Merge remote-tracking branch 'upstream/master'

author: hawkeye116477 <hawkeye116477@gmail.com> 2017-06-22 19:26:28 +0200
committer: hawkeye116477 <hawkeye116477@gmail.com> 2017-06-22 19:26:28 +0200
commit: 4ccb35df264267e00c38953f93dddd1dc9581fa5 (patch)
tree: 0700fd4306ef514d8f28ce11138c1a1ff1a29c87 /etc
parent: Update profile for Cyberfox (diff)
parent: Merge pull request #1343 from BafDyce/fix-example-typo (diff)
download: firejail-4ccb35df264267e00c38953f93dddd1dc9581fa5.tar.gz
firejail-4ccb35df264267e00c38953f93dddd1dc9581fa5.tar.zst
firejail-4ccb35df264267e00c38953f93dddd1dc9581fa5.zip
69 files changed, 372 insertions, 45 deletions
diff --git a/etc/0ad.profile b/etc/0ad.profile
index 596cb845a..e946c1418 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -29,6 +29,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/7z.profile b/etc/7z.profile
index f36735303..c7c857dc8 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/7z.local
 # 7zip crompression tool profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
@@ -15,6 +15,8 @@ blacklist /tmp/.X11-unix
 tracelog
 net none
+nosound
+novideo
 shell none
 private-dev
 nosound
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
index 5a42e28e8..367aa5672 100644
--- a/etc/atom-beta.profile
+++ b/etc/atom-beta.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/atom.profile b/etc/atom.profile
index fc9e49eab..726682617 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/atool.profile b/etc/atool.profile
index 3f4b60312..a66b4b1c5 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -16,6 +16,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
diff --git a/etc/atril.profile b/etc/atril.profile
index a9199f512..0abad494a 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -18,6 +18,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 67b625f2b..5b38d84e8 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -21,6 +21,7 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/aweather.profile b/etc/aweather.profile
index 73bf1cc5a..9d8e336cd 100644
--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 9caef7508..2fe6d1927 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 9b205456a..2162151a1 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -29,6 +29,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index 40c7a5c83..345dd119a 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/bless.profile b/etc/bless.profile
index 436c06a15..c9ccfc02e 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -28,6 +28,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/brasero.profile b/etc/brasero.profile
index ac9ea8a7c..d013e0b8e 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -20,9 +20,9 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/calibre.profile b/etc/calibre.profile
new file mode 100644
index 000000000..b75e0c276
--- /dev/null
+++ b/etc/calibre.profile
@@ -0,0 +1,35 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/calibre.local
+noblacklist ~/.config/calibre
+noblacklist ~/.cache/calibre
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+#private-bin
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/catfish.profile b/etc/catfish.profile
new file mode 100644
index 000000000..0deaca1b5
--- /dev/null
+++ b/etc/catfish.profile
@@ -0,0 +1,32 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/catfish.local
+# Firejail profile for catfish
+noblacklist ~/.config/catfish
+# We can't blacklist much since catfish
+# is for finding files/content
+include /etc/firejail/disable-devel.inc
+caps.drop all
+net none
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# These options work but are disabled in case
+# a users wants to search in these directories.
+#private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m
+#private-dev
+#private-tmp
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 258be50d6..0ac71ca3c 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 seccomp
 protocol unix,inet,inet6,netlink
 tracelog
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 7e73634ec..2728bf74a 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -34,7 +34,7 @@ nogroups
 shell none
 private-dev
-private-tmp
+#private-tmp - problems with multiple browser sessions
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 0f585e43e..ccacc632d 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 # Clementine makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
diff --git a/etc/clipit.profile b/etc/clipit.profile
index cd744a022..b671b253b 100644
--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -15,6 +15,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/cpio.profile b/etc/cpio.profile
index f38e0a6ce..fe1dc0408 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -8,7 +9,6 @@ include /etc/firejail/cpio.local
 # cpio profile
 # /sbin and /usr/sbin are visible inside the sandbox
 # /boot is not visible and /var is heavily modified
-quiet
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
diff --git a/etc/curl.profile b/etc/curl.profile
new file mode 100644
index 000000000..58b5f050a
--- /dev/null
+++ b/etc/curl.profile
@@ -0,0 +1,35 @@
+quiet
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/curl.local
+# curl profile
+noblacklist ~/.curlrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+blacklist /tmp/.X11-unix
+# private-bin curl
+private-dev
+# private-etc resolv.conf
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 8d50dedda..486df1d99 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -20,6 +20,7 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/deluge.profile b/etc/deluge.profile
index db2d339c7..4e7d90e53 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -24,6 +24,7 @@ netfilter
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/dia.profile b/etc/dia.profile
index fc564b96d..4e009afd7 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -14,6 +14,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/digikam.profile b/etc/digikam.profile
new file mode 100644
index 000000000..fd19953a0
--- /dev/null
+++ b/etc/digikam.profile
@@ -0,0 +1,33 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/digikam.local
+noblacklist ${HOME}/.kde4/share/apps/digikam
+noblacklist ${HOME}/.kde/share/apps/digikam
+noblacklist ${HOME}/.config/digikamrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+# This is a seccomp whitelist profile for  Debian jessie, Kubuntu 17.04.
+# Uncomment seccomp.keep line and try it out. By default only the regular seccomp blacklist profile is enabled.
+#seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
+seccomp
+nogroups
+shell none
+# private-bin program
+# private-etc none
+# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
+private-tmp
diff --git a/etc/dino.profile b/etc/dino.profile
index a979cad7c..6d63e894e 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index af0bbfce6..7a3ca37ed 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -62,6 +62,8 @@ blacklist ${HOME}/.config/borg
 blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/caja
+blacklist ${HOME}/.config/calibre
+blacklist ${HOME}/.config/catfish
 blacklist ${HOME}/.config/cherrytree
 blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/chromium-dev
@@ -71,6 +73,7 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
+blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
 blacklist ${HOME}/.config/enchant
@@ -85,11 +88,12 @@ blacklist ${HOME}/.config/galculator
 blacklist ${HOME}/.config/geany
 blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/gedit
+blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
-blacklist ${HOME}./config/gpicview
+blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
@@ -103,6 +107,7 @@ blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
+blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/lximage-qt
@@ -136,6 +141,7 @@ blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/stellarium
 blacklist ${HOME}/.config/synfig
@@ -166,6 +172,7 @@ blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dosbox
@@ -200,6 +207,7 @@ blacklist ${HOME}/.kde4/share/apps/okular
 blacklist ${HOME}/.kde4/share/config/baloofilerc
 blacklist ${HOME}/.kde4/share/config/baloorc
 blacklist ${HOME}/.kde4/share/config/gwenviewrc
+blacklist ${HOME}/.kde4/share/config/digikam
 blacklist ${HOME}/.kde4/share/config/k3brc
 blacklist ${HOME}/.kde4/share/config/kcookiejarrc
 blacklist ${HOME}/.kde4/share/config/khtmlrc
@@ -217,6 +225,7 @@ blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
 blacklist ${HOME}/.kde/share/config/baloorc
+blacklist ${HOME}/.kde/share/config/digikam
 blacklist ${HOME}/.kde/share/config/gwenviewrc
 blacklist ${HOME}/.kde/share/config/k3brc
 blacklist ${HOME}/.kde/share/config/kcookiejarrc
@@ -253,7 +262,7 @@ blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/data/Mumble
-blacklist ${HOME}./local/share/dino
+blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
@@ -265,6 +274,7 @@ blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/kate
+blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/multimc5
@@ -298,6 +308,7 @@ blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.mozilla
 blacklist ${HOME}/.mpdconf
+blacklist ${HOME}/.mplayer
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.mutt
@@ -332,6 +343,7 @@ blacklist ${HOME}/.vst
 blacklist ${HOME}/.w3m
 blacklist ${HOME}/.warzone2100-3.*
 blacklist ${HOME}/.weechat
+blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wine64
 blacklist ${HOME}/.xiphos
@@ -350,6 +362,7 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/calibre
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/qupzilla
diff --git a/etc/dragon.profile b/etc/dragon.profile
index 661f663c3..d099f1d9d 100644
--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -18,6 +18,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+novideo
 shell none
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index e0097a8ea..19076704b 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile
new file mode 100644
index 000000000..ba28e3550
--- /dev/null
+++ b/etc/ebook-viewer.profile
@@ -0,0 +1,10 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ebook-viewer.local
+# Firejail profile for ebook-viewer (Calibre)
+include /etc/firejail/calibre.profile
+net none
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 76a7e6b94..597e43fb8 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -14,11 +14,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
-no3d
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index f409a8dd4..081a5f6b0 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -16,6 +16,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
diff --git a/etc/eog.profile b/etc/eog.profile
index 447a41a86..1b9926ec9 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -24,6 +24,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/eom.profile b/etc/eom.profile
index d2622ebcf..b5eedd989 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/evince.profile b/etc/evince.profile
index 51ed3fbf3..6719244da 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/file.profile b/etc/file.profile
index a757dce5a..915bf1088 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/file.local
 # file profile
-quiet
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 9d047db97..70b41a240 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -13,7 +13,10 @@ noblacklist ~/.local/share/qpdfview
 noblacklist ~/.kde4/share/apps/okular
 noblacklist ~/.kde/share/apps/okular
 noblacklist ~/.local/share/okular
+noblacklist ~/.config/okularpartrc
+noblacklist ~/.config/okularrc
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -48,6 +51,8 @@ whitelist ~/.pki
 whitelist ~/.lastpass
 whitelist ~/.config/qpdfview
 whitelist ~/.local/share/qpdfview
+whitelist ~/.config/okularrc
+whitelist ~/.config/okularpartrc
 whitelist ~/.kde4/share/apps/okular
 whitelist ~/.kde/share/apps/okular
 whitelist ~/.local/share/okular
diff --git a/etc/ghb.profile b/etc/ghb.profile
new file mode 100644
index 000000000..2068c3136
--- /dev/null
+++ b/etc/ghb.profile
@@ -0,0 +1,9 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ghb.local
+# HandBrake
+include /etc/firejail/handbrake.profile
diff --git a/etc/gimp-2.8.profile b/etc/gimp-2.8.profile
index 1902fac72..ce6cee7a5 100644
--- a/etc/gimp-2.8.profile
+++ b/etc/gimp-2.8.profile
@@ -1,4 +1,8 @@
 # Persistent global definitions go here
 include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gimp-2.8.local
 include /etc/firejail/gimp.profile
diff --git a/etc/git.profile b/etc/git.profile
index a8e7bf882..5fa3ef95e 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/git.local
 # git profile
-quiet
 noblacklist ~/.gitconfig
 noblacklist ~/.ssh
 noblacklist ~/.gnupg
diff --git a/etc/gtar.profile b/etc/gtar.profile
index cd15b7156..9a4325082 100644
--- a/etc/gtar.profile
+++ b/etc/gtar.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,5 +7,4 @@ include /etc/firejail/globals.local
 include /etc/firejail/gtar.local
 # gtar profile
-quiet
 include /etc/firejail/tar.profile
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 2ba4e0b58..5a2a5d26e 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/gzip.local
 # gzip profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile
new file mode 100644
index 000000000..a162352de
--- /dev/null
+++ b/etc/handbrake-gtk.profile
@@ -0,0 +1,9 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/handbrake-gtk.local
+# HandBrake
+include /etc/firejail/handbrake.profile
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
new file mode 100644
index 000000000..0f3f32250
--- /dev/null
+++ b/etc/handbrake.profile
@@ -0,0 +1,30 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/handbrake.local
+noblacklist ~/.config/ghb
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+# netlink required!
+protocol unix,inet,inet6,netlink
+seccomp
+#
+# depending on your usage, you can enable some of the commands below:
+#
+nogroups
+shell none
+# private-bin program
+# private-etc none
+#private-dev
+private-tmp
+nosound
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 9aeed0057..34e260f8f 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+machine-id
 net none
 no3d
 nogroups
@@ -28,8 +29,8 @@ seccomp
 shell none
 tracelog
-private-bin keepassx
+private-bin keepassx,keepassx2
-private-etc fonts
+private-etc fonts,machine-id
 private-dev
 private-tmp
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index 5b7e5e667..59c2827cd 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -8,6 +8,8 @@ include /etc/firejail/ktorrent.local
 ################################
 # Generic GUI application profile
 ################################
+noblacklist ~/.config/ktorrentrc
+noblacklist ~/.local/share/ktorrent
 noblacklist ~/.kde/share/config/ktorrentrc
 noblacklist ~/.kde4/share/config/ktorrentrc
 noblacklist ~/.kde/share/apps/ktorrent
@@ -16,7 +18,10 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+mkfile ~/.config/ktorrentrc
+whitelist ~/.config/ktorrentrc
+mkdir ~/.local/share/ktorrent
+whitelist ~/.local/share/ktorrent
 mkdir ~/.kde/share/config/ktorrentrc
 whitelist ~/.kde/share/config/ktorrentrc
 mkdir ~/.kde4/share/config/ktorrentrc
diff --git a/etc/less.profile b/etc/less.profile
index 273b47a7a..dd63d3e2e 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/less.local
 # less profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
diff --git a/etc/mate-calculator.profile b/etc/mate-calculator.profile
index 67a9f244e..acc687b81 100644
--- a/etc/mate-calculator.profile
+++ b/etc/mate-calculator.profile
@@ -1,4 +1,8 @@
 # Persistent global definitions go here
 include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mate-calculator.local
 #include /etc/firejail/mate-calc.profile
diff --git a/etc/mplayer.profile b/etc/mplayer.profile
new file mode 100644
index 000000000..879223e1a
--- /dev/null
+++ b/etc/mplayer.profile
@@ -0,0 +1,31 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mplayer.local
+# mplayer profile
+noblacklist ${HOME}/.mplayer
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+#ipc-namespace
+netfilter
+# nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
+private-bin mplayer
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 1fe0a1f63..97bd2b0b1 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -6,7 +6,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/qpdfview.local
 # qpdfview profile
-noblacklist ${HOME}./config/qt5ct
+noblacklist ${HOME}/.config/qt5ct
 noblacklist ${HOME}/.config/qpdfview
 noblacklist ${HOME}/.local/share/qpdfview
diff --git a/etc/server.profile b/etc/server.profile
index 31a81b88f..2d79fa1c8 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -18,6 +18,7 @@ blacklist /tmp/.X11-unix
 no3d
 nosound
 seccomp
+caps
 private
 private-dev
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
new file mode 100644
index 000000000..6a5c115b7
--- /dev/null
+++ b/etc/smplayer.profile
@@ -0,0 +1,32 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/smplayer.local
+# smplayer profile
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.mplayer
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+#ipc-namespace
+netfilter
+# nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
+private-bin smplayer,mplayer
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index bbb0baade..ab47067f1 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/ssh-agent.local
 # ssh-agent
-quiet
 noblacklist ~/.ssh
 noblacklist /tmp/ssh-*
 noblacklist /etc/ssh
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 7ea78535d..e592841a1 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/ssh.local
 # ssh client
-quiet
 noblacklist ~/.ssh
 noblacklist /tmp/ssh-*
 noblacklist /etc/ssh
diff --git a/etc/strings.profile b/etc/strings.profile
index b12c42f0d..a9301c652 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/strings.local
 # strings profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
diff --git a/etc/tar.profile b/etc/tar.profile
index 0661286b4..577e795f8 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/tar.local
 # tar profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
diff --git a/etc/thunar.profile b/etc/thunar.profile
index cd84acf39..d8389ebc8 100644
--- a/etc/thunar.profile
+++ b/etc/thunar.profile
@@ -1,4 +1,8 @@
 # Persistent global definitions go here
 include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/thunar.local
 include /etc/firejail/Thunar.profile
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 8a5bf1f7b..c693a53b3 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -25,6 +25,11 @@ noblacklist ~/.cache/thunderbird
 mkdir ~/.cache/thunderbird
 whitelist ~/.cache/thunderbird
+whitelist ~/.config/mimeapps.list
+read-only ~/.config/mimeapps.list
+whitelist ~/.local/share/applications
+read-only ~/.local/share/applications
 # allow browsers
 ignore private-tmp
 include /etc/firejail/firefox.profile
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 1375c9b48..62d6665ec 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/unrar.local
 # unrar profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 581d65167..130e57ae9 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/unzip.local
 # unzip profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 blacklist /tmp/.X11-unix
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index c795619a0..46f28179b 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/uudeview.local
 # uudeview profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
diff --git a/etc/vivaldi-beta.profile b/etc/vivaldi-beta.profile
index 51954c643..f2c2f4cc0 100644
--- a/etc/vivaldi-beta.profile
+++ b/etc/vivaldi-beta.profile
@@ -6,4 +6,4 @@ include /etc/firejail/globals.local
 include /etc/firejail/vivaldi-beta.local
 # Vivaldi Beta browser profile
-include /etc/firejail/vivaldi-stable.profile
+include /etc/firejail/vivaldi.profile
diff --git a/etc/vivaldi-stable.profile b/etc/vivaldi-stable.profile
index a57b2dd78..9b2ccd4f3 100644
--- a/etc/vivaldi-stable.profile
+++ b/etc/vivaldi-stable.profile
@@ -4,19 +4,5 @@ include /etc/firejail/globals.local
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
 include /etc/firejail/vivaldi.local
-noblacklist ~/.cache/vivaldi
-# Vivaldi browser profile
+include /etc/firejail/vivaldi.profile
-noblacklist ~/.config/vivaldi
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-netfilter
-whitelist ${DOWNLOADS}
-mkdir ~/.config/vivaldi
-whitelist ~/.config/vivaldi
-mkdir ~/.cache/vivaldi
-whitelist ~/.cache/vivaldi
-include /etc/firejail/whitelist-common.inc
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index c01c6d608..25d78439d 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -6,4 +6,19 @@ include /etc/firejail/globals.local
 include /etc/firejail/vivaldi.local
 # Vivaldi browser profile
-include /etc/firejail/vivaldi-stable.profile
+noblacklist ~/.cache/vivaldi
+# Vivaldi browser profile
+noblacklist ~/.config/vivaldi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+netfilter
+whitelist ${DOWNLOADS}
+mkdir ~/.config/vivaldi
+whitelist ~/.config/vivaldi
+mkdir ~/.cache/vivaldi
+whitelist ~/.cache/vivaldi
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/vlc.profile b/etc/vlc.profile
index efd6d04a6..b36e844ff 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -24,7 +24,7 @@ seccomp
 shell none
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
-# private-dev
+private-dev
 private-tmp
 noexec ${HOME}
diff --git a/etc/wget.profile b/etc/wget.profile
index 562c7bbf1..801e034ea 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/wget.local
 # wget profile
-quiet
+noblacklist ~/.wgetrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/xz.profile b/etc/xz.profile
index f01906610..a3c1ab3ca 100644
--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,5 +7,4 @@ include /etc/firejail/globals.local
 include /etc/firejail/xz.local
 # xz profile
-quiet
 include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 21cb15556..2a84bf0ee 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/xzdec.local
 # xzdec profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 8d925a354..e1ed3ccab 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
@@ -24,7 +25,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-quiet
 private-dev
author	hawkeye116477 <hawkeye116477@gmail.com>	2017-06-22 19:26:28 +0200
committer	hawkeye116477 <hawkeye116477@gmail.com>	2017-06-22 19:26:28 +0200
commit	4ccb35df264267e00c38953f93dddd1dc9581fa5 (patch)
tree	0700fd4306ef514d8f28ce11138c1a1ff1a29c87 /etc
parent	Update profile for Cyberfox (diff)
parent	Merge pull request #1343 from BafDyce/fix-example-typo (diff)
download	firejail-4ccb35df264267e00c38953f93dddd1dc9581fa5.tar.gz firejail-4ccb35df264267e00c38953f93dddd1dc9581fa5.tar.zst firejail-4ccb35df264267e00c38953f93dddd1dc9581fa5.zip