From 63b306179fb3f57c96d036de665deb5ce7db3ab7 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Tue, 25 Jul 2023 19:32:12 +0000 Subject: [PATCH] profiles: Miscellaneous cleanups (#5918) --- etc/firejail.config | 4 ++-- etc/inc/disable-interpreters.inc | 3 +-- etc/profile-a-l/1password.profile | 2 +- etc/profile-a-l/brave.profile | 4 ++-- etc/profile-a-l/cachy-browser.profile | 4 ++-- etc/profile-a-l/discord-ptb.profile | 14 +++++++------- etc/profile-a-l/firefox.profile | 4 ++-- etc/profile-a-l/gnome-calendar.profile | 2 +- etc/profile-a-l/krunner.profile | 6 +++--- etc/profile-a-l/librewolf.profile | 4 ++-- etc/profile-m-z/minetest.profile | 5 +++-- etc/profile-m-z/mpv.profile | 2 +- etc/profile-m-z/nodejs-common.profile | 2 +- etc/profile-m-z/noprofile.profile | 15 +++++++-------- etc/profile-m-z/pingus.profile | 3 ++- etc/profile-m-z/rtin.profile | 2 +- etc/profile-m-z/steam.profile | 4 ++-- etc/profile-m-z/tin.profile | 4 ++-- 18 files changed, 42 insertions(+), 42 deletions(-) diff --git a/etc/firejail.config b/etc/firejail.config index e8bf45751..c3c355e3d 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -163,12 +163,12 @@ # Xpra server command extra parameters. None by default; this is an example. # xpra-extra-params --dpi 96 -# Screen size for --x11=xvfb, default 800x600x24. The third dimension is +# Screen size for --x11=xvfb, default 800x600x24. The third dimension is # color depth; use 24 unless you know exactly what you're doing. # xvfb-screen 640x480x24 # xvfb-screen 800x600x24 # xvfb-screen 1024x768x24 # xvfb-screen 1280x1024x24 -# Xvfb command extra parameters. None by default; this is an example. +# Xvfb command extra parameters. None by default; this is an example. # xvfb-extra-params -pixdepths 8 24 32 diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index 4e3590fed..e4497f832 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc 
@@ -44,8 +44,7 @@ blacklist /usr/share/perl* # it is needed so that Firefox can run applications with Terminal=true in # their .desktop file (depending on what is installed). The reason is that # this is done via glib, which currently uses a hardcoded list of terminal -# emulators: -# https://gitlab.gnome.org/GNOME/glib/-/issues/338 +# emulators: https://gitlab.gnome.org/GNOME/glib/-/issues/338. # And in this list, rxvt comes before xterm. blacklist ${PATH}/rxvt diff --git a/etc/profile-a-l/1password.profile b/etc/profile-a-l/1password.profile index 690086099..63a04330b 100644 --- a/etc/profile-a-l/1password.profile +++ b/etc/profile-a-l/1password.profile @@ -13,7 +13,7 @@ whitelist ${HOME}/.config/1Password private-etc @tls-ca -# Needed for keychain things, talking to Firefox, possibly other things? Not sure how to narrow down +# Needed for keychain things, talking to Firefox, possibly other things? ignore dbus-user none # Redirect diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile index 071a279b0..b3994c974 100644 --- a/etc/profile-a-l/brave.profile +++ b/etc/profile-a-l/brave.profile @@ -9,8 +9,8 @@ include globals.local # noexec /tmp is included in chromium-common.profile and breaks Brave ignore noexec /tmp # TOR is installed in ${HOME}. -# NOTE: chromium-common.profile enables apparmor. To keep that intact -# you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default. +# Note: chromium-common.profile enables apparmor. To keep that intact, +# uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default. # Alternatively you can add 'ignore apparmor' to your brave.local. ignore noexec ${HOME} # Causes slow starts (#4604) diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile index 4b486913e..05e1a69f1 100644 --- a/etc/profile-a-l/cachy-browser.profile +++ b/etc/profile-a-l/cachy-browser.profile 
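Review bot: The reworded comment above `ignore dbus-user none` in 1password.profile drops the one hint that this relaxation is unscoped: the removed "Not sure how to narrow down" recorded that the session bus is left unfiltered because the names 1Password actually needs are unknown. As far as the hunk shows, cancelling `dbus-user none` with nothing in its place leaves the app with unrestricted session-bus access, which is the kind of gap a later maintainer should be able to find by grepping for a TODO rather than by reading git history. I'd keep the caveat explicitly, e.g. `# TODO: narrow to dbus-user filter with explicit dbus-user.talk rules once the required names are known.` The `dbus-user none` being overridden is presumably in the redirected profile, outside this hunk.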
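Review bot: The reworded note above `ignore noexec ${HOME}` in brave.profile still reads as if it only concerns Tor users, but the directive is unconditional: every Brave user loses the noexec mount on ${HOME} whether or not they ever use the built-in Tor, and the "Alternatively you can add 'ignore apparmor'" escape hatch disables the AppArmor layer for the whole sandbox, not just for Tor. Since this is the comment users will read before weakening the profile, I'd state both consequences plainly, e.g. `# This applies to all users, not only Tor users: it removes the noexec mount on ${HOME}.` and, for the alternative, `# 'ignore apparmor' disables AppArmor confinement for the entire sandbox.` Whether a non-Tor user can re-add `noexec ${HOME}` from brave.local after this `ignore` depends on ignore ordering that the hunk does not show, so I would not promise that without checking.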
@@ -20,14 +20,14 @@ whitelist /usr/share/cachy-browser #whitelist ${HOME}/.mozilla # To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local. -# NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them. +# Note: Start KeePassXC before CachyBrowser and keep it open to allow communication between them. #whitelist ${RUNUSER}/kpxc_server #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux). #private-bin dbus-launch,dbus-send,cachy-browser,sh # Add the next line to your cachy-browser.local to enable private-etc. -# NOTE: private-etc must first be enabled in firefox-common.local. +# Note: private-etc must first be enabled in firefox-common.local. #private-etc cachy-browser dbus-user filter diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile index c39c0d843..265bf5615 100644 --- a/etc/profile-a-l/discord-ptb.profile +++ b/etc/profile-a-l/discord-ptb.profile @@ -1,17 +1,17 @@ -# Firejail profile for discord-ptb +# Firejail profile for discord-ptb # This file is overwritten after every install/update # Persistent local customizations -include discord-ptb.local +include discord-ptb.local # Persistent global definitions include globals.local -noblacklist ${HOME}/.config/discordptb +noblacklist ${HOME}/.config/discordptb -mkdir ${HOME}/.config/discordptb -whitelist ${HOME}/.config/discordptb +mkdir ${HOME}/.config/discordptb +whitelist ${HOME}/.config/discordptb -private-bin discord-ptb,DiscordPTB -private-opt discord-ptb,DiscordPTB +private-bin discord-ptb,DiscordPTB +private-opt discord-ptb,DiscordPTB # Redirect include discord-common.profile diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index c5fb15f74..659519ca8 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile 
@@ -6,7 +6,7 @@ include firefox.local # Persistent global definitions include globals.local -# NOTE: sandboxing web browsers is as important as it is complex. Users might be +# Note: Sandboxing web browsers is as important as it is complex. Users might be # interested in creating custom profiles depending on use case (e.g. one for # general browsing, another for banking, ...). Consult our FAQ/issue tracker for more # info. Here are a few links to get you going. @@ -30,7 +30,7 @@ whitelist ${HOME}/.cache/mozilla/firefox whitelist ${HOME}/.mozilla # Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support. -# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them. +# Note: Start KeePassXC before Firefox and keep it open to allow communication between them. #whitelist ${RUNUSER}/kpxc_server #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index 70a302138..ddfe57879 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile @@ -53,7 +53,7 @@ dbus-user.talk ca.desrt.dconf dbus-user.talk org.gnome.evolution.dataserver.* #dbus-user.talk org.gnome.OnlineAccounts #dbus-user.talk org.gnome.ControlCenter -# NOTE: dbus-system none fails, filter without rules works. +# Note: dbus-system none fails, filter without rules works. dbus-system filter #dbus-system.talk org.freedesktop.timedate1 #dbus-system.talk org.freedesktop.login1 diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile index 27feccf40..a0244ef47 100644 --- a/etc/profile-a-l/krunner.profile +++ b/etc/profile-a-l/krunner.profile 
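Review bot: The note above `dbus-system filter` in gnome-calendar.profile records a symptom ("dbus-system none fails") but neither what fails nor why an empty filter is acceptable, so a reader cannot tell whether `dbus-system filter` with no `.talk` rules is the intended end state or a placeholder for rules still to be found. I'd record the observed failure and the reasoning, e.g. `# Note: dbus-system none breaks startup (presumably the app needs the bus socket to exist); filter with no talk rules keeps the socket but, as I understand the proxy, grants no system-bus names.` — with the first clause adjusted to what was actually observed. The commented-out `dbus-system.talk` lines below it suggest someone already considered candidate rules; if they were tested and found unnecessary, saying so would stop the next person re-testing them.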
@@ -6,9 +6,9 @@ include krunner.local # Persistent global definitions include globals.local -# - programs started in krunner run with this generic profile -# - when a file is opened in krunner, the file viewer runs in its own sandbox -# with its own profile, if it is sandboxed automatically +# Programs started in krunner run with this generic profile. +# When a file is opened in krunner, the file viewer runs in its own sandbox +# with its own profile, if it is sandboxed automatically. # noblacklist ${HOME}/.cache/krunner # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 7ddbda18c..65a4a3787 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile @@ -19,7 +19,7 @@ whitelist ${HOME}/.librewolf #whitelist ${HOME}/.mozilla # To enable KeePassXC Plugin add one of the following lines to your librewolf.local. -# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them. +# Note: Start KeePassXC before Librewolf and keep it open to allow communication between them. #whitelist ${RUNUSER}/kpxc_server #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer @@ -28,7 +28,7 @@ whitelist /usr/share/librewolf # Add the next line to your librewolf.local to enable private-bin (Arch Linux). #private-bin dbus-launch,dbus-send,librewolf,sh # Add the next line to your librewolf.local to enable private-etc. -# NOTE: private-etc must first be enabled in firefox-common.local. +# Note: private-etc must first be enabled in firefox-common.local. #private-etc librewolf dbus-user filter diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile index 15474c96e..7b0135695 100644 --- a/etc/profile-m-z/minetest.profile +++ b/etc/profile-m-z/minetest.profile 
@@ -6,8 +6,9 @@ include minetest.local # Persistent global definitions include globals.local -# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf: -# screenshot_path = /home//.minetest/screenshots +# In order to save in-game screenshots to a persistent location, +# edit ~/.minetest/minetest.conf: +# screenshot_path = /home//.minetest/screenshots noblacklist ${HOME}/.cache/minetest noblacklist ${HOME}/.minetest diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index bd01d4082..fd35483be 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile @@ -9,7 +9,7 @@ include globals.local # In order to save screenshots to a persistent location, # edit ~/.config/mpv/foobar.conf: -# screenshot-directory=~/Pictures +# screenshot-directory=~/Pictures # mpv has a powerful Lua API and some of the Lua scripts interact with # external resources which are blocked by firejail. In such cases you need to diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index f3b0c8a49..4c463521c 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile @@ -7,7 +7,7 @@ include nodejs-common.local # added by caller profile #include globals.local -# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts +# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts # using the `#!/usr/bin/env node` shebang. By sandboxing node the full # node.js stack will be firejailed. The only exception is nvm, which is implemented # as a sourced shell function, not an executable binary. Hence it is not diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile index db4113f94..7d0e01d98 100644 --- a/etc/profile-m-z/noprofile.profile +++ b/etc/profile-m-z/noprofile.profile 
@@ -1,17 +1,16 @@ # This is the weakest possible firejail profile. -# If a program still fail with this profile, it is incompatible with firejail. +# If a program still fails with this profile, it is incompatible with firejail. # (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72) # # Usage: -# 1. download -# 2. firejail --profile=noprofile.profile /path/to/program +# $ firejail --profile=noprofile.profile /path/to/program # Keep in mind that even with this profile some things are done -# which can break the program. -# - some env-vars are cleared -# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes' -# - a new private pid-namespace is created -# - a minimal hardcoded blacklist is applied +# which can break the program: +# - some env-vars are cleared; +# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'; +# - a new private pid-namespace is created; +# - a minimal hardcoded blacklist is applied; # - ... noblacklist /sys/fs diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile index 3ff033e0b..e274b6443 100644 --- a/etc/profile-m-z/pingus.profile +++ b/etc/profile-m-z/pingus.profile @@ -23,8 +23,9 @@ include disable-xdg.inc mkdir ${HOME}/.pingus whitelist ${HOME}/.pingus +# Debian keeps games data under /usr/share/games +whitelist /usr/share/games/pingus whitelist /usr/share/pingus -whitelist /usr/share/games/pingus # Debian keeps games data under /usr/share/games include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile index 87aa69bcb..b1acf8b2e 100644 --- a/etc/profile-m-z/rtin.profile +++ b/etc/profile-m-z/rtin.profile 
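Review bot: The pingus.profile change is a functional fix rather than a cleanup: the old `whitelist /usr/share/games/pingus # Debian keeps games data under /usr/share/games` carried a trailing comment, and firejail profiles, as every other comment in this patch shows, use only full-line `#` comments, so that line most likely passed the comment text as part of the path and never whitelisted /usr/share/games/pingus on Debian. The new layout (comment on its own line, then `whitelist /usr/share/games/pingus`) is the right fix, but it deserves a mention in the commit message so the behaviour change is not hidden under "Miscellaneous cleanups", and ideally a check that Pingus now finds its data on Debian with the whitelist active. A one-line marker such as `# Debian keeps games data under /usr/share/games (must be its own line: trailing comments are not supported)` would also stop the pattern being reintroduced.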
@@ -1,6 +1,6 @@ # Firejail profile for rtin # Description: ncurses-based Usenet newsreader -# symlink to tin, same as `tin -r` +# symlink to tin, same as `tin -r` # This file is overwritten after every install/update # Persistent local customizations include rtin.local diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 63d629a32..99317c9dc 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile @@ -133,9 +133,9 @@ whitelist ${HOME}/.steampid include whitelist-common.inc include whitelist-var-common.inc -# NOTE: The following were intentionally left out as they are alternative +# Note: The following were intentionally left out as they are alternative # (i.e.: unnecessary and/or legacy) paths whose existence may potentially -# clobber other paths (see #4225). If you use any, either add the entry to +# clobber other paths (see #4225). If you use any, either add the entry to # steam.local or move the contents to a path listed above (or open an issue if # it's missing above). #mkdir ${HOME}/.config/RogueLegacyStorageContainer diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile index a03a6caa0..35ff14e88 100644 --- a/etc/profile-m-z/tin.profile +++ b/etc/profile-m-z/tin.profile @@ -24,8 +24,8 @@ include disable-xdg.inc mkdir ${HOME}/.tin mkfile ${HOME}/.newsrc # Note: files/directories directly in ${HOME} can't be whitelisted, as -# tin saves .newsrc by renaming a temporary file, which is not possible for -# bind-mounted files. +# tin saves .newsrc by renaming a temporary file, which is not possible for +# bind-mounted files. #whitelist ${HOME}/.newsrc #whitelist ${HOME}/.tin #include whitelist-common.inc