Merge branch 'master' of https://github.com/netblue30/firejail

Makefile.in

@@ -169,6 +169,8 @@ realinstall:
 	install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 	install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 	install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+	install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+	install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 	rm -fr .etc

README

@@ -19,9 +19,9 @@ Firejail Authors:
 
 netblue30 (netblue30@yahoo.com)
 curiosity-seeker (https://github.com/curiosity-seeker)
-        - tightening unbound and dnscrypt-proxy profiles
-        - dnsmasq profile
-        - okular and gwenview profiles
+    - tightening unbound and dnscrypt-proxy profiles
+    - dnsmasq profile
+    - okular and gwenview profiles
 Matthew Gyurgyik (https://github.com/pyther)
 	- rpm spec and several fixes
 Joan Figueras (https://github.com/figue)
@@ -35,6 +35,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
 	- added Warzone2100 profile
 	- blacklisted VeraCrypt
 	- added Gpredict profile
+	- added Aweather, Stellarium profiles
 avoidr (https://github.com/avoidr)
 	- whitelist fix
 	- recently-used.xbel fix

README.md

@@ -282,5 +282,5 @@ $ man firejail-profile
 ## New security profiles
 lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
 OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,
-Warzone2100, okular, gwenview, Gpredict
+Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium
 

etc/aweather.profile

@@ -0,0 +1,23 @@
+# Firejail profile for aweather.
+
+# Noblacklist
+noblacklist ~/.config/aweather
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather

etc/disable-programs.inc

@@ -5,10 +5,13 @@ blacklist ${HOME}/.FBReader
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
 blacklist ~/.kde/share/apps/okular
 blacklist ~/.kde/share/config/okularrc
 blacklist ~/.kde/share/config/okularpartrc

etc/google-play-music-desktop-player.profile

@@ -0,0 +1,16 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+noroot
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player

etc/stellarium.profile

@@ -0,0 +1,27 @@
+# Firejail profile for Stellarium.
+
+# Noblacklist
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+
+mkdir ~/.config
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium

platform/debian/conffiles

@@ -88,3 +88,5 @@
 /etc/firejail/okular.profile
 /etc/firejail/gwenview.profile
 /etc/firejail/gpredict.profile
+/etc/firejail/aweather.profile
+/etc/firejail/stellarium.profile

src/firecfg/firecfg.config

@@ -4,6 +4,10 @@
 
 # astronomy
 gpredict
+stellarium
+
+# weather/climate
+aweather
 
 # browsers/email
 firefox
@@ -78,6 +82,7 @@ quassel
 xchat
 
 # games
+0ad
 hedgewars
 wesnot
 warzone2100

src/firejail/fs.c

@@ -726,7 +726,16 @@ static void disable_firejail_config(void) {
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
 	if (arg_debug)
-		printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n");
+		printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
+	if (!arg_writable_etc) {
+		fs_rdonly("/etc");
+		if (arg_debug) printf(", /etc");
+	}
+	if (!arg_writable_var) {
+		fs_rdonly("/var");
+		if (arg_debug) printf(", /var");
+	}
+	if (arg_debug) printf("\n");
 	fs_rdonly("/bin");
 	fs_rdonly("/sbin");
 	fs_rdonly("/lib");
@@ -734,10 +743,6 @@ void fs_basic_fs(void) {
 	fs_rdonly("/lib32");
 	fs_rdonly("/libx32");
 	fs_rdonly("/usr");
-	if (!arg_writable_etc)
-		fs_rdonly("/etc");
-	if (!arg_writable_var)
-		fs_rdonly("/var");
 
 	// update /var directory in order to support multiple sandboxes running on the same root directory
 	if (!arg_private_dev)