From ca4106207e954934125206a263fcf34a222ee79c Mon Sep 17 00:00:00 2001
From: Konstantin1722
Date: Wed, 17 Apr 2024 15:57:42 +0300
Subject: [PATCH 01/13] profiles: add a profile for obsidian
---
 etc/profile-m-z/obsidian.profile | 88 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 etc/profile-m-z/obsidian.profile
diff --git a/etc/profile-m-z/obsidian.profile b/etc/profile-m-z/obsidian.profile
new file mode 100644
index 00000000000..05efd0699b0
--- /dev/null
+++ b/etc/profile-m-z/obsidian.profile
@@ -0,0 +1,88 @@
+# Firejail profile for obsidian
+# Description: Obsidian is the private and flexible writing app that adapts to the way you think.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include obsidian.local
+# Persistent global definitions
+include globals.local
+
+### Basic Blacklisting ###
+include disable-common.inc # dangerous directories like ~/.ssh and ~/.gnupg
+include disable-devel.inc # development tools such as gcc and gdb
+include disable-exec.inc # non-executable directories such as /var, /tmp, and /home
+include disable-interpreters.inc # perl, python, lua etc.
+include disable-programs.inc # user configuration for programs such as firefox, vlc etc.
+include disable-xdg.inc # standard user directories: Documents, Pictures, Videos, Music
+
+### Home Directory Whitelisting ###
+whitelist ${HOME}/.gitconfig # for the git plugin
+whitelist ${HOME}/.config/git # for the git plugin
+whitelist ${HOME}/.pki/nssdb
+whitelist ${HOME}/.cache/AMD
+whitelist ${HOME}/.cache/nvidia
+whitelist ${HOME}/.local/share/vulkan
+whitelist ${HOME}/.local/share/vulkan/implicit_layer.d
+whitelist ${HOME}/.config/vulkan
+whitelist ${HOME}/.local/share/vulkan/loader_settings.d
+whitelist ${HOME}/.config/kdedefaults
+whitelist ${HOME}/.Xdefaults-desktop-pc
+whitelist ${HOME}/.config/kdedefaults/gtk-3.0
+whitelist ${HOME}/.cache/mesa_shader_cache
+whitelist ${HOME}/.local/share/applnk
+whitelist ${HOME}/.config/obsidian
+
+include whitelist-common.inc
+
+### Filesystem Whitelisting ###
+whitelist /run/systemd/machines/api.obsidian.md
+whitelist /run/systemd/resolve/io.systemd.Resolve
+whitelist /run/systemd/machines/raw.githubusercontent.com
+whitelist /run/udev/control
+
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+whitelist /usr/share/applnk
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+#apparmor # if you have AppArmor running, try this one!
+
+caps.drop all
+ipc-namespace
+
+#no3d # disable 3D acceleration
+#nodvd # disable DVD and CD devices
+#nogroups # disable supplementary user groups
+#noinput # disable input devices
+#novideo # disable video capture devices
+
+nonewprivs
+noroot
+?HAS_APPIMAGE: notv # disable DVB TV devices
+?HAS_APPIMAGE: nou2f # disable U2F devices
+
+protocol unix,inet,inet6,netlink,
+
+# If you need networking, enable the firewall and disable "net none"
+#net none # disable network
+netfilter # enable default firewall in sandbox
+
+seccomp !chroot # allowing chroot, just in case this is an Electron app
+shell none
+
+#tracelog # send blacklist violations to syslog
+
+disable-mnt # no access to /mnt, /media, /run/mount and /run/media
+
+private-bin git,cat,gawk,tr,realpath,cut,grep,basename,bash,obsidian,electron28
+private-dev
+private-etc gitattributes,gitconfig,ca-certificates,libva.conf,vulkan,ati,nsswitch.conf,hosts,xdg,gtk-3.0,drirc,fonts,gnutls,
+
+?HAS_APPIMAGE: private-lib
+?HAS_APPIMAGE: private-tmp
+
+#dbus-user none
+#dbus-system none
+dbus-user filter
From 7a935a4468284877a7f3be249ed6e43aea18484d Mon Sep 17 00:00:00 2001
From: Konstantin1722
Date: Tue, 23 Apr 2024 16:03:02 +0300
Subject: [PATCH 02/13] profiles: update obsidian profile file
---
 etc/inc/disable-programs.inc | 1 +
 etc/profile-m-z/obsidian-wayland.profile | 51 ++++++++++++++++++++++++++
 etc/profile-m-z/obsidian.profile | 88 ------------------------------------------
 3 files changed, 52 insertions(+), 88 deletions(-)
 create mode 100644 etc/profile-m-z/obsidian-wayland.profile
 delete mode 100644 etc/profile-m-z/obsidian.profile
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 631cc4175c8..a124b2f8cec 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -1254,3 +1254,4 @@ blacklist /var/games/slashem
 blacklist /var/games/vulturesclaw
 blacklist /var/games/vultureseye
 blacklist /var/lib/games/Maelstrom-Scores
+blacklist ${HOME}/.config/obsidian
diff --git a/etc/profile-m-z/obsidian-wayland.profile b/etc/profile-m-z/obsidian-wayland.profile
new file mode 100644
index 00000000000..e06252b1599
--- /dev/null
+++ b/etc/profile-m-z/obsidian-wayland.profile
@@ -0,0 +1,51 @@
+# Firejail profile for obsidian-wayland
+# Description: Personal knowledge base and note-taking with Markdown files.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include obsidian-wayland.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/AMD
+noblacklist ${HOME}/.cache/nvidia
+noblacklist ${HOME}/.cache/mesa_shader_cache
+noblacklist ${HOME}/.local/share/applnk
+noblacklist ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.config/vulkan
+noblacklist ${HOME}/.config/kdedefaults
+noblacklist ${HOME}/.config/obsidian
+
+whitelist ${HOME}/.cache/AMD
+whitelist ${HOME}/.cache/nvidia
+whitelist ${HOME}/.cache/mesa_shader_cache
+whitelist ${HOME}/.local/share/applnk
+whitelist ${HOME}/.local/share/vulkan
+whitelist ${HOME}/.local/share/vulkan
+whitelist ${HOME}/.config/vulkan
+whitelist ${HOME}/.config/kdedefaults
+whitelist ${HOME}/.config/obsidian
+
+ipc-namespace
+nonewprivs
+noroot
+
+protocol unix,inet,inet6,netlink,
+
+# If you need net disable "net none" and uncomment the rest in this block
+net none
+#
+#noblacklist ${HOME}/.pki/nssdb
+#whitelist ${HOME}/.pki/nssdb
+#
+#private-etc ca-certificates,nsswitch.conf,hosts,gnutls,
+
+private-bin cat,gawk,tr,realpath,cut,grep,basename,bash,obsidian,electron28,
+private-etc libva.conf,vulkan,ati,xdg,gtk-3.0,drirc,fonts,
+
+?HAS_APPIMAGE: private-lib
+
+read-only ${HOME}/.config/vulkan
+read-only ${HOME}/.config/kdedefaults
+
+include electron-common.profile
diff --git a/etc/profile-m-z/obsidian.profile b/etc/profile-m-z/obsidian.profile
deleted file mode 100644
index 05efd0699b0..00000000000
--- a/etc/profile-m-z/obsidian.profile
+++ /dev/null
@@ -1,88 +0,0 @@
-# Firejail profile for obsidian
-# Description: Obsidian is the private and flexible writing app that adapts to the way you think.
-# This file is overwritten after every install/update
-# Persistent local customizations
-include obsidian.local
-# Persistent global definitions
-include globals.local
-
-### Basic Blacklisting ###
-include disable-common.inc # dangerous directories like ~/.ssh and ~/.gnupg
-include disable-devel.inc # development tools such as gcc and gdb
-include disable-exec.inc # non-executable directories such as /var, /tmp, and /home
-include disable-interpreters.inc # perl, python, lua etc.
-include disable-programs.inc # user configuration for programs such as firefox, vlc etc.
-include disable-xdg.inc # standard user directories: Documents, Pictures, Videos, Music
-
-### Home Directory Whitelisting ###
-whitelist ${HOME}/.gitconfig # for the git plugin
-whitelist ${HOME}/.config/git # for the git plugin
-whitelist ${HOME}/.pki/nssdb
-whitelist ${HOME}/.cache/AMD
-whitelist ${HOME}/.cache/nvidia
-whitelist ${HOME}/.local/share/vulkan
-whitelist ${HOME}/.local/share/vulkan/implicit_layer.d
-whitelist ${HOME}/.config/vulkan
-whitelist ${HOME}/.local/share/vulkan/loader_settings.d
-whitelist ${HOME}/.config/kdedefaults
-whitelist ${HOME}/.Xdefaults-desktop-pc
-whitelist ${HOME}/.config/kdedefaults/gtk-3.0
-whitelist ${HOME}/.cache/mesa_shader_cache
-whitelist ${HOME}/.local/share/applnk
-whitelist ${HOME}/.config/obsidian
-
-include whitelist-common.inc
-
-### Filesystem Whitelisting ###
-whitelist /run/systemd/machines/api.obsidian.md
-whitelist /run/systemd/resolve/io.systemd.Resolve
-whitelist /run/systemd/machines/raw.githubusercontent.com
-whitelist /run/udev/control
-
-include whitelist-run-common.inc
-include whitelist-runuser-common.inc
-
-whitelist /usr/share/applnk
-
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-#apparmor # if you have AppArmor running, try this one!
-
-caps.drop all
-ipc-namespace
-
-#no3d # disable 3D acceleration
-#nodvd # disable DVD and CD devices
-#nogroups # disable supplementary user groups
-#noinput # disable input devices
-#novideo # disable video capture devices
-
-nonewprivs
-noroot
-?HAS_APPIMAGE: notv # disable DVB TV devices
-?HAS_APPIMAGE: nou2f # disable U2F devices
-
-protocol unix,inet,inet6,netlink,
-
-# If you need networking, enable the firewall and disable "net none"
-#net none # disable network
-netfilter # enable default firewall in sandbox
-
-seccomp !chroot # allowing chroot, just in case this is an Electron app
-shell none
-
-#tracelog # send blacklist violations to syslog
-
-disable-mnt # no access to /mnt, /media, /run/mount and /run/media
-
-private-bin git,cat,gawk,tr,realpath,cut,grep,basename,bash,obsidian,electron28
-private-dev
-private-etc gitattributes,gitconfig,ca-certificates,libva.conf,vulkan,ati,nsswitch.conf,hosts,xdg,gtk-3.0,drirc,fonts,gnutls,
-
-?HAS_APPIMAGE: private-lib
-?HAS_APPIMAGE: private-tmp
-
-#dbus-user none
-#dbus-system none
-dbus-user filter
From dc3a42c99663fa6f77c800114bd59b0325005972 Mon Sep 17 00:00:00 2001
From: Konstantin1722
Date: Wed, 24 Apr 2024 14:00:22 +0300
Subject: [PATCH 03/13] profiles: rename obsidian profile file
---
 etc/profile-m-z/{obsidian-wayland.profile => obsidian.profile} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename etc/profile-m-z/{obsidian-wayland.profile => obsidian.profile} (100%)
diff --git a/etc/profile-m-z/obsidian-wayland.profile b/etc/profile-m-z/obsidian.profile
similarity index 100%
rename from etc/profile-m-z/obsidian-wayland.profile
rename to etc/profile-m-z/obsidian.profile
From bb8c9d0216477c967410fe908f4c0ec70f40633d Mon Sep 17 00:00:00 2001
From: Konstantin1722
Date: Thu, 25 Apr 2024 14:55:24 +0300
Subject: [PATCH 04/13] profiles: fix obsidian profile flaws
---
 etc/profile-m-z/obsidian.profile | 29 ++++++++++-------------------
 1 file changed, 10 insertions(+), 19 deletions(-)
diff --git a/etc/profile-m-z/obsidian.profile b/etc/profile-m-z/obsidian.profile
index e06252b1599..15273268966 100644
--- a/etc/profile-m-z/obsidian.profile
+++ b/etc/profile-m-z/obsidian.profile
@@ -7,45 +7,36 @@ include obsidian-wayland.local
 include globals.local
 
 noblacklist ${HOME}/.cache/AMD
-noblacklist ${HOME}/.cache/nvidia
 noblacklist ${HOME}/.cache/mesa_shader_cache
+noblacklist ${HOME}/.cache/nvidia
 noblacklist ${HOME}/.local/share/applnk
 noblacklist ${HOME}/.local/share/vulkan
 noblacklist ${HOME}/.local/share/vulkan
-noblacklist ${HOME}/.config/vulkan
 noblacklist ${HOME}/.config/kdedefaults
 noblacklist ${HOME}/.config/obsidian
+noblacklist ${HOME}/.config/vulkan
 
 whitelist ${HOME}/.cache/AMD
-whitelist ${HOME}/.cache/nvidia
 whitelist ${HOME}/.cache/mesa_shader_cache
+whitelist ${HOME}/.cache/nvidia
 whitelist ${HOME}/.local/share/applnk
 whitelist ${HOME}/.local/share/vulkan
 whitelist ${HOME}/.local/share/vulkan
-whitelist ${HOME}/.config/vulkan
 whitelist ${HOME}/.config/kdedefaults
 whitelist ${HOME}/.config/obsidian
+whitelist ${HOME}/.config/vulkan
 
 ipc-namespace
 nonewprivs
 noroot
+protocol unix,inet,inet6
+#net none
 
-protocol unix,inet,inet6,netlink,
-
-# If you need net disable "net none" and uncomment the rest in this block
-net none
-#
-#noblacklist ${HOME}/.pki/nssdb
-#whitelist ${HOME}/.pki/nssdb
-#
-#private-etc ca-certificates,nsswitch.conf,hosts,gnutls,
-
-private-bin cat,gawk,tr,realpath,cut,grep,basename,bash,obsidian,electron28,
-private-etc libva.conf,vulkan,ati,xdg,gtk-3.0,drirc,fonts,
+private-bin bash,basename,cat,cut,electron28,gawk,grep,obsidian,realpath,tr
+private-etc @network,@tls-ca,gnutls,nsswitch.conf,
+private-etc @x11,fonts,libva.conf
 
-?HAS_APPIMAGE: private-lib
-
-read-only ${HOME}/.config/vulkan
 read-only ${HOME}/.config/kdedefaults
+read-only ${HOME}/.config/vulkan
 
 include electron-common.profile
From 6969eca5ea1a6c57f77d1962a92d5aad9b4d0f2b Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 25 Apr 2024 22:39:41 +0000
Subject: [PATCH 05/13] Update etc/profile-m-z/obsidian.profile
Co-authored-by: Kelvin M. Klann
---
 etc/profile-m-z/obsidian.profile | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/etc/profile-m-z/obsidian.profile b/etc/profile-m-z/obsidian.profile
index 15273268966..0276c0034d3 100644
--- a/etc/profile-m-z/obsidian.profile
+++ b/etc/profile-m-z/obsidian.profile
@@ -6,15 +6,10 @@ include obsidian-wayland.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/AMD
-noblacklist ${HOME}/.cache/mesa_shader_cache
-noblacklist ${HOME}/.cache/nvidia
-noblacklist ${HOME}/.local/share/applnk
-noblacklist ${HOME}/.local/share/vulkan
-noblacklist ${HOME}/.local/share/vulkan
-noblacklist ${HOME}/.config/kdedefaults
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/obsidian
-noblacklist ${HOME}/.config/vulkan
+noblacklist ${HOME}/.gitconfig
 
 whitelist ${HOME}/.cache/AMD
 whitelist ${HOME}/.cache/mesa_shader_cache
From 0583908f6a70f4cd6a33223d4f7749e5162237ae Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 25 Apr 2024 22:40:05 +0000
Subject: [PATCH 06/13] Update etc/profile-m-z/obsidian.profile
Co-authored-by: Kelvin M. Klann
---
 etc/profile-m-z/obsidian.profile | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/etc/profile-m-z/obsidian.profile b/etc/profile-m-z/obsidian.profile
index 0276c0034d3..d9b209a374c 100644
--- a/etc/profile-m-z/obsidian.profile
+++ b/etc/profile-m-z/obsidian.profile
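Review bot: `noblacklist ${DOCUMENTS}` in the new noblacklist block re-exposes the entire Documents directory rather than a single vault, and nothing in the profile says that this is where a vault is expected to live. A user whose vault sits elsewhere gets an opaque permission failure, while a user with unrelated material under ${DOCUMENTS} exposes all of it to the app and to every plugin it loads. I'd annotate the line where the assumption is made, e.g. `noblacklist ${DOCUMENTS} # vaults are expected here; a vault elsewhere needs its own noblacklist in obsidian.local`. Whether ${DOCUMENTS} is actually blacklisted beforehand depends on what electron-common.profile pulls in, which this patch does not show.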
@@ -11,16 +11,6 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/obsidian
 noblacklist ${HOME}/.gitconfig
 
-whitelist ${HOME}/.cache/AMD
-whitelist ${HOME}/.cache/mesa_shader_cache
-whitelist ${HOME}/.cache/nvidia
-whitelist ${HOME}/.local/share/applnk
-whitelist ${HOME}/.local/share/vulkan
-whitelist ${HOME}/.local/share/vulkan
-whitelist ${HOME}/.config/kdedefaults
-whitelist ${HOME}/.config/obsidian
-whitelist ${HOME}/.config/vulkan
-
 ipc-namespace
 nonewprivs
 noroot
From 5e24befa5c813896ee2a355883c9bd9b18fd3634 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 25 Apr 2024 22:40:42 +0000
Subject: [PATCH 07/13] Update etc/profile-m-z/obsidian.profile
---
 etc/profile-m-z/obsidian.profile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/etc/profile-m-z/obsidian.profile b/etc/profile-m-z/obsidian.profile
index d9b209a374c..1143cef3556 100644
--- a/etc/profile-m-z/obsidian.profile
+++ b/etc/profile-m-z/obsidian.profile
@@ -18,8 +18,7 @@ protocol unix,inet,inet6
 #net none
 
 private-bin bash,basename,cat,cut,electron28,gawk,grep,obsidian,realpath,tr
-private-etc @network,@tls-ca,gnutls,nsswitch.conf,
-private-etc @x11,fonts,libva.conf
+private-etc @network,@tls-ca,@x11,gnutls,libva.conf
 
 read-only ${HOME}/.config/kdedefaults
 read-only ${HOME}/.config/vulkan
From 50331214e23feb3e34435aec1b563cccff9fe4cb Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 25 Apr 2024 22:41:08 +0000
Subject: [PATCH 08/13] Update etc/profile-m-z/obsidian.profile
Co-authored-by: Kelvin M. Klann
---
 etc/profile-m-z/obsidian.profile | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/etc/profile-m-z/obsidian.profile b/etc/profile-m-z/obsidian.profile
index 1143cef3556..b419f1db0cd 100644
--- a/etc/profile-m-z/obsidian.profile
+++ b/etc/profile-m-z/obsidian.profile
@@ -20,7 +20,4 @@ protocol unix,inet,inet6
 private-bin bash,basename,cat,cut,electron28,gawk,grep,obsidian,realpath,tr
 private-etc @network,@tls-ca,@x11,gnutls,libva.conf
 
-read-only ${HOME}/.config/kdedefaults
-read-only ${HOME}/.config/vulkan
-
 include electron-common.profile
From cbfa80f5bfbce6aef9caa6ec206a224eb6d4ecb0 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 25 Apr 2024 22:41:25 +0000
Subject: [PATCH 09/13] Update etc/profile-m-z/obsidian.profile
Co-authored-by: Kelvin M. Klann
---
 etc/profile-m-z/obsidian.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/profile-m-z/obsidian.profile b/etc/profile-m-z/obsidian.profile
index b419f1db0cd..e88f9e848a4 100644
--- a/etc/profile-m-z/obsidian.profile
+++ b/etc/profile-m-z/obsidian.profile
@@ -20,4 +20,5 @@ protocol unix,inet,inet6
 private-bin bash,basename,cat,cut,electron28,gawk,grep,obsidian,realpath,tr
 private-etc @network,@tls-ca,@x11,gnutls,libva.conf
 
+# Redirect
 include electron-common.profile
From d90938789b9ea1cbf841b499d4b1d266cd06e0cf Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 25 Apr 2024 22:42:42 +0000
Subject: [PATCH 10/13] Update etc/profile-m-z/obsidian.profile
---
 etc/profile-m-z/obsidian.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/profile-m-z/obsidian.profile b/etc/profile-m-z/obsidian.profile
index e88f9e848a4..18a4929bbcd 100644
--- a/etc/profile-m-z/obsidian.profile
+++ b/etc/profile-m-z/obsidian.profile
@@ -17,7 +17,7 @@ noroot
 protocol unix,inet,inet6
 #net none
 
-private-bin bash,basename,cat,cut,electron28,gawk,grep,obsidian,realpath,tr
+private-bin basename,bash,cat,cut,electron,electron[0-9],electron[0-9][0-9],gawk,grep,obsidian,realpath,tr
 private-etc @network,@tls-ca,@x11,gnutls,libva.conf
 
 # Redirect
From 2cb07956f45bc0300e292ca0966caf2f24550ebf Mon Sep 17 00:00:00 2001
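Review bot: The rewritten `private-bin` line in the last hunk keeps `bash`, `gawk`, `grep` and six coreutils without saying what needs them; the per-line "for the git plugin" comments from the first revision of this profile were dropped together with `git` in patch 04, so a maintainer can no longer tell which launcher script or plugin requires a shell inside the sandbox. Every binary listed there widens what code in the sandbox can execute, so I'd name the consumer on the line, e.g. `private-bin ... # bash and the text utilities are presumably used by the launcher wrapper script — confirm and drop them if the package starts obsidian directly`. The `electron`, `electron[0-9]` and `electron[0-9][0-9]` patterns read as a sensible version-agnostic replacement for `electron28`.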
From: Konstantin1722
Date: Sun, 28 Apr 2024 17:09:23 +0300
Subject: [PATCH 11/13] Update etc/profile-m-z/obsidian.profile
---
 etc/profile-m-z/obsidian.profile | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/etc/profile-m-z/obsidian.profile b/etc/profile-m-z/obsidian.profile
index 18a4929bbcd..5d3fb1f50d4 100644
--- a/etc/profile-m-z/obsidian.profile
+++ b/etc/profile-m-z/obsidian.profile
@@ -1,15 +1,13 @@
-# Firejail profile for obsidian-wayland
+# Firejail profile for obsidian
 # Description: Personal knowledge base and note-taking with Markdown files.
 # This file is overwritten after every install/update
 # Persistent local customizations
-include obsidian-wayland.local
+include obsidian.local
 # Persistent global definitions
 include globals.local
 
 noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/obsidian
-noblacklist ${HOME}/.gitconfig
 
 ipc-namespace
 nonewprivs
From 1ca7a84a8c27270f267d4f7b0ee7271e7e6324d5 Mon Sep 17 00:00:00 2001
From: Konstantin1722
Date: Sun, 28 Apr 2024 18:59:04 +0300
Subject: [PATCH 12/13] Update etc/profile-m-z/obsidian.profile
---
 etc/inc/disable-programs.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index a124b2f8cec..5e985311e7f 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -588,6 +588,7 @@ blacklist ${HOME}/.config/nomacs
 blacklist ${HOME}/.config/nuclear
 blacklist ${HOME}/.config/nvim
 blacklist ${HOME}/.config/obs-studio
+blacklist ${HOME}/.config/obsidian
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
 blacklist ${HOME}/.config/onboard
@@ -1254,4 +1255,3 @@ blacklist /var/games/slashem
 blacklist /var/games/vulturesclaw
 blacklist /var/games/vultureseye
 blacklist /var/lib/games/Maelstrom-Scores
-blacklist ${HOME}/.config/obsidian
From e2f683dcbfe506fcc5f213593c1fea41c937f0de Mon Sep 17 00:00:00 2001
From: Konstantin1722
Date: Sun, 5 May 2024 11:34:38 +0300
Subject: [PATCH 13/13] Update etc/profile-m-z/obsidian.profile
---
 etc/profile-m-z/obsidian.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/profile-m-z/obsidian.profile b/etc/profile-m-z/obsidian.profile
index 5d3fb1f50d4..80ca334ba88 100644
--- a/etc/profile-m-z/obsidian.profile
+++ b/etc/profile-m-z/obsidian.profile
@@ -13,7 +13,7 @@ ipc-namespace
 nonewprivs
 noroot
 protocol unix,inet,inet6
-#net none
+#net none # networking is needed to download/update plugins
 
 private-bin basename,bash,cat,cut,electron,electron[0-9],electron[0-9][0-9],gawk,grep,obsidian,realpath,tr
 private-etc @network,@tls-ca,@x11,gnutls,libva.conf
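Review bot: The new comment on `#net none` explains why networking stays on but not where a user who does not install plugins can turn it off; `obsidian.local` is included at the top of the profile and nothing visible later in the file re-enables networking, so a `net none` placed there should take effect. I'd extend the line to `#net none # networking is needed to download/update plugins; put "net none" in obsidian.local to disable it`. Note also that the `netfilter` line from the first revision of this profile (patch 01) did not survive the rewrite, so unless electron-common.profile sets it — which this series does not show — the sandbox now runs with networking and without the default firewall; worth confirming before merge.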