file managers refactoring (#3375)

* refactor caja.profile

* refactor dolphin.profile

* Create file-manager-common.profile

* refactor nautilus.profile

* refactor nemo.profile

* refactor pcmanfm.profile

* refactor ranger.profile

* refactor Thunar.profile

3 files changed, 55 insertions, 62 deletions

diff --git a/etc/profile-a-l/caja.profile b/etc/profile-a-l/caja.profile
index 7bf901ae3..1af102ca8 100644
--- a/etc/profile-a-l/caja.profile
+++ b/etc/profile-a-l/caja.profile
@@ -9,35 +9,7 @@ include globals.local
 # Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
 # is already a caja process running on MATE desktops firejail will have no effect.
 
-noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.config/caja - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.local/share/caja-python
+# Put 'ignore noroot' in your caja.local if you use MPV+Vulkan (see issue #3012)
 
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-
-allusers
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# caja needs to be able to start arbitrary applications so we cannot blacklist their files
-# private-bin caja
-# private-dev
-# private-tmp
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-a-l/dolphin.profile b/etc/profile-a-l/dolphin.profile
index d264470af..e0300a577 100644
--- a/etc/profile-a-l/dolphin.profile
+++ b/etc/profile-a-l/dolphin.profile
@@ -6,37 +6,9 @@ include dolphin.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/dolphinrc
-# noblacklist ${HOME}/.local/share/dolphin
+# Put 'ignore noroot' in your dolphin.local if you use MPV+Vulkan (see issue #3012)
 
-# Allow lua (blacklisted by disable-interpreters.inc)
-include allow-lua.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
-# include disable-programs.inc
-
-allusers
-caps.drop all
-# net none
-netfilter
-nodvd
-nogroups
-nonewprivs
-# Comment the next line (or put 'ignore noroot' in your dolphin.local) if you use MPV+Vulkan (see issue #3012)
-noroot
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-dev
-# private-tmp
+# Redirect
+include file-manager-common.profile
 
 join-or-start dolphin
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
new file mode 100644
index 000000000..8551e713d
--- /dev/null
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -0,0 +1,49 @@
+# Firejail profile for file managers
+# Description: Common profile for GUI file managers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include file-manager-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# File managers need to be able to see everything under ${HOME}
+# and be able to start arbitrary applications
+
+ignore noexec ${HOME}
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow perl
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+allusers
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+
+#dbus-user none
+#dbus-system none