New profile: Quodlibet

[Bundy01]

No description provided.

[rusty-snake]

Looks good so far, some nitpicks and future hardening suggestion below.

It should also be added to firecfg.config so that firecfg creates symlinks for it.

[rusty-snake]

Add blacklists in disable-programs.inc

[Bundy01]

add read-only ${HOME} ?
I don't know.

Breaks pulseaudio, remove.
What should I remove, because on my side it's functional.

Does it need D-Bus access or can be add dbus-user none?
Quodlibet needs to communicate with my DE (Cinnamon).

[Bundy01]

Sorry, I don't know how to use sort.py :(

[rusty-snake]

python3 /path/to/sort.py /path/to/quodlibet.profile

However this gave me the idea to print the fixed lines when running in the check in GitHub Actions, so everyone can just copy it from there if they can't use it for any reasons. PR will come.

[Bundy01]

python3 /path/to/sort.py /path/to/quodlibet.profile

Thanks.

[glitsj16]

More a reminder note than anything else. We already have a profile for exfalso, which is part of the quodlibet sources IIRC. In that context it might be worthwhile to consider refactoring this (or exfalso.profile) as a redirect. If it's too much trouble in this PR, we can always look at it later.

[Bundy01]

Hello,
sorry for the late response. I can try to rewrite Exfalso's profile which redirects to Quodlibet but it will take me a few days to test the changes.

[glitsj16]

@Bundy01 Great! Take your time. I've been using exfalso for ages and can always test from this side to assist.

[Bundy01]

I would like to add private-lib in quodlibet's profile but I'm breaking my teeth on it. Help would be welcome, otherwise I finished the profile.

[glitsj16]

I would like to add private-lib in quodlibet's profile but I'm breaking my teeth on it. Help would be welcome, otherwise I finished the profile.

Can you show us what you've put together already? Sidenote: private-lib is notoriously difficult with media players. They can have a busload of extra plugins to support extra formats etcetera. IMO that's the main reason why none of our player apps like amarok, ffmpeg, mpv, mplayer, vlc, totem, ... has private-lib. So don't worry about it too much. But we can give it a try.

[rusty-snake]

Quodlibet is written in python. We can not add private-lib until #3236 is fixed, because it will not work for every system/distro.

[Bundy01]

Ok, so much for private-lib.
Here are the profiles I modified, if it suits you I do the PR.

# Firejail profile for quodlibet
# Description: Music player and music library manager
# This file is overwritten after every install/update
# Persistent local customizations
include quodlibet.local
# Persistent global definitions
include globals.local

noblacklist ${MUSIC}

# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-write-mnt.inc
include disable-xdg.inc

mkdir ${HOME}/.cache/quodlibet
mkdir ${HOME}/.config/quodlibet
mkdir ${HOME}/.quodlibet

whitelist ${MUSIC}
whitelist ${HOME}/.cache/quodlibet
whitelist ${HOME}/.config/quodlibet
whitelist ${HOME}/.quodlibet

include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
ipc-namespace
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
shell none
tracelog

private-bin exfalso,operon,python*,quodlibet,sh
private-cache
private-dev
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pki,pulse,resolv.conf,ssl
private-tmp

dbus-system none

#memory-deny-write-execute - breaks on Arch (see issue #1803)

# Firejail profile for exfalso
# Description: GTK audio tag editor
# This file is overwritten after every install/update
# Persistent local customizations
include exfalso.local
# Persistent global definitions
include globals.local

private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*

dbus-user none

include quodlibet.profile

[rusty-snake]

• Remove ipc-namespace, it may cause issues under X11
• The mdwe note can be removed too.
• We could add include allow-bin-sh.inc with include disable-shell.inc too.

[rusty-snake]

Suggested change

	whitelist ${MUSIC}
	whitelist ${MUSIC}
	whitelist ${DOWNLOADS}

[Bundy01]

I liked the idea of allowing only the MUSIC folder, but I'll make the changes.

[rusty-snake]

I remarked it because exfalso had it, and without it we break something that was working w/o significant security win. Alternative we could add/keep whitelist ${DOWNLOADS} only in exfalso.

[glitsj16]

The private-etc that is included from quodlibet.profile does not have group and passwd. Did you test exfalso with these removed? If not we should keep this line intact.

[Bundy01]

Hi,
for private-etc, I quickly tested exfalso without any apparent problem, hence my modification. If I need to, I can add the problem line.
Is there anything else to expect because I would like it to be the last PR :)
Thanks for the answer.

[rusty-snake]

@Bundy01 @glitsj16 what's the state here?

[Bundy01]

@rusty-snake:
On my side, it's OK.

[glitsj16]

Put whitelist ${DOWNLOADS} above whitelist ${MUSIC} to keep things alphabetically ordered.

[glitsj16]

See my newly added comments.

[Bundy01]

Hi,
I was not able to use sort.py with the command: python3 /path/to/sort.py /path/to/profile :(

Edit: the output of the command: sort.py: checking 1 profile...
python version: Python 3.9.2

[rusty-snake]

Just some blank lines.

I was not able to use sort.py with the command: python3 /path/to/sort.py /path/to/profile :(

What was the error? What shows python3 --version? However the sort.py CI is passing for your latest commit.

[rusty-snake]

Suggested change

remove both, don't know why only shows 31 in the suggestion.

[Bundy01]

@rusty-snake: Do you suggest I remove the space between mkdir and whitelist?

[rusty-snake]

yes.

Do it now or I merge it anyway.

[glitsj16]

Unblocking this so it can be merged when @rusty-snake is happy with it. We can always work out any kinks later.

[rusty-snake]

@glitsj16 FYI you can dismiss your review if you don't want to block a PR but also don't want to approve it.
IDK why this is hidden behind 3 clicks.

[rusty-snake]

merged, thanks.

[glitsj16]

FYI you can dismiss your review if you don't want to block a PR but also don't want to approve it. IDK why this is hidden behind 3 clicks.

@rusty-snake Aha, I didn't see that option. Good to know, thanks for the info! Glad to see this merged, now I can start to double-check all my local overrides for exfalso. Thanks @Bundy01 for pursuing this!