7 files changed, 110 insertions, 4 deletions

diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index 7340ce8ce..38cb25381 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -149,7 +149,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@6a28655e3dcb49cb0840ea372fd6d17733edd8a4
+      uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9
       with:
         languages: cpp
 
@@ -160,4 +160,4 @@ jobs:
       run: make -j "$(nproc)"
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@6a28655e3dcb49cb0840ea372fd6d17733edd8a4
+      uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 5d4320809..c3236421a 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -49,9 +49,9 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@6a28655e3dcb49cb0840ea372fd6d17733edd8a4
+      uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9
       with:
         languages: python
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@6a28655e3dcb49cb0840ea372fd6d17733edd8a4
+      uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 4d4673b34..f2a03764d 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -158,6 +158,7 @@ blacklist ${HOME}/.cache/ksplashqml
 blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/lbry-viewer
+blacklist ${HOME}/.cache/lettura
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/librewolf
 blacklist ${HOME}/.cache/liferea
@@ -386,6 +387,7 @@ blacklist ${HOME}/.config/borg
 blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/brave-flags.conf
+blacklist ${HOME}/.config/breezy
 blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
 blacklist ${HOME}/.config/cantata
@@ -407,6 +409,7 @@ blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
+blacklist ${HOME}/.config/com.lettura.dev
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/d-feet
@@ -835,6 +838,7 @@ blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.klei
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.lettura
 blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.links
@@ -905,6 +909,7 @@ blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/chatterino
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.local/share/com.lettura.dev
 blacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
 blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/cor-games
diff --git a/etc/profile-a-l/brz.profile b/etc/profile-a-l/brz.profile
new file mode 100644
index 000000000..dcc7af54b
--- /dev/null
+++ b/etc/profile-a-l/brz.profile
@@ -0,0 +1,14 @@
+# Firejail profile for brz
+# Description: Distributed VCS with support for Bazaar and Git file formats
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include brz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/breezy
+
+# Redirect
+include git.profile
diff --git a/etc/profile-a-l/bzr.profile b/etc/profile-a-l/bzr.profile
new file mode 100644
index 000000000..61c1aae38
--- /dev/null
+++ b/etc/profile-a-l/bzr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for bzr
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include brz.profile
diff --git a/etc/profile-a-l/lettura.profile b/etc/profile-a-l/lettura.profile
new file mode 100644
index 000000000..94a455355
--- /dev/null
+++ b/etc/profile-a-l/lettura.profile
@@ -0,0 +1,76 @@
+# Firejail profile for lettura
+# Description: Another free and open-source feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lettura.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/lettura
+noblacklist ${HOME}/.config/com.lettura.dev
+noblacklist ${HOME}/.lettura
+noblacklist ${HOME}/.local/share/com.lettura.dev
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/lettura
+mkdir ${HOME}/.config/com.lettura.dev
+mkdir ${HOME}/.lettura
+mkdir ${HOME}/.local/share/com.lettura.dev
+whitelist ${HOME}/.cache/lettura
+whitelist ${HOME}/.config/com.lettura.dev
+whitelist ${HOME}/.lettura
+whitelist ${HOME}/.local/share/com.lettura.dev
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+#nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin lettura
+private-cache
+private-dev
+private-etc @network,@sound,@tls-ca,@x11,mime.types
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+dbus-system none
+
+restrict-namespaces
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index ce606efc3..2fff32f4b 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -482,6 +482,7 @@ kwrite
 lbry-viewer
 leafpad
 #less # breaks man
+lettura
 librecad
 libreoffice
 librewolf