From a7e1430a9692547c55544aedcfa8c361029659e8 Mon Sep 17 00:00:00 2001
From: gcb <56283+gcb@users.noreply.github.com>
Date: Fri, 8 Nov 2024 15:07:08 +0000
Subject: [PATCH 1/2] initial syncthing support
---
 etc/profile-m-z/syncthing.profile | 47 +++++++++++++++++++++++++++++++
 src/firecfg/firecfg.config | 1 +
 2 files changed, 48 insertions(+)
 create mode 100644 etc/profile-m-z/syncthing.profile
diff --git a/etc/profile-m-z/syncthing.profile b/etc/profile-m-z/syncthing.profile
new file mode 100644
index 0000000000..902dedc4e8
--- /dev/null
+++ b/etc/profile-m-z/syncthing.profile
@@ -0,0 +1,47 @@
+# Firejail profile for syncthing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include syncthing.local
+# Persistent global definitions
+include globals.local
+
+# NOTE: this assumes a ~/Sync directory to be shared.
+
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.local/state/syncthing
+noblacklist ${HOME}/.local/state/syncthing
+whitelist ${HOME}/.local/state/syncthing
+
+mkdir ${HOME}/Sync
+whitelist ${HOME}/Sync
+
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+
+private-dev
+private-tmp
+
+#noexec /tmp
+#restrict-namespaces
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e0c6256b59..79602245f9 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -851,6 +851,7 @@ surf
 sushi
 swell-foop
 sylpheed
+syncthing
 synfigstudio
 sysprof
 sysprof-cli
From e986d0b59a28b668ca573a07e46c6f4443b3232d Mon Sep 17 00:00:00 2001
From: gcb <56283+gcb@users.noreply.github.com>
Date: Fri, 8 Nov 2024 15:35:36 +0000
Subject: [PATCH 2/2] used the template
---
 etc/profile-m-z/syncthing.profile | 83 ++++++++++++++++++++++++++++---
 1 file changed, 76 insertions(+), 7 deletions(-)
diff --git a/etc/profile-m-z/syncthing.profile b/etc/profile-m-z/syncthing.profile
index 902dedc4e8..6ac09fcbd1 100644
--- a/etc/profile-m-z/syncthing.profile
+++ b/etc/profile-m-z/syncthing.profile
@@ -1,47 +1,116 @@ # Firejail profile for syncthing +# Description: File synchronization using public networks # This file is overwritten after every install/update + +##quiet # Persistent local customizations include syncthing.local # Persistent global definitions include globals.local -# NOTE: this assumes a ~/Sync directory to be shared. +noblacklist ${HOME}/.local/state/syncthing +# NOTE: this assumes a ~/Sync directory to be shared by default. Maybe leave a requirement to edit local file to set dirs? +noblacklist ${HOME}/Sync + +# NOTE: will cause WARNING: Failed to lower process +# priority: set I/O priority: operation not permitted +# So, we try to preemptively set it here: +nice 2 +# no allow-*.inc -# Allow python3 (blacklisted by disable-interpreters.inc) -include allow-python3.inc +##blacklist PATH +# Disable Wayland +blacklist ${RUNUSER}/wayland-* +# Disable RUNUSER (cli only; supersedes Disable Wayland) +blacklist ${RUNUSER} +# Remove the next blacklist if your system has no /usr/libexec dir, +# otherwise try to add it. +blacklist /usr/libexec +# disable-*.inc includes include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc +include disable-proc.inc include disable-programs.inc +include disable-shell.inc +#include disable-write-mnt.inc # we set disable-mnt +#include disable-x11.inc # this causes an error... +include disable-xdg.inc + mkdir ${HOME}/.local/state/syncthing -noblacklist ${HOME}/.local/state/syncthing whitelist ${HOME}/.local/state/syncthing +# see note above about this dir! 
mkdir ${HOME}/Sync whitelist ${HOME}/Sync include whitelist-common.inc + +# Landlock commands +##landlock.fs.read PATH +##landlock.fs.write PATH +##landlock.fs.makeipc PATH +##landlock.fs.makedev PATH +##landlock.fs.execute PATH +#include landlock-common.inc + +##allusers +#apparmor caps.drop all +# CLI only +##ipc-namespace +# breaks audio and sometimes dbus related functions +#machine-id netfilter no3d nodvd nogroups noinput nonewprivs +noprinters noroot nosound +#notpm # this line causes error notv nou2f novideo protocol unix,inet,inet6 seccomp +##seccomp !chroot +##seccomp.drop SYSCALLS (see syscalls.txt) +#seccomp.block-secondary +##seccomp-error-action log (only for debugging seccomp issues) +#tracelog +#x11 none # desirable but too complex to add +disable-mnt +#private-bin PROGRAMS +private-cache private-dev -private-tmp +#private-etc +# Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +##private-lib LIBS +#private-tmp +##writable-etc +##writable-run-user +##writable-var +##writable-var-log + +dbus-user none +dbus-system none + +# Note: read-only entries should usually go in disable-common.inc (especially +# entries for configuration files that allow arbitrary command execution). +##deterministic-shutdown +##env VAR=VALUE +# NOTE: there's no env to avoid starting the browser, but it will err out just "fine". +##join-or-start NAME +#memory-deny-write-execute +##read-write ${HOME} +restrict-namespaces -#noexec /tmp -#restrict-namespaces
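Review bot: `private-tmp` is switched off in this hunk (`private-tmp` becomes `#private-tmp`) while the rest of the profile is being tightened, and neither the adjacent comment nor the commit message says why, so the sandbox now shares the host's /tmp with every other process of the user; if syncthing is known to need something there, say so in a comment, otherwise keep the template default `private-tmp`. The `netfilter` line carried over from the first version only takes effect inside a new network namespace created with a `net` directive (as far as I recall from the firejail manual), so on its own it filters nothing — either pair it with `net` or drop it so readers do not assume inbound traffic is filtered. The whitelist covers only `${HOME}/.local/state/syncthing`; installations whose config still lives in `${HOME}/.config/syncthing` (the older default location, if I recall correctly) would start inside the sandbox with an empty config, so that path probably needs its own `noblacklist`/`mkdir`/`whitelist` trio, or the NOTE comment should state that such setups are unsupported. Finally, `#notpm # this line causes error` and `#include disable-x11.inc # this causes an error...` keep dead directives with a vague reason; either name the error (or the minimum firejail version that accepts the option) or remove those lines.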