19 files changed, 36 insertions, 27 deletions

diff --git a/README.md b/README.md
index 22714930d..0623d9463 100644
--- a/README.md
+++ b/README.md
@@ -267,4 +267,4 @@ $ ./profstats *.profile
 
 ### New profiles:
 
-clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2
+clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp
diff --git a/RELNOTES b/RELNOTES
index 1374f0d58..86c4a6104 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,8 +2,12 @@ firejail (0.9.67) baseline; urgency=low
   * work in progress
   * deprecated --disable-whitelist at compile time
   * deprecated whitelist=yes/no in /etc/firejail/firejail.config
+  * remove (some) environment variables with auth-tokens
+  * new includes: whitelist-run-common.inc, disable-X11.inc
+  * removed includes: disable-passwordmgr.inc
   * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
-  * new profiles: io.github.lainsce.Notejot, rednotebook
+  * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
+  * new profiles: yt-dlp
  -- netblue30 <netblue30@yahoo.com>  Thu, 29 Jul 2021 09:00:00 -0500
 
 firejail (0.9.66) baseline; urgency=low
diff --git a/contrib/sort.py b/contrib/sort.py
index c7325facb..d7a2cd05d 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -24,7 +24,7 @@ Exit-Codes:
 
 # Requirements:
 #  python >= 3.6
-from sys import argv
+from sys import argv, exit as sys_exit
 
 
 def sort_alphabetical(raw_items):
@@ -105,4 +105,4 @@ def main(args):
 
 
 if __name__ == "__main__":
-    exit(main(argv[1:]))
+    sys_exit(main(argv[1:]))
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index a9dd4921f..ae84ee38a 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -420,6 +420,7 @@ blacklist ${HOME}/.local/share/keyrings
 blacklist ${HOME}/.local/share/kwalletd
 blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.local/share/plasma-vault
+blacklist ${HOME}/.minisign
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.muttrc
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 9de781fb5..444446156 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -794,6 +794,7 @@ blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/state/pipewire
 blacklist ${HOME}/.lv2
 blacklist ${HOME}/.lyx
 blacklist ${HOME}/.magicor
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc
index f47d8a7be..224d21064 100644
--- a/etc/inc/whitelist-run-common.inc
+++ b/etc/inc/whitelist-run-common.inc
@@ -6,5 +6,6 @@ whitelist /run/NetworkManager/resolv.conf
 whitelist /run/cups/cups.sock
 whitelist /run/dbus/system_bus_socket
 whitelist /run/media
+whitelist /run/resolvconf/resolv.conf
 whitelist /run/systemd/resolve/resolv.conf
 whitelist /run/systemd/resolve/stub-resolv.conf
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index 48309ffe3..a8cab8d07 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -10,7 +10,7 @@ whitelist ${RUNUSER}/gdm/Xauthority
 whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/wayland-1
+whitelist ${RUNUSER}/pipewire-?
+whitelist ${RUNUSER}/wayland-?
 whitelist ${RUNUSER}/xauth_*
 whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index fe0097934..0049ce804 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -45,6 +45,7 @@ whitelist /usr/share/myspell
 whitelist /usr/share/p11-kit
 whitelist /usr/share/perl
 whitelist /usr/share/perl5
+whitelist /usr/share/pipewire
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index b35b6ae80..c42243e02 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -37,10 +37,6 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
 
-# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index d282f9a60..b2b7c362a 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
 
+ignore whitelist ${RUNUSER}/*firefox*
 ignore include whitelist-runuser-common.inc
 ignore private-cache
 
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 5a123d081..9138fed90 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -58,10 +58,8 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your firefox.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
+# Add the next line to your firefox.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).
 #ignore noroot
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 4c28e2aff..7beb2bcba 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -8,12 +8,14 @@ include globals.local
 
 noblacklist ${HOME}/.config/FreeTube
 
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
-private-bin electron,electron[0-9],electron[0-9][0-9],freetube
+private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 
 # Redirect
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index 0786da6df..df9c2ac7a 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -13,7 +13,6 @@ include globals.local
 #ignore net
 #protocol unix,inet,inet6
 
-
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
 # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local.
 ignore noexec ${HOME}
@@ -26,6 +25,10 @@ noblacklist ${HOME}/.gimp*
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
+# See issue #4367, gimp 2.10.22-3: gegl:introspect broken
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-exec.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index b419a6231..2d4ce2437 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -21,6 +21,7 @@ mkdir ${HOME}/.config/gnote
 mkdir ${HOME}/.local/share/gnote
 whitelist ${HOME}/.config/gnote
 whitelist ${HOME}/.local/share/gnote
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/gnote
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index a67ea8d67..b915f6202 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -37,16 +37,22 @@ include disable-xdg.inc
 #mkdir ${HOME}/Documents/KeePassXC
 #whitelist ${HOME}/Documents/KeePassXC
 # Needed for KeePassXC-Browser.
+#mkdir ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts
 #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/chromium/NativeMessagingHosts
 #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/google-chrome/NativeMessagingHosts
 #mkfile ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/vivaldi/NativeMessagingHosts
 #mkfile ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts
 #mkfile ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.mozilla/native-messaging-hosts
 #mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
 #mkdir ${HOME}/.cache/keepassxc
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index da047357a..c9f5221f7 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -44,10 +44,8 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
+# Add the next line to your librewolf.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).
 #ignore noroot
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 275496496..0b3d2b44c 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -38,9 +38,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol can be empty, but this is not yet supported see #639
-protocol inet
-seccomp
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index 1ef789689..a23ad68df 100644
--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.xournalpp
 
 include allow-lua.inc
 
-whitelist /usr/share/pipewire
 whitelist /usr/share/texlive
 whitelist /usr/share/xournalpp
 whitelist /var/lib/texmf
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 02dcefd35..e580a0c0c 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -102,8 +102,6 @@ include globals.local
 #include allow-ssh.inc
 
 ##blacklist PATH
-# Disable X11 (CLI only), see also 'x11 none' below
-#blacklist /tmp/.X11-unix
 # Disable Wayland
 #blacklist ${RUNUSER}/wayland-*
 # Disable RUNUSER (cli only; supersedes Disable Wayland)
@@ -174,7 +172,7 @@ include globals.local
 ##seccomp-error-action log (only for debugging seccomp issues)
 #shell none
 #tracelog
-# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+# Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set
 ##x11 none
 
 #disable-mnt