New profile: device-flasher.linux

[lucasmz-dev]

The CalyxOS CLI device flasher. Has to be run under certain exceptions but works fine regardless.

[lucasmz-dev]

Added this only because of rusty-snake's kyst, works fine so might as well keep it?
I'm not entirely sure what /opt and /srv are for.

[kmk3]

Added this only because of rusty-snake's kyst, works fine so might as well
keep it?

Seems fine.

I'm not entirely sure what /opt and /srv are for.

/opt is sometimes used for putting the entire installation files of third-party
programs into (as with Program Files in Windows).

/srv is used by things like HTTP servers.

[kmk3]

Suggested change

	# Firejail profile for device-flasher.linux
	# Description: CalyxOS' device flasher
	# This file is overwritten after every install/update
	# Usage: run firejail ./device-flasher.linux in the folder with it and your factory image.
	# Warning!
	# ADB does not work under this sandbox, this is not a problem however, it just means you need to
	# reboot the device into bootloader mode first. To do this, hold Volume Down + Power until you get
	# into a screen with an Android robot being repaired. You'll need OEM Unlocking beforehand.
	# Fedora: you may need to manually install a third-party resource for udev rules, as Fedora ships broken ones on android-tools.
	quiet
	include device-flasher.linux.local
	# Persistent local customizations
	include globals.local
	# Persistent global definitions
	# Firejail profile for device-flasher.linux
	# Description: CalyxOS' device flasher
	# This file is overwritten after every install/update
	quiet
	# Persistent local customizations
	include device-flasher.linux.local
	# Persistent global definitions
	include globals.local
	# Usage: Run firejail ./device-flasher.linux in the folder with it and your
	# factory image.
	# Warning: ADB does not work with this profile, so you need to reboot the
	# device into bootloader mode first. To do this, hold Volume Down + Power until
	# you get into a screen with an Android robot being repaired. You'll need OEM
	# Unlocking beforehand.
	# Fedora: You may need to manually install a third-party resource for udev
	# rules, as Fedora ships broken ones on android-tools.

Sort/format/reword.

[kmk3]

Suggested change

	include allow-bin-sh.inc
	# Allow /bin/sh (blacklisted by disable-shell.inc)
	include allow-bin-sh.inc

[kmk3]

Suggested change

	blacklist /opt
	blacklist /srv
	blacklist ${RUNUSER}
	blacklist /usr/libexec
	blacklist ${RUNUSER}
	blacklist /opt
	blacklist /srv
	blacklist /usr/libexec

Sort.

[kmk3]

Suggested change

	whitelist ${DOWNLOADS}
	# The Downloads folder is the only folder available to the flasher, use it or manually whitelist another.
	# Preferably use a sub-folder such as Downloads/CalyxOS/ to prevent issues.
	include whitelist-run-common.inc
	whitelist ${DOWNLOADS}
	include whitelist-common.inc
	include whitelist-run-common.inc

The comment is kind of redundant, as it generally applies to any profile with
whitelist ${DOWNLOADS} (or another XDG user directory).

Usually whitelist-common.inc is included when whitelist ${HOME}/... is used.

[lucasmz-dev]

I don't see much reason to use whitelist-common.inc, it isn't needed at all, especially being a CLI tool.

(I'll go ahead soon enough and apply the changes requested, I'd like to confirm flashing works, this is the only one I don't see why use whitelist-common in specific, removing the comments is fine)

[kmk3]

Suggested change

	include landlock-common.inc

Not currently used.

[kmk3]

Suggested change

	private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
	private-etc @network,@tls-ca,host.conf,mime.types,rpc,services,xdg

Use new private-etc groups (see #6400).

[rusty-snake]

Suggested change

	dbus-system none
	dbus-user none

[rusty-snake]

Suggested change

	dbus-user none
	dbus-system none