new profile: gemini (#6936)

https://github.com/google-gemini/gemini-cli

README

@@ -161,6 +161,7 @@ Amin Vakil (https://github.com/aminvakil)
 	- added profile for strawberry
 	- w3m profile fix
 	- disable seccomp in wireshark profile
+	- new profile: gemini (#6936)
 Ammon Smith (https://github.com/ammongit)
 	- Add DBus filter rules specific to firefox-developer-edition
 Andreas Hunkeler (https://github.com/Karneades)

RELNOTES

@@ -12,6 +12,7 @@ firejail (0.9.81) baseline; urgency=low
   * profiles: disable-exec: add mount paths (#7112)
   * profiles: mumble: include whitelist-runuser-common (#7084)
   * profiles: disable-common: add xfce clipman path (#7120)
+  * new profile: gemini (#6936)
 -- netblue30 <netblue30@yahoo.com>  Sat, 14 Mar 2026 08:00:00 -0500
 
 firejail (0.9.80) baseline; urgency=low

etc/inc/disable-programs.inc

@@ -784,6 +784,7 @@ blacklist ${HOME}/.g8
 blacklist ${HOME}/.gallery-dl.conf
 blacklist ${HOME}/.gdfuse
 blacklist ${HOME}/.geekbench5
+blacklist ${HOME}/.gemini
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig

etc/profile-a-l/gemini.profile

@@ -0,0 +1,72 @@
+# Firejail profile for gemini
+# Description: An open-source AI agent that brings the power of Gemini directly into your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gemini.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gemini
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-x11.inc
+include disable-xdg.inc
+
+# Add the following lines to gemini.local to enable whitelisting in `${HOME}`.
+#whitelist ${HOME}/.config/git
+#whitelist ${HOME}/.gemini
+#whitelist ${HOME}/.git-credential-cache
+#whitelist ${HOME}/.git-credentials
+#whitelist ${HOME}/.gitconfig
+#include whitelist-common.inc
+
+whitelist ${RUNUSER}/openssh_agent
+include whitelist-run-common.inc
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc @network,@tls-ca
+private-tmp
+
+dbus-user none
+dbus-system none
+
+env NO_BROWSER=true
+restrict-namespaces