New profiles: apostrophe & quadrapassel

README.md

@@ -196,4 +196,4 @@ gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnom
 penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
 four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
 hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
-seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime
+seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im

RELNOTES

@@ -10,9 +10,11 @@ firejail (0.9.63) baseline; urgency=low
     With this version Nodbus is deprecated, in favor of dbus-user none and
     dbus-system none and will be removed in a future version.
   * DHCP client support
+  * firecfg only fix dektop-files if started with sudo
   * SELinux labeling support
   * custom 32-bit seccomp filter support
   * restrict ${RUNUSER} in several profiles
+  * blacklist shells such as bash in several profiles
   * whitelist globbing
   * mkdir and mkfile support for /run/user directory
   * new condition: HAS_NOSOUND
@@ -33,7 +35,7 @@ firejail (0.9.63) baseline; urgency=low
   * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
   * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
   * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop
-  * new profiles: nicotine, plv, mocp
+  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
  -- netblue30 <netblue30@yahoo.com>  Tue, 21 Apr 2020 08:00:00 -0500
 
 firejail (0.9.62) baseline; urgency=low

etc/inc/disable-programs.inc

@@ -636,6 +636,7 @@ blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/quadrapassel
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina

etc/profile-a-l/apostrophe.profile

@@ -0,0 +1,69 @@
+# Firejail profile for apostrophe
+# Description: Distraction free Markdown editor for GNU/Linux made with GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include apostrophe.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/apostrophe
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin apostrophe,python3*
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+# private-etc templates (see also #1734, #2093)
+#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
+#    Extra: magic,magic.mgc,passwd,group
+#  Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
+#    Extra: proxychains.conf,gai.conf
+#  Sound: alsa,asound.conf,pulse,machine-id
+#  GUI: fonts,pango,X11
+#  GTK: dconf,gconf,gtk-2.0,gtk-3.0
+#  Qt: Trolltech.conf
+#  KDE: kde4rc,kde5rc
+#  3D: drirc,glvnd,bumblebee,nvidia
+#  D-Bus: dbus-1,machine-id
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.gitlab.somas.Apostrophe
+dbus-user.talk ca.desrt.dconf
+dbus-system none

etc/profile-a-l/emacs.profile

@@ -19,10 +19,6 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-# Comment out if you want an immutable configuration
-read-write ${HOME}/.emacs
-read-write ${HOME}/.emacs.d
-
 caps.drop all
 netfilter
 nodvd
@@ -33,3 +29,6 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
+
+read-write ${HOME}/.emacs
+read-write ${HOME}/.emacs.d

etc/profile-a-l/file-roller.profile

@@ -42,3 +42,5 @@ private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,xdg
 # private-tmp
+
+dbus-system none

etc/profile-m-z/quadrapassel.profile

@@ -0,0 +1,20 @@
+# Firejail profile for quadrapassel
+# Description: Tetris-like game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quadrapassel.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/quadrapassel
+
+mkdir ${HOME}/.local/share/quadrapassel
+whitelist ${HOME}/.local/share/quadrapassel
+whitelist /usr/share/quadrapassel
+
+private-bin quadrapassel
+
+dbus-user.own org.gnome.Quadrapassel
+
+# Redirect
+include gnome_games-common.profile

etc/profile-m-z/yelp.profile

@@ -51,6 +51,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
 private-tmp
 
+dbus-system none
+
 # read-only ${HOME} breaks some not necesarry featrues, comment it if
 # you need them or put 'ignore read-only ${HOME}' into your yelp.local.
 # broken features:

src/firecfg/firecfg.config

@@ -38,6 +38,7 @@ amule
 amuled
 android-studio
 anydesk
+apostrophe
 apktool
 # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 arch-audit
@@ -572,6 +573,7 @@ qmmp
 qpdfview
 qt-faststart
 qtox
+quadrapassel
 quassel
 quiterss
 qupzilla