New profiles: qpdf and redirects (#5675)

* Create qpdf.profile and redirects qpdf (CLI) provides PDF metadata cleaning. See privacy-handbuch.de[1] for details. The site offers pdf-meta-clean.sh[2], which works very well with firejailed qpdf. [1] https://www.privacy-handbuch.de/handbuch_43a.htm [2] https://www.privacy-handbuch.de/download/pdf-meta-clean.sh * RELNOTES: add qpdf and redirects to new profiles section * firecfg.config: add qpdf and redirects * qpdf: use 'seccomp socket' instead of 'protocol unix' See #639. Thanks @rusty-snake in code review.
netblue30 · Feb 23, 2023 · 7ed7d6d · 7ed7d6d
1 parent 7ca54d2
commit 7ed7d6d
Show file tree

Hide file tree

Showing 5 changed files with 98 additions and 0 deletions.
diff --git a/RELNOTES b/RELNOTES
@@ -17,6 +17,7 @@ firejail (0.9.73) baseline; urgency=low
     support (#5589)
   * docs: selinux.c: Split Copyright notice & use same license as upstream
     (#5667)
+  * new profiles: fix-qdf, qpdf, zlib-flate 
  -- netblue30 <[email protected]>  Mon, 16 Jan 2023 09:00:00 -0500
 
 firejail (0.9.72) baseline; urgency=low

diff --git a/etc/profile-a-l/fix-qdf.profile b/etc/profile-a-l/fix-qdf.profile
@@ -0,0 +1,13 @@
+# Firejail profile for fix-qdf
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include fix-qdf.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin fix-qdf
+
+# Redirect
+include qpdf.profile
diff --git a/etc/profile-m-z/qpdf.profile b/etc/profile-m-z/qpdf.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qpdf
+# Description: A Content-Preserving PDF Transformation System
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qpdf.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname qpdf
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+tracelog
+x11 none
+
+private-bin qpdf
+private-cache
+private-dev
+private-etc
+private-lib libqpdf.so.*
+#private-tmp # breaks on Arch Linux
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
+read-only ${HOME}
+read-write ${DOCUMENTS}
+read-write ${DOWNLOADS}
diff --git a/etc/profile-m-z/zlib-flate.profile b/etc/profile-m-z/zlib-flate.profile
@@ -0,0 +1,13 @@
+# Firejail profile for zlib-flate
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zlib-flate.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin zlib-flate
+
+# Redirect
+include qpdf.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
@@ -260,6 +260,7 @@ firefox-nightly
 firefox-wayland
 firefox-x11
 five-or-more
+fix-qdf
 flacsplt
 flameshot
 flashpeak-slimjet
@@ -694,6 +695,7 @@ qgis
 qlipper
 qmmp
 qnapi
+qpdf
 qpdfview
 qq
 qt-faststart
@@ -957,6 +959,7 @@ zart
 zathura
 zeal
 zim
+zlib-flate
 zoom
 # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)