From 9a0db13e12516efcbbd0d72ce25e8e111f5d3319 Mon Sep 17 00:00:00 2001
From: Tavi
Date: Tue, 30 Apr 2024 14:35:14 -0400
Subject: [PATCH] profiles: add loupe
Signed-off-by: Tavi
---
 etc/profile-a-l/loupe.profile | 50 +++++++++++++++++++++++++++++++++++
 src/firecfg/firecfg.config | 1 +
 2 files changed, 51 insertions(+)
 create mode 100644 etc/profile-a-l/loupe.profile
diff --git a/etc/profile-a-l/loupe.profile b/etc/profile-a-l/loupe.profile
new file mode 100644
index 0000000000..5d39341f55
--- /dev/null
+++ b/etc/profile-a-l/loupe.profile
@@ -0,0 +1,50 @@
+# Firejail profile for loupe
+# Description: GNOME's modern Image Viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include loupe.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-write-mnt.inc
+
+#whitelist /usr/share/glycin-loaders
+include whitelist-runuser-common.inc
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+#loupe decodes all images in their own sandbox via glycin
+#https://gitlab.gnome.org/sophie-h/glycin#sandboxing-and-inner-workings
+#seccomp
+seccomp.block-secondary
+tracelog
+
+private-cache
+private-dev
+private-etc @x11
+private-tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 43554cc1ef..fbba63bca6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -525,6 +525,7 @@ lofromtemplate
 loimpress
 lollypop
 lomath
+loupe
 loweb
 lowriter
 #lrunzip # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
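Review bot: `#include disable-common.inc` is commented out in the new loupe.profile with no explanation, unlike `#seccomp`, which carries a comment and a link to glycin's sandboxing notes. Without that include the profile applies none of the common blacklist rules (in the stock Firejail tree that file covers items such as SSH/GnuPG key directories and shell startup files; it is not visible in this patch, so worth confirming), and with the main seccomp filter also disabled the remaining confinement rests mainly on `net none`, `caps.drop all`, `nonewprivs` and the other disable-*.inc includes. I would restore `include disable-common.inc` and, if loupe or glycin's inner sandbox breaks, add only the specific `noblacklist` lines needed, or at least state the reason in a comment next to the disabled line. The same applies to `#whitelist /usr/share/glycin-loaders` and `#include whitelist-usr-share-common.inc`, and the `noblacklist ${HOME}/.local/share/Trash` line looks like it has no effect while disable-common.inc is off. Because the second hunk adds `loupe` to firecfg.config, this profile becomes the default for firecfg users, so these gaps matter beyond opt-in use.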