7 files changed, 13 insertions, 6 deletions

diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 1dd500c12..5b66de4b7 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -8,6 +8,7 @@ blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.cache/greenclip*
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
+blacklist-nolog ${HOME}/.local/share/klipper
 blacklist-nolog ${HOME}/.macromedia
 blacklist-nolog /tmp/clipmenu*
 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 6a8e580a3..7e20b040b 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -483,6 +483,7 @@ blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
 blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/discover
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
 blacklist ${HOME}/.cache/fossamail
@@ -496,6 +497,7 @@ blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/krunner
 blacklist ${HOME}/.cache/kscreenlocker_greet
 blacklist ${HOME}/.cache/ksmserver-logout-greeter
 blacklist ${HOME}/.cache/ksplashqml
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 8ad3ac5f3..b6304c812 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -39,7 +39,7 @@ tracelog
 
 private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4
 private-dev
-# private-etc X11
+# private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 
 # memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 871706b02..4d34c82d3 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -25,7 +25,7 @@ shell none
 
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
-# private-etc fonts,alternatives,X11,pulse,passwd
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg,X11
 
 # noexec ${HOME}
 noexec /tmp
diff --git a/etc/krunner.profile b/etc/krunner.profile
index 606b67677..1e97f4290 100644
--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -5,12 +5,15 @@ include /etc/firejail/krunner.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# start a program in krunner: program will run with this generic profile
-# open a file in krunner: file viewer will run with its own profile (if firejailed automatically)
+# - programs started in krunner run with this generic profile.
+# - when a file is opened in krunner, the file viewer runs in its own sandbox
+#   with its own profile, if it is sandboxed automatically.
 
+# noblacklist ${HOME}/.cache/krunner
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
+# noblacklist ${HOME}/.local/share/baloo
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
@@ -21,6 +24,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile
index 92d2e38ae..534e7cd51 100644
--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -34,7 +34,7 @@ tracelog
 disable-mnt
 private-bin kwin_x11
 private-dev
-private-etc drirc,fonts,ld.so.cache,machine-id,xdg
+private-etc drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/okular.profile b/etc/okular.profile
index 31b773852..da82d2622 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -42,7 +42,7 @@ tracelog
 
 private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
-private-etc alternatives,cups,fonts,ld.so.cache,machine-id
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 
 # memory-deny-write-execute