8 files changed, 63 insertions, 18 deletions

diff --git a/RELNOTES b/RELNOTES
index d780cc823..ff8c9eba9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -8,6 +8,7 @@ firejail (0.9.59) baseline; urgency=low
   * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
   * new profiles: code-oss, pragha
   * memory-deny-write-execute now also blocks memfd_create
+  * drop support for flatpak/snap packages
 
 firejail (0.9.58,2) baseline; urgency=low
   * cgroup flag in /etc/firejail/firejail.config file
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index e2eaea38b..976c3610e 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -6,7 +6,6 @@ blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/Standard Notes Backups
-blacklist ${HOME}/snap
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index bfe8b614e..3caaacf09 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -5,7 +5,6 @@ include pycharm-community.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/snap
 noblacklist ${HOME}/.PyCharmCE*
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.java
diff --git a/etc/seahorse-daemon.profile b/etc/seahorse-daemon.profile
new file mode 100644
index 000000000..1beb0edc6
--- /dev/null
+++ b/etc/seahorse-daemon.profile
@@ -0,0 +1,15 @@
+# Firejail profile for seahorse-daemon
+# Description: PGP encryption and signing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-daemon.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+
+memory-deny-write-execute
+
+# Redirect
+include seahorse.profile
diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile
index 2e792c8e0..96f365a4b 100644
--- a/etc/seahorse-tool.profile
+++ b/etc/seahorse-tool.profile
@@ -7,20 +7,11 @@ include seahorse-tool.local
 # added by included profile
 #include globals.local
 
-# dconf
-noblacklist ${HOME}/.config/dconf
+noblacklist ${DOWNLOADS}
 
-include disable-exec.inc
-include disable-xdg.inc
-include whitelist-var-common.inc
-
-apparmor
-ipc-namespace
-
-disable-mnt
 private-tmp
 
 memory-deny-write-execute
 
 # Redirect
-include gpg.profile
+include seahorse.profile
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index 83aeb6aec..cd9f6c767 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -4,22 +4,57 @@
 # Persistent local customizations
 include seahorse.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 # dconf
 noblacklist ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
+
+# gpg
+mkdir ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
 
 # ssh
+whitelist /etc/ld.so.preload
 noblacklist /etc/ssh
+whitelist /etc/ssh
 noblacklist /tmp/ssh-*
+whitelist /tmp/ssh-*
+mkdir ${HOME}/.ssh
 noblacklist ${HOME}/.ssh
+whitelist ${HOME}/.ssh
 
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
-ipc-namespace
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+# shell none - causes gpg to hang
+tracelog
+
+disable-mnt
+private-cache
+private-dev
 
-# Redirect
-include gpg.profile
+writable-run-user
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index f1be8bfd9..7531206f5 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -432,6 +432,7 @@ scallion
 scribus
 sdat2img
 seahorse
+seahorse-daemon
 seahorse-tool
 seamonkey
 seamonkey-bin
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 8146d1a2e..048db098c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -48,6 +48,10 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.PP
+Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
+are not supported. Snap and flatpak packages have their own native management tools and will
+not work when sandboxed with Firejail.
 
 .SH USAGE
 Without any options, the sandbox consists of a filesystem build in a new mount namespace,