10 files changed, 81 insertions, 14 deletions

diff --git a/Makefile.in b/Makefile.in
index 65dd430b5..8cbba12e9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -89,7 +89,7 @@ distclean: clean
         for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
                 $(MAKE) -C $$dir distclean; \
         done
-        rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk
+        rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh
 
 realinstall:
         # firejail executable
@@ -176,7 +176,9 @@ DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcop
 
 dist:
         mv config.status config.status.old
+        mv mkdeb.sh mkdeb.sh.old
         make distclean
+        mv mkdeb.sh.old mkdeb.sh
         mv config.status.old config.status
         rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz
         mkdir -p $(NAME)-$(VERSION)/test
@@ -269,7 +271,7 @@ test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sy
 
 ##########################################
 # Individual tests, some of them require root access
-# The tests are very intrussive, by the time you are done
+# The tests are very intrusive, by the time you are done
 # with them you will need to restart your computer.
 ##########################################
 
@@ -294,7 +296,7 @@ test-network:
 test-stress:
         cd test/stress; ./stress.sh | grep TESTING
 
-# Tesets running a root user
+# Tests running a root user
 test-root:
         cd test/root; su -c ./root.sh | grep TESTING
 
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index f72394810..f033371f8 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -237,6 +237,7 @@ blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gummi
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/homebank
 blacklist ${HOME}/.config/i2p
 blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index cbeef798f..35bea4aaa 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -32,7 +32,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
 
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
+private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index bc6626598..ceb01f2a0 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -25,7 +25,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none -- breaks currency conversion
 netfilter
 no3d
 nodvd
@@ -39,6 +39,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin gnome-calculator
@@ -47,8 +48,7 @@ private-dev
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
-
-# memory-deny-write-execute
+dbus-user filter
+dbus-user.own org.gnome.Calculator
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index 2a5d2a231..a46e47759 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -50,7 +50,9 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.Pomodoro
 dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.gnome.Shell
+dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
 read-only ${HOME}
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
new file mode 100644
index 000000000..8e600a2d7
--- /dev/null
+++ b/etc/profile-a-l/homebank.profile
@@ -0,0 +1,59 @@
+# Firejail profile for homebank
+# Description: Personal finance manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include homebank.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/homebank
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/homebank
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/homebank
+whitelist /usr/share/homebank
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+nodvd
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin homebank
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 5d9225705..b51a86e7d 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -34,10 +34,12 @@ nodvd
 nogroups
 notv
 nou2f
+novideo
 shell none
 
 disable-mnt
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index 326b97e4b..bd7faa80a 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -1,14 +1,14 @@
 # Firejail profile for teams
 # Description: Official Microsoft Teams client for Linux using Electron.
 # This file is overwritten after every install/update
-# Known issues:
-#  * if Teams crashes on startup try using "ignore apparmor" in your local config
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
 
+# see #3404
+ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
 
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index e3af5600a..8e0741458 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -25,5 +25,5 @@ seccomp
 
 disable-mnt
 private-cache
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
-
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 9f144f11e..3ae6e4729 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -333,6 +333,7 @@ hedgewars
 hexchat
 highlight
 hitori
+homebank
 host
 hugin
 hyperrogue
@@ -537,7 +538,7 @@ orage
 ostrichriders
 out123
 palemoon
-pandoc
+#pandoc
 parole
 patch
 pavucontrol