26 files changed, 323 insertions, 17 deletions

diff --git a/etc/authenticator.profile b/etc/authenticator.profile
index f989ab1ba..5f1c64682 100644
--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -6,6 +6,7 @@ include authenticator.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/Authenticator
 noblacklist ${HOME}/.config/Authenticator
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -25,7 +26,7 @@ include disable-programs.inc
 
 # apparmor
 caps.drop all
-net none
+netfilter
 no3d
 # nodbus - makes settings immutable
 nodvd
@@ -36,15 +37,14 @@ nosound
 notv
 nou2f
 # novideo
-protocol unix
+protocol unix,inet,inet6
 seccomp
 shell none
 
 disable-mnt
-# private-bin authenticator
-private-cache
+# private-bin authenticator,python*
 private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,ca-certificates,fonts,ld.so.cache,ssl
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index 3c7423316..63983d93b 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -7,7 +7,7 @@ include chromium-common.local
 #include globals.local
 
 # noexec ${HOME} breaks DRM binaries.
-ignore noexec ${HOME}
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f37626a63..9d7a34bc5 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -247,12 +247,14 @@ read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
 read-only ${HOME}/.gvimrc
+read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
 read-only ${HOME}/.nano
+read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.vim
@@ -264,7 +266,6 @@ read-only ${HOME}/_exrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
-read-only ${HOME}/.homesick
 
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.gem
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 96fd80daf..7e12b97b2 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -5,6 +5,7 @@ include disable-programs.local
 blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
@@ -339,6 +340,7 @@ blacklist ${HOME}/.googleearth/Temp/
 blacklist ${HOME}/.googleearth/myplaces.backup.kml
 blacklist ${HOME}/.googleearth/myplaces.kml
 blacklist ${HOME}/.gradle
+blacklist ${HOME}/.gramps
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hashcat
 blacklist ${HOME}/.hedgewars
@@ -549,6 +551,7 @@ blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
 blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
+blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.opencity
@@ -625,6 +628,7 @@ blacklist /tmp/ssh-*
 # ${HOME}/.cache directory
 blacklist ${HOME}/.cache/0ad
 blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Authenticator
 blacklist ${HOME}/.cache/Clementine
 blacklist ${HOME}/.cache/Enox
 blacklist ${HOME}/.cache/Franz
diff --git a/etc/electrum.profile b/etc/electrum.profile
index 88d27e47e..ffa0fb5f6 100644
--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -50,6 +50,6 @@ disable-mnt
 private-bin electrum,python*
 private-cache
 private-dev
-private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id
+private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id,resolv.conf
 private-tmp
 
diff --git a/etc/evince.profile b/etc/evince.profile
index b1f984784..1a429d673 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -43,7 +43,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
 private-etc alternatives,fonts,group,machine-id,passwd
-private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
+private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*,gconv
 private-tmp
 
 # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index a2a34f33f..080d9e81a 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -7,7 +7,7 @@ include firefox-common.local
 #include globals.local
 
 # noexec ${HOME} breaks DRM binaries.
-ignore noexec ${HOME}
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
 # Uncomment the following line to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
diff --git a/etc/firejail.config b/etc/firejail.config
index b37edf7a5..497d9633e 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -5,9 +5,6 @@
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 
-# Disable U2F in browsers, default enabled.
-# browser-disable-u2f yes
-
 # Number of ARP probes sent when assigning an IP address for --net option,
 # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
 # timeout is implemented for each probe. Increase this number to 4 if your
@@ -18,6 +15,12 @@
 # Enable or disable bind support, default enabled.
 # bind yes
 
+# Allow (DRM) execution in browsers, default disabled.
+# browser-allow-drm no
+
+# Disable U2F in browsers, default enabled.
+# browser-disable-u2f yes
+
 # Enable or disable cgroup support, default enabled.
 # cgroup yes
 
diff --git a/etc/flacsplt.profile b/etc/flacsplt.profile
new file mode 100644
index 000000000..2efef0f22
--- /dev/null
+++ b/etc/flacsplt.profile
@@ -0,0 +1,6 @@
+# Firejail profile for flacsplt
+# This file is overwritten after every install/update
+include flacsplt.local
+
+# Redirect
+include mp3splt.profile
diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile
new file mode 100644
index 000000000..8a53c63e3
--- /dev/null
+++ b/etc/freeoffice-planmaker.profile
@@ -0,0 +1,38 @@
+# Firejail profile for freeoffice-planmaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-planmaker.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/SoftMaker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile
new file mode 100644
index 000000000..63be4da7f
--- /dev/null
+++ b/etc/freeoffice-presentations.profile
@@ -0,0 +1,38 @@
+# Firejail profile for freeoffice-presentations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-presentations.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/SoftMaker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile
new file mode 100644
index 000000000..4bca5a98c
--- /dev/null
+++ b/etc/freeoffice-textmaker.profile
@@ -0,0 +1,38 @@
+# Firejail profile for freeoffice-textmaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-textmaker.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/SoftMaker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 36121c4b9..ee84a0994 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -42,7 +42,7 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
diff --git a/etc/gramps.profile b/etc/gramps.profile
new file mode 100644
index 000000000..764c14b60
--- /dev/null
+++ b/etc/gramps.profile
@@ -0,0 +1,53 @@
+# Firejail profile for gramps
+# Description: genealogy program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gramps.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gramps
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+#noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gramps
+whitelist ${HOME}/.gramps
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
diff --git a/etc/midori.profile b/etc/midori.profile
index d59a6a16b..e4d39cd70 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -14,7 +14,7 @@ noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
 # noexec ${HOME} breaks DRM binaries.
-ignore noexec ${HOME}
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/min.profile b/etc/min.profile
index eec81677d..c89df0a95 100644
--- a/etc/min.profile
+++ b/etc/min.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
 # noexec ${HOME} breaks DRM binaries.
-ignore noexec ${HOME}
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/mp3splt.profile b/etc/mp3splt.profile
new file mode 100644
index 000000000..6cf6f0409
--- /dev/null
+++ b/etc/mp3splt.profile
@@ -0,0 +1,48 @@
+# Firejail profile for mp3splt
+# Description: utility for mp3 splitting without decoding
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mp3splt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin flacsplt,mp3splt,mp3wrap,oggsplt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/mp3wrap.profile b/etc/mp3wrap.profile
new file mode 100644
index 000000000..2e7d97f72
--- /dev/null
+++ b/etc/mp3wrap.profile
@@ -0,0 +1,6 @@
+# Firejail profile for mp3wrap
+# This file is overwritten after every install/update
+include mp3wrap.local
+
+# Redirect
+include mp3splt.profile
diff --git a/etc/mpv.profile b/etc/mpv.profile
index c2ae9c6f9..34542b11b 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -1,6 +1,7 @@
 # Firejail profile for mpv
 # Description: Video player based on MPlayer/mplayer2
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include mpv.local
 # Persistent global definitions
@@ -44,4 +45,5 @@ shell none
 tracelog
 
 private-bin mpv,youtube-dl,python*,env
+private-cache
 private-dev
diff --git a/etc/newsboat.profile b/etc/newsboat.profile
new file mode 100644
index 000000000..e063abe53
--- /dev/null
+++ b/etc/newsboat.profile
@@ -0,0 +1,47 @@
+# Firejail profile for Newsboat
+# Description: RSS program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsboat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.newsboat
+whitelist ${HOME}/.newsboat
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin newsboat
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/oggsplt.profile b/etc/oggsplt.profile
new file mode 100644
index 000000000..456412c30
--- /dev/null
+++ b/etc/oggsplt.profile
@@ -0,0 +1,6 @@
+# Firejail profile for oggsplt
+# This file is overwritten after every install/update
+include oggsplt.local
+
+# Redirect
+include mp3splt.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 097d03235..9f5f7a7a8 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -186,6 +186,7 @@ firefox-esr
 firefox-nightly
 firefox-wayland
 flameshot
+flacsplt
 flashpeak-slimjet
 flowblade
 font-manager
@@ -199,6 +200,9 @@ freeciv-gtk3
 freeciv-mp-gtk3
 freecol
 freemind
+freeoffice-planmaker
+freeoffice-presentations
+freeoffice-textmaker
 freshclam
 frozen-bubble
 gajim
@@ -255,6 +259,7 @@ gpa
 gpicview
 gpredict
 gradio
+gramps
 gthumb
 guayadeque
 gucharmap
@@ -358,6 +363,8 @@ midori
 min
 minetest
 mousepad
+mp3splt
+mp3wrap
 mpDris2
 mplayer
 mpsyt
@@ -384,6 +391,7 @@ netactview
 nethack
 netsurf
 neverball
+newsboat
 nheko
 nitroshare
 nitroshare-cli
@@ -396,6 +404,7 @@ nyx
 obs
 ocenaudio
 odt2txt
+oggsplt
 okular
 onionshare-gui
 open-invaders
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 54f6ea023..7ca72bf30 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -111,6 +111,7 @@ int checkcfg(int val) {
                         PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
                         PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
                         PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
+                        PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
 #undef PARSE_YESNO
 
                         // netfilter
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index b2c18d79f..2e04084e3 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -702,6 +702,7 @@ enum {
         CFG_ARP_PROBES,
         CFG_XPRA_ATTACH,
         CFG_BROWSER_DISABLE_U2F,
+        CFG_BROWSER_ALLOW_DRM,
         CFG_PRIVATE_LIB,
         CFG_APPARMOR,
         CFG_DBUS,
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 667b03652..c8619f7e2 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -151,10 +151,15 @@ static int check_disable_u2f(void) {
         return checkcfg(CFG_BROWSER_DISABLE_U2F) != 0;
 }
 
+static int check_allow_drm(void) {
+        return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
+}
+
 Cond conditionals[] = {
         {"HAS_APPIMAGE", check_appimage},
         {"HAS_NODBUS", check_nodbus},
         {"BROWSER_DISABLE_U2F", check_disable_u2f},
+        {"BROWSER_ALLOW_DRM", check_allow_drm},
         { NULL, NULL }
 };
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index dde815d05..20b547355 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS and BROWSER_DISABLE_U2F.
+Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F, and BROWSER_ALLOW_DRM.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.