:00:00 2001 From: Gabriel Date: Mon, 18 Nov 2024 20:03:36 +0000 Subject: [PATCH 03/12] reviewer suggestion Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> --- etc/profile-a-l/irssi.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/profile-a-l/irssi.profile b/etc/profile-a-l/irssi.profile index 91a393ff2..2b2c0dc61 100644 --- a/etc/profile-a-l/irssi.profile +++ b/etc/profile-a-l/irssi.profile @@ -6,7 +6,7 @@ include irssi.local # Persistent global definitions include globals.local -noblacklist ${HOME}/.irssi/ +noblacklist ${HOME}/.irssi include disable-common.inc include disable-devel.inc From b2d2934a50fc53b5f29df2799a08f68c71faa0fd Mon Sep 17 00:00:00 2001 From: Gabriel Date: Mon, 18 Nov 2024 20:03:48 +0000 Subject: [PATCH 04/12] reviewer suggestion Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> --- etc/profile-a-l/irssi.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/profile-a-l/irssi.profile b/etc/profile-a-l/irssi.profile index 2b2c0dc61..469a7aca9 100644 --- a/etc/profile-a-l/irssi.profile +++ b/etc/profile-a-l/irssi.profile 
@@ -19,8 +19,8 @@ include disable-write-mnt.inc include disable-X11.inc include disable-xdg.inc -mkdir ${HOME}/.irssi/ -whitelist ${HOME}/.irssi/ +mkdir ${HOME}/.irssi +whitelist ${HOME}/.irssi #include whitelist-usr-share-common.inc #include whitelist-var-common.inc From d74e17a6aefe728a76b86e9b1c1e5fc6cd38000a Mon Sep 17 00:00:00 2001 From: gcb <56283+gcb@users.noreply.github.com> Date: Mon, 18 Nov 2024 20:15:15 +0000 Subject: [PATCH 05/12] address reviewer comments --- etc/profile-a-l/irssi.profile | 13 ++++++------- src/firecfg/firecfg.config | 1 + 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/etc/profile-a-l/irssi.profile b/etc/profile-a-l/irssi.profile index 469a7aca9..cc5bbb68f 100644 --- a/etc/profile-a-l/irssi.profile +++ b/etc/profile-a-l/irssi.profile @@ -6,7 +6,7 @@ include irssi.local # Persistent global definitions include globals.local -noblacklist ${HOME}/.irssi +blacklist ${RUNUSER}/wayland-* include disable-common.inc include disable-devel.inc @@ -15,13 +15,13 @@ include disable-interpreters.inc include disable-proc.inc include disable-programs.inc include disable-shell.inc -include disable-write-mnt.inc include disable-X11.inc include disable-xdg.inc -mkdir ${HOME}/.irssi -whitelist ${HOME}/.irssi +mkdir ${HOME}/.irssi/ +whitelist ${HOME}/.irssi/ +include whitelist-common.inc #include whitelist-usr-share-common.inc #include whitelist-var-common.inc @@ -45,11 +45,10 @@ seccomp #shell none #tracelog disable-mnt +private-cache +private-dev ##private-opt NAME #private-tmp -##writable-run-user -##writable-var -##writable-var-log dbus-user none dbus-system none diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index e0c6256b5..49f750e9b 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -449,6 +449,7 @@ ipcalc ipcalc-ng iridium iridium-browser +irssi jami jd-gui jdownloader From ce307ddd6d02ae4bb8c800f3dcf9bafdb25ca350 Mon Sep 17 00:00:00 2001 
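Review bot: In the `@@ -15,13 +15,13 @@` hunk of PATCH 05, `mkdir ${HOME}/.irssi/` and `whitelist ${HOME}/.irssi/` bring back the trailing slash that PATCH 04 had just removed. The hunk also leaves undocumented that `~/.irssi` is the only whitelisted home path, which makes everything else under the home directory a temporary filesystem. As far as I know irssi's default `autolog_path` is under `~/irclogs` and its default `dcc_download_path` is `~`, so chat logs and received files would be lost when the sandbox exits; please confirm against the irssi defaults. Use the slash-less form, and add a comment above the `mkdir` line such as `# Logs or DCC downloads outside ~/.irssi need an extra whitelist in irssi.local.`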
From: gcb <56283+gcb@users.noreply.github.com> Date: Mon, 18 Nov 2024 20:29:48 +0000 Subject: [PATCH 06/12] default whitelists --- etc/profile-a-l/irssi.profile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/profile-a-l/irssi.profile b/etc/profile-a-l/irssi.profile index cc5bbb68f..2594e5730 100644 --- a/etc/profile-a-l/irssi.profile +++ b/etc/profile-a-l/irssi.profile @@ -22,8 +22,8 @@ mkdir ${HOME}/.irssi/ whitelist ${HOME}/.irssi/ include whitelist-common.inc -#include whitelist-usr-share-common.inc -#include whitelist-var-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc caps.drop all netfilter @@ -53,7 +53,7 @@ private-dev dbus-user none dbus-system none -# NOTE: almost sure this thing uses perl, but all seems to work without allowing it. +# NOTE: almost sure irssi uses perl, but all seems to work without allowing it. ##deterministic-shutdown ##env VAR=VALUE From 2c050099dc25badfe2db05be2a04669f5085a1e7 Mon Sep 17 00:00:00 2001 From: gcb <56283+gcb@users.noreply.github.com> Date: Mon, 18 Nov 2024 20:36:26 +0000 Subject: [PATCH 07/12] reviewer improvements --- etc/profile-a-l/irssi.profile | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/etc/profile-a-l/irssi.profile b/etc/profile-a-l/irssi.profile index 2594e5730..b51d20a4a 100644 --- a/etc/profile-a-l/irssi.profile +++ b/etc/profile-a-l/irssi.profile 
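Review bot: Enabling `include whitelist-usr-share-common.inc` in the `@@ -22,8 +22,8 @@` hunk of PATCH 06 makes /usr/share whitelist-only, yet no line whitelists irssi's own data directory. Distributions usually install irssi's help files, themes and bundled scripts under /usr/share/irssi, so `/help` and theme loading may stop working inside the sandbox; this is inferred from common packaging and should be verified. If it is confirmed, add `whitelist /usr/share/irssi` on the line before the include, as other profiles do for their application directory.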
@@ -39,27 +39,16 @@ nou2f novideo protocol unix,inet,inet6 seccomp -# NOTE: comments here are things that can be improved, if you can spare the time. -##seccomp.drop SYSCALLS (see syscalls.txt) -##seccomp-error-action log (only for debugging seccomp issues) -#shell none -#tracelog +seccomp.block-secondary + disable-mnt private-cache private-dev -##private-opt NAME -#private-tmp +private-tmp dbus-user none dbus-system none # NOTE: almost sure irssi uses perl, but all seems to work without allowing it. -##deterministic-shutdown -##env VAR=VALUE -##join-or-start NAME -#memory-deny-write-execute -##noexec PATH -##read-only ${HOME} -##read-write ${HOME} restrict-namespaces From 0a5466f09fe4e90f6a7765b7a75fdb21359b9003 Mon Sep 17 00:00:00 2001 From: gcb <56283+gcb@users.noreply.github.com> Date: Tue, 19 Nov 2024 12:31:48 +0000 Subject: [PATCH 08/12] no tpm,input --- etc/profile-a-l/irssi.profile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/profile-a-l/irssi.profile b/etc/profile-a-l/irssi.profile index b51d20a4a..0382a10ef 100644 --- a/etc/profile-a-l/irssi.profile +++ b/etc/profile-a-l/irssi.profile @@ -30,10 +30,12 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noprinters noroot nosound +notpm notv nou2f novideo From a27ffa4e1fa440f5ba3406fdb1c5941452361777 Mon Sep 17 00:00:00 2001 From: gcb <56283+gcb@users.noreply.github.com> Date: Tue, 19 Nov 2024 12:45:46 +0000 Subject: [PATCH 09/12] irssi programs, reviewer comments --- etc/inc/disable-programs.inc | 1 + etc/profile-a-l/irssi.profile | 12 +++++++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 0f8a2e7e3..e83cf99fc 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc 
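Review bot: The `@@ -39,27 +39,16 @@` hunk of PATCH 07 deletes the commented candidates `#memory-deny-write-execute` and `#tracelog` along with the template leftovers, and the commit message does not say whether either was tried. irssi's core is plain C without a JIT, so `memory-deny-write-execute` is likely to work, although the embedded Perl interpreter should be checked with a script loaded. It deserves a test run before being dropped. If it does break something, keep a single comment line such as `# memory-deny-write-execute breaks <feature>` so the decision stays recorded in the profile.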
@@ -777,6 +777,7 @@ blacklist ${HOME}/.i2p blacklist ${HOME}/.icedove blacklist ${HOME}/.imagej blacklist ${HOME}/.inkscape +blacklist ${HOME}/.irssi/ blacklist ${HOME}/.itch blacklist ${HOME}/.ivy2 blacklist ${HOME}/.jack-server diff --git a/etc/profile-a-l/irssi.profile b/etc/profile-a-l/irssi.profile index 0382a10ef..7ac2c34a0 100644 --- a/etc/profile-a-l/irssi.profile +++ b/etc/profile-a-l/irssi.profile @@ -6,6 +6,11 @@ include irssi.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.irssi + +# add next line to irssi.local if you use perl scripting +#include allow-perl.inc + blacklist ${RUNUSER}/wayland-* include disable-common.inc @@ -18,9 +23,8 @@ include disable-shell.inc include disable-X11.inc include disable-xdg.inc -mkdir ${HOME}/.irssi/ -whitelist ${HOME}/.irssi/ - +mkdir ${HOME}/.irssi +whitelist ${HOME}/.irssi include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -51,6 +55,4 @@ private-tmp dbus-user none dbus-system none -# NOTE: almost sure irssi uses perl, but all seems to work without allowing it. - restrict-namespaces From 7dacdf95e6b795ce0a4f0f19d3ce7d1331a18464 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Tue, 19 Nov 2024 17:54:01 +0000 Subject: [PATCH 10/12] Update etc/inc/disable-programs.inc --- etc/inc/disable-programs.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index e83cf99fc..e7834a933 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc @@ -777,7 +777,7 @@ blacklist ${HOME}/.i2p blacklist ${HOME}/.icedove blacklist ${HOME}/.imagej blacklist ${HOME}/.inkscape -blacklist ${HOME}/.irssi/ +blacklist ${HOME}/.irssi blacklist ${HOME}/.itch blacklist ${HOME}/.ivy2 blacklist ${HOME}/.jack-server From c19692f443f354277906aaabee9d4284f0d6584d Mon Sep 17 00:00:00 2001 
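Review bot: The comment added in the `@@ -6,6 +6,11 @@` hunk of PATCH 09 tells users to enable `allow-perl.inc` without mentioning that the script directory sits inside the whitelisted, writable `${HOME}/.irssi`. With Perl allowed, anything the sandboxed process writes under `~/.irssi/scripts` can be loaded again on the next start, which weakens the isolation the profile otherwise provides. I would extend the comment with a second optional line, `#read-only ${HOME}/.irssi/scripts`, and note that it prevents installing or updating scripts from inside irssi.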
From: "Kelvin M. Klann" Date: Mon, 25 Nov 2024 00:05:51 -0300 Subject: [PATCH 11/12] profiles: irssi: improve description --- etc/profile-a-l/irssi.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/profile-a-l/irssi.profile b/etc/profile-a-l/irssi.profile index 7ac2c34a0..51e6fbab8 100644 --- a/etc/profile-a-l/irssi.profile +++ b/etc/profile-a-l/irssi.profile @@ -1,5 +1,5 @@ # Firejail profile for irssi -# Description: IRC client +# Description: TUI IRC client # This file is overwritten after every install/update # Persistent local customizations include irssi.local From f83f81bf5639b59da5deb2afc02b9b4170376ae5 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 24 Nov 2024 23:57:52 -0300 Subject: [PATCH 12/12] profiles: irssi: improve allow-perl comment --- etc/profile-a-l/irssi.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/profile-a-l/irssi.profile b/etc/profile-a-l/irssi.profile index 51e6fbab8..50a931ded 100644 --- a/etc/profile-a-l/irssi.profile +++ b/etc/profile-a-l/irssi.profile @@ -8,7 +8,7 @@ include globals.local noblacklist ${HOME}/.irssi -# add next line to irssi.local if you use perl scripting +# Add the next line to irssi.local if you use perl scripting. #include allow-perl.inc blacklist ${RUNUSER}/wayland-*