18 files changed, 104 insertions, 34 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 89f65d75e..a3b89def5 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@d39d5d5c9707b926d517b1b292905ef4c03aa777
+      uses: github/codeql-action/init@75f07e7ab2ee63cba88752d8c696324e4df67466
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@d39d5d5c9707b926d517b1b292905ef4c03aa777
+      uses: github/codeql-action/autobuild@75f07e7ab2ee63cba88752d8c696324e4df67466
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
    #   make release
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@d39d5d5c9707b926d517b1b292905ef4c03aa777
+      uses: github/codeql-action/analyze@75f07e7ab2ee63cba88752d8c696324e4df67466
diff --git a/README.md b/README.md
index 16bfa812e..01d24db1b 100644
--- a/README.md
+++ b/README.md
@@ -259,4 +259,4 @@ Stats:
 ### New profiles:
-onionshare, onionshare-cli
+onionshare, onionshare-cli, opera-developer
diff --git a/configure b/configure
index 716418785..6611a8817 100755
--- a/configure
+++ b/configure
@@ -628,6 +628,7 @@ EGREP
 GREP
 CPP
 HAVE_LTS
+HAVE_ONLY_SYSCFG_PROFILES
 HAVE_FORCE_NONEWPRIVS
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
@@ -732,6 +733,7 @@ enable_busybox_workaround
 enable_gcov
 enable_contrib_install
 enable_force_nonewprivs
+enable_only_syscfg_profiles
 enable_lts
 '
      ac_precious_vars='build_alias
@@ -1395,6 +1397,8 @@ Optional Features:
                          install contrib scripts
  --enable-force-nonewprivs
                          enable force nonewprivs
+  --enable-only-syscfg-profiles
+                          disable profiles in $HOME/.config/firejail
  --enable-lts            enable long-term support software version (LTS)
 Some influential environment variables:
@@ -3830,6 +3834,19 @@ if test "x$enable_force_nonewprivs" = "xyes"; then :
 fi
+HAVE_ONLY_SYSCFG_PROFILES=""
+# Check whether --enable-only-syscfg-profiles was given.
+if test "${enable_only_syscfg_profiles+set}" = set; then :
+  enableval=$enable_only_syscfg_profiles;
+fi
+if test "x$enable_only_syscfg_profiles" = "xyes"; then :
+    HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
+fi
 HAVE_LTS=""
 # Check whether --enable-lts was given.
@@ -5497,6 +5514,7 @@ Configuration options:
   Install as a SUID executable: $HAVE_SUID
   LTS: $HAVE_LTS
   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+   Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
 EOF
diff --git a/configure.ac b/configure.ac
index 0ae9362cc..4ca30e6d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -237,6 +237,14 @@ AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
        HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
 ])
+HAVE_ONLY_SYSCFG_PROFILES=""
+AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES])
+AC_ARG_ENABLE([only-syscfg-profiles],
+    [AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])])
+AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [
+    HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
+])
 HAVE_LTS=""
 AC_SUBST([HAVE_LTS])
 AC_ARG_ENABLE([lts],
@@ -305,6 +313,7 @@ Configuration options:
   Install as a SUID executable: $HAVE_SUID
   LTS: $HAVE_LTS
   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+   Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
 EOF
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 6b9747fb4..5078ec82f 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -177,6 +177,7 @@ blacklist ${HOME}/.cache/nvim
 blacklist ${HOME}/.cache/okular
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/opera-developer
 blacklist ${HOME}/.cache/org.gabmus.gfeeds
 blacklist ${HOME}/.cache/org.gnome.Books
 blacklist ${HOME}/.cache/org.gnome.Maps
@@ -553,6 +554,7 @@ blacklist ${HOME}/.config/onlyoffice
 blacklist ${HOME}/.config/openmw
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.config/opera-developer
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.gabmus.gfeeds.json
 blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
@@ -1040,6 +1042,7 @@ blacklist ${HOME}/.openshot_qt
 blacklist ${HOME}/.openttd
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
+blacklist ${HOME}/.opera-developer
 blacklist ${HOME}/.ostrichriders
 blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index ac73f002f..b45f6e25e 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -66,7 +66,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 # encrypting and signing email
 writable-run-user
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index cececd9e9..221fbff01 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -13,7 +13,11 @@ noblacklist ${HOME}/.config/evolution
 noblacklist ${HOME}/.config/geary
 noblacklist ${HOME}/.local/share/evolution
 noblacklist ${HOME}/.local/share/geary
+noblacklist ${HOME}/.local/share/pki
 noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
@@ -38,7 +42,9 @@ whitelist ${HOME}/.config/evolution
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/evolution
 whitelist ${HOME}/.local/share/geary
+whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.pki
 whitelist /usr/share/geary
 include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -47,7 +53,8 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-machine-id
+#ipc-namespace - may cause issues with X11
+#machine-id
 netfilter
 no3d
 nodvd
@@ -55,7 +62,7 @@ nogroups
 noinput
 nonewprivs
 noroot
-nosound
+#nosound
 notv
 nou2f
 novideo
@@ -66,21 +73,22 @@ shell none
 tracelog
 # disable-mnt
-# Add 'ignore private-bin' to geary.local for hyperlink support
+#private-bin geary,sh
-private-bin geary
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mailcap,mime.types,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
 private-tmp
 dbus-user filter
 dbus-user.own org.gnome.Geary
 dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.Contacts
 dbus-user.talk org.gnome.OnlineAccounts
 dbus-user.talk org.gnome.evolution.dataserver.AddressBook10
 dbus-user.talk org.gnome.evolution.dataserver.Sources5
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index 2e28423f7..ed3dac10e 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -25,7 +25,6 @@ include disable-xdg.inc
 whitelist /usr/share/groff
 whitelist /usr/share/info
 whitelist /usr/share/lintian
-whitelist /usr/share/locale
 whitelist /usr/share/man
 whitelist /var/cache/man
 #include whitelist-common.inc
diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
index 551f1aba4..becd3f86c 100644
--- a/etc/profile-m-z/opera-beta.profile
+++ b/etc/profile-m-z/opera-beta.profile
@@ -5,18 +5,16 @@ include opera-beta.local
 # Persistent global definitions
 include globals.local
-# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+noblacklist ${HOME}/.cache/opera-beta
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
-noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera-beta
+noblacklist ${HOME}/.opera-beta
-mkdir ${HOME}/.cache/opera
+mkdir ${HOME}/.cache/opera-beta
 mkdir ${HOME}/.config/opera-beta
-whitelist ${HOME}/.cache/opera
+mkdir ${HOME}/.opera-beta
+whitelist ${HOME}/.cache/opera-beta
 whitelist ${HOME}/.config/opera-beta
+whitelist ${HOME}/.opera-beta
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/opera-developer.profile b/etc/profile-m-z/opera-developer.profile
new file mode 100644
index 000000000..52c850227
--- /dev/null
+++ b/etc/profile-m-z/opera-developer.profile
@@ -0,0 +1,20 @@
+# Firejail profile for opera-developer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opera-developer.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/opera-developer
+noblacklist ${HOME}/.config/opera-developer
+noblacklist ${HOME}/.opera-developer
+mkdir ${HOME}/.cache/opera-developer
+mkdir ${HOME}/.config/opera-developer
+mkdir ${HOME}/.opera-developer
+whitelist ${HOME}/.cache/opera-developer
+whitelist ${HOME}/.config/opera-developer
+whitelist ${HOME}/.opera-developer
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
index 2c7c5fc35..b342b3961 100644
--- a/etc/profile-m-z/opera.profile
+++ b/etc/profile-m-z/opera.profile
@@ -6,11 +6,6 @@ include opera.local
 # Persistent global definitions
 include globals.local
-# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera
 noblacklist ${HOME}/.opera
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index b66b81fdf..1ac80bc9a 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -47,6 +47,7 @@ whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.thunderbird
 whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
 whitelist /usr/share/mozilla
 whitelist /usr/share/thunderbird
 whitelist /usr/share/webext
diff --git a/src/common.mk.in b/src/common.mk.in
index c55c26f42..38c05bc69 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -28,6 +28,7 @@ HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_LTS=@HAVE_LTS@
 HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
+HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
 H_FILE_LIST       = $(sort $(wildcard *.h))
 C_FILE_LIST       = $(sort $(wildcard *.c))
@@ -37,7 +38,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'   -DVARDIR='"/var/lib/firejail"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index d434cb95e..408662907 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -24,11 +24,16 @@
 static int check_profile(const char *name, const char *homedir) {
        // build profile name
        char *profname1;
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        char *profname2;
+#endif
        if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, name) == -1)
                errExit("asprintf");
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, name) == -1)
                errExit("asprintf");
+#endif
        int rv = 0;
        if (access(profname1, R_OK) == 0) {
@@ -36,14 +41,18 @@ static int check_profile(const char *name, const char *homedir) {
                        printf("found %s\n", profname1);
                rv = 1;
        }
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        else if (access(profname2, R_OK) == 0) {
                if (arg_debug)
                        printf("found %s\n", profname2);
                rv = 1;
        }
+#endif
        free(profname1);
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        free(profname2);
+#endif
        return rv;
 }
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 21fcbe1f4..618093193 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -627,6 +627,7 @@ openstego
 openttd
 opera
 opera-beta
+opera-developer
 orage
 ostrichriders
 otter-browser
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 04ea715cd..c03cd7a12 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -825,11 +825,13 @@ void fs_proc_sys_dev_boot(void) {
 // disable firejail configuration in ~/.config/firejail
 void disable_config(void) {
        EUID_USER();
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        char *fname;
        if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                errExit("asprintf");
        disable_file(BLACKLIST_FILE, fname);
        free(fname);
+#endif
        // disable run time information
        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
index 11385143a..0ba64e844 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -22,9 +22,11 @@
 #define MAXBUF 4098
 typedef struct macro_t {
-        char *name;     // macro name
+        char *name;             // macro name
        char *xdg;              // xdg line in ~/.config/user-dirs.dirs
-#define MAX_TRANSLATIONS 3      // several translations in case ~/.config/user-dirs.dirs not found
+        // several translations in case ~/.config/user-dirs.dirs not found:
+        // English, Russian, French, Italian, Spanish, Portuguese, German
+#define MAX_TRANSLATIONS 7
        char *translation[MAX_TRANSLATIONS];
 } Macro;
@@ -32,37 +34,37 @@ Macro macro[] = {
        {
                "${DOWNLOADS}",
                "XDG_DOWNLOAD_DIR=\"$HOME/",
-                { "Downloads", "Загрузки", "Téléchargement" }
+                { "Downloads", "Загрузки", "Téléchargement", "Scaricati", "Descargas", "Downloads", "Downloads" }
        },
        {
                "${MUSIC}",
                "XDG_MUSIC_DIR=\"$HOME/",
-                {"Music", "Музыка", "Musique"}
+                {"Music", "Музыка", "Musique", "Musica", "Música", "Música", "Musik" }
        },
        {
                "${VIDEOS}",
                "XDG_VIDEOS_DIR=\"$HOME/",
-                {"Videos", "Видео", "Vidéos"}
+                {"Videos", "Видео", "Vidéos", "Video", "Vídeos", "Vídeos", "Videos" }
        },
        {
                "${PICTURES}",
                "XDG_PICTURES_DIR=\"$HOME/",
-                {"Pictures", "Изображения", "Photos"}
+                {"Pictures", "Изображения", "Photos", "Immagini", "Imágenes", "Imagens", "Bilder" }
        },
        {
                "${DESKTOP}",
                "XDG_DESKTOP_DIR=\"$HOME/",
-                {"Desktop", "Рабочий стол", "Bureau"}
+                {"Desktop", "Рабочий стол", "Bureau", "Scrivania", "Escritorio", "Área de trabalho", "Schreibtisch" }
        },
        {
                "${DOCUMENTS}",
                "XDG_DOCUMENTS_DIR=\"$HOME/",
-                {"Documents", "Документы", "Documents"}
+                {"Documents", "Документы", "Documents", "Documenti", "Documentos", "Documentos", "Dokumente" }
        },
        { 0 }
@@ -154,7 +156,7 @@ static char *resolve_hardcoded(char *entries[]) {
        struct stat s;
        int i = 0;
-        while (entries[i] != NULL) {
+        while (i < MAX_TRANSLATIONS && entries[i] != NULL) {
                if (asprintf(&fname, "%s/%s", cfg.homedir, entries[i]) == -1)
                        errExit("asprintf");
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 0b258e6bb..5bc77263a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -72,6 +72,7 @@ static int profile_find(const char *name, const char *dir, int add_ext) {
 // search and read the profile specified by name from firejail directories
 // return  1 if a profile was found
 int profile_find_firejail(const char *name, int add_ext) {
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
        // look for a profile in ~/.config/firejail directory
        char *usercfgdir;
        if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
@@ -84,6 +85,9 @@ int profile_find_firejail(const char *name, int add_ext) {
                rv = profile_find(name, SYSCONFDIR, add_ext);
        return rv;
+#else
+        return profile_find(name, SYSCONFDIR, add_ext);
+#endif
 }
 //***************************************************