14 files changed, 74 insertions, 19 deletions

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index fe0f96857..7ab11e620 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -303,6 +303,7 @@ blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/matrix-mirage
 blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/menulibre.cfg
@@ -673,6 +674,7 @@ blacklist ${HOME}/.local/share/lugaru
 blacklist ${HOME}/.local/share/lutris
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
+blacklist ${HOME}/.local/share/matrix-mirage
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/mirage
@@ -946,6 +948,7 @@ blacklist ${HOME}/.cache/librewolf
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/lutris
 blacklist ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/matrix-mirage
 blacklist ${HOME}/.cache/microsoft-edge-dev
 blacklist ${HOME}/.cache/midori
 blacklist ${HOME}/.cache/minetest
@@ -962,7 +965,7 @@ blacklist ${HOME}/.cache/ms-skype-online
 blacklist ${HOME}/.cache/ms-word-online
 blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/mypaint
-blacklist ${HOME}/.cache/nheko/nheko
+blacklist ${HOME}/.cache/nheko
 blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/okular
 blacklist ${HOME}/.cache/opera
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 8f7640ffe..98188d2a7 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -49,7 +49,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin alacarte,bash,python*,sh
+# private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 2d56369cd..48a826f2e 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -7,6 +7,8 @@ include element-desktop.local
 # added by included profile
 #include globals.local
 
+ignore dbus-user none
+
 noblacklist ${HOME}/.config/Element
 
 mkdir ${HOME}/.config/Element
@@ -15,5 +17,8 @@ whitelist /opt/Element
 
 private-opt Element
 
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+
 # Redirect
 include riot-desktop.profile
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 3ee07e559..8ac7755de 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -1,6 +1,7 @@
 # Firejail profile for feh
 # Description: imlib2 based image viewer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include feh.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 58db056b2..456f1820d 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -73,12 +73,11 @@ dbus-user.talk org.freedesktop.login1.Session
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.gnome.SessionManager.Presence
-# Uncomment or add to your keepassxc.local to allow Notifications/Tray.
+# Uncomment or add to your keepassxc.local to allow Notifications.
 #dbus-user.talk org.freedesktop.Notifications
+# Uncomment or add to your keepassxc.local to allow Tray.
 #dbus-user.talk org.kde.StatusNotifierWatcher
-# These numbers seems to be not stable, see #3713. Play around with them.
-#dbus-user.own org.kde.StatusNotifierItem-2-2
-#dbus-user.own org.kde.StatusNotifierItem-10-2
+#dbus-user.own org.kde.*
 dbus-system none
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index b2f94d3cf..ccc77f274 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -1,6 +1,7 @@
 # Firejail profile for links
 # Description: Text WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include links.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index dbd0a61e5..76a0e7ed0 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lynx
 # Description: Classic non-graphical (text-mode) web browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lynx.local
 # Persistent global definitions
diff --git a/etc/profile-m-z/matrix-mirage.profile b/etc/profile-m-z/matrix-mirage.profile
new file mode 100644
index 000000000..b3080df88
--- /dev/null
+++ b/etc/profile-m-z/matrix-mirage.profile
@@ -0,0 +1,24 @@
+# Firejail profile for matrix-mirage
+# Description: Debian name for mirage binary/package
+# This file is overwritten after every install/update
+# Persistent local customizations
+include matrix-mirage.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/matrix-mirage
+noblacklist ${HOME}/.config/matrix-mirage
+noblacklist ${HOME}/.local/share/matrix-mirage
+
+mkdir ${HOME}/.cache/matrix-mirage
+mkdir ${HOME}/.config/matrix-mirage
+mkdir ${HOME}/.local/share/matrix-mirage
+whitelist ${HOME}/.cache/matrix-mirage
+whitelist ${HOME}/.config/matrix-mirage
+whitelist ${HOME}/.local/share/matrix-mirage
+
+private-bin matrix-mirage
+
+# Redirect
+include mirage.profile
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index 55c11be29..7130267e8 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.cache/mirage
 noblacklist ${HOME}/.config/mirage
 noblacklist ${HOME}/.local/share/mirage
+noblacklist /sbin
 
 include allow-python2.inc
 include allow-python3.inc
@@ -49,7 +50,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin mirage
+private-bin ldconfig,mirage
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 701098f4b..42e7e92fc 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -7,7 +7,7 @@ include nheko.local
 include globals.local
 
 noblacklist ${HOME}/.config/nheko
-noblacklist ${HOME}/.cache/nheko/nheko
+noblacklist ${HOME}/.cache/nheko
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,14 +16,19 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.cache/nheko/nheko
 whitelist ${HOME}/.config/nheko
-whitelist ${HOME}/.cache/nheko/nheko
+whitelist ${HOME}/.cache/nheko
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -38,5 +43,14 @@ tracelog
 
 disable-mnt
 private-bin nheko
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
+dbus-user none
+# Comment the above line and uncomment below lines for notification popups
+# dbus-user filter
+# dbus-user.talk org.freedesktop.Notifications
+# dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 66e917432..093661d8c 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -50,4 +50,8 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,
 private-tmp
 
 dbus-user none
+# Comment the above line and uncomment below lines for notification popups
+# dbus-user filter
+# dbus-user.talk org.freedesktop.Notifications
+# dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 9cec07e57..23b1e364a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -463,6 +463,7 @@ mate-calculator
 mate-color-select
 mate-dictionary
 mathematica
+matrix-mirage
 mattermost-desktop
 mcabber
 mediainfo
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 01df77ee6..d7426f6ae 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -204,11 +204,12 @@ void run_no_sandbox(int argc, char **argv) {
                         break;
                 }
         }
-        // if shell is /usr/bin/firejail, replace it with /bin/bash
-        if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
-                cfg.shell = "/bin/bash";
-                prog_index = 0;
-        }
+
+// if shell is /usr/bin/firejail, replace it with /bin/bash
+//      if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
+//              cfg.shell = "/bin/bash";
+//              prog_index = 0;
+//      }
 
         if (prog_index == 0) {
                 cfg.command_line = cfg.shell;
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 562b3eda3..347e2b31b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,10 +76,10 @@ If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
 to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
-If a program argument is not specified, Firejail starts /bin/bash shell.
+If a program argument is not specified, Firejail starts the user's preferred shell.
 Examples:
 .PP
-$ firejail [OPTIONS]                # starting a /bin/bash shell
+$ firejail [OPTIONS]                # starting the program specified in $SHELL, usually /bin/bash
 .PP
 $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 .PP
@@ -2476,7 +2476,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used.
+By default the user's preferred shell is used.
 .br
 
 .br
@@ -3023,7 +3023,7 @@ We provide a tool that automates all this integration, please see \&\flfirecfg\f
 .SH EXAMPLES
 .TP
 \f\firejail
-Sandbox a regular /bin/bash session.
+Sandbox a regular shell session.
 .TP
 \f\firejail firefox
 Start Mozilla Firefox.
@@ -3043,7 +3043,7 @@ Start Firefox in a new network namespace. An IP address is
 assigned automatically.
 .TP
 \f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
-Start a /bin/bash session in a new network namespace and connect it
+Start a shell session in a new network namespace and connect it
 to br0, br1, and br2 host bridge devices. IP addresses are assigned
 automatically for the interfaces connected to br1 and b2
 #endif