36 files changed, 153 insertions, 27 deletions

diff --git a/README.md b/README.md
index dd616f8a4..6f1c892aa 100644
--- a/README.md
+++ b/README.md
@@ -214,4 +214,4 @@ IntelliJ IDEA, Android Studio, electron, riot-web,
 Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux,
 telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard,
 remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar,
-musescore
+musescore, neverball
diff --git a/RELNOTES b/RELNOTES
index 7b0f13737..b50904b4e 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -25,7 +25,7 @@ firejail (0.9.49) baseline; urgency=low
   * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
   * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
   * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter, sqlitebrowse,
-  * new profiles: truecraft, gnome-twitch, tuxguitar, musescore
+  * new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
 
diff --git a/etc/atril.profile b/etc/atril.profile
index 7109d343e..6b0eed2db 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -28,4 +29,10 @@ tracelog
 
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
-private-tmp
+private-etc fonts
+# atril needs access to /tmp/mozilla* to work in firefox
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 3baa0ddba..eddc100ca 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -25,4 +25,7 @@ shell none
 tracelog
 
 private-bin audacious
+private-dev
 private-tmp
+
+memory-deny-write-execute
diff --git a/etc/audacity.profile b/etc/audacity.profile
index b5a15b04c..9fbc2b16d 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -30,5 +30,6 @@ private-bin audacity
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 0b61e7b9f..1b7b2c258 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/cvlc.profile b/etc/cvlc.profile
index 460966321..e0d32da0f 100644
--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -14,7 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nogroups
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -27,4 +27,7 @@ tracelog
 private-dev
 private-tmp
 
-memory-deny-write-execute
+# mdwe is disabled due to breaking hardware accelerated decoding
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index c220b9c50..294ff6bcb 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -107,15 +107,27 @@ blacklist ${PATH}/zuluCrypt-cli
 blacklist ${PATH}/zuluMount-cli
 
 # var
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
 blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/systemd
+blacklist /var/lib/upower
+blacklist /var/log
 blacklist /var/mail
+blacklist /var/opt
 blacklist /var/run/acpid.socket
 blacklist /var/run/docker.sock
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/mysql/mysqld.sock
 blacklist /var/run/mysqld/mysqld.sock
 blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/run/systemd
 blacklist /var/spool/anacron
 blacklist /var/spool/cron
 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7b0e6e9eb..d02377036 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -334,6 +334,7 @@ blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.neverball
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openinvaders
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index e10fd6084..7bc5e7481 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -12,7 +12,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-netfilter
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -29,3 +30,7 @@ tracelog
 private-dev
 # private-etc fonts
 # private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/eog.profile b/etc/eog.profile
index 54d5a1a88..e5161b313 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -16,7 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups
diff --git a/etc/eom.profile b/etc/eom.profile
index 6fd069b5c..3fb1fcaf4 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -30,7 +32,9 @@ tracelog
 
 private-bin eom
 private-dev
+private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 1ecb3c632..8484aa162 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -12,7 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups
diff --git a/etc/fossamail.profile b/etc/fossamail.profile
index 74073d8d1..cef522c53 100644
--- a/etc/fossamail.profile
+++ b/etc/fossamail.profile
@@ -17,7 +17,6 @@ whitelist ~/.fossamail
 whitelist ~/.gnupg
 include /etc/firejail/whitelist-common.inc
 
-nodvd
-notv
-
+# allow browsers
+# Redirect
 include /etc/firejail/firefox.profile
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 418575e09..3d7af1496 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -15,7 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 9bedaa431..60ffe0594 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -13,11 +13,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index 2b32abca6..2b33051e2 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -18,7 +18,6 @@ nogroups
 nonewprivs
 noroot
 nosound
-notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 212aa8817..1a08c3d83 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -23,4 +23,5 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
+private-dev
 private-tmp
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index b90e21e66..1cda5022d 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -9,8 +9,10 @@ noblacklist ~/.config/mpv
 noblacklist ~/.config/smplayer
 noblacklist ~/.config/totem
 noblacklist ~/.config/vlc
+noblacklist ~/.config/xplayer
 noblacklist ~/.java
 noblacklist ~/.local/share/totem
+noblacklist ~/.local/share/xplayer
 noblacklist ~/.mediathek3
 noblacklist ~/.mplayer
 
@@ -22,6 +24,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
diff --git a/etc/neverball.profile b/etc/neverball.profile
new file mode 100644
index 000000000..6a9a3a577
--- /dev/null
+++ b/etc/neverball.profile
@@ -0,0 +1,37 @@
+# Firejail profile for neverball
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/neverball.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.neverball
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.neverball
+whitelist ${HOME}/.neverball
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin neverball
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pluma.profile b/etc/pluma.profile
index d17a64d1d..718dee440 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
+protocol unix
 seccomp
 shell none
 tracelog
 
 private-bin pluma
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 2c652c688..7d69f38f9 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -29,3 +30,5 @@ tracelog
 private-bin qpdfview
 private-dev
 private-tmp
+
+memory-deny-write-execute
diff --git a/etc/scribus.profile b/etc/scribus.profile
index acd6b2239..e4c88be49 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -28,6 +28,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 nodvd
+nogroups
 nonewprivs
 noroot
 nosound
diff --git a/etc/server.profile b/etc/server.profile
index 04ef555de..edd4666e1 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -13,6 +13,8 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
+# noblacklist /var/log
+# noblacklist /var/opt
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index de43f2a56..edd4db861 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -20,7 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
-novideo
+# novideo
 protocol unix,inet,inet6,netlink
 # simple-scan makes ioperm system calls, which are blacklisted by default.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 1d590a142..1a53cc71c 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -20,7 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
-novideo
+# novideo
 protocol unix,netlink
 # skanlite makes ioperm system calls, which are blacklisted by default.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
diff --git a/etc/steam.profile b/etc/steam.profile
index 96899038a..227162e1f 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -5,12 +5,17 @@ include /etc/firejail/steam.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.Steampath
-noblacklist ${HOME}/.Steampid
 noblacklist ${HOME}/.java
+noblacklist ${HOME}/.killingfloor
+noblacklist ${HOME}/.local/share/3909/PapersPlease
+noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/feral-interactive
 noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.local/share/SuperHexagon
+noblacklist ${HOME}/.local/share/Terraria
+noblacklist ${HOME}/.local/share/vpltd
+noblacklist ${HOME}/.local/share/vulkan
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -29,12 +34,15 @@ nogroups
 nonewprivs
 noroot
 notv
-# novideo
+# novideo should be commented for VR
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
 # tracelog
 
+# private-dev should be commented for controllers
 private-dev
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/vlc.profile b/etc/vlc.profile
index a41f367dd..bccde7a3d 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -25,5 +25,7 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 
+# mdwe is disabled due to breaking hardware accelerated decoding
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/xed.profile b/etc/xed.profile
index 758fb5526..42a42ef5f 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
+protocol unix
 seccomp
 shell none
 tracelog
 
 private-bin xed
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index e80685f0e..ec1aca75f 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -14,12 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index c7db00daf..fefeac76b 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -31,6 +31,7 @@ shell none
 disable-mnt
 private-bin xonotic-sdl,xonotic-glx,blind-id
 private-dev
+private-etc asound.conf,ca-certificates,drirc,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pulse,resolv.conf,ssl
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 0722768d1..5c845e977 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -18,7 +18,6 @@ netfilter
 nogroups
 nonewprivs
 noroot
-notv
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -26,4 +25,8 @@ tracelog
 
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 107cefe5e..dd09c8a92 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -15,17 +15,25 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
 
-private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-private-tmp
+# private-etc fonts
+# xreader needs access to /tmp/mozilla* to work in firefox
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 70ad3b895..b9ff3948a 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -16,12 +16,15 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -29,7 +32,9 @@ tracelog
 
 private-bin xviewer
 private-dev
+private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 6473c6fef..e7eab20a2 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -220,6 +220,7 @@
 /etc/firejail/mutt.profile
 /etc/firejail/nautilus.profile
 /etc/firejail/nemo.profile
+/etc/firejail/neverball.profile
 /etc/firejail/netsurf.profile
 /etc/firejail/nolocal.net
 /etc/firejail/nylas.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 15e95b9a7..6bdeaab77 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -197,6 +197,7 @@ musescore
 mutt
 nautilus
 netsurf
+neverball
 nylas
 obs
 odt2txt