private-etc: moved group names to @group syntax; GUI group renamed as @…

…X11 group; added nvidia and X11 directories to @X11 group.

README.md

@@ -184,32 +184,31 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
 ### private-etc rework
 `````
-       --private-etc, --private-etc=file,directory
+       --private-etc, --private-etc=file,directory,@group
               The files installed by --private-etc are copies of the  original
               system  files  from  /etc  directory.   By  default, the command
               brings in a skeleton of files and directories used by most  con‐
               sole tools:
 
               $ firejail --private-etc dig debian.org
 
-              For X11/GTK/QT/Gnome/KDE  programs add GUI group as a parameter.
-              Example:
+              For  X11/GTK/QT/Gnome/KDE   programs add @x11 group as a parame‐
+              ter. Example:
 
-              $ firejail --private-etc=GUI,python* gimp
+              $ firejail --private-etc=@x11,gcrypt,python* gimp
 
-              /etc/python* directories are not part of the generic GUI  group.
-              These directories are reuqired by Gimp plugin system. File glob‐
-              bing is supported.
+              gcrypt and /etc/python* directories are not part of the  generic
+              @x11 group.  File globbing is supported.
 
-              For games, add GAMES group:
+              For games, add @games group:
 
-              $ firejail --private-etc=GUI,GAMES warzone2100
+              $ firejail --private-etc=@games,@x11 warzone2100
 
-              Sound and networking files are  included  automatically,  unless
-              --nosound  or  --net=none  are  specified.   Files for encrypted
-              TLS/SSL protocol are in TLS-CA group.
+              Sound  and  networking  files are included automatically, unless
+              --nosound or --net=none  are  specified.   Files  for  encrypted
+              TLS/SSL protocol are in @tls-ca group.
 
-              $ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org
+              $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
 
               Note: The easiest way to extract the list of /etc files accessed
               by your program is using strace utility:

etc/profile-a-l/curl.profile

@@ -54,7 +54,7 @@ tracelog
 private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
-private-etc TLS-CA
+private-etc @tls-ca
 private-tmp
 
 dbus-user none

etc/profile-a-l/firefox-common.profile

@@ -60,7 +60,7 @@ disable-mnt
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 # Add it to your firefox-common.local if you want to enable it.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
-private-etc GUI,mailcap,mime.types,NETWORK,os-release,TLS-CA
+private-etc @tls-ca,@x11,mailcap,mime.types,os-release
 private-tmp
 
 blacklist ${PATH}/curl

etc/profile-a-l/gimp.profile

@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 
 private-dev
-private-etc gcrypt,GUI,python*
+private-etc @x11,gcrypt,python*
 private-tmp
 
 dbus-user none

etc/profile-a-l/inkscape.profile

@@ -54,7 +54,7 @@ tracelog
 # private-bin inkscape,potrace,python* - problems on Debian stretch
 private-cache
 private-dev
-private-etc ImageMagick*,inkscape: GUI,python*
+private-etc @x11,ImageMagick*,python*
 private-tmp
 
 dbus-user none

etc/profile-m-z/warzone2100.profile

@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin bash,dash,sh,warzone2100,which
 private-dev
-private-etc GAMES,GUI
+private-etc @games,@x11
 private-tmp
 
 restrict-namespaces

src/firejail/fs_etc.c

@@ -77,15 +77,15 @@ char *fs_etc_build(char *str) {
 		char* ptr = strtok(str, ",");
 		while (ptr) {
 			// look for standard groups
-			if (strcmp(ptr, "TLS-CA") == 0)
+			if (strcmp(ptr, "@tls-ca") == 0)
 				etc_copy_group(&etc_group_tls_ca[0]);
-			if (strcmp(ptr, "GUI") == 0)
-				etc_copy_group(&etc_group_gui[0]);
-			if (strcmp(ptr, "SOUND") == 0)
+			if (strcmp(ptr, "@x11") == 0)
+				etc_copy_group(&etc_group_x11[0]);
+			if (strcmp(ptr, "@sound") == 0)
 				etc_copy_group(&etc_group_sound[0]);
-			if (strcmp(ptr, "NETWORK") == 0)
+			if (strcmp(ptr, "@network") == 0)
 				etc_copy_group(&etc_group_network[0]);
-			if (strcmp(ptr, "GAMES") == 0)
+			if (strcmp(ptr, "@games") == 0)
 				etc_copy_group(&etc_group_games[0]);
 			else
 				etc_add(ptr);

src/include/etc_groups.h

@@ -23,7 +23,7 @@
 
 #define ETC_MAX 256
 
-// DEFAULT
+// @default
 static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
 	"alternatives",
 	"fonts",
@@ -42,7 +42,7 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
 	NULL
 };
 
-// SOUND
+// @sound
 static char *etc_group_sound[] = {
 	"alsa",
 	"asound.conf",
@@ -51,7 +51,7 @@ static char *etc_group_sound[] = {
 	NULL
 };
 
-// NETWORK
+// @network
 static char*etc_group_network[] = {
 	"hostname",
 	"hosts",
@@ -60,7 +60,7 @@ static char*etc_group_network[] = {
 	NULL
 };
 
-// TLS-CA
+// @tls-ca
 static char *etc_group_tls_ca[] = {
 	"ca-certificates",
 	"crypto-policies",
@@ -70,8 +70,8 @@ static char *etc_group_tls_ca[] = {
 	NULL
 };
 
-// GUI
-static char *etc_group_gui[] = {
+// @x11
+static char *etc_group_x11[] = {
 	"xdg",
 	"drirc",
 	"dconf",
@@ -80,10 +80,12 @@ static char *etc_group_gui[] = {
 	"kde4rc",
 	"kde5rc",
 	"pango", // text rendering/internationalization
+	"nvidia",
+	"X11",
 	NULL
 };
 
-// GAMES
+// @games
 static char *etc_group_games[] = {
 	"timidity", // MIDI
 	"timidity.cfg",

src/man/firejail.txt

@@ -2127,27 +2127,27 @@ cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random  shm  snd  sr0
 .br
 $
 .TP
-\fB\-\-private-etc, \-\-private-etc=file,directory
+\fB\-\-private-etc, \-\-private-etc=file,directory,@group
 The files installed by \-\-private-etc are copies of the original system files from /etc directory.
 By default, the command brings in a skeleton of files and directories used by most console tools:
 
 $ firejail --private-etc dig debian.org
 
-For X11/GTK/QT/Gnome/KDE  programs add GUI group as a parameter. Example:
+For X11/GTK/QT/Gnome/KDE  programs add @x11 group as a parameter. Example:
 
-$ firejail --private-etc=GUI,python* gimp
+$ firejail --private-etc=@x11,gcrypt,python* gimp
 
-/etc/python* directories are not part of the generic GUI group.
-These directories are reuqired by Gimp plugin system. File globbing is supported.
+gcrypt and /etc/python* directories are not part of the generic @x11 group.
+File globbing is supported.
 
-For games, add GAMES group:
+For games, add @games group:
 
-$ firejail --private-etc=GUI,GAMES warzone2100
+$ firejail --private-etc=@games,@x11 warzone2100
 
 Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified.
-Files for encrypted TLS/SSL protocol are in TLS-CA group.
+Files for encrypted TLS/SSL protocol are in @tls-ca group.
 
-$ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org
+$ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
 
 
 Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility: