* blacklist .local/share/kxmlgui5
KDE programs use this to store their toolbar config.
* noblacklist .local/share/kxmlgui5 in the relevant KDE applications.
* Whitelist kxmlgui file for okular.
* Use a glob to blacklist subfolders instead of the parent folder.
noblacklisting individual subdirectories works only if we do it this way
(tested by launching bash in the kate profile).
* Make directory, not file.
* noblacklist relevant subdirs for more KDE applications
* Whitelist some config files used by Okular.
These files are used to store the toolbar configurations.
* Whitelist files required for okular in firefox-common-addons.inc
Without this, okular does not follow the user configuration for toolbars
and keyboard shortcuts when launched inside the firefox sandbox (for
eg., while opening a downloaded PDF).
* Alphabetical sort
* Remove noblacklist for files which are not actually blacklisted.
I have blacklisted them in a separate pull request.
* clarify writing to /var/mail and /var/spool/mail in apparmor
Thunderbird seems to be our only mail client profile that enables the `apparmor` option. Users need this when they follow instructions on how to allow reading local mail.
* fix mail clients rule in firejail-default
Backporting fixes for Atom 1.48 to firejail 0.9.52, 0.9.58, and 0.9.60
Summary:
- remove nonewprivs, noroot, protocol, and seccomp
- update caps filter to keep sys_admin and sys_chroot
Without these changes Atom 1.48 breaks and refuses to start (due to
Electron sandboxing)
Atom 1.48 requires a looser sandbox and no longer works with
noroot, nonewprivs, protocol, and seccomp
caps filter needed adjusting to keep sys_admin and sys_chroot
* enable apparmor support by default in update_deb.sh
* Add fix for Debian bug 916920
This should bring the script in sync with packages installed from PPA.
* Add strawberry profile
* Fix comment
* Add to disable-programs.inc & firecfg.config
* Add /home/amin/.local/share/strawberry to profile and disable-programs
* Various hardening for strawberry profile
Signed-off-by: Amin Vakil <info@aminvakil.com>
* Change nodbus to dbus-system none in strawberry profile
* Add dbus-user none to strawberry profile
* Add whitelist-var-common, sort private-etc
* Sort, Add wruc, Add netlink to protocol in strawberry profile
* Remove dbus-user none to allow using gnome functions for various usage in strawberry profile
