-
Notifications
You must be signed in to change notification settings - Fork 557
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #4519 from rusty-snake/build-systems
Add profiles for build-systems (/package-managers)
- Loading branch information
Showing
11 changed files
with
159 additions
and
54 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,3 +4,4 @@ include allow-ruby.local | |
|
||
noblacklist ${PATH}/ruby | ||
noblacklist /usr/lib/ruby | ||
noblacklist /usr/lib64/ruby |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
# Firejail profile for build-systems-common | ||
# This file is overwritten after every install/update | ||
# Persistent local customizations | ||
include build-systems-common.local | ||
# Persistent global definitions | ||
# added by caller profile | ||
#include globals.local | ||
|
||
ignore noexec ${HOME} | ||
ignore noexec /tmp | ||
|
||
# Allow /bin/sh (blacklisted by disable-shell.inc) | ||
include allow-bin-sh.inc | ||
|
||
# Allows files commonly used by IDEs | ||
include allow-common-devel.inc | ||
|
||
# Allow ssh (blacklisted by disable-common.inc) | ||
#include allow-ssh.inc | ||
|
||
blacklist ${RUNUSER} | ||
|
||
include disable-common.inc | ||
include disable-exec.inc | ||
include disable-interpreters.inc | ||
include disable-programs.inc | ||
include disable-shell.inc | ||
include disable-X11.inc | ||
include disable-xdg.inc | ||
|
||
#whitelist ${HOME}/Projects | ||
#include whitelist-common.inc | ||
|
||
whitelist /usr/share/pkgconfig | ||
include whitelist-run-common.inc | ||
include whitelist-usr-share-common.inc | ||
include whitelist-var-common.inc | ||
|
||
caps.drop all | ||
ipc-namespace | ||
machine-id | ||
# net none | ||
netfilter | ||
no3d | ||
nodvd | ||
nogroups | ||
noinput | ||
nonewprivs | ||
noroot | ||
nosound | ||
notv | ||
nou2f | ||
novideo | ||
protocol unix,inet,inet6 | ||
seccomp | ||
seccomp.block-secondary | ||
shell none | ||
tracelog | ||
|
||
disable-mnt | ||
private-cache | ||
private-dev | ||
private-tmp | ||
|
||
dbus-user none | ||
dbus-system none |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# Firejail profile for bundle | ||
# Description: Ruby Dependency Management | ||
# This file is overwritten after every install/update | ||
quiet | ||
# Persistent local customizations | ||
include bundle.local | ||
# Persistent global definitions | ||
include globals.local | ||
|
||
noblacklist ${HOME}/.bundle | ||
|
||
# Allow ruby (blacklisted by disable-interpreters.inc) | ||
include allow-ruby.inc | ||
|
||
#whitelist ${HOME}/.bundle | ||
#whitelist ${HOME}/.gem | ||
#whitelist ${HOME}/.local/share/gem | ||
whitelist /usr/share/gems | ||
whitelist /usr/share/ruby | ||
whitelist /usr/share/rubygems | ||
|
||
# Redirect | ||
include build-systems-common.profile |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Firejail profile for cargo | ||
# Description: The Rust package manager | ||
# This file is overwritten after every install/update | ||
quiet | ||
# Persistent local customizations | ||
include cargo.local | ||
# Persistent global definitions | ||
include globals.local | ||
|
||
memory-deny-write-execute | ||
|
||
# Redirect | ||
include build-systems-common.profile |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Firejail profile for make | ||
# Description: GNU make utility to maintain groups of programs | ||
# This file is overwritten after every install/update | ||
quiet | ||
# Persistent local customizations | ||
include make.local | ||
# Persistent global definitions | ||
include globals.local | ||
|
||
memory-deny-write-execute | ||
|
||
# Redirect | ||
include build-systems-common.profile |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# Firejail profile for meson | ||
# Description: A high productivity build system | ||
# This file is overwritten after every install/update | ||
quiet | ||
# Persistent local customizations | ||
include meson.local | ||
# Persistent global definitions | ||
include globals.local | ||
|
||
# Allow python3 (blacklisted by disable-interpreters.inc) | ||
include allow-python3.inc | ||
|
||
# Redirect | ||
include build-systems-common.profile |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
# Firejail profile for pip | ||
# Description: package manager for Python packages | ||
# This file is overwritten after every install/update | ||
quiet | ||
# Persistent local customizations | ||
include meson.local | ||
# Persistent global definitions | ||
include globals.local | ||
|
||
ignore read-only ${HOME}/.local/lib | ||
|
||
# Allow python3 (blacklisted by disable-interpreters.inc) | ||
include allow-python3.inc | ||
|
||
#whitelist ${HOME}/.local/lib/python* | ||
|
||
# Redirect | ||
include build-systems-common.profile |