17 files changed, 21 insertions, 1 deletions
diff --git a/etc/apktool.profile b/etc/apktool.profile
index 58854df3b..0ca0ea0b0 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -24,6 +24,7 @@ protocol unix
 seccomp
 shell none
+private-bin apktool,bash,java,dirname,basename,expr
 private-dev
 noexec ${HOME}
diff --git a/etc/arm.profile b/etc/arm.profile
index a75130e4d..4e6bb9b1c 100644
--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -32,7 +32,7 @@ shell none
 tracelog
 disable-mnt
-# private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig
+# private-bin arm,tor,sh,bash,python2,python2.7,ps,lsof,ldconfig
 private-dev
 private-etc tor,passwd
 private-tmp
diff --git a/etc/baobab.profile b/etc/baobab.profile
index 5eef557bc..c67f01503 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -24,6 +24,7 @@ protocol unix
 seccomp
 shell none
+private-bin baobab
 private-dev
 private-tmp
diff --git a/etc/bless.profile b/etc/bless.profile
index 6da8187b1..8c7cc5fe5 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+# private-bin bless,sh,bash,mono
 private-dev
 private-etc fonts,mono
 private-tmp
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 7637b8ea5..3ccc8e4cb 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -31,6 +31,7 @@ nogroups
 notv
 shell none
+# private-bin chromium,chromium-browser,chromedriver
 private-dev
 # private-tmp - problems with multiple browser sessions
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index a3a1c4ad5..fab7ccb13 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep
 private-dev
 noexec ${HOME}
diff --git a/etc/gitg.profile b/etc/gitg.profile
index f28fbe03f..273cc006c 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-bin gitg,git,ssh
 private-dev
 private-tmp
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index 677c47b13..189f364f8 100644
--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -7,8 +7,10 @@ include /etc/firejail/hashcat.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.hashcat
+noblacklist /usr/include
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
@@ -25,6 +27,7 @@ seccomp
 shell none
 disable-mnt
+private-bin hashcat
 private-dev
 private-tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 2422d5b48..8df805895 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
+private-bin jd-gui,sh,bash
 private-dev
 private-tmp
diff --git a/etc/meld.profile b/etc/meld.profile
index 92aefaf78..280004f49 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+# private-bin meld,python2,python2.7
 private-dev
 private-tmp
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index a51defafa..e99876447 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -32,6 +32,8 @@ protocol unix,inet,inet6
 shell none
 disable-mnt
+# private-bin works, but causes weirdness
+# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname
 private-dev
 private-tmp
diff --git a/etc/obs.profile b/etc/obs.profile
index f7d7ac310..11c18e0b6 100644
--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -22,6 +22,7 @@ seccomp
 shell none
 tracelog
+private-bin obs
 private-dev
 private-tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 4dbc05413..e2fbd81ae 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config
 private-dev
 private-tmp
diff --git a/etc/peek.profile b/etc/peek.profile
index 0157ca9d4..e65d3f172 100644
--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+# private-bin breaks gif mode, mp4 and webm mode work fine however
 # private-bin peek,convert,ffmpeg
 private-dev
 private-tmp
diff --git a/etc/pithos.profile b/etc/pithos.profile
index be6e1b72a..2aaedd45e 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -25,6 +25,7 @@ seccomp
 shell none
 disable-mnt
+# private-bin pithos,python,python3,python3.6
 private-dev
 private-tmp
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index 06889be33..578f623f0 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+# private-bin sdat2img,env,python,python3,python3.6
 private-dev
 noexec ${HOME}
diff --git a/etc/strings.profile b/etc/strings.profile
index 28f5598cf..d102cd445 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -17,7 +17,9 @@ novideo
 shell none
 tracelog
+private-bin strings
 private-dev
+private-lib
 memory-deny-write-execute

diff --git a/etc/apktool.profile b/etc/apktool.profile index 58854df3b..0ca0ea0b0 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile
@@ -24,6 +24,7 @@ protocol unix
24	seccomp	24	seccomp
25	shell none	25	shell none
26		26
		27	private-bin apktool,bash,java,dirname,basename,expr
27	private-dev	28	private-dev
28		29
29	noexec ${HOME}	30	noexec ${HOME}


diff --git a/etc/arm.profile b/etc/arm.profile index a75130e4d..4e6bb9b1c 100644 --- a/etc/arm.profile +++ b/etc/arm.profile
@@ -32,7 +32,7 @@ shell none
32	tracelog	32	tracelog
33		33
34	disable-mnt	34	disable-mnt
35	# private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig	35	# private-bin arm,tor,sh,bash,python2,python2.7,ps,lsof,ldconfig
36	private-dev	36	private-dev
37	private-etc tor,passwd	37	private-etc tor,passwd
38	private-tmp	38	private-tmp


diff --git a/etc/baobab.profile b/etc/baobab.profile index 5eef557bc..c67f01503 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile
@@ -24,6 +24,7 @@ protocol unix
24	seccomp	24	seccomp
25	shell none	25	shell none
26		26
		27	private-bin baobab
27	private-dev	28	private-dev
28	private-tmp	29	private-tmp
29		30


diff --git a/etc/bless.profile b/etc/bless.profile index 6da8187b1..8c7cc5fe5 100644 --- a/etc/bless.profile +++ b/etc/bless.profile
@@ -25,6 +25,7 @@ protocol unix
25	seccomp	25	seccomp
26	shell none	26	shell none
27		27
		28	# private-bin bless,sh,bash,mono
28	private-dev	29	private-dev
29	private-etc fonts,mono	30	private-etc fonts,mono
30	private-tmp	31	private-tmp


diff --git a/etc/chromium.profile b/etc/chromium.profile index 7637b8ea5..3ccc8e4cb 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile
@@ -31,6 +31,7 @@ nogroups
31	notv	31	notv
32	shell none	32	shell none
33		33
		34	# private-bin chromium,chromium-browser,chromedriver
34	private-dev	35	private-dev
35	# private-tmp - problems with multiple browser sessions	36	# private-tmp - problems with multiple browser sessions
36		37


diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index a3a1c4ad5..fab7ccb13 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile
@@ -25,6 +25,7 @@ protocol unix
25	seccomp	25	seccomp
26	shell none	26	shell none
27		27
		28	private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep
28	private-dev	29	private-dev
29		30
30	noexec ${HOME}	31	noexec ${HOME}


diff --git a/etc/gitg.profile b/etc/gitg.profile index f28fbe03f..273cc006c 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
26	seccomp	26	seccomp
27	shell none	27	shell none
28		28
		29	private-bin gitg,git,ssh
29	private-dev	30	private-dev
30	private-tmp	31	private-tmp
31		32


diff --git a/etc/hashcat.profile b/etc/hashcat.profile index 677c47b13..189f364f8 100644 --- a/etc/hashcat.profile +++ b/etc/hashcat.profile
@@ -7,8 +7,10 @@ include /etc/firejail/hashcat.local
7	include /etc/firejail/globals.local	7	include /etc/firejail/globals.local
8		8
9	noblacklist ${HOME}/.hashcat	9	noblacklist ${HOME}/.hashcat
		10	noblacklist /usr/include
10		11
11	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
		13	include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
14		16
@@ -25,6 +27,7 @@ seccomp
25	shell none	27	shell none
26		28
27	disable-mnt	29	disable-mnt
		30	private-bin hashcat
28	private-dev	31	private-dev
29	private-tmp	32	private-tmp
30		33


diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 2422d5b48..8df805895 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile
@@ -26,6 +26,7 @@ protocol unix
26	seccomp	26	seccomp
27	shell none	27	shell none
28		28
		29	private-bin jd-gui,sh,bash
29	private-dev	30	private-dev
30	private-tmp	31	private-tmp
31		32


diff --git a/etc/meld.profile b/etc/meld.profile index 92aefaf78..280004f49 100644 --- a/etc/meld.profile +++ b/etc/meld.profile
@@ -25,6 +25,7 @@ protocol unix
25	seccomp	25	seccomp
26	shell none	26	shell none
27		27
		28	# private-bin meld,python2,python2.7
28	private-dev	29	private-dev
29	private-tmp	30	private-tmp
30		31


diff --git a/etc/multimc5.profile b/etc/multimc5.profile index a51defafa..e99876447 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile
@@ -32,6 +32,8 @@ protocol unix,inet,inet6
32	shell none	32	shell none
33		33
34	disable-mnt	34	disable-mnt
		35	# private-bin works, but causes weirdness
		36	# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname
35	private-dev	37	private-dev
36	private-tmp	38	private-tmp
37		39


diff --git a/etc/obs.profile b/etc/obs.profile index f7d7ac310..11c18e0b6 100644 --- a/etc/obs.profile +++ b/etc/obs.profile
@@ -22,6 +22,7 @@ seccomp
22	shell none	22	shell none
23	tracelog	23	tracelog
24		24
		25	private-bin obs
25	private-dev	26	private-dev
26	private-tmp	27	private-tmp
27		28


diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 4dbc05413..e2fbd81ae 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile
@@ -25,6 +25,7 @@ protocol unix
25	seccomp	25	seccomp
26	shell none	26	shell none
27		27
		28	private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config
28	private-dev	29	private-dev
29	private-tmp	30	private-tmp
30		31


diff --git a/etc/peek.profile b/etc/peek.profile index 0157ca9d4..e65d3f172 100644 --- a/etc/peek.profile +++ b/etc/peek.profile
@@ -25,6 +25,7 @@ protocol unix
25	seccomp	25	seccomp
26	shell none	26	shell none
27		27
		28	# private-bin breaks gif mode, mp4 and webm mode work fine however
28	# private-bin peek,convert,ffmpeg	29	# private-bin peek,convert,ffmpeg
29	private-dev	30	private-dev
30	private-tmp	31	private-tmp


diff --git a/etc/pithos.profile b/etc/pithos.profile index be6e1b72a..2aaedd45e 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile
@@ -25,6 +25,7 @@ seccomp
25	shell none	25	shell none
26		26
27	disable-mnt	27	disable-mnt
		28	# private-bin pithos,python,python3,python3.6
28	private-dev	29	private-dev
29	private-tmp	30	private-tmp
30		31


diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index 06889be33..578f623f0 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile
@@ -25,6 +25,7 @@ protocol unix
25	seccomp	25	seccomp
26	shell none	26	shell none
27		27
		28	# private-bin sdat2img,env,python,python3,python3.6
28	private-dev	29	private-dev
29		30
30	noexec ${HOME}	31	noexec ${HOME}


diff --git a/etc/strings.profile b/etc/strings.profile index 28f5598cf..d102cd445 100644 --- a/etc/strings.profile +++ b/etc/strings.profile
@@ -17,7 +17,9 @@ novideo
17	shell none	17	shell none
18	tracelog	18	tracelog
19		19
		20	private-bin strings
20	private-dev	21	private-dev
		22	private-lib
21		23
22	memory-deny-write-execute	24	memory-deny-write-execute
23		25