added akregator, kcalc and ktorrent profiles

7 files changed, 264 insertions, 190 deletions

diff --git a/README.md b/README.md
index 5a0be0a7b..06f7c1c6f 100644
--- a/README.md
+++ b/README.md
@@ -196,4 +196,4 @@ simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show,
 xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5,
 PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser,
 Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file,
-Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino
+Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, akregator, kcalc, ktorrent
diff --git a/etc/akregator.profile b/etc/akregator.profile
new file mode 100644
index 000000000..c99153450
--- /dev/null
+++ b/etc/akregator.profile
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/akregator.local
+
+################################
+# Generic GUI application profile
+################################
+noblacklist ${HOME}/.config/akregatorrc
+noblacklist ${HOME}/.local/share/akregator
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below: 
+#
+# nogroups
+# shell none
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
+
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 32adac298..fbe614b0d 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -21,6 +21,7 @@ blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Brackets
@@ -179,6 +180,7 @@ blacklist ${HOME}/.kde4/share/config/konqsidebartngrc
 blacklist ${HOME}/.kde4/share/config/konquerorrc
 blacklist ${HOME}/.kde4/share/config/okularpartrc
 blacklist ${HOME}/.kde4/share/config/okularrc
+blacklist ${HOME}/.kde4/share/config/ktorrentrc
 blacklist ${HOME}/.kde/share/apps/gwenview
 blacklist ${HOME}/.kde/share/apps/kcookiejar
 blacklist ${HOME}/.kde/share/apps/khtml
@@ -196,6 +198,7 @@ blacklist ${HOME}/.kde/share/config/konqsidebartngrc
 blacklist ${HOME}/.kde/share/config/konquerorrc
 blacklist ${HOME}/.kde/share/config/okularpartrc
 blacklist ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde/share/config/ktorrentrc
 blacklist ${HOME}/.killingfloor
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
@@ -207,6 +210,7 @@ blacklist ${HOME}/.local/.share/maps-places.json
 blacklist ${HOME}/.local/lib/python2.7/site-packages
 blacklist ${HOME}/.local/share/0ad
 blacklist ${HOME}/.local/share/3909/PapersPlease
+blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/QuiteRss
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
new file mode 100644
index 000000000..88f84fdf6
--- /dev/null
+++ b/etc/kcalc.profile
@@ -0,0 +1,29 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kcalc.local
+
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below: 
+#
+private
+nogroups
+shell none
+# private-bin program
+# private-etc none
+private-dev
+private-tmp
+
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
new file mode 100644
index 000000000..f1a5d995d
--- /dev/null
+++ b/etc/ktorrent.profile
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ktorrent.local
+
+################################
+# Generic GUI application profile
+################################
+blacklist ${HOME}/.kde/share/config/ktorrentrc
+blacklist ${HOME}/.kde4/share/config/ktorrentrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below: 
+#
+nogroups
+shell none
+# private-bin program
+# private-etc none
+private-dev
+# private-tmp
+
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 011f52657..4169184df 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -268,3 +268,6 @@
 /etc/firejail/engrampa.profile
 /etc/firejail/scribus.profile
 /etc/firejail/mediathekview.profile
+/etc/firejail/akregator.profile
+/etc/firejail/kcalc.profile
+/etc/firejail/ktorrent.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 21c9ceec1..2569c36ef 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,245 +1,223 @@
 # /usr/lib/firejail/firecfg.config - firecfg utility configuration file
-# This is the list of programs handled by firecfg utility
+# This is the list of programs in alfabetical order handled by firecfg utility
 #
-
-# astronomy
-gpredict
-stellarium
-
-# bittorrent/ftp
-deluge
-dropbox
-filezilla
-qbittorrent
-rtorrent
-transmission-gtk
-transmission-qt
-transmission-cli
-transmission-show
-uget-gtk
-youtube-dl
-
-# browsers/email
-abrowser
-brave
-chromium
-chromium-browser
-claws-mail
-conkeror
-cyberfox
-firefox
-firefox-esr
-flashpeak-slimjet
-epiphany
-dillo
-google-chrome
-google-chrome-beta
-google-chrome-stable
-google-chrome-unstable
-iceweasel
-icecat
-icedove
-inox
-iridium
-iridium-browser
-kmail
-midori
-mutt
-netsurf
-nylas
-opera-beta
-opera
-palemoon
-qutebrowser
-start-tor-browser
-seamonkey
-seamonkey-bin
-thunderbird
-vivaldi
-vivaldi-beta
-vivaldi-stable
-evolution
-elinks
-lynx
-w3m
-
-# chat/messaging
-bitlbee
-corebird
-# Cryptocat is added but commented since isn't installed to a */bin... keep an eye on this
-dino
-empathy
-gajim
-gitter
-hexchat
-jitsi
-konversation
-mumble
-pidgin
-polari
-psi-plus
-qtox
-quassel
-skype
-skypeforlinux
-slack
-telegram
-weechat
-weechat-curses
-wire
-xchat
-
-# dns
-dnscrypt-proxy
-dnsmasq
-unbound
-
-# emulators/compatibility layers
-mupen64plus
-wine
-dosbox
-virtualbox
-qemu-launcher
-#qemu-system-x86_64
-
-# games
 0ad
-gnome-2048
-gnome-chess
-hedgewars
-multimc5
-steam
-wesnot
-warzone2100
-xonotic-glx
-xonotic-sdl
-
-# Media
+abrowser
+akregator
 amarok
+arduino
+ark
+atom
+atom-beta
+atool
+atril
 audacious
 audacity
+aweather
+baloo_file
+bibletime
+bitlbee
 bleachbit
+bless
 brasero
+brave
+cherrytree
+chromium
+chromium-browser
+claws-mail
 clementine
 cmus
+conkeror
+corebird
+# Cryptocat is added but commented since isn't installed to a */bin... keep an eye on this
 cvlc
+cyberfox
 deadbeef
+deluge
+dillo
+dino
 display
+dnscrypt-proxy
+dnsmasq
 dolphin
+dosbox
 dragon
+dropbox
+elinks
+empathy
+eog
+eom
+epiphany
+evince
+evolution
 exiftool
+fbreader
 feh
+file-roller
+filezilla
+firefox
+firefox-esr
+flashpeak-slimjet
+flowblade
+gajim
+gedit
 geeqie
+gimp
+gitter
 gjs
+gnome-2048
 gnome-books
+gnome-calculator
+gnome-chess
 gnome-clocks
-gnome-photos
 gnome-documents
 gnome-maps
 gnome-mplayer
 gnome-music
+gnome-photos
+gnome-weather
 goobox
+google-chrome
+google-chrome-beta
+google-chrome-stable
+google-chrome-unstable
 google-play-music-desktop-player
 gpicview
-img2txt
-k3b
-kodi
-lollypop
-mediainfo
-mediathekview
-mpv
-nautilus
-parole
-pithos
-rhythmbox
-simple-scan
-skanlite
-spotify
-totem
-viewnior
-vlc
-xfburn
-xmms
-xplayer
-xviewer
-eom
-
-# news readers
-quiterss
-
-# office
-atril
-cherrytree
-evince
-fbreader
-gedit
-gimp
+gpredict
 gthumb
 gwenview
+hedgewars
+hexchat
 highlight
+icecat
+icedove
+iceweasel
+img2txt
 inkscape
+inox
+iridium
+iridium-browser
+jd-gui
+jitsi
+k3b
 kate
+kcalc
+keepass
+keepass2
+keepassx
+keepassx2
+keepassxc
+kmail
+kodi
+konversation
+ktorrent
 libreoffice
 localc
 lodraw
 loffice
 lofromtemplate
 loimpress
+lollypop
 lomath
 loweb
 lowriter
 luminance-hdr
-mupdf
-pdfsam
-qpdfview
-scribus
-soffice
-synfigstudio
-Mathematica
+lynx
 mathematica
+Mathematica
+mediainfo
+mediathekview
+meld
+midori
+mousepad
+mpv
+multimc5
+mumble
+mupdf
+mupen64plus
+mutt
+nautilus
+netsurf
+nylas
 odt2txt
 okular
+openshot
+opera
+opera-beta
+palemoon
+parole
+pdfsam
 pdftotext
+pidgin
+pithos
 pix
-xpdf
-xreader
-zathura
-openshot
-flowblade
-eog
-
-# other
-arduino
-atom
-atom-beta
-baloo_file
-bless
-bibletime
-gnome-calculator
-jd-gui
-keepass
-keepass2
-keepassx
-keepassx2
-keepassxc
-meld
-mousepad
 pluma
+polari
+psi-plus
+qbittorrent
+qemu-launcher
+#qemu-system-x86_64
+qpdfview
+qtox
+quassel
+quiterss
+qutebrowser
 ranger
+rhythmbox
+rtorrent
+scribus
+seamonkey
+seamonkey-bin
+simple-scan
+skanlite
+skype
+skypeforlinux
+slack
+soffice
+spectacle
+spotify
 ssh
-Thunar
+start-tor-browser
+steam
+stellarium
+synfigstudio
+telegram
 thunar
+Thunar
+thunderbird
+totem
 tracker
+transmission-cli
+transmission-gtk
+transmission-qt
+transmission-show
+uget-gtk
+unbound
+viewnior
 viking
+virtualbox
+vivaldi
+vivaldi-beta
+vivaldi-stable
+vlc
+w3m
+warzone2100
+weechat
+weechat-curses
+wesnot
+wine
+wire
 wireshark
-xiphos
+xchat
 xed
-
-# weather/climate
-aweather
-gnome-weather
-
-# compressing tools
-ark
-atool
-file-roller
+xfburn
+xiphos
+xmms
+xonotic-glx
+xonotic-sdl
+xpdf
+xplayer
+xreader
+xviewer
+youtube-dl
+zathura