profile enhancements (mostly novideo)

57 files changed, 79 insertions, 28 deletions

diff --git a/etc/amarok.profile b/etc/amarok.profile
index e10cfbefe..478d5285c 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -17,6 +17,7 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 # seccomp
 shell none
diff --git a/etc/audacious.profile b/etc/audacious.profile
index eddc100ca..bd2367fe0 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -24,8 +24,10 @@ seccomp
 shell none
 tracelog
 
-private-bin audacious
+# private-bin audacious
 private-dev
 private-tmp
 
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index bc045fb77..4ab49163b 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -22,6 +22,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/cmus.profile b/etc/cmus.profile
index cf0830475..2d6f2454b 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -17,6 +17,7 @@ netfilter
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/cpio.profile b/etc/cpio.profile
index f082d2e40..4122e2c92 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -22,6 +22,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 seccomp
 shell none
 tracelog
diff --git a/etc/curl.profile b/etc/curl.profile
index af7eabf59..972bbe9cc 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/cvlc.profile b/etc/cvlc.profile
index e0d32da0f..f095f487e 100644
--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -5,29 +5,8 @@ include /etc/firejail/cvlc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.config/vlc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-# nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
 # clvc doesn't like private-bin
-# private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
-private-dev
-private-tmp
+ignore private-bin
 
-# mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/vlc.profile
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index d82efef04..7d48905ee 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -17,6 +17,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
 private
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index bf52a5d8a..0893dff35 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -20,6 +20,7 @@ nodvd
 nonewprivs
 nosound
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
index bec2960f1..fa9b26e82 100644
--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/enchant.profile b/etc/enchant.profile
index a7b549a4c..b7034b937 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/evolution.profile b/etc/evolution.profile
index 2f7f25ff8..9f29b229b 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 565212161..75e5be1b9 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index 19d45a1d8..01da2cafe 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/feh.profile b/etc/feh.profile
index 61b456e34..7935b1354 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -13,17 +13,19 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 
-private-bin feh
+private-bin feh,jpegexiforient,jpegtran
 private-dev
 private-etc feh
 private-tmp
diff --git a/etc/file.profile b/etc/file.profile
index 9a4dba7ef..f3b08e34b 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -30,3 +30,7 @@ x11 none
 private-bin file
 private-dev
 private-etc magic.mgc,magic,localtime
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 63bfd1e0d..866aaabca 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 619fa1562..1bd45ebd1 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -10,7 +10,11 @@ noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.config/qpdfview
 noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularpartrc
+noblacklist ~/.kde/share/config/okularrc
 noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde4/share/config/okularpartrc
+noblacklist ~/.kde4/share/config/okularrc
 noblacklist ~/.local/share/gnome-shell/extensions
 noblacklist ~/.local/share/okular
 noblacklist ~/.local/share/qpdfview
@@ -34,7 +38,11 @@ whitelist ~/.config/pipelight-silverlight5.1
 whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/qpdfview
 whitelist ~/.kde/share/apps/okular
+whitelist ~/.kde/share/config/okularpartrc
+whitelist ~/.kde/share/config/okularrc
 whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde4/share/config/okularpartrc
+whitelist ~/.kde4/share/config/okularrc
 whitelist ~/.keysnail.js
 whitelist ~/.lastpass
 whitelist ~/.local/share/gnome-shell/extensions
@@ -66,7 +74,6 @@ tracelog
 
 # private-bin firefox,which,sh,dbus-launch,dbus-send,env
 private-dev
-# private-dev might prevent video calls going out
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-tmp
 
diff --git a/etc/galculator.profile b/etc/galculator.profile
index a2e855656..37f147f0f 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index c9f9d0074..a50fd4370 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/git.profile b/etc/git.profile
index 92bf66b92..14fb55118 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 4921fb0c4..6547c73df 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/gpa.profile b/etc/gpa.profile
index 58dfcd3e1..8d721e2c0 100644
--- a/etc/gpa.profile
+++ b/etc/gpa.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 13bceaa5a..8fd2ce232 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/gpg.profile b/etc/gpg.profile
index d99afdfe2..8c39f85e3 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 63ad07894..287e214e1 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile
index 7713f216f..14662443c 100644
--- a/etc/guayadeque.profile
+++ b/etc/guayadeque.profile
@@ -18,6 +18,7 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 3f6ecec2c..0f04953d8 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -14,6 +14,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
 
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index bd454a2c8..943350484 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/lynx.profile b/etc/lynx.profile
index db01a5b8f..d54bed564 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index d6a55610f..e502269f7 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index c7bb458df..62527c17d 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 # seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index 9f3be0d27..4937df51f 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -26,4 +26,5 @@ nodvd
 nonewprivs
 noroot
 notv
+novideo
 seccomp
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 206edefae..aafa3d75d 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -44,6 +44,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/nylas.profile b/etc/nylas.profile
index 5d84d1326..d96c6b0d4 100644
--- a/etc/nylas.profile
+++ b/etc/nylas.profile
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index da2d03635..e8c2d54c7 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/pix.profile b/etc/pix.profile
index ed9298727..5440e4634 100644
--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -22,6 +22,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index ea635ab6e..86db5c26c 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -35,6 +35,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 # shell none
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 7d69f38f9..2d1df0f72 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -32,3 +32,5 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index a44d99e5b..c18a1b06c 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -18,6 +18,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/tar.profile b/etc/tar.profile
index 34a4f34d6..f14894c25 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -15,6 +15,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
 
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 5752c96f3..c7446ed68 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index c4bf7a08d..0bb721c64 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 5351a1efa..08964bbab 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 130defc8e..0b09bffcb 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index 877ad635b..56ff4f886 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/unbound.profile b/etc/unbound.profile
index c1cb86893..4775a450d 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -17,6 +17,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
 private
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 6a3ac5527..12559a721 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -15,6 +15,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
 
diff --git a/etc/unzip.profile b/etc/unzip.profile
index bb30d74cd..9828fa9b4 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -15,6 +15,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
 
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 192d13f80..b30cbaa2a 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -13,6 +13,7 @@ net none
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
 
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index a02845885..af4a2d655 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -19,12 +19,14 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -34,3 +36,7 @@ private-bin viewnior
 private-dev
 private-etc fonts
 private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/vim.profile b/etc/vim.profile
index 7b5566f5b..97ed06d96 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -20,5 +20,6 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/w3m.profile b/etc/w3m.profile
index b25e19135..0d3037b26 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 38e568860..5a07d4b74 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/xmms.profile b/etc/xmms.profile
index d2e6eddac..717c81fd0 100644
--- a/etc/xmms.profile
+++ b/etc/xmms.profile
@@ -18,6 +18,7 @@ no3d
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/xreader.profile b/etc/xreader.profile
index dd09c8a92..c02b9a014 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -30,7 +30,7 @@ tracelog
 
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-# private-etc fonts
+# private-etc fonts,ld.so.cache
 # xreader needs access to /tmp/mozilla* to work in firefox
 # private-tmp
 
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 7f21f5d2f..d5c4ac6f0 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -14,6 +14,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog