Merge branch 'master' into whitelist-ro

8 files changed, 138 insertions, 1 deletions

diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile
new file mode 100644
index 000000000..7a14d9464
--- /dev/null
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -0,0 +1,56 @@
+# Firejail profile for Cachy-Browser
+# Description: Librewolf fork based on enhanced privacy with gentoo patchset
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cachy-browser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cachy
+noblacklist ${HOME}/.cachy
+
+mkdir ${HOME}/.cache/cachy
+mkdir ${HOME}/.cachy
+whitelist ${HOME}/.cache/cachy
+whitelist ${HOME}/.cachy
+
+# Add the next lines to your cachy-browser.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local.
+# NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+
+# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
+#private-bin dbus-launch,dbus-send,cachy-browser,sh
+# Add the next line to your cachy-browser.local to enable private-etc.
+# NOTE: private-etc must first be enabled in firefox-common.local.
+#private-etc cachy-browser
+
+dbus-user filter
+dbus-user.own org.mozilla.cachybrowser.*
+# Add the next line to your cachy-browser.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your cachy-browser.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your cachy-browser.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your cachy-browser.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your cachy-browser.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
+#ignore noroot
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 7bfb61688..2992a2d6f 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -53,6 +53,9 @@ private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
 dbus-system none
 
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index f3c77fa77..084f0ccad 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -6,10 +6,14 @@ include clipgrab.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/ClipGrab
 noblacklist ${HOME}/.config/Philipp Schmieder
 noblacklist ${HOME}/.pki
 noblacklist ${VIDEOS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/com.github.tchx84.Flatseal.profile b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
new file mode 100644
index 000000000..a095104f0
--- /dev/null
+++ b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
@@ -0,0 +1,65 @@
+# Firejail profile for flatseal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.tchx84.Flatseal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/flatpak/overrides
+noblacklist /var/lib/flatpak/app
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/flatpak/overrides
+whitelist ${HOME}/.local/share/flatpak/overrides
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.tchx84.Flatseal,gjs
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.tchx84.Flatseal
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.impl.portal.PermissionStore
+dbus-user.talk org.gnome.Software
+dbus-system none
+
+read-write ${HOME}/.local/share/flatpak/overrides
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index b1a9550f1..3c5a64215 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -32,7 +32,7 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 seccomp.block-secondary
 shell none
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
index 5a29eb24b..a3596bb5e 100644
--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -9,6 +9,9 @@ include globals.local
 
 noblacklist ${HOME}/.elinks
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 mkdir ${HOME}/.elinks
 whitelist ${HOME}/.elinks
 
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index ef647b5a0..e7d438b46 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -59,6 +59,9 @@ disable-mnt
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+
 # 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
 # Gnome connector, KDE connect and power management on KDE Plasma.
 dbus-user none
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
index 0145f7ceb..97f190723 100644
--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -8,6 +8,9 @@ include globals.local
 
 blacklist ${RUNUSER}
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc