diff --git a/rpm/harbour-storeman.spec b/rpm/harbour-storeman.spec index 31d26729..3837db43 100644 --- a/rpm/harbour-storeman.spec +++ b/rpm/harbour-storeman.spec @@ -100,3 +100,5 @@ ssu ur %{_datadir}/icons/hicolor/*/apps/%{name}.png %{_datadir}/mapplauncherd/privileges.d/%{name} %{_datadir}/dbus-1/services/harbour.storeman.service +%{_sysconfdir}/sailjail/permissions/%{name}.profile +%{_sysconfdir}/firejail/%{name}.local diff --git a/sailjail/harbour-storeman-debug.desktop b/sailjail/harbour-storeman-debug.desktop new file mode 100644 index 00000000..4dec9629 --- /dev/null +++ b/sailjail/harbour-storeman-debug.desktop @@ -0,0 +1,18 @@ +[Desktop Entry] +Type=Application +X-Nemo-Application-Type=silica-qt5 +Icon=harbour-storeman +Exec=/usr/bin/sailjail --trace=/tmp/storeman-trace -p harbour-storeman.desktop /usr/bin/harbour-storeman +Name=Storeman +X-Maemo-Service=harbour.storeman.service +X-Maemo-Object-Path=/harbour/storeman/service +X-Maemo-Method=harbour.storeman.service.openPage + +[X-Sailjail] +Sandboxing=enabled +Permissions=Base;Internet;Notifications;Secrets;Connman;ApplicationInstallation +OrganizationName=harbour-storeman +#ApplicationName=Storeman +#DataDirectory=harbour-storeman +ApplicationName=harbour-storeman +ExecDBus=/usr/bin/sailjail --trace=/tmp/storeman-dbus-trace -p harbour-storeman.desktop /usr/bin/harbour-storeman diff --git a/sailjail/harbour-storeman.desktop b/sailjail/harbour-storeman.desktop new file mode 100644 index 00000000..e7a62656 --- /dev/null +++ b/sailjail/harbour-storeman.desktop @@ -0,0 +1,22 @@ +[Desktop Entry] +Type=Application +X-Nemo-Application-Type=silica-qt5 +Icon=harbour-storeman +Exec=harbour-storeman +Name=Storeman +X-Maemo-Service=harbour.storeman.service +X-Maemo-Object-Path=/harbour/storeman/service +X-Maemo-Method=harbour.storeman.service.openPage + +[X-Sailjail] +Sandboxing=enabled +Permissions=Internet;Notifications;Secrets;Connman;ApplicationInstallation;MediaIndexing;Downloads +OrganizationName=harbour-storeman +ApplicationName=Storeman +DataDirectory=harbour-storeman +#ApplicationName=harbour-storeman +ExecDBus=/usr/bin/harbour-storeman + +[X-HarbourBackup] +BackupPathList=.config/harbour-storeman/:.local/share/harbour-storeman/ + diff --git a/sailjail/harbour-storeman.local b/sailjail/harbour-storeman.local new file mode 100644 index 00000000..392df89d --- /dev/null +++ b/sailjail/harbour-storeman.local @@ -0,0 +1,8 @@ +allusers +read-only /home/.zypp-cache/* +read-only /home/.zypp-cache/solv/* +read-only /home/.zypp-cache/solv/@System/* +read-only /home/.zypp-cache/solv/harbour-storeman-obs/* +read-only /home/.zypp-cache/solv/openrepos-*/* + +read-only /etc/ssu/ssu.ini diff --git a/sailjail/harbour-storeman.profile b/sailjail/harbour-storeman.profile new file mode 100644 index 00000000..c578a116 --- /dev/null +++ b/sailjail/harbour-storeman.profile @@ -0,0 +1,79 @@ +# -*- mode: sh -*- + +# x-sailjail-translation-catalog = harbour-storeman +# x-sailjail-translation-key-description = permission-la-data +# x-sailjail-description = Storeman permissions +# x-sailjail-translation-key-long-description = permission-la-data_description +# x-sailjail-long-description = Access necessary ressources for Storeman to work + +private-bin /usr/bin/harbour-storeman + +writable-run-user + +# we need to be able to read +# /home/.zypp-cache/solv/@System/solv +# but no stanza in sailjail will make it work. +# but doing it in firejail config works +# +# use bare name without path here! it will look files in /etc/firejail +include harbour-storeman.local +# the same is true for: /etc/ssu/ssu.ini + +# for some reason the Secrets permission does not work for this: +whitelist ${RUNUSER}/sailfishsecretsd/p2pSocket + + +### D-Bus +### BEG D-Bus SESSION things +dbus-user filter + +dbus-user.talk org.freedesktop.DBus +dbus-user.call org.freedesktop.DBus=org.freedesktop.DBus@/* +dbus-user.broadcast org.freedesktop.DBus=org.freedesktop.DBus@/* + +# BEG dbus session service +dbus-user.own harbour.storeman.service +dbus-user.own harbour.storeman.service.* +dbus-user.talk harbour.storeman.service +dbus-user.call harbour.storeman.service=harbour.storeman.service@/* +dbus-user.call *=harbour.storeman.service.openPage@/* +dbus-user.call *=harbour.storeman.service.updateAll@/* +dbus-user.call *=harbour.storeman.service.updateRepos@/* +# END dbus session service +# +# BEG dbus service PackageKit +dbus-user.talk org.freedesktop.PackageKit +dbus-user.call org.freedesktop.PackageKit=org.freedesktop.PackageKit@/* +dbus-user.call *=org.freedesktop.PackageKit.CreateTransaction@/* +# END dbus service PackageKit + +# BEG dbus service Tracker +# org.freedesktop.Tracker3.Miner.Files call org.freedesktop.DBus.Peer.Ping at /org/freedesktop/Tracker3/Endpoin +# MediaIndexing permission should grant this already +# dbus-user.talk org.freedesktop.Tracker3 +# dbus-user.call org.freedesktop.Tracker3=org.freedesktop.Tracker3@/* +# dbus-user.call *=org.freedesktop.Tracker3.Miner.Files@/* +# END dbus service Tracker +### END D-Bus SESSION things + + +### BEG D-Bus SYSTEM things +dbus-system filter + +# BEG dbus service ssu +dbus-system.talk org.nemo.ssu +dbus-system.call org.nemo.ssu=org.nemo.ssu@/* +dbus-system.call *=org.nemo.ssu.addRepo@/* +dbus-system.call *=org.nemo.ssu.modifyRepo@/* +# END dbus service ssu + +# BEG dbus system service +#dbus-system filter +#dbus-system.own harbour.storeman.service +#dbus-system.talk harbour.storeman.service +#dbus-system.call harbour.storeman.service=harbour.storeman.service@/* +#dbus-system.call *=harbour.storeman.service.openPage@/* +#dbus-system.call *=harbour.storeman.service.updateAll@/* +# END dbus system service + +### END D-Bus SYSTEM things diff --git a/sailjail/sailjail.pro b/sailjail/sailjail.pro new file mode 100644 index 00000000..606d5d20 --- /dev/null +++ b/sailjail/sailjail.pro @@ -0,0 +1,15 @@ +TEMPLATE = aux + +OTHER_FILES += \ + harbour-storeman.desktop \ + harbour-storeman-debug.desktop \ + harbour-storeman.profile \ + harbour-storeman.local \ + +INSTALLS += desktop sjprofile fjprofile + +sjprofile.files = harbour-storeman.profile +sjprofile.path = $$INSTALL_ROOT/etc/sailjail/permissions + +fjprofile.files = harbour-storeman.local +fjprofile.path = $$INSTALL_ROOT/etc/firejail