add application profile for SailJail

Contributes-To: storeman-developers#236

rpm/harbour-storeman.spec

@@ -100,3 +100,5 @@ ssu ur
 %{_datadir}/icons/hicolor/*/apps/%{name}.png
 %{_datadir}/mapplauncherd/privileges.d/%{name}
 %{_datadir}/dbus-1/services/harbour.storeman.service
+%{_sysconfdir}/sailjail/permissions/%{name}.profile
+%{_sysconfdir}/firejail/%{name}.local

sailjail/harbour-storeman-debug.desktop

@@ -0,0 +1,18 @@
+[Desktop Entry]
+Type=Application
+X-Nemo-Application-Type=silica-qt5
+Icon=harbour-storeman
+Exec=/usr/bin/sailjail --trace=/tmp/storeman-trace -p harbour-storeman.desktop /usr/bin/harbour-storeman
+Name=Storeman
+X-Maemo-Service=harbour.storeman.service
+X-Maemo-Object-Path=/harbour/storeman/service
+X-Maemo-Method=harbour.storeman.service.openPage
+
+[X-Sailjail]
+Sandboxing=enabled
+Permissions=Base;Internet;Notifications;Secrets;Connman;ApplicationInstallation
+OrganizationName=harbour-storeman
+#ApplicationName=Storeman
+#DataDirectory=harbour-storeman
+ApplicationName=harbour-storeman
+ExecDBus=/usr/bin/sailjail --trace=/tmp/storeman-dbus-trace -p harbour-storeman.desktop /usr/bin/harbour-storeman

sailjail/harbour-storeman.desktop

@@ -0,0 +1,22 @@
+[Desktop Entry]
+Type=Application
+X-Nemo-Application-Type=silica-qt5
+Icon=harbour-storeman
+Exec=harbour-storeman
+Name=Storeman
+X-Maemo-Service=harbour.storeman.service
+X-Maemo-Object-Path=/harbour/storeman/service
+X-Maemo-Method=harbour.storeman.service.openPage
+
+[X-Sailjail]
+Sandboxing=enabled
+Permissions=Internet;Notifications;Secrets;Connman;ApplicationInstallation;MediaIndexing;Downloads
+OrganizationName=harbour-storeman
+ApplicationName=Storeman
+DataDirectory=harbour-storeman
+#ApplicationName=harbour-storeman
+ExecDBus=/usr/bin/harbour-storeman
+
+[X-HarbourBackup]
+BackupPathList=.config/harbour-storeman/:.local/share/harbour-storeman/
+

sailjail/harbour-storeman.local

@@ -0,0 +1,8 @@
+allusers
+read-only /home/.zypp-cache/*
+read-only /home/.zypp-cache/solv/*
+read-only /home/.zypp-cache/solv/@System/*
+read-only /home/.zypp-cache/solv/harbour-storeman-obs/*
+read-only /home/.zypp-cache/solv/openrepos-*/*
+
+read-only /etc/ssu/ssu.ini

sailjail/harbour-storeman.profile

@@ -0,0 +1,79 @@
+# -*- mode: sh -*-
+
+# x-sailjail-translation-catalog = harbour-storeman
+# x-sailjail-translation-key-description = permission-la-data
+# x-sailjail-description = Storeman permissions
+# x-sailjail-translation-key-long-description = permission-la-data_description
+# x-sailjail-long-description = Access necessary ressources for Storeman to work
+
+private-bin /usr/bin/harbour-storeman
+
+writable-run-user
+
+# we need to be able to read
+# /home/.zypp-cache/solv/@System/solv
+# but no stanza in sailjail will make it work.
+# but doing it in firejail config works
+#
+# use bare name without path here! it will look files in /etc/firejail
+include harbour-storeman.local
+# the same is true for: /etc/ssu/ssu.ini
+
+# for some reason the Secrets permission does not work for this:
+whitelist ${RUNUSER}/sailfishsecretsd/p2pSocket
+
+
+### D-Bus
+### BEG D-Bus SESSION things
+dbus-user filter
+
+dbus-user.talk org.freedesktop.DBus
+dbus-user.call org.freedesktop.DBus=org.freedesktop.DBus@/*
+dbus-user.broadcast org.freedesktop.DBus=org.freedesktop.DBus@/*
+
+# BEG dbus session service
+dbus-user.own harbour.storeman.service
+dbus-user.own harbour.storeman.service.*
+dbus-user.talk harbour.storeman.service
+dbus-user.call harbour.storeman.service=harbour.storeman.service@/*
+dbus-user.call *=harbour.storeman.service.openPage@/*
+dbus-user.call *=harbour.storeman.service.updateAll@/*
+dbus-user.call *=harbour.storeman.service.updateRepos@/*
+# END dbus session service
+#
+# BEG dbus service PackageKit
+dbus-user.talk org.freedesktop.PackageKit
+dbus-user.call org.freedesktop.PackageKit=org.freedesktop.PackageKit@/*
+dbus-user.call *=org.freedesktop.PackageKit.CreateTransaction@/*
+# END dbus service PackageKit
+
+# BEG dbus service Tracker
+# org.freedesktop.Tracker3.Miner.Files call org.freedesktop.DBus.Peer.Ping at /org/freedesktop/Tracker3/Endpoin
+# MediaIndexing permission should grant this already
+# dbus-user.talk org.freedesktop.Tracker3
+# dbus-user.call org.freedesktop.Tracker3=org.freedesktop.Tracker3@/*
+# dbus-user.call *=org.freedesktop.Tracker3.Miner.Files@/*
+# END dbus service Tracker
+### END D-Bus SESSION things
+
+
+### BEG D-Bus SYSTEM things
+dbus-system filter
+
+# BEG dbus service ssu
+dbus-system.talk org.nemo.ssu
+dbus-system.call org.nemo.ssu=org.nemo.ssu@/*
+dbus-system.call *=org.nemo.ssu.addRepo@/*
+dbus-system.call *=org.nemo.ssu.modifyRepo@/*
+# END dbus service ssu
+
+# BEG dbus system service
+#dbus-system filter
+#dbus-system.own harbour.storeman.service
+#dbus-system.talk harbour.storeman.service
+#dbus-system.call harbour.storeman.service=harbour.storeman.service@/*
+#dbus-system.call *=harbour.storeman.service.openPage@/*
+#dbus-system.call *=harbour.storeman.service.updateAll@/*
+# END dbus system service
+
+### END D-Bus SYSTEM things

sailjail/sailjail.pro

@@ -0,0 +1,15 @@
+TEMPLATE = aux
+
+OTHER_FILES += \
+    harbour-storeman.desktop \
+    harbour-storeman-debug.desktop \
+    harbour-storeman.profile \
+    harbour-storeman.local \
+
+INSTALLS += desktop sjprofile fjprofile
+
+sjprofile.files = harbour-storeman.profile
+sjprofile.path = $$INSTALL_ROOT/etc/sailjail/permissions
+
+fjprofile.files = harbour-storeman.local
+fjprofile.path = $$INSTALL_ROOT/etc/firejail