17 files changed, 173 insertions, 7 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 29817211d..2d81f2e42 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -3,6 +3,7 @@
 name: Build-extra
 
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'dependabot/**'
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0577cb962..0a4da2cc3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,6 +5,7 @@ name: Build
 
 # Note: Keep this list in sync with DISTFILES in ../../Makefile.
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'dependabot/**'
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index 7340ce8ce..946fd24f8 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -3,6 +3,7 @@
 name: Check-C
 
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'dependabot/**'
@@ -149,7 +150,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@6a28655e3dcb49cb0840ea372fd6d17733edd8a4
+      uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9
       with:
         languages: cpp
 
@@ -160,4 +161,4 @@ jobs:
       run: make -j "$(nproc)"
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@6a28655e3dcb49cb0840ea372fd6d17733edd8a4
+      uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml
index e05eed664..38a7bc487 100644
--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -3,6 +3,7 @@
 name: Check-Profiles
 
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'dependabot/**'
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 5d4320809..62f5b1ce6 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -3,6 +3,7 @@
 name: Check-Python
 
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'dependabot/**'
@@ -49,9 +50,9 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@6a28655e3dcb49cb0840ea372fd6d17733edd8a4
+      uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9
       with:
         languages: python
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@6a28655e3dcb49cb0840ea372fd6d17733edd8a4
+      uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 380abe248..9e4ed3e9e 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -3,6 +3,7 @@
 name: Codespell
 
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'dependabot/**'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 921245801..842b8bcb5 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -3,6 +3,7 @@
 name: Test
 
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'dependabot/**'
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index b688647b5..8dae97fe9 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -610,6 +610,8 @@ blacklist /tmp/.lxterminal-socket*
 blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
+blacklist ${PATH}/foot
+blacklist ${PATH}/footserver
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/kgx
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 36033224a..f2a03764d 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -112,6 +112,7 @@ blacklist ${HOME}/.cache/falkon
 blacklist ${HOME}/.cache/feedreader
 blacklist ${HOME}/.cache/firedragon
 blacklist ${HOME}/.cache/flaska.net/trojita
+blacklist ${HOME}/.cache/floorp
 blacklist ${HOME}/.cache/folks
 blacklist ${HOME}/.cache/font-manager
 blacklist ${HOME}/.cache/fossamail
@@ -157,6 +158,7 @@ blacklist ${HOME}/.cache/ksplashqml
 blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/lbry-viewer
+blacklist ${HOME}/.cache/lettura
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/librewolf
 blacklist ${HOME}/.cache/liferea
@@ -385,6 +387,7 @@ blacklist ${HOME}/.config/borg
 blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/brave-flags.conf
+blacklist ${HOME}/.config/breezy
 blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
 blacklist ${HOME}/.config/cantata
@@ -406,6 +409,7 @@ blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
+blacklist ${HOME}/.config/com.lettura.dev
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/d-feet
@@ -718,6 +722,7 @@ blacklist ${HOME}/.etr
 blacklist ${HOME}/.factorio
 blacklist ${HOME}/.filezilla
 blacklist ${HOME}/.firedragon
+blacklist ${HOME}/.floorp
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.fltk
 blacklist ${HOME}/.fossamail
@@ -833,6 +838,7 @@ blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.klei
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.lettura
 blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.links
@@ -903,6 +909,7 @@ blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/chatterino
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.local/share/com.lettura.dev
 blacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
 blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/cor-games
diff --git a/etc/profile-a-l/brz.profile b/etc/profile-a-l/brz.profile
new file mode 100644
index 000000000..dcc7af54b
--- /dev/null
+++ b/etc/profile-a-l/brz.profile
@@ -0,0 +1,14 @@
+# Firejail profile for brz
+# Description: Distributed VCS with support for Bazaar and Git file formats
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include brz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/breezy
+
+# Redirect
+include git.profile
diff --git a/etc/profile-a-l/bzr.profile b/etc/profile-a-l/bzr.profile
new file mode 100644
index 000000000..61c1aae38
--- /dev/null
+++ b/etc/profile-a-l/bzr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for bzr
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include brz.profile
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index b32f7595c..cc1a290ef 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -6,6 +6,8 @@ include file-roller.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${PATH}/dpkg*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -40,7 +42,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
+private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg*,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
 private-etc @x11
diff --git a/etc/profile-a-l/floorp.profile b/etc/profile-a-l/floorp.profile
new file mode 100644
index 000000000..49caed107
--- /dev/null
+++ b/etc/profile-a-l/floorp.profile
@@ -0,0 +1,45 @@
+# Firejail profile for floorp
+# Description: A customisable Firefox fork with excellent privacy protection
+# This file is overwritten after every install/update
+# Persistent local customizations
+include floorp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/floorp
+noblacklist ${HOME}/.floorp
+
+mkdir ${HOME}/.cache/floorp
+mkdir ${HOME}/.floorp
+whitelist ${HOME}/.cache/floorp
+whitelist ${HOME}/.floorp
+
+# Add the next lines to your floorp.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# To enable KeePassXC Plugin add one of the following lines to your floorp.local.
+# Note: Start KeePassXC before floorp and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
+dbus-user filter
+dbus-user.own org.mozilla.floorp.*
+# Add the next line to your floorp.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your floorp.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your floorp.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your floorp.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your floorp.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
+#ignore noroot
+ignore apparmor
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
index 9bf5a14be..80958d305 100644
--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -9,6 +9,8 @@ include globals.local
 noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.freemind
 
+noblacklist ${PATH}/dpkg*
+
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
@@ -40,7 +42,7 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
+private-bin bash,cp,dirname,dpkg*,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
 private-cache
 private-dev
 #private-etc alternatives,fonts,java*
diff --git a/etc/profile-a-l/lettura.profile b/etc/profile-a-l/lettura.profile
new file mode 100644
index 000000000..94a455355
--- /dev/null
+++ b/etc/profile-a-l/lettura.profile
@@ -0,0 +1,76 @@
+# Firejail profile for lettura
+# Description: Another free and open-source feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lettura.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/lettura
+noblacklist ${HOME}/.config/com.lettura.dev
+noblacklist ${HOME}/.lettura
+noblacklist ${HOME}/.local/share/com.lettura.dev
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/lettura
+mkdir ${HOME}/.config/com.lettura.dev
+mkdir ${HOME}/.lettura
+mkdir ${HOME}/.local/share/com.lettura.dev
+whitelist ${HOME}/.cache/lettura
+whitelist ${HOME}/.config/com.lettura.dev
+whitelist ${HOME}/.lettura
+whitelist ${HOME}/.local/share/com.lettura.dev
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+#nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin lettura
+private-cache
+private-dev
+private-etc @network,@sound,@tls-ca,@x11,mime.types
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index d1bc4d5a2..e98d84329 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -2,7 +2,7 @@
 # Description: Unofficial electron based desktop wrapper for YouTube Music
 # This file is overwritten after every install/update
 # Persistent local customizations
-include youtube.local
+include youtubemusic-nativefier.local
 # Persistent global definitions
 include globals.local
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 63db4bba5..e9b97ad11 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -482,6 +482,7 @@ kwrite
 lbry-viewer
 leafpad
 #less # breaks man
+lettura
 librecad
 libreoffice
 librewolf