17 files changed, 139 insertions, 57 deletions

diff --git a/RELNOTES b/RELNOTES
index 91d814b3f..3309e4438 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -17,6 +17,7 @@ firejail (0.9.73) baseline; urgency=low
     support (#5589)
   * docs: selinux.c: Split Copyright notice & use same license as upstream
     (#5667)
+  * new profiles: fix-qdf, qpdf, zlib-flate 
  -- netblue30 <netblue30@yahoo.com>  Mon, 16 Jan 2023 09:00:00 -0500
 
 firejail (0.9.72) baseline; urgency=low
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 81f417232..65159b951 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -168,8 +168,10 @@ blacklist ${HOME}/.local/share/systemd
 blacklist ${PATH}/systemctl
 blacklist ${PATH}/systemd-run
 blacklist ${RUNUSER}/systemd
+blacklist /etc/credstore*
 blacklist /etc/systemd/network
 blacklist /etc/systemd/system
+blacklist /run/credentials
 blacklist /var/lib/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 4ad6ac6bc..0655c2e6f 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -35,7 +35,6 @@ whitelist /usr/share/apostrophe
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf
 whitelist /usr/share/pandoc-*
-whitelist /usr/share/perl5
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index 392b189f8..c2a482b61 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -50,7 +50,7 @@ tracelog
 
 private-bin audacity
 private-dev
-private-etc @tls-ca,@x11
+private-etc @x11
 private-tmp
 
 # problems on Fedora 27
diff --git a/etc/profile-a-l/fix-qdf.profile b/etc/profile-a-l/fix-qdf.profile
new file mode 100644
index 000000000..2dbb44e1d
--- /dev/null
+++ b/etc/profile-a-l/fix-qdf.profile
@@ -0,0 +1,13 @@
+# Firejail profile for fix-qdf
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include fix-qdf.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin fix-qdf
+
+# Redirect
+include qpdf.profile
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index 717519112..6f350f8ac 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 
 private-dev
-private-etc @tls-ca,@x11,python*
+private-etc @x11,python*
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index e16f3f1d5..82cba7887 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -13,6 +13,13 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
 
+whitelist ${HOME}/.local/share/glib-2.0/schemas
+include whitelist-common.inc
+
+include whitelist-runuser-common.inc
+whitelist /usr/share/iagno
+whitelist /usr/share/gdm
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -28,11 +35,12 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 
 disable-mnt
-private
 private-bin iagno
 private-dev
+private-etc @x11,gconf
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-m-z/qpdf.profile b/etc/profile-m-z/qpdf.profile
new file mode 100644
index 000000000..0c1e09e92
--- /dev/null
+++ b/etc/profile-m-z/qpdf.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qpdf
+# Description: A Content-Preserving PDF Transformation System
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qpdf.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname qpdf
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+tracelog
+x11 none
+
+private-bin qpdf
+private-cache
+private-dev
+private-etc
+private-lib libqpdf.so.*
+#private-tmp # breaks on Arch Linux
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
+read-only ${HOME}
+read-write ${DOCUMENTS}
+read-write ${DOWNLOADS}
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index dccd93429..77c032a53 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -51,6 +51,7 @@ tracelog
 private-bin rhythmbox,rhythmbox-client
 private-cache
 private-dev
+private-etc @tls-ca,@x11,python*
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index e21d37040..a4cb49171 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -51,7 +51,7 @@ private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
 #private-cache
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+private-etc @tls-ca,@x11,python*
 private-tmp
 
 # makes settings immutable
diff --git a/etc/profile-m-z/zlib-flate.profile b/etc/profile-m-z/zlib-flate.profile
new file mode 100644
index 000000000..48a2c9845
--- /dev/null
+++ b/etc/profile-m-z/zlib-flate.profile
@@ -0,0 +1,13 @@
+# Firejail profile for zlib-flate
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zlib-flate.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin zlib-flate
+
+# Redirect
+include qpdf.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index db73dd1f6..45457fb47 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -260,6 +260,7 @@ firefox-nightly
 firefox-wayland
 firefox-x11
 five-or-more
+fix-qdf
 flacsplt
 flameshot
 flashpeak-slimjet
@@ -694,6 +695,7 @@ qgis
 qlipper
 qmmp
 qnapi
+qpdf
 qpdfview
 qq
 qt-faststart
@@ -957,6 +959,7 @@ zart
 zathura
 zeal
 zim
+zlib-flate
 zoom
 # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
index 0ed5d4e32..9e24256c0 100644
--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -28,6 +28,10 @@
 static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
         "alternatives",
         "fonts",
+        "gcrypt",       // GNU crypto library - it contains configuration for specialized encryption
+                // and random number generators hardware.
+                // The directory is not installed in Debian. On Fedora it is an empty directory.
+                // The defaults in glibc cover the regular PC.
         "group",
         "ld.so.cache",
         "ld.so.conf",
@@ -49,7 +53,6 @@ static char *etc_group_games[] = {
         "openal", // 3D sound
         "timidity", // MIDI
         "timidity.cfg",
-        "vulkan", // next generation OpenGL stack
         NULL
 };
 
@@ -75,8 +78,6 @@ static char *etc_group_sound[] = {
 static char *etc_group_tls_ca[] = {
         "ca-certificates",
         "crypto-policies",
-        "gcrypt", // GNU crypto library - contains hardware config for various encryption schemes
-                // and random number generators. The file is not installed by Debian.
         "pki",
         "ssl",
         NULL
@@ -95,6 +96,7 @@ static char *etc_group_x11[] = {
         "nvidia", // 3D
         "pango", // text rendering/internationalization
         "Trolltech.conf", // old QT config file
+        "vulkan", // next generation OpenGL stack
         "X11",
         "xdg",
         NULL
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
index 9e19af83a..182e259e1 100755
--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -7,17 +7,19 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail less sysutils.sh\r"
+send -- "rm -f /tmp/tt\r"
+after 500
+
+send -- "firejail less sysutils.sh > /tmp/t\r"
+sleep 1
+
+send -- "cat /tmp/t | grep Authors\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit}
-        "Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit}
+        timeout {puts "TESTING ERROR 0\n";exit}
         "Firejail Authors"
 }
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "MALLOC_CHECK"
-}
-
 after 100
+
+send -- "rm -f /tmp/t\r"
+after 500
 puts "\nall done\n"
diff --git a/test/sysutils/man.exp b/test/sysutils/man.exp
index f4fc5aa2c..0386b2e92 100755
--- a/test/sysutils/man.exp
+++ b/test/sysutils/man.exp
@@ -7,12 +7,19 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail man firejail\r"
+send -- "rm -f /tmp/t\r"
+after 500
+
+send -- "firejail man firejail > /tmp/t\r"
+sleep 1
+
+send -- "cat /tmp/t\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit}
-        "Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit}
         "NAME"
 }
 after 100
+
+send -- "rm -f /tmp/t\r"
+after 500
 puts "\nall done\n"
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
index 34acca07d..231f5afa8 100755
--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -47,14 +47,6 @@ else
         echo "TESTING SKIP: gzip not found"
 fi
 
-if command -v xzdec
-then
-        echo "TESTING: xzdec"
-        ./xzdec.exp
-else
-        echo "TESTING SKIP: xzdec not found"
-fi
-
 if command -v xz
 then
         echo "TESTING: xz"
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp
deleted file mode 100755
index 62cc1c225..000000000
--- a/test/sysutils/xzdec.exp
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r"
-sleep 1
-
-send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r"
-sleep 1
-
-send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r"
-sleep 1
-
-send -- "diff -s firejail_t1 firejail_t2\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "firejail_t1 and firejail_t2 are identical"
-}
-
-send -- "rm firejail_t*\r"
-sleep 1
-
-
-puts "\nall done\n"