Merge pull request netblue30#6219 from haplo/ledger-live-desktop

Profile for Ledger Live desktop app

etc/profile-a-l/ledger-live-desktop.profile

@@ -0,0 +1,61 @@
+# Firejail profile for Ledger Live desktop app
+# Description: Cryptocurrency wallet by the makers of Ledger hardware wallets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ledger-live-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Ledger Live
+
+# Added by disable-exec.inc, breaks hardware wallet manager
+ignore noexec /tmp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Ledger Live
+whitelist ${HOME}/.config/Ledger Live
+whitelist ${DOWNLOADS}
+whitelist /opt/ledger-live
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+tracelog
+
+disable-mnt
+private-cache
+# enabling private-dev blocks USB hardware wallets, if you don't need access to
+# USB devices you can add private-dev to your ledger-live-desktop.local
+#private-dev
+private-etc @network,@tls-ca,@x11,host.conf,rpc
+private-lib
+private-tmp
+
+# app attempts to connect to dbus but seems to work fine when blocked
+dbus-user none
+dbus-system none