Add chromium, modify common.inc, modify multiple profiles, fix README…

… typo

README.md

@@ -1,4 +1,4 @@
-# firejail-profile
+# firejail-profiles
 Tight Firejail profiles
 
 This is a collection of tighter firejail (https://github.com/netblue30/firejail) profiles for certain applications. These may or may not work on your computer since some of them use seccomp filters, which may depend on architecture and OS. These were designed on Debian sid/experimental x86_64.

Viber.profile

@@ -1,5 +1,7 @@
 ignore private-dev
 ignore private-opt
+ignore nodbus
+ignore net
 
 include ${HOME}/.config/firejail/common.inc
 

chromium.profile

@@ -0,0 +1,35 @@
+ignore noroot
+ignore seccomp
+ignore seccomp.block-secondary
+ignore nonewprivs
+ignore caps.drop
+ignore net
+
+include ${HOME}/.config/firejail/common.inc
+
+whitelist ${HOME}/.config/chromium
+whitelist ${HOME}/.themes
+whitelist ${HOME}/.gtkrc-2.0
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/PDF
+
+# private-bin seems to only work with firejail /usr/lib/chromium/chromium on
+# Debian... Kept it enabled since other platforms may be different
+private-bin chromium,bash,readlink,dirname,cat,uname,mktemp,sed,man,grep,expr
+private-etc fonts,alternatives,X11,pulse,resolv.conf,localtime,chromium.d
+
+# whitelist /dev/dri
+# whitelist /dev/full
+# whitelist /dev/null
+# whitelist /dev/ptmx
+# whitelist /dev/pts
+# whitelist /dev/random
+# whitelist /dev/shm
+# whitelist /dev/snd
+# whitelist /dev/tty
+# whitelist /dev/urandom
+# whitelist /dev/video0
+# whitelist /dev/zero
+
+caps.keep sys_chroot,sys_admin

common.inc

@@ -21,3 +21,4 @@ ipc-namespace
 nodbus
 nou2f
 nogroups
+net none

dia.profile

@@ -1,35 +1,12 @@
-# Firejail profile for dia
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dia.local
-# Persistent global definitions
-include /etc/firejail/globals.local
+include ${HOME}/.config/firejail/common.inc
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
-
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.dia
 whitelist ${HOME}/.gtkrc-2.0
-whitelist ${HOME}/.icons
 whitelist ${HOME}/.themes
-whitelist ${HOME}/Documents
-include /etc/firejail/whitelist-common.inc
+whitelist ${HOME}/.icons
+whitelist ${HOME}/.dia
 
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-seccomp
-shell none
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/Documents
 
 private-bin dia
-private-dev
 private-etc fonts,X11
-private-tmp
-
-noexec /home
-noexec /tmp

emacs.profile

@@ -21,8 +21,6 @@ whitelist ${HOME}/texmf
 mkdir ${HOME}/emacs_tmp/
 whitelist ${HOME}/emacs_tmp
 
-net none
-protocol unix
 memory-deny-write-execute
 keep-var-tmp
 writable-var

fetchmail.profile

@@ -1,3 +1,5 @@
+ignore net
+
 include ${HOME}/.config/firejail/common.inc
 
 whitelist ${HOME}/Mail

firefox.profile

@@ -1,5 +1,6 @@
 ignore private-dev
 ignore nou2f
+ignore net
 
 include ${HOME}/.config/firejail/common.inc
 
@@ -13,12 +14,11 @@ whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.gtkrc.mine
 whitelist ${HOME}/.themes
 whitelist ${HOME}/.Xauthority
-# whitelist ${HOME}/PDF/
 
 # Private directories
 
 private-bin firefox,which,sh,env
-private-etc hosts,passwd,mime.types,fonts,mailcap,firefox,xdg,gtk-3.0,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf
+private-etc hosts,passwd,mime.types,fonts,mailcap,firefox,xdg,gtk-3.0,X11,pulse,alternatives,localtime,nsswitch.conf
 
 # whitelist /dev/dri
 # whitelist /dev/full

flowblade.profile

@@ -1,36 +1,12 @@
-# Firejail profile for flowblade
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/flowblade.local
-# Persistent global definitions
-include /etc/firejail/globals.local
+include ${HOME}/.config/firejail/common.inc
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
-blacklist /usr/local/bin
-
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/flowblade
-whitelist ${HOME}/.config/gtk-3.0
 whitelist ${HOME}/.flowblade
 whitelist ${HOME}/.themes
-whitelist ${HOME}/Videos
-whitelist /tmp/.X11-unix/
-include /etc/firejail/whitelist-common.inc
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/flowblade
 
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-seccomp
-shell none
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/Videos
 
 private-bin python,flowblade
-private-dev
 private-etc pulse,fonts,alternatives,X11
-
-noexec /home
-noexec /tmp

freecad.profile

@@ -1,37 +1,8 @@
-# Firejail profile for freecad
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/freecad.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
-
-blacklist /usr/local/bin
-blacklist /usr/local/sbin
+include ${HOME}/.config/firejail/common.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/FreeCAD
 whitelist ${HOME}/Documents
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-nosound
-protocol unix
-seccomp
-shell none
 
 private-bin freecad,freecadcmd
-private-dev
 private-etc fonts,passwd,alternatives,X11
-private-tmp
-
-noexec ${HOME}
-noexec /tmp

gimp.profile

@@ -1,36 +1,12 @@
-# Firejail profile for gimp
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gimp.local
-# Persistent global definitions
-include /etc/firejail/globals.local
+include ${HOME}/.config/firejail/common.inc
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
-
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.gimp-2.8
+whitelist ${HOME}/.config/GIMP
 whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.themes
-whitelist ${HOME}/Pictures
-whitelist /tmp/.X11-unix
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-nosound
-seccomp
-shell none
+whitelist ${HOME}/.fonts
 
-private-bin gimp,gimp-2.8,gimp-console,gimp-console-2.8,python2.7
-private-dev
-private-etc gimp,fonts
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/Pictures
 
-noexec /home
-noexec /tmp
+private-bin gimp,gimp-2.10,gimp-console,gimp-console-2.10,python2.7
+private-etc gimp,fonts,alternatives

hugin.profile

@@ -1,38 +1,15 @@
-# Firejail profile for hugin
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/hugin.local
-# Persistent global definitions
-include /etc/firejail/globals.local
+include ${HOME}/.config/firejail/common.inc
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
+# Stupid errors about being unable to update configuration file.
+# I personally deal with this by running it once without a sandbox
+# and setting my options then.
 
-blacklist /usr/local/bin
-blacklist /usr/local/sbin
-
-# whitelist ${DOWNLOADS}
-# whitelist ${HOME}/.gtkrc-2.0
-# whitelist ${HOME}/.gtkrc.mine
-# whitelist ${HOME}/.hugin
-# whitelist ${HOME}/.themes
-# whitelist ${HOME}/Pictures
-whitelist /tmp/.X11-unix
-# DBus is forced to use an ordinary unix socket
-whitelist /tmp/dbus_session_socket
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-net none
-nogroups
-nonewprivs
-noroot
-seccomp
-shell none
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.themes
+whitelist ${HOME}/.hugin
+whitelist ${HOME}/Pictures
+whitelist ${DOWNLOADS}
 
 private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
-private-dev
-private-etc fonts
+private-etc fonts,alternatives

mpd.profile

@@ -10,7 +10,3 @@ read-only ${HOME}/Music/
 private-bin mpd,bash
 private-etc emp
 private-lib
-
-net none
-# protocol unix
-x11 none

mutt.profile

@@ -1,5 +1,6 @@
 ignore private-tmp
 ignore private-dev
+ignore net
 
 include ${HOME}/.config/firejail/common.inc
 

signal-desktop.profile

@@ -1,6 +1,7 @@
 ignore private-opt
 ignore noroot
 ignore nodbus
+ignore net
 
 include ${HOME}/.config/firejail/common.inc
 

virtualbox.profile

@@ -4,6 +4,7 @@ ignore apparmor
 ignore noroot
 ignore nonewprivs
 ignore private-dev
+ignore net
 
 include ${HOME}/.config/firejail/common.inc
 

x-terminal-emulator.profile

@@ -6,8 +6,5 @@ ignore nou2f
 
 include ${HOME}/.config/firejail/common.inc
 
-netfilter
-net none
-
 whitelist /tmp/user/1000
-whitelist /tmp/.X11-unix/X0
+whitelist /tmp/.X11-unix/X0

youtube-dl.profile

@@ -1,29 +1,11 @@
-# Firejail profile for youtube-dl
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/youtube-dl.local
-# Persistent global definitions
-include /etc/firejail/globals.local
+ignore net
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
-blacklist /usr/local/bin
-blacklist /usr/local/sbin
+include ${HOME}/.config/firejail/common.inc
 
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/Videos
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-nogroups
-noroot
-nosound
-seccomp
-shell none
+whitelist ${DOWNLOADS}
 
 private-bin python3,python3.6,youtube-dl
-private-dev
 private-etc hosts,resolv.conf,ssl
-private-tmp
+
+nosound