From 807ec197d34c90500fe2f81e777c207c2a8d6e8e Mon Sep 17 00:00:00 2001 From: Irvine Date: Tue, 19 Sep 2017 10:28:36 -0400 Subject: [PATCH 1/2] Add a profile for Conky --- README.md | 3 ++- etc/conky.profile | 35 +++++++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 1 + 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 etc/conky.profile diff --git a/README.md b/README.md index 91bba52d2..7d0bccc14 100644 --- a/README.md +++ b/README.md @@ -178,4 +178,5 @@ amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter, calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, -ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart +ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, +conky diff --git a/etc/conky.profile b/etc/conky.profile new file mode 100644 index 000000000..4ee25f099 --- /dev/null +++ b/etc/conky.profile @@ -0,0 +1,35 @@ +# Firejail profile for conky +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/conky.local +# Persistent global definitions +include /etc/firejail/globals.local + + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +ipc-namespace +netfilter +no3d +nodvd +nogroups +nonewprivs +noroot +nosound +notv +novideo +protocol unix,inet,inet6 +seccomp +shell none + +disable-mnt +private-dev +private-tmp + +memory-deny-write-execute +noexec ${HOME} +noexec /tmp diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 5d6afe68b..95fc14d04 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config 
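Review bot: The new etc/conky.profile confines the filesystem only through the disable-*.inc blacklists: there is no `whitelist`, `private` or `read-only` line for ${HOME}, while `protocol unix,inet,inet6` keeps network access open. Conky can be configured to fetch and parse remote data, so a compromised process would presumably still be able to read and write most user files that the blacklists do not name. If typical conky setups tolerate it, consider adding `read-only ${HOME}` next to the `noexec ${HOME}` line, or at least document the gap with a comment such as `# ${HOME} is not whitelisted; add read-only ${HOME} or net none in conky.local if your config allows it`. A second comment should note that `noexec ${HOME}` stops conky from directly executing helper scripts kept under the home directory, which users may need to override in conky.local.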
@@ -65,6 +65,7 @@ clementine
 clipit
 cmus
 conkeror
+conky
 corebird
 cvlc
 cyberfox
From 53465691164405830513de7c701411a56adaf8eb Mon Sep 17 00:00:00 2001
From: Tad
Date: Tue, 19 Sep 2017 10:38:50 -0400
Subject: [PATCH 2/2] Update README
---
 README | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/README b/README
index e3169e161..239cd26b0 100644
--- a/README
+++ b/README
@@ -112,6 +112,10 @@ creideiki (https://github.com/creideiki)
 - make the sandbox process reap all children
 chiraag-nataraj (https://github.com/chiraag-nataraj)
 - support for newer Xpra versions (2.1+)
+ - added Viber, amule, ardour5, brackets, calligra, cin, fetchmail profiles
+ - added freecad, google-earth, imagej, kdenlive, linphone, lmms profiles
+ - added macrofusion, mpd, natron, ricochet, shotcut, tor-browser-en profiles
+ - added tor, x-terminal-emulator, zart profiles
 Christian Stadelmann (https://github.com/genodeftest)
 - profile fixes
 - evolution profile fix
@@ -241,6 +245,8 @@ Impyy (https://github.com/Impyy)
 - added mumble profile
 irregulator (https://github.com/irregulator)
 - thunderbird profile fixes for debian stretch
+Irvine (https://github.com/Irvinehimself)
+ - added conky profile
 Ivan Kozik (https://github.com/ivan)
 - speed up sandbox exit
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
@@ -307,6 +313,8 @@ Mattias Wadman (https://github.com/wader)
 - seccomp errno filter support
 Matthew Gyurgyik (https://github.com/pyther)
 - rpm spec and several fixes
+melvinvermeeren (https://github.com/melvinvermeeren)
+ - added teamspeak3 profile
 Michael Haas (https://github.com/mhaas)
 - bugfixes
 Mike Frysinger (vapier@gentoo.org)
@@ -320,6 +328,8 @@ n1trux (https://github.com/n1trux)
 netblue30 (netblue30@yahoo.com)
 Niklas Haas (https://github.com/haasn)
 - blacklisting for keybase.io's client
+nyancat18 (https://github.com/nyancat18)
+ - added ardour4, dooble, karbon, krita profiles
 Ondra Nekola (https://github.com/satai)
 - allow firefox theming with non-global themes
 Panzerfather (https://github.com/Panzerfather)