Use whitelisting for video players (#3472)

* Use whitelisting for video players

See https://github.com/netblue30/firejail/pull/3469

* Update media player whitelists

See reviews at https://github.com/netblue30/firejail/pull/3472

Block $DOCUMENTS

Make $DESKTOP read-only

* Review fixes: include read-only Desktop in whitelist

1 files changed, 13 insertions, 3 deletions

diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index 0069ebeae..07a1b5fc0 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/vlc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +16,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.cache/vlc
+mkdir ${HOME}/.config/vlc
+mkdir ${HOME}/.local/share/vlc
+whitelist ${HOME}/.cache/vlc
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.local/share/vlc
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access