Add profile for links and xlinks (#2734)

* Add profile for links and xlinks * Add profile for links and xlinks * (X)links changes from review xlinks redirects to links Add basic private-etc line and a commented, extended private-etc * Add alternatives to private-etc
2026-05-15 14:16:14 -06:00 · 2019-06-02 13:13:58 +02:00 · 2019-06-02 13:13:58 +02:00 · cdc23478db
commit cdc23478db
parent 9cb5eba80b
4 changed files with 85 additions and 0 deletions
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@ -430,6 +430,7 @@ blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
+blacklist ${HOME}/.links
 blacklist ${HOME}/.lmmsrc.xml
 blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
--- a/etc/links.profile
+++ b/etc/links.profile
@ -0,0 +1,64 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+
+noblacklist ${HOME}/.links
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# you may want to noblacklist files/directories blacklisted in
+# disable-programs.inc and used as associated programs
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# to allow access only to user-configured associated media player
+machine-id
+netfilter
+# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# to allow access only to user-configured associated media player
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# to allow access only to user-configured associated media player
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin links,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Uncomment the following line (or put it in your links.local) allow external
+# media players
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+memory-deny-write-execute
--- a/etc/xlinks.profile
+++ b/etc/xlinks.profile
@ -0,0 +1,18 @@
+# Firejail profile for xlinks
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks.local
+
+noblacklist /tmp/.X11-unix
+noblacklist ${HOME}/.links
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks
+private-etc fonts
+
+# Redirect
+include links.profile
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@ -322,6 +322,7 @@ less
 libreoffice
 liferea
 lincity-ng
+links
 linphone
 lmms
 lobase
@ -622,6 +623,7 @@ xfce4-dict
 xfce4-mixer
 xfce4-notes
 xiphos
+xlinks
 xmms
 xmr-stak
 xonotic