new profile: pi (#7136)

https://github.com/badlogic/pi-mono/tree/main/packages/coding-agent
2026-05-15 14:16:14 -06:00 · 2026-05-01 14:45:35 +03:30 · 2026-05-01 14:45:35 +03:30 · 938bd0cd62
commit 938bd0cd62
parent 84b6ebfc93
4 changed files with 77 additions and 0 deletions
--- a/1
+++ b/1
@ -163,6 +163,7 @@ Amin Vakil (https://github.com/aminvakil)
 	- disable seccomp in wireshark profile
 	- new profile: gemini (#6936)
 	- new profile: opencode (#7135)
+	- new profile: pi (#7136)
 Ammon Smith (https://github.com/ammongit)
 	- Add DBus filter rules specific to firefox-developer-edition
 Andreas Hunkeler (https://github.com/Karneades)
--- a/1
+++ b/1
@ -14,6 +14,7 @@ firejail (0.9.81) baseline; urgency=low
  * profiles: disable-common: add xfce clipman path (#7120)
  * new profile: gemini (#6936)
  * new profile: opencode (#7135)
+  * new profile: pi (#7136)
 -- netblue30 <netblue30@yahoo.com>  Sat, 14 Mar 2026 08:00:00 -0500

 firejail (0.9.80) baseline; urgency=low
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@ -28,6 +28,7 @@ blacklist ${HOME}/.ZAP
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.abook
 blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.agents
 blacklist ${HOME}/.alienblaster
 blacklist ${HOME}/.alienblaster_highscore
 blacklist ${HOME}/.alpine-smime
@ -1186,6 +1187,7 @@ blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.parsec
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
+blacklist ${HOME}/.pi
 blacklist ${HOME}/.pine-crash
 blacklist ${HOME}/.pine-debug1
 blacklist ${HOME}/.pine-debug2
--- a/etc/profile-m-z/pi.profile
+++ b/etc/profile-m-z/pi.profile
@ -0,0 +1,73 @@
+# Firejail profile for pi
+# Description: AI agent toolkit: coding agent CLI, unified LLM API, TUI & web UI libraries, Slack bot, vLLM pods
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.agents
+noblacklist ${HOME}/.pi
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-x11.inc
+include disable-xdg.inc
+
+# Add the following lines to pi.local to enable whitelisting in `${HOME}`.
+#mkdir ${HOME}/.agents
+#mkdir ${HOME}/.pi
+#whitelist ${HOME}/.agents
+#whitelist ${HOME}/.config/git
+#whitelist ${HOME}/.gitconfig
+#whitelist ${HOME}/.pi
+#include whitelist-common.inc
+
+whitelist ${RUNUSER}/openssh_agent
+include whitelist-run-common.inc
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc @network,@tls-ca
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces