################################
# Based on the Generic GUI application profile
################################
noblacklist ~/.cache/smolbote
noblacklist ~/.local/share/smolbote
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-devel.inc

whitelist ${DOWNLOADS}
mkdir ~/.cache/smolbote
whitelist ~/.cache/smolbote
mkdir ~/.local/share/smolbote
whitelist ~/.local/share/smolbote

## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
caps.drop all

## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
## Commented out because netfliter somehow breaks smolbote if used alone.
#netfilter

##  newnewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
nonewprivs

## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
noroot

## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
nogroups

## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
protocol unix,inet,inet6

## seccomp - Blacklists a large swath of syscalls from being accessible.
seccomp

## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
## Commened out until an actually package is made.
#private-bin poi

## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
private-etc nsswitch.conf,resolv.conf

## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
private-tmp

## tracelog - Log all viloations to syslog
tracelog

include /etc/firejail/whitelist-common.inc