17 files changed, 305 insertions, 9 deletions
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
index f989ab1ba..5f1c64682 100644
--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -6,6 +6,7 @@ include authenticator.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.cache/Authenticator
 noblacklist ${HOME}/.config/Authenticator
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -25,7 +26,7 @@ include disable-programs.inc
 # apparmor
 caps.drop all
-net none
+netfilter
 no3d
 # nodbus - makes settings immutable
 nodvd
@@ -36,15 +37,14 @@ nosound
 notv
 nou2f
 # novideo
-protocol unix
+protocol unix,inet,inet6
 seccomp
 shell none
 disable-mnt
-# private-bin authenticator
+# private-bin authenticator,python*
-private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,ca-certificates,fonts,ld.so.cache,ssl
 private-tmp
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f37626a63..9d7a34bc5 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -247,12 +247,14 @@ read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
 read-only ${HOME}/.gvimrc
+read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
 read-only ${HOME}/.nano
+read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.vim
@@ -264,7 +266,6 @@ read-only ${HOME}/_exrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
-read-only ${HOME}/.homesick
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.gem
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 96fd80daf..7e12b97b2 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -5,6 +5,7 @@ include disable-programs.local
 blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
@@ -339,6 +340,7 @@ blacklist ${HOME}/.googleearth/Temp/
 blacklist ${HOME}/.googleearth/myplaces.backup.kml
 blacklist ${HOME}/.googleearth/myplaces.kml
 blacklist ${HOME}/.gradle
+blacklist ${HOME}/.gramps
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hashcat
 blacklist ${HOME}/.hedgewars
@@ -549,6 +551,7 @@ blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
 blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
+blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.opencity
@@ -625,6 +628,7 @@ blacklist /tmp/ssh-*
 # ${HOME}/.cache directory
 blacklist ${HOME}/.cache/0ad
 blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Authenticator
 blacklist ${HOME}/.cache/Clementine
 blacklist ${HOME}/.cache/Enox
 blacklist ${HOME}/.cache/Franz
diff --git a/etc/electrum.profile b/etc/electrum.profile
index 88d27e47e..ffa0fb5f6 100644
--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -50,6 +50,6 @@ disable-mnt
 private-bin electrum,python*
 private-cache
 private-dev
-private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id
+private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id,resolv.conf
 private-tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index b1f984784..1a429d673 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -43,7 +43,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
 private-etc alternatives,fonts,group,machine-id,passwd
-private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
+private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*,gconv
 private-tmp
 # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)
diff --git a/etc/flacsplt.profile b/etc/flacsplt.profile
new file mode 100644
index 000000000..2efef0f22
--- /dev/null
+++ b/etc/flacsplt.profile
@@ -0,0 +1,6 @@
+# Firejail profile for flacsplt
+# This file is overwritten after every install/update
+include flacsplt.local
+# Redirect
+include mp3splt.profile
diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile
new file mode 100644
index 000000000..8a53c63e3
--- /dev/null
+++ b/etc/freeoffice-planmaker.profile
@@ -0,0 +1,38 @@
+# Firejail profile for freeoffice-planmaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-planmaker.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/SoftMaker
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile
new file mode 100644
index 000000000..63be4da7f
--- /dev/null
+++ b/etc/freeoffice-presentations.profile
@@ -0,0 +1,38 @@
+# Firejail profile for freeoffice-presentations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-presentations.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/SoftMaker
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile
new file mode 100644
index 000000000..4bca5a98c
--- /dev/null
+++ b/etc/freeoffice-textmaker.profile
@@ -0,0 +1,38 @@
+# Firejail profile for freeoffice-textmaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-textmaker.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/SoftMaker
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 36121c4b9..ee84a0994 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -42,7 +42,7 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
diff --git a/etc/gramps.profile b/etc/gramps.profile
new file mode 100644
index 000000000..764c14b60
--- /dev/null
+++ b/etc/gramps.profile
@@ -0,0 +1,53 @@
+# Firejail profile for gramps
+# Description: genealogy program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gramps.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.gramps
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+#noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.gramps
+whitelist ${HOME}/.gramps
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-cache
+private-dev
+private-tmp
diff --git a/etc/mp3splt.profile b/etc/mp3splt.profile
new file mode 100644
index 000000000..6cf6f0409
--- /dev/null
+++ b/etc/mp3splt.profile
@@ -0,0 +1,48 @@
+# Firejail profile for mp3splt
+# Description: utility for mp3 splitting without decoding
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mp3splt.local
+# Persistent global definitions
+include globals.local
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin flacsplt,mp3splt,mp3wrap,oggsplt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+memory-deny-write-execute
diff --git a/etc/mp3wrap.profile b/etc/mp3wrap.profile
new file mode 100644
index 000000000..2e7d97f72
--- /dev/null
+++ b/etc/mp3wrap.profile
@@ -0,0 +1,6 @@
+# Firejail profile for mp3wrap
+# This file is overwritten after every install/update
+include mp3wrap.local
+# Redirect
+include mp3splt.profile
diff --git a/etc/mpv.profile b/etc/mpv.profile
index c2ae9c6f9..34542b11b 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -1,6 +1,7 @@
 # Firejail profile for mpv
 # Description: Video player based on MPlayer/mplayer2
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include mpv.local
 # Persistent global definitions
@@ -44,4 +45,5 @@ shell none
 tracelog
 private-bin mpv,youtube-dl,python*,env
+private-cache
 private-dev
diff --git a/etc/newsboat.profile b/etc/newsboat.profile
new file mode 100644
index 000000000..e063abe53
--- /dev/null
+++ b/etc/newsboat.profile
@@ -0,0 +1,47 @@
+# Firejail profile for Newsboat
+# Description: RSS program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsboat.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.newsboat
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.newsboat
+whitelist ${HOME}/.newsboat
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin newsboat
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
+private-tmp
+memory-deny-write-execute
diff --git a/etc/oggsplt.profile b/etc/oggsplt.profile
new file mode 100644
index 000000000..456412c30
--- /dev/null
+++ b/etc/oggsplt.profile
@@ -0,0 +1,6 @@
+# Firejail profile for oggsplt
+# This file is overwritten after every install/update
+include oggsplt.local
+# Redirect
+include mp3splt.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 7aec0f82a..44e8dc571 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -184,6 +184,7 @@ firefox-esr
 firefox-nightly
 firefox-wayland
 flameshot
+flacsplt
 flashpeak-slimjet
 flowblade
 font-manager
@@ -197,6 +198,9 @@ freeciv-gtk3
 freeciv-mp-gtk3
 freecol
 freemind
+freeoffice-planmaker
+freeoffice-presentations
+freeoffice-textmaker
 freshclam
 frozen-bubble
 gajim
@@ -253,6 +257,7 @@ gpa
 gpicview
 gpredict
 gradio
+gramps
 gthumb
 guayadeque
 gucharmap
@@ -356,6 +361,8 @@ midori
 min
 minetest
 mousepad
+mp3splt
+mp3wrap
 mpDris2
 mplayer
 mpsyt
@@ -382,6 +389,7 @@ netactview
 nethack
 netsurf
 neverball
+newsboat
 nheko
 nitroshare
 nitroshare-cli
@@ -394,6 +402,7 @@ nyx
 obs
 ocenaudio
 odt2txt
+oggsplt
 okular
 onionshare-gui
 open-invaders

diff --git a/etc/authenticator.profile b/etc/authenticator.profile index f989ab1ba..5f1c64682 100644 --- a/etc/authenticator.profile +++ b/etc/authenticator.profile
@@ -6,6 +6,7 @@ include authenticator.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
		9	noblacklist ${HOME}/.cache/Authenticator
9	noblacklist ${HOME}/.config/Authenticator	10	noblacklist ${HOME}/.config/Authenticator
10		11
11	# Allow python (blacklisted by disable-interpreters.inc)	12	# Allow python (blacklisted by disable-interpreters.inc)
@@ -25,7 +26,7 @@ include disable-programs.inc
25		26
26	# apparmor	27	# apparmor
27	caps.drop all	28	caps.drop all
28	net none	29	netfilter
29	no3d	30	no3d
30	# nodbus - makes settings immutable	31	# nodbus - makes settings immutable
31	nodvd	32	nodvd
@@ -36,15 +37,14 @@ nosound
36	notv	37	notv
37	nou2f	38	nou2f
38	# novideo	39	# novideo
39	protocol unix	40	protocol unix,inet,inet6
40	seccomp	41	seccomp
41	shell none	42	shell none
42		43
43	disable-mnt	44	disable-mnt
44	# private-bin authenticator	45	# private-bin authenticator,python*
45	private-cache
46	private-dev	46	private-dev
47	private-etc alternatives,fonts,ld.so.cache	47	private-etc alternatives,ca-certificates,fonts,ld.so.cache,ssl
48	private-tmp	48	private-tmp
49		49
50	# memory-deny-write-execute - breaks on Arch	50	# memory-deny-write-execute - breaks on Arch


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index f37626a63..9d7a34bc5 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -247,12 +247,14 @@ read-only ${HOME}/.emacs
247	read-only ${HOME}/.emacs.d	247	read-only ${HOME}/.emacs.d
248	read-only ${HOME}/.exrc	248	read-only ${HOME}/.exrc
249	read-only ${HOME}/.gvimrc	249	read-only ${HOME}/.gvimrc
		250	read-only ${HOME}/.homesick
250	read-only ${HOME}/.iscreenrc	251	read-only ${HOME}/.iscreenrc
251	read-only ${HOME}/.mailcap	252	read-only ${HOME}/.mailcap
252	read-only ${HOME}/.msmtprc	253	read-only ${HOME}/.msmtprc
253	read-only ${HOME}/.mutt/muttrc	254	read-only ${HOME}/.mutt/muttrc
254	read-only ${HOME}/.muttrc	255	read-only ${HOME}/.muttrc
255	read-only ${HOME}/.nano	256	read-only ${HOME}/.nano
		257	read-only ${HOME}/.pythonrc.py
256	read-only ${HOME}/.reportbugrc	258	read-only ${HOME}/.reportbugrc
257	read-only ${HOME}/.tmux.conf	259	read-only ${HOME}/.tmux.conf
258	read-only ${HOME}/.vim	260	read-only ${HOME}/.vim
@@ -264,7 +266,6 @@ read-only ${HOME}/_exrc
264	read-only ${HOME}/_gvimrc	266	read-only ${HOME}/_gvimrc
265	read-only ${HOME}/_vimrc	267	read-only ${HOME}/_vimrc
266	read-only ${HOME}/dotfiles	268	read-only ${HOME}/dotfiles
267	read-only ${HOME}/.homesick
268		269
269	# Make directories commonly found in $PATH read-only	270	# Make directories commonly found in $PATH read-only
270	read-only ${HOME}/.gem	271	read-only ${HOME}/.gem


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 96fd80daf..7e12b97b2 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -5,6 +5,7 @@ include disable-programs.local
5	blacklist ${HOME}/Arduino	5	blacklist ${HOME}/Arduino
6	blacklist ${HOME}/Monero/wallets	6	blacklist ${HOME}/Monero/wallets
7	blacklist ${HOME}/Nextcloud/Notes	7	blacklist ${HOME}/Nextcloud/Notes
		8	blacklist ${HOME}/SoftMaker
8	blacklist ${HOME}/Standard Notes Backups	9	blacklist ${HOME}/Standard Notes Backups
9	blacklist ${HOME}/wallet.dat	10	blacklist ${HOME}/wallet.dat
10	blacklist ${HOME}/.*coin	11	blacklist ${HOME}/.*coin
@@ -339,6 +340,7 @@ blacklist ${HOME}/.googleearth/Temp/
339	blacklist ${HOME}/.googleearth/myplaces.backup.kml	340	blacklist ${HOME}/.googleearth/myplaces.backup.kml
340	blacklist ${HOME}/.googleearth/myplaces.kml	341	blacklist ${HOME}/.googleearth/myplaces.kml
341	blacklist ${HOME}/.gradle	342	blacklist ${HOME}/.gradle
		343	blacklist ${HOME}/.gramps
342	blacklist ${HOME}/.guayadeque	344	blacklist ${HOME}/.guayadeque
343	blacklist ${HOME}/.hashcat	345	blacklist ${HOME}/.hashcat
344	blacklist ${HOME}/.hedgewars	346	blacklist ${HOME}/.hedgewars
@@ -549,6 +551,7 @@ blacklist ${HOME}/.multimc5
549	blacklist ${HOME}/.nanorc	551	blacklist ${HOME}/.nanorc
550	blacklist ${HOME}/.netactview	552	blacklist ${HOME}/.netactview
551	blacklist ${HOME}/.neverball	553	blacklist ${HOME}/.neverball
		554	blacklist ${HOME}/.newsboat
552	blacklist ${HOME}/.nv	555	blacklist ${HOME}/.nv
553	blacklist ${HOME}/.nylas-mail	556	blacklist ${HOME}/.nylas-mail
554	blacklist ${HOME}/.opencity	557	blacklist ${HOME}/.opencity
@@ -625,6 +628,7 @@ blacklist /tmp/ssh-*
625	# ${HOME}/.cache directory	628	# ${HOME}/.cache directory
626	blacklist ${HOME}/.cache/0ad	629	blacklist ${HOME}/.cache/0ad
627	blacklist ${HOME}/.cache/8pecxstudios	630	blacklist ${HOME}/.cache/8pecxstudios
		631	blacklist ${HOME}/.cache/Authenticator
628	blacklist ${HOME}/.cache/Clementine	632	blacklist ${HOME}/.cache/Clementine
629	blacklist ${HOME}/.cache/Enox	633	blacklist ${HOME}/.cache/Enox
630	blacklist ${HOME}/.cache/Franz	634	blacklist ${HOME}/.cache/Franz


diff --git a/etc/electrum.profile b/etc/electrum.profile index 88d27e47e..ffa0fb5f6 100644 --- a/etc/electrum.profile +++ b/etc/electrum.profile
@@ -50,6 +50,6 @@ disable-mnt
50	private-bin electrum,python*	50	private-bin electrum,python*
51	private-cache	51	private-cache
52	private-dev	52	private-dev
53	private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id	53	private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id,resolv.conf
54	private-tmp	54	private-tmp
55		55


diff --git a/etc/evince.profile b/etc/evince.profile index b1f984784..1a429d673 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -43,7 +43,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
43	private-cache	43	private-cache
44	private-dev	44	private-dev
45	private-etc alternatives,fonts,group,machine-id,passwd	45	private-etc alternatives,fonts,group,machine-id,passwd
46	private-lib evince,gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libdjvulibre.so.,libgconf-2.so.,libpoppler-glib.so.,librsvg-2.so.*,gconv	46	private-lib evince,gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libdjvulibre.so.,libgconf-2.so.,libpoppler-glib.so.,librsvg-2.so.,libspectre.so.,gconv
47	private-tmp	47	private-tmp
48		48
49	# memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)	49	# memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)


diff --git a/etc/flacsplt.profile b/etc/flacsplt.profile new file mode 100644 index 000000000..2efef0f22 --- /dev/null +++ b/etc/flacsplt.profile
@@ -0,0 +1,6 @@
		1	# Firejail profile for flacsplt
		2	# This file is overwritten after every install/update
		3	include flacsplt.local
		4
		5	# Redirect
		6	include mp3splt.profile


diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile new file mode 100644 index 000000000..8a53c63e3 --- /dev/null +++ b/etc/freeoffice-planmaker.profile
@@ -0,0 +1,38 @@
		1	# Firejail profile for freeoffice-planmaker
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include freeoffice-planmaker.local
		5	# Persistent global definitions
		6	include globals.local
		7
		8	noblacklist ${HOME}/SoftMaker
		9
		10	include disable-common.inc
		11	include disable-devel.inc
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14	include disable-passwdmgr.inc
		15	include disable-programs.inc
		16	# include disable-xdg.inc
		17
		18	apparmor
		19	caps.drop all
		20	ipc-namespace
		21	netfilter
		22	no3d
		23	nodbus
		24	nodvd
		25	nogroups
		26	nonewprivs
		27	noroot
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix,inet,inet6
		32	seccomp
		33	shell none
		34	tracelog
		35
		36	private-cache
		37	private-dev
		38	private-tmp


diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile new file mode 100644 index 000000000..63be4da7f --- /dev/null +++ b/etc/freeoffice-presentations.profile
@@ -0,0 +1,38 @@
		1	# Firejail profile for freeoffice-presentations
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include freeoffice-presentations.local
		5	# Persistent global definitions
		6	include globals.local
		7
		8	noblacklist ${HOME}/SoftMaker
		9
		10	include disable-common.inc
		11	include disable-devel.inc
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14	include disable-passwdmgr.inc
		15	include disable-programs.inc
		16	# include disable-xdg.inc
		17
		18	apparmor
		19	caps.drop all
		20	ipc-namespace
		21	netfilter
		22	no3d
		23	nodbus
		24	nodvd
		25	nogroups
		26	nonewprivs
		27	noroot
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix,inet,inet6
		32	seccomp
		33	shell none
		34	tracelog
		35
		36	private-cache
		37	private-dev
		38	private-tmp


diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile new file mode 100644 index 000000000..4bca5a98c --- /dev/null +++ b/etc/freeoffice-textmaker.profile
@@ -0,0 +1,38 @@
		1	# Firejail profile for freeoffice-textmaker
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include freeoffice-textmaker.local
		5	# Persistent global definitions
		6	include globals.local
		7
		8	noblacklist ${HOME}/SoftMaker
		9
		10	include disable-common.inc
		11	include disable-devel.inc
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14	include disable-passwdmgr.inc
		15	include disable-programs.inc
		16	# include disable-xdg.inc
		17
		18	apparmor
		19	caps.drop all
		20	ipc-namespace
		21	netfilter
		22	no3d
		23	nodbus
		24	nodvd
		25	nogroups
		26	nonewprivs
		27	noroot
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix,inet,inet6
		32	seccomp
		33	shell none
		34	tracelog
		35
		36	private-cache
		37	private-dev
		38	private-tmp


diff --git a/etc/gajim.profile b/etc/gajim.profile index 36121c4b9..ee84a0994 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile
@@ -42,7 +42,7 @@ nonewprivs
42	noroot	42	noroot
43	notv	43	notv
44	nou2f	44	nou2f
45	protocol unix,inet,inet6	45	protocol unix,inet,inet6,netlink
46	seccomp	46	seccomp
47	shell none	47	shell none
48	tracelog	48	tracelog


diff --git a/etc/gramps.profile b/etc/gramps.profile new file mode 100644 index 000000000..764c14b60 --- /dev/null +++ b/etc/gramps.profile
@@ -0,0 +1,53 @@
		1	# Firejail profile for gramps
		2	# Description: genealogy program
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gramps.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.gramps
		10
		11	# Allow python (blacklisted by disable-interpreters.inc)
		12	#noblacklist ${PATH}/python2*
		13	noblacklist ${PATH}/python3*
		14	#noblacklist /usr/lib/python2*
		15	noblacklist /usr/lib/python3*
		16	#noblacklist /usr/local/lib/python2*
		17	noblacklist /usr/local/lib/python3*
		18
		19	include disable-common.inc
		20	include disable-devel.inc
		21	include disable-exec.inc
		22	include disable-interpreters.inc
		23	include disable-passwdmgr.inc
		24	include disable-programs.inc
		25	include disable-xdg.inc
		26
		27	mkdir ${HOME}/.gramps
		28	whitelist ${HOME}/.gramps
		29	include whitelist-common.inc
		30	include whitelist-var-common.inc
		31
		32	apparmor
		33	caps.drop all
		34	ipc-namespace
		35	netfilter
		36	no3d
		37	nodbus
		38	nodvd
		39	nogroups
		40	nonewprivs
		41	noroot
		42	nosound
		43	notv
		44	nou2f
		45	novideo
		46	protocol unix,inet,inet6
		47	seccomp
		48	shell none
		49
		50	disable-mnt
		51	private-cache
		52	private-dev
		53	private-tmp


diff --git a/etc/mp3splt.profile b/etc/mp3splt.profile new file mode 100644 index 000000000..6cf6f0409 --- /dev/null +++ b/etc/mp3splt.profile
@@ -0,0 +1,48 @@
		1	# Firejail profile for mp3splt
		2	# Description: utility for mp3 splitting without decoding
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include mp3splt.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${MUSIC}
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-passwdmgr.inc
		16	include disable-programs.inc
		17	include disable-xdg.inc
		18
		19	include whitelist-var-common.inc
		20
		21	apparmor
		22	caps.drop all
		23	ipc-namespace
		24	machine-id
		25	net none
		26	no3d
		27	nodbus
		28	nodvd
		29	nogroups
		30	nonewprivs
		31	noroot
		32	nosound
		33	notv
		34	nou2f
		35	novideo
		36	protocol unix
		37	seccomp
		38	shell none
		39	tracelog
		40
		41	disable-mnt
		42	private-bin flacsplt,mp3splt,mp3wrap,oggsplt
		43	private-cache
		44	private-dev
		45	private-etc alternatives
		46	private-tmp
		47
		48	memory-deny-write-execute


diff --git a/etc/mp3wrap.profile b/etc/mp3wrap.profile new file mode 100644 index 000000000..2e7d97f72 --- /dev/null +++ b/etc/mp3wrap.profile
@@ -0,0 +1,6 @@
		1	# Firejail profile for mp3wrap
		2	# This file is overwritten after every install/update
		3	include mp3wrap.local
		4
		5	# Redirect
		6	include mp3splt.profile


diff --git a/etc/mpv.profile b/etc/mpv.profile index c2ae9c6f9..34542b11b 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile
@@ -1,6 +1,7 @@
1	# Firejail profile for mpv	1	# Firejail profile for mpv
2	# Description: Video player based on MPlayer/mplayer2	2	# Description: Video player based on MPlayer/mplayer2
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
		4	quiet
4	# Persistent local customizations	5	# Persistent local customizations
5	include mpv.local	6	include mpv.local
6	# Persistent global definitions	7	# Persistent global definitions
@@ -44,4 +45,5 @@ shell none
44	tracelog	45	tracelog
45		46
46	private-bin mpv,youtube-dl,python*,env	47	private-bin mpv,youtube-dl,python*,env
		48	private-cache
47	private-dev	49	private-dev


diff --git a/etc/newsboat.profile b/etc/newsboat.profile new file mode 100644 index 000000000..e063abe53 --- /dev/null +++ b/etc/newsboat.profile
@@ -0,0 +1,47 @@
		1	# Firejail profile for Newsboat
		2	# Description: RSS program
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include newsboat.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.newsboat
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-passwdmgr.inc
		16	include disable-programs.inc
		17	include disable-xdg.inc
		18
		19	mkdir ${HOME}/.newsboat
		20	whitelist ${HOME}/.newsboat
		21	include whitelist-common.inc
		22	include whitelist-var-common.inc
		23
		24	caps.drop all
		25	ipc-namespace
		26	netfilter
		27	no3d
		28	nodbus
		29	nodvd
		30	nogroups
		31	nonewprivs
		32	noroot
		33	notv
		34	nou2f
		35	novideo
		36	protocol inet,inet6
		37	seccomp
		38	shell none
		39
		40	disable-mnt
		41	private-bin newsboat
		42	private-cache
		43	private-dev
		44	private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
		45	private-tmp
		46
		47	memory-deny-write-execute


diff --git a/etc/oggsplt.profile b/etc/oggsplt.profile new file mode 100644 index 000000000..456412c30 --- /dev/null +++ b/etc/oggsplt.profile
@@ -0,0 +1,6 @@
		1	# Firejail profile for oggsplt
		2	# This file is overwritten after every install/update
		3	include oggsplt.local
		4
		5	# Redirect
		6	include mp3splt.profile


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 7aec0f82a..44e8dc571 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -184,6 +184,7 @@ firefox-esr
184	firefox-nightly	184	firefox-nightly
185	firefox-wayland	185	firefox-wayland
186	flameshot	186	flameshot
		187	flacsplt
187	flashpeak-slimjet	188	flashpeak-slimjet
188	flowblade	189	flowblade
189	font-manager	190	font-manager
@@ -197,6 +198,9 @@ freeciv-gtk3
197	freeciv-mp-gtk3	198	freeciv-mp-gtk3
198	freecol	199	freecol
199	freemind	200	freemind
		201	freeoffice-planmaker
		202	freeoffice-presentations
		203	freeoffice-textmaker
200	freshclam	204	freshclam
201	frozen-bubble	205	frozen-bubble
202	gajim	206	gajim
@@ -253,6 +257,7 @@ gpa
253	gpicview	257	gpicview
254	gpredict	258	gpredict
255	gradio	259	gradio
		260	gramps
256	gthumb	261	gthumb
257	guayadeque	262	guayadeque
258	gucharmap	263	gucharmap
@@ -356,6 +361,8 @@ midori
356	min	361	min
357	minetest	362	minetest
358	mousepad	363	mousepad
		364	mp3splt
		365	mp3wrap
359	mpDris2	366	mpDris2
360	mplayer	367	mplayer
361	mpsyt	368	mpsyt
@@ -382,6 +389,7 @@ netactview
382	nethack	389	nethack
383	netsurf	390	netsurf
384	neverball	391	neverball
		392	newsboat
385	nheko	393	nheko
386	nitroshare	394	nitroshare
387	nitroshare-cli	395	nitroshare-cli
@@ -394,6 +402,7 @@ nyx
394	obs	402	obs
395	ocenaudio	403	ocenaudio
396	odt2txt	404	odt2txt
		405	oggsplt
397	okular	406	okular
398	onionshare-gui	407	onionshare-gui
399	open-invaders	408	open-invaders