15 files changed, 23 insertions, 8 deletions

diff --git a/etc/chromium.profile b/etc/chromium.profile
index 071c8a18a..ff51f6976 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -24,6 +24,7 @@ whitelist ~/.config/chromium-flags.conf
 
 include /etc/firejail/whitelist-common.inc
 
+caps.keep sys_chroot,sys_admin
 ipc-namespace
 netfilter
 nogroups
diff --git a/etc/clementine.profile b/etc/clementine.profile
index f92413a36..d9ce4c9c8 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -12,4 +12,5 @@ caps.drop all
 nonewprivs
 noroot
 protocol unix,inet,inet6
-seccomp
+# Clementine makes ioprio_set system calls, which are blacklisted by default.
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 7a5e8bf5b..c78640cd7 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -6,6 +6,7 @@ include /etc/firejail/disable-common.local
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.bash_history
+blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.macromedia
 
@@ -142,6 +143,8 @@ read-only ${HOME}/.zsh_files
 read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
+read-only ${HOME}/.config/fish
+read-only ${HOME}/.local/share/fish
 read-only ${HOME}/.profile
 read-only ${HOME}/.forward
 read-only ${HOME}/.login
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 0ee47a89e..a4fdbd0a9 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -10,6 +10,9 @@ blacklist ${HOME}/.LuminanceHDR
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Natron
 blacklist ${HOME}/.Skype
+blacklist ${HOME}/.Steam
+blacklist ${HOME}/.Steampath
+blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.Wolfram Research
diff --git a/etc/eog.profile b/etc/eog.profile
index e7a84993c..33628bbe3 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -4,6 +4,7 @@ include /etc/firejail/eog.local
 
 # eog (gnome image viewer) profile
 noblacklist ~/.config/eog
+noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index eb9027ca4..67610abea 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,7 +16,6 @@ include /etc/firejail/whitelist-common.inc
 
 #Options
 caps.drop all
-ipc-namespace
 netfilter
 #net none                                     
 no3d
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 38feb12a5..9cfafdb82 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 # include /etc/firejail/disable-devel.inc
 #
 
+caps.keep sys_chroot,sys_admin
 netfilter
 
 whitelist ${DOWNLOADS}
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 3fd1880bf..31d7a8fd4 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -4,6 +4,7 @@ include /etc/firejail/gthumb.local
 
 # gthumb profile
 noblacklist ${HOME}/.config/gthumb
+noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/pix.profile b/etc/pix.profile
index 5aa706a2a..f505c8a3f 100644
--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -5,6 +5,7 @@ include /etc/firejail/pix.local
 # Firejail profile for pix
 noblacklist ${HOME}/.config/pix
 noblacklist ${HOME}/.local/share/pix
+noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 3f5cb60c0..9a588f8b3 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -5,10 +5,10 @@ include /etc/firejail/qupzilla.local
 # Firejail profile for Qupzilla web browser
 noblacklist ${HOME}/.config/qupzilla
 noblacklist ${HOME}/.cache/qupzilla
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
@@ -22,5 +22,3 @@ include /etc/firejail/whitelist-common.inc
 
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-
-
diff --git a/etc/ristretto.profile b/etc/ristretto.profile
index c70ae55a8..9931813d9 100644
--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -3,6 +3,7 @@
 include /etc/firejail/risretto.local
 
 noblacklist ${HOME}/.config/ristretto
+noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc
@@ -17,7 +18,7 @@ protocol unix,inet,inet6
 seccomp
 
 #
-# depending on your usage, you can enable some of the commands below: 
+# depending on your usage, you can enable some of the commands below:
 #
 nogroups
 shell none
@@ -25,4 +26,3 @@ shell none
 # private-etc none
 private-dev
 # private-tmp
-
diff --git a/etc/steam.profile b/etc/steam.profile
index eef91a0d5..fc7717115 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -3,7 +3,9 @@
 include /etc/firejail/steam.local
 
 # Steam profile (applies to games/apps launched from Steam as well)
+noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/steam
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index 87bb07938..ba6548892 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -4,6 +4,7 @@ include /etc/firejail/viewnior.local
 
 # Firejail profile for viewnior
 noblacklist ~/.config/viewnior
+noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/wine.profile b/etc/wine.profile
index c732d6edf..2b44ff2c6 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -3,7 +3,9 @@
 include /etc/firejail/wine.local
 
 # wine profile
+noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/steam
 noblacklist ${HOME}/.wine
 
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 9ccd148ad..43dba1b35 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -4,6 +4,7 @@ include /etc/firejail/xviewer.local
 
 # xviewer profile
 noblacklist ~/.config/xviewer
+noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc