10 files changed, 16 insertions, 8 deletions

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index eb9c28345..9cf216492 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -88,7 +88,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@a34ca99b4610d924e04c68db79e503e1f79f9f02
+      uses: github/codeql-action/init@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -99,7 +99,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@a34ca99b4610d924e04c68db79e503e1f79f9f02
+      uses: github/codeql-action/autobuild@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -113,4 +113,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@a34ca99b4610d924e04c68db79e503e1f79f9f02
+      uses: github/codeql-action/analyze@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 403036f4f..66bba61f5 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -36,8 +36,9 @@ jobs:
     - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
     - name: sort.py
       run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
-    - name: private-etc-always-required.sh
-      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+# Currently broken (see #5610)
+#    - name: private-etc-always-required.sh
+#      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
     - name: sort-disable-programs.sh
       run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
     - name: sort-firecfg.config.sh
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index 6399bc1a3..b2bc17c67 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
 noroot
 
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf
 private-tmp
 
 # Redirect
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 3e5878574..88b29cfbd 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -54,6 +54,7 @@ tracelog
 private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc TLS-CA
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 60d64736e..3365c0829 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -60,6 +60,7 @@ disable-mnt
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 # Add it to your firefox-common.local if you want to enable it.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc GUI,mailcap,mime.types,NETWORK,os-release,TLS-CA
 private-tmp
 
 blacklist ${PATH}/curl
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index 083b85a91..d9515c867 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,6 +59,7 @@ seccomp !mbind
 tracelog
 
 private-dev
+private-etc gcrypt,GUI,python*
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 1034c225f..1e75781ab 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -54,6 +54,7 @@ tracelog
 # private-bin inkscape,potrace,python* - problems on Debian stretch
 private-cache
 private-dev
+private-etc ImageMagick*,inkscape: GUI,python*
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index 89f8b257a..ea0e2afa7 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -56,7 +56,7 @@ seccomp !chroot,!name_to_handle_at
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 50c776412..6000bd98f 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -46,6 +46,7 @@ tracelog
 disable-mnt
 private-bin bash,dash,sh,warzone2100,which
 private-dev
+private-etc GAMES,GUI
 private-tmp
 
 restrict-namespaces
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
index 066c97570..421837fbb 100644
--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -35,8 +35,10 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
         "locale.alias",
         "locale.conf",
         "localtime",
+        "login.defs", // firejail reading UID/GID MIN and MAX at startup
         "nsswitch.conf",
         "passwd",
+        "group",
         NULL
 };
 
@@ -77,6 +79,7 @@ static char *etc_group_gui[] = {
         "gtk-3.0",
         "kde4rc",
         "kde5rc",
+        "pango", // text rendering/internationalization
         NULL
 };
 
@@ -85,7 +88,6 @@ static char *etc_group_games[] = {
         "timidity", // MIDI
         "timidity.cfg",
         "openal", // 3D sound
-        "gcrypt", // GNU crypto library
         NULL
 };