7 files changed, 257 insertions, 0 deletions
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
new file mode 100644
index 000000000..72b4f7a77
--- /dev/null
+++ b/etc/dconf-editor.profile
@@ -0,0 +1,47 @@
+# Firejail profile for dconf-editor
+# Description: dconf configuration editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dconf-editor.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+# nodbus - DBUS is needed to commit changes to dconf
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin dconf-editor
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index aa1acbb88..0c7a8b020 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -93,6 +93,7 @@ blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/Signal
 blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Standard Notes
+blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
@@ -144,8 +145,10 @@ blacklist ${HOME}/.config/evolution
 blacklist ${HOME}/.config/falkon
 blacklist ${HOME}/.config/filezilla
 blacklist ${HOME}/.config/flowblade
+blacklist ${HOME}/.config/font-manager
 blacklist ${HOME}/.config/gajim
 blacklist ${HOME}/.config/galculator
+blacklist ${HOME}/.config/gconf
 blacklist ${HOME}/.config/geany
 blacklist ${HOME}/.config/gedit
 blacklist ${HOME}/.config/geeqie
@@ -512,6 +515,7 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.qmmp
+blacklist ${HOME}/.quodlibet
 blacklist ${HOME}/.redeclipse
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
new file mode 100644
index 000000000..58fd1b3b2
--- /dev/null
+++ b/etc/exfalso.profile
@@ -0,0 +1,52 @@
+# Firejail profile for exfalso
+# Description: GTK audio tag editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include exfalso.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.quodlibet
+noblacklist ${MUSIC}
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+# machine-id breaks audio; it should work fine in setups where sound is not required
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin exfalso,python*
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
+private-tmp
+# memory-deny-write-execute - Breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/font-manager.profile b/etc/font-manager.profile
new file mode 100644
index 000000000..fa5ee6105
--- /dev/null
+++ b/etc/font-manager.profile
@@ -0,0 +1,54 @@
+# Firejail profile for font-manager
+# Description: A simple font management application for GTK desktop environments
+# This file is overwritten after every install/update
+# Persistent local customizations
+include font-manager.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/font-manager
+whitelist ${HOME}/.config/font-manager
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/font-manager
+whitelist ${HOME}/.cache/font-manager
+include whitelist-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin font-manager,python*,yelp
+private-dev
+private-tmp
+#memory-deny-write-execute - Breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gconf-editor.profile b/etc/gconf-editor.profile
new file mode 100644
index 000000000..a5132e937
--- /dev/null
+++ b/etc/gconf-editor.profile
@@ -0,0 +1,49 @@
+# Firejail profile for gconf-editor
+# Description: Graphical gconf registry editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-editor.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/gconf
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+# nodbus - DBUS is needed to commit changes to gconf
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gconf-editor
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile
new file mode 100644
index 000000000..009cf65df
--- /dev/null
+++ b/etc/subdownloader.profile
@@ -0,0 +1,46 @@
+# Firejail profile for subdownloader
+# Description: Automatic download/upload of subtitles using fast hashing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include subdownloader.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/SubDownloader
+noblacklist ${VIDEOS}
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+apparmor
+caps.drop all
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+# memory-deny-write-execute - Breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 8713aeaa4..be42684d3 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -99,6 +99,7 @@ crow
 cvlc
 cyberfox
 darktable
+dconf-editor
 deadbeef
 deluge
 dex2jar
@@ -139,6 +140,7 @@ evince
 evince-previewer
 evince-thumbnailer
 evolution
+exfalso
 exiftool
 falkon
 fbreader
@@ -155,6 +157,7 @@ firefox-wayland
 flameshot
 flashpeak-slimjet
 flowblade
+font-manager
 fontforge
 franz
 freecad
@@ -164,6 +167,7 @@ frozen-bubble
 gajim
 galculator
 gcloud
+gconf-editor
 geany
 geary
 gedit
@@ -412,6 +416,7 @@ steam
 steam-native
 stellarium
 strings
+subdownloader
 supertux2
 supertuxkart
 surf

diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile new file mode 100644 index 000000000..72b4f7a77 --- /dev/null +++ b/etc/dconf-editor.profile
@@ -0,0 +1,47 @@
		1	# Firejail profile for dconf-editor
		2	# Description: dconf configuration editor
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include dconf-editor.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	include disable-common.inc
		10	include disable-devel.inc
		11	include disable-interpreters.inc
		12	include disable-passwdmgr.inc
		13	include disable-programs.inc
		14	include disable-xdg.inc
		15
		16	include whitelist-common.inc
		17
		18	apparmor
		19	caps.drop all
		20	machine-id
		21	net none
		22	no3d
		23	# nodbus - DBUS is needed to commit changes to dconf
		24	nodvd
		25	nogroups
		26	nonewprivs
		27	noroot
		28	nosound
		29	notv
		30	nou2f
		31	novideo
		32	protocol unix
		33	seccomp
		34	shell none
		35	tracelog
		36
		37	disable-mnt
		38	private-bin dconf-editor
		39	private-cache
		40	private-dev
		41	private-etc alternatives,fonts
		42	private-lib
		43	private-tmp
		44
		45	memory-deny-write-execute
		46	noexec ${HOME}
		47	noexec /tmp


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index aa1acbb88..0c7a8b020 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -93,6 +93,7 @@ blacklist ${HOME}/.config/Rocket.Chat
93	blacklist ${HOME}/.config/Signal	93	blacklist ${HOME}/.config/Signal
94	blacklist ${HOME}/.config/Slack	94	blacklist ${HOME}/.config/Slack
95	blacklist ${HOME}/.config/Standard Notes	95	blacklist ${HOME}/.config/Standard Notes
		96	blacklist ${HOME}/.config/SubDownloader
96	blacklist ${HOME}/.config/Thunar	97	blacklist ${HOME}/.config/Thunar
97	blacklist ${HOME}/.config/VirtualBox	98	blacklist ${HOME}/.config/VirtualBox
98	blacklist ${HOME}/.config/Wire	99	blacklist ${HOME}/.config/Wire
@@ -144,8 +145,10 @@ blacklist ${HOME}/.config/evolution
144	blacklist ${HOME}/.config/falkon	145	blacklist ${HOME}/.config/falkon
145	blacklist ${HOME}/.config/filezilla	146	blacklist ${HOME}/.config/filezilla
146	blacklist ${HOME}/.config/flowblade	147	blacklist ${HOME}/.config/flowblade
		148	blacklist ${HOME}/.config/font-manager
147	blacklist ${HOME}/.config/gajim	149	blacklist ${HOME}/.config/gajim
148	blacklist ${HOME}/.config/galculator	150	blacklist ${HOME}/.config/galculator
		151	blacklist ${HOME}/.config/gconf
149	blacklist ${HOME}/.config/geany	152	blacklist ${HOME}/.config/geany
150	blacklist ${HOME}/.config/gedit	153	blacklist ${HOME}/.config/gedit
151	blacklist ${HOME}/.config/geeqie	154	blacklist ${HOME}/.config/geeqie
@@ -512,6 +515,7 @@ blacklist ${HOME}/.pingus
512	blacklist ${HOME}/.purple	515	blacklist ${HOME}/.purple
513	blacklist ${HOME}/.qemu-launcher	516	blacklist ${HOME}/.qemu-launcher
514	blacklist ${HOME}/.qmmp	517	blacklist ${HOME}/.qmmp
		518	blacklist ${HOME}/.quodlibet
515	blacklist ${HOME}/.redeclipse	519	blacklist ${HOME}/.redeclipse
516	blacklist ${HOME}/.remmina	520	blacklist ${HOME}/.remmina
517	blacklist ${HOME}/.repo_.gitconfig.json	521	blacklist ${HOME}/.repo_.gitconfig.json


diff --git a/etc/exfalso.profile b/etc/exfalso.profile new file mode 100644 index 000000000..58fd1b3b2 --- /dev/null +++ b/etc/exfalso.profile
@@ -0,0 +1,52 @@
		1	# Firejail profile for exfalso
		2	# Description: GTK audio tag editor
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include exfalso.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.quodlibet
		10	noblacklist ${MUSIC}
		11
		12	# Allow python (blacklisted by disable-interpreters.inc)
		13	noblacklist ${PATH}/python2*
		14	noblacklist ${PATH}/python3*
		15	noblacklist /usr/lib/python2*
		16	noblacklist /usr/lib/python3*
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-interpreters.inc
		21	include disable-passwdmgr.inc
		22	include disable-programs.inc
		23	include disable-xdg.inc
		24
		25	caps.drop all
		26	# machine-id breaks audio; it should work fine in setups where sound is not required
		27	machine-id
		28	netfilter
		29	no3d
		30	nodbus
		31	nodvd
		32	nogroups
		33	nonewprivs
		34	noroot
		35	nosound
		36	notv
		37	nou2f
		38	novideo
		39	protocol unix,inet,inet6
		40	seccomp
		41	shell none
		42
		43	private-bin exfalso,python*
		44	private-cache
		45	private-dev
		46	private-etc alternatives,fonts,group,passwd
		47	private-lib libatk-1.0.so.,libgdk-3.so.,libgdk_pixbuf-2.0.so.,libgirepository-1.0.so.,libgstreamer-1.0.so.,libgtk-3.so.,libgtksourceview-3.0.so.,libpango-1.0.so.,libpython,libreadline.so.,libsoup-2.4.so.,libssl.so.1.,python2,python3
		48	private-tmp
		49
		50	# memory-deny-write-execute - Breaks on Arch
		51	noexec ${HOME}
		52	noexec /tmp


diff --git a/etc/font-manager.profile b/etc/font-manager.profile new file mode 100644 index 000000000..fa5ee6105 --- /dev/null +++ b/etc/font-manager.profile
@@ -0,0 +1,54 @@
		1	# Firejail profile for font-manager
		2	# Description: A simple font management application for GTK desktop environments
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include font-manager.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/font-manager
		10	whitelist ${HOME}/.config/font-manager
		11
		12	# Allow python (blacklisted by disable-interpreters.inc)
		13	noblacklist ${PATH}/python2*
		14	noblacklist ${PATH}/python3*
		15	noblacklist /usr/lib/python2*
		16	noblacklist /usr/lib/python3*
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-interpreters.inc
		21	include disable-passwdmgr.inc
		22	include disable-programs.inc
		23	include disable-xdg.inc
		24
		25	mkdir ${HOME}/.cache/font-manager
		26	whitelist ${HOME}/.cache/font-manager
		27	include whitelist-common.inc
		28
		29	apparmor
		30	caps.drop all
		31	machine-id
		32	net none
		33	no3d
		34	nodvd
		35	nogroups
		36	nonewprivs
		37	noroot
		38	nosound
		39	notv
		40	nou2f
		41	novideo
		42	protocol unix
		43	seccomp
		44	shell none
		45	tracelog
		46
		47	disable-mnt
		48	private-bin font-manager,python*,yelp
		49	private-dev
		50	private-tmp
		51
		52	#memory-deny-write-execute - Breaks on Arch
		53	noexec ${HOME}
		54	noexec /tmp


diff --git a/etc/gconf-editor.profile b/etc/gconf-editor.profile new file mode 100644 index 000000000..a5132e937 --- /dev/null +++ b/etc/gconf-editor.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for gconf-editor
		2	# Description: Graphical gconf registry editor
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gconf-editor.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/gconf
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-interpreters.inc
		14	include disable-passwdmgr.inc
		15	include disable-programs.inc
		16	include disable-xdg.inc
		17
		18	include whitelist-common.inc
		19
		20	apparmor
		21	caps.drop all
		22	machine-id
		23	net none
		24	no3d
		25	# nodbus - DBUS is needed to commit changes to gconf
		26	nodvd
		27	nogroups
		28	nonewprivs
		29	noroot
		30	nosound
		31	notv
		32	nou2f
		33	novideo
		34	protocol unix
		35	seccomp
		36	shell none
		37	tracelog
		38
		39	disable-mnt
		40	private-bin gconf-editor
		41	private-cache
		42	private-dev
		43	private-etc alternatives,fonts
		44	private-lib
		45	private-tmp
		46
		47	memory-deny-write-execute
		48	noexec ${HOME}
		49	noexec /tmp


diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile new file mode 100644 index 000000000..009cf65df --- /dev/null +++ b/etc/subdownloader.profile
@@ -0,0 +1,46 @@
		1	# Firejail profile for subdownloader
		2	# Description: Automatic download/upload of subtitles using fast hashing
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include subdownloader.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/SubDownloader
		10	noblacklist ${VIDEOS}
		11
		12	# Allow python (blacklisted by disable-interpreters.inc)
		13	noblacklist ${PATH}/python2*
		14	noblacklist ${PATH}/python3*
		15	noblacklist /usr/lib/python2*
		16	noblacklist /usr/lib/python3*
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-interpreters.inc
		21	include disable-passwdmgr.inc
		22	include disable-programs.inc
		23	include disable-xdg.inc
		24
		25	apparmor
		26	caps.drop all
		27	netfilter
		28	nodbus
		29	nodvd
		30	nogroups
		31	nonewprivs
		32	noroot
		33	notv
		34	nou2f
		35	protocol unix,inet,inet6
		36	seccomp
		37	shell none
		38
		39	private-cache
		40	private-dev
		41	private-etc alternatives,fonts
		42	private-tmp
		43
		44	# memory-deny-write-execute - Breaks on Arch
		45	noexec ${HOME}
		46	noexec /tmp


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 8713aeaa4..be42684d3 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -99,6 +99,7 @@ crow
99	cvlc	99	cvlc
100	cyberfox	100	cyberfox
101	darktable	101	darktable
		102	dconf-editor
102	deadbeef	103	deadbeef
103	deluge	104	deluge
104	dex2jar	105	dex2jar
@@ -139,6 +140,7 @@ evince
139	evince-previewer	140	evince-previewer
140	evince-thumbnailer	141	evince-thumbnailer
141	evolution	142	evolution
		143	exfalso
142	exiftool	144	exiftool
143	falkon	145	falkon
144	fbreader	146	fbreader
@@ -155,6 +157,7 @@ firefox-wayland
155	flameshot	157	flameshot
156	flashpeak-slimjet	158	flashpeak-slimjet
157	flowblade	159	flowblade
		160	font-manager
158	fontforge	161	fontforge
159	franz	162	franz
160	freecad	163	freecad
@@ -164,6 +167,7 @@ frozen-bubble
164	gajim	167	gajim
165	galculator	168	galculator
166	gcloud	169	gcloud
		170	gconf-editor
167	geany	171	geany
168	geary	172	geary
169	gedit	173	gedit
@@ -412,6 +416,7 @@ steam
412	steam-native	416	steam-native
413	stellarium	417	stellarium
414	strings	418	strings
		419	subdownloader
415	supertux2	420	supertux2
416	supertuxkart	421	supertuxkart
417	surf	422	surf