24 files changed, 271 insertions, 26 deletions
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index 49c9b38a7..3fd8a3051 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -161,7 +161,7 @@ jobs:
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea
+      uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571
      with:
        languages: cpp
@@ -172,4 +172,4 @@ jobs:
      run: make -j "$(nproc)"
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea
+      uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 85b75a126..54145e49a 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -51,9 +51,9 @@ jobs:
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea
+      uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571
      with:
        languages: python
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea
+      uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index aa83691eb..047c8441d 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -482,6 +482,7 @@ blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
 blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gramps
+blacklist ${HOME}/.config/green-recorder
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gummi
 blacklist ${HOME}/.config/guvcview2
@@ -1239,6 +1240,7 @@ blacklist ${RUNUSER}/qutebrowser
 blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
+blacklist /tmp/lwjgl_*
 blacklist /var/games/nethack
 blacklist /var/games/slashem
 blacklist /var/games/vulturesclaw
diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc
index e147963a6..7ff6448e2 100644
--- a/etc/inc/landlock-common.inc
+++ b/etc/inc/landlock-common.inc
@@ -16,17 +16,9 @@ landlock.fs.write /tmp
 # exec access
 ## misc
+landlock.fs.execute ${PATH}
 landlock.fs.execute /opt
 landlock.fs.execute /run/firejail # appimage and various firejail features
-## bin
-landlock.fs.execute /bin
-landlock.fs.execute /sbin
-landlock.fs.execute /usr/bin
-landlock.fs.execute /usr/sbin
-landlock.fs.execute /usr/games
-landlock.fs.execute /usr/local/bin
-landlock.fs.execute /usr/local/sbin
-landlock.fs.execute /usr/local/games
 ## lib
 landlock.fs.execute /lib
 landlock.fs.execute /lib32
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index 487e0c5f8..deaf5df4c 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -43,7 +43,7 @@ x11 none
 private-cache
 private-dev
-private-etc
+private-etc mkinitcpio*
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index 672286087..091a2f59f 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -12,8 +12,6 @@ include allow-perl.inc
 noroot
-# without login.defs atool complains and uses UID/GID 1000 by default
-private-etc
 private-tmp
 # Redirect
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index c5c2e33eb..f78d4bdff 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,7 +6,5 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
-private-etc
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/enchant-2.profile b/etc/profile-a-l/enchant-2.profile
index 32cc0e691..c87dbd948 100644
--- a/etc/profile-a-l/enchant-2.profile
+++ b/etc/profile-a-l/enchant-2.profile
@@ -1,5 +1,6 @@
 # Firejail profile for enchant-2
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include enchant-2.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/gnome-boxes.profile b/etc/profile-a-l/gnome-boxes.profile
index b16ffa142..d026fec88 100644
--- a/etc/profile-a-l/gnome-boxes.profile
+++ b/etc/profile-a-l/gnome-boxes.profile
@@ -6,6 +6,8 @@ include gnome-boxes.local
 # Persistent global definitions
 include globals.local
+blacklist /usr/libexec
 noblacklist ${HOME}/.cache/gnome-boxes
 noblacklist ${HOME}/.config/gnome-boxes
 noblacklist ${HOME}/.local/share/gnome-boxes
diff --git a/etc/profile-a-l/green-recoder.profile b/etc/profile-a-l/green-recoder.profile
new file mode 100644
index 000000000..77c980daa
--- /dev/null
+++ b/etc/profile-a-l/green-recoder.profile
@@ -0,0 +1,72 @@
+# Firejail profile for green-recorder
+# Description: A simple screen recorder for Linux desktop (supports Wayland & Xorg)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include green-recorder.local
+# Persistent global definitions
+include globals.local
+blacklist /usr/libexec
+noblacklist ${HOME}/.config/green-recorder
+# Allow python 3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/green-recorder
+whitelist ${HOME}/.config/green-recorder
+whitelist ${DOWNLOADS}
+whitelist ${VIDEOS}
+whitelist /usr/share/ffmpeg
+whitelist /usr/share/green-recorder
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+novideo
+protocol unix
+# allow set_mempolicy, which is required to encode using libx265
+seccomp !set_mempolicy
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-bin awk,bash,convert,ffmpeg,green-recorder,grep,mv,pactl,ps,python*,sh,sleep,xdg-open,xdpyinfo,xwininfo
+private-cache
+private-dev
+private-etc @x11
+private-tmp
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.gnome.Shell.*
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index 47c341333..7129c70bb 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -14,11 +14,10 @@ include disable-programs.inc
 include disable-shell.inc
 whitelist ${HOME}/.local/share/glib-2.0/schemas
+whitelist /usr/share/gdm
+whitelist /usr/share/iagno
 include whitelist-common.inc
 include whitelist-runuser-common.inc
-whitelist /usr/share/iagno
-whitelist /usr/share/gdm
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/lz4.profile b/etc/profile-a-l/lz4.profile
new file mode 100644
index 000000000..5e4e416f1
--- /dev/null
+++ b/etc/profile-a-l/lz4.profile
@@ -0,0 +1,11 @@
+# Firejail profile for lz4
+# Description: Compress or decompress .lz4 files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lz4.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-a-l/lz4c.profile b/etc/profile-a-l/lz4c.profile
new file mode 100644
index 000000000..b05a81de1
--- /dev/null
+++ b/etc/profile-a-l/lz4c.profile
@@ -0,0 +1,11 @@
+# Firejail profile for lz4c
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lz4c.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include lz4.profile
diff --git a/etc/profile-a-l/lz4cat.profile b/etc/profile-a-l/lz4cat.profile
new file mode 100644
index 000000000..90e056b1b
--- /dev/null
+++ b/etc/profile-a-l/lz4cat.profile
@@ -0,0 +1,11 @@
+# Firejail profile for lz4cat
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lz4cat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include lz4.profile
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index b6afbad59..49e84dedb 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -35,8 +35,8 @@ include disable-exec.inc
 include disable-programs.inc
 caps.drop all
-machine-id
 ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-m-z/qt5ct.profile b/etc/profile-m-z/qt5ct.profile
new file mode 100644
index 000000000..83d22c2cd
--- /dev/null
+++ b/etc/profile-m-z/qt5ct.profile
@@ -0,0 +1,65 @@
+# Firejail profile for qt5ct
+# Description: Qt5 Configuration Utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qt5ct.local
+# Persistent global definitions
+include globals.local
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/qt5ct
+mkdir ${HOME}/.local/share/qt5ct
+whitelist ${HOME}/.config/qt5ct
+whitelist ${HOME}/.local/share/qt5ct
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-bin qt5ct
+private-cache
+private-dev
+private-etc dbus-1,machine-id
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.config/qt5ct
+read-write ${HOME}/.local/share/qt5ct
+restrict-namespaces
diff --git a/etc/profile-m-z/qt6ct.profile b/etc/profile-m-z/qt6ct.profile
new file mode 100644
index 000000000..5667c98a3
--- /dev/null
+++ b/etc/profile-m-z/qt6ct.profile
@@ -0,0 +1,65 @@
+# Firejail profile for qt6ct
+# Description: Qt6 Configuration Utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qt6ct.local
+# Persistent global definitions
+include globals.local
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/qt6ct
+mkdir ${HOME}/.local/share/qt6ct
+whitelist ${HOME}/.config/qt6ct
+whitelist ${HOME}/.local/share/qt6ct
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-bin qt6ct
+private-cache
+private-dev
+private-etc dbus-1,machine-id
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.config/qt6ct
+read-write ${HOME}/.local/share/qt6ct
+restrict-namespaces
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index fde85be64..62efa28db 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -18,6 +18,7 @@ include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
+whitelist ${RUNUSER}/gcr/ssh
 whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
 whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index da3b4f782..ca1234db0 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -17,7 +17,6 @@ ignore include disable-shell.inc
 # all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
-private-etc
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/etc/profile-m-z/unlz4.profile b/etc/profile-m-z/unlz4.profile
new file mode 100644
index 000000000..00e7496e4
--- /dev/null
+++ b/etc/profile-m-z/unlz4.profile
@@ -0,0 +1,11 @@
+# Firejail profile for unlz4
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unlz4.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include lz4.profile
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 43d5dae5e..ed2acb12d 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -8,7 +8,6 @@ include unrar.local
 include globals.local
 private-bin unrar
-private-etc
 private-tmp
 # Redirect
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 9fefe6ad3..88341a3ad 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,5 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
-private-etc
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile
index 86fe63ef9..a93d873a8 100644
--- a/etc/profile-m-z/virt-manager.profile
+++ b/etc/profile-m-z/virt-manager.profile
@@ -6,6 +6,8 @@ include virt-manager.local
 # Persistent global definitions
 include globals.local
+blacklist /usr/libexec
 noblacklist ${HOME}/.cache/virt-manager
 noblacklist ${RUNUSER}/libvirt
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index abaec3036..78f41e0a6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -274,6 +274,7 @@ fix-qdf
 flacsplt
 flameshot
 flashpeak-slimjet
+floorp
 flowblade
 fluffychat
 font-manager
@@ -391,6 +392,7 @@ gpredict
 gradio
 gramps
 gravity-beams-and-evaporating-stars
+green-recorder
 gthumb
 gtk-lbry-viewer
 gtk-pipe-viewer
@@ -522,6 +524,9 @@ lximage-qt
 lxmusic
 lynx
 lyx
+#lz4 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lz4c # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lz4cat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 macrofusion
 magicor
 man
@@ -724,6 +729,8 @@ qpdf
 qpdfview
 qq
 qt-faststart
+qt5ct
+qt6ct
 qtox
 quadrapassel
 quassel
@@ -903,6 +910,7 @@ uget-gtk
 unbound
 unf
 unknown-horizons
+#unlz4 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 #unzstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 url-eater
 utox

diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 49c9b38a7..3fd8a3051 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml
@@ -161,7 +161,7 @@ jobs:
161		161
162	# Initializes the CodeQL tools for scanning.	162	# Initializes the CodeQL tools for scanning.
163	- name: Initialize CodeQL	163	- name: Initialize CodeQL
164	uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea	164	uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571
165	with:	165	with:
166	languages: cpp	166	languages: cpp
167		167
@@ -172,4 +172,4 @@ jobs:
172	run: make -j "$(nproc)"	172	run: make -j "$(nproc)"
173		173
174	- name: Perform CodeQL Analysis	174	- name: Perform CodeQL Analysis
175	uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea	175	uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571


diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 85b75a126..54145e49a 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml
@@ -51,9 +51,9 @@ jobs:
51		51
52	# Initializes the CodeQL tools for scanning.	52	# Initializes the CodeQL tools for scanning.
53	- name: Initialize CodeQL	53	- name: Initialize CodeQL
54	uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea	54	uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571
55	with:	55	with:
56	languages: python	56	languages: python
57		57
58	- name: Perform CodeQL Analysis	58	- name: Perform CodeQL Analysis
59	uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea	59	uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571


diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index aa83691eb..047c8441d 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -482,6 +482,7 @@ blacklist ${HOME}/.config/google-chrome-beta
482	blacklist ${HOME}/.config/google-chrome-unstable	482	blacklist ${HOME}/.config/google-chrome-unstable
483	blacklist ${HOME}/.config/gpicview	483	blacklist ${HOME}/.config/gpicview
484	blacklist ${HOME}/.config/gramps	484	blacklist ${HOME}/.config/gramps
		485	blacklist ${HOME}/.config/green-recorder
485	blacklist ${HOME}/.config/gthumb	486	blacklist ${HOME}/.config/gthumb
486	blacklist ${HOME}/.config/gummi	487	blacklist ${HOME}/.config/gummi
487	blacklist ${HOME}/.config/guvcview2	488	blacklist ${HOME}/.config/guvcview2
@@ -1239,6 +1240,7 @@ blacklist ${RUNUSER}/qutebrowser
1239	blacklist /etc/ssmtp	1240	blacklist /etc/ssmtp
1240	blacklist /tmp/.wine-*	1241	blacklist /tmp/.wine-*
1241	blacklist /tmp/akonadi-*	1242	blacklist /tmp/akonadi-*
		1243	blacklist /tmp/lwjgl_*
1242	blacklist /var/games/nethack	1244	blacklist /var/games/nethack
1243	blacklist /var/games/slashem	1245	blacklist /var/games/slashem
1244	blacklist /var/games/vulturesclaw	1246	blacklist /var/games/vulturesclaw


diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc index e147963a6..7ff6448e2 100644 --- a/etc/inc/landlock-common.inc +++ b/etc/inc/landlock-common.inc
@@ -16,17 +16,9 @@ landlock.fs.write /tmp
16		16
17	# exec access	17	# exec access
18	## misc	18	## misc
		19	landlock.fs.execute ${PATH}
19	landlock.fs.execute /opt	20	landlock.fs.execute /opt
20	landlock.fs.execute /run/firejail # appimage and various firejail features	21	landlock.fs.execute /run/firejail # appimage and various firejail features
21	## bin
22	landlock.fs.execute /bin
23	landlock.fs.execute /sbin
24	landlock.fs.execute /usr/bin
25	landlock.fs.execute /usr/sbin
26	landlock.fs.execute /usr/games
27	landlock.fs.execute /usr/local/bin
28	landlock.fs.execute /usr/local/sbin
29	landlock.fs.execute /usr/local/games
30	## lib	22	## lib
31	landlock.fs.execute /lib	23	landlock.fs.execute /lib
32	landlock.fs.execute /lib32	24	landlock.fs.execute /lib32


diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile index 487e0c5f8..deaf5df4c 100644 --- a/etc/profile-a-l/archiver-common.profile +++ b/etc/profile-a-l/archiver-common.profile
@@ -43,7 +43,7 @@ x11 none
43		43
44	private-cache	44	private-cache
45	private-dev	45	private-dev
46	private-etc	46	private-etc mkinitcpio*
47		47
48	dbus-user none	48	dbus-user none
49	dbus-system none	49	dbus-system none


diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile index 672286087..091a2f59f 100644 --- a/etc/profile-a-l/atool.profile +++ b/etc/profile-a-l/atool.profile
@@ -12,8 +12,6 @@ include allow-perl.inc
12		12
13	noroot	13	noroot
14		14
15	# without login.defs atool complains and uses UID/GID 1000 by default
16	private-etc
17	private-tmp	15	private-tmp
18		16
19	# Redirect	17	# Redirect


diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile index c5c2e33eb..f78d4bdff 100644 --- a/etc/profile-a-l/bsdtar.profile +++ b/etc/profile-a-l/bsdtar.profile
@@ -6,7 +6,5 @@ include bsdtar.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	private-etc
10
11	# Redirect	9	# Redirect
12	include archiver-common.profile	10	include archiver-common.profile


diff --git a/etc/profile-a-l/enchant-2.profile b/etc/profile-a-l/enchant-2.profile index 32cc0e691..c87dbd948 100644 --- a/etc/profile-a-l/enchant-2.profile +++ b/etc/profile-a-l/enchant-2.profile
@@ -1,5 +1,6 @@
1	# Firejail profile for enchant-2	1	# Firejail profile for enchant-2
2	# This file is overwritten after every install/update	2	# This file is overwritten after every install/update
		3	quiet
3	# Persistent local customizations	4	# Persistent local customizations
4	include enchant-2.local	5	include enchant-2.local
5	# Persistent global definitions	6	# Persistent global definitions


diff --git a/etc/profile-a-l/gnome-boxes.profile b/etc/profile-a-l/gnome-boxes.profile index b16ffa142..d026fec88 100644 --- a/etc/profile-a-l/gnome-boxes.profile +++ b/etc/profile-a-l/gnome-boxes.profile
@@ -6,6 +6,8 @@ include gnome-boxes.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
		9	blacklist /usr/libexec
		10
9	noblacklist ${HOME}/.cache/gnome-boxes	11	noblacklist ${HOME}/.cache/gnome-boxes
10	noblacklist ${HOME}/.config/gnome-boxes	12	noblacklist ${HOME}/.config/gnome-boxes
11	noblacklist ${HOME}/.local/share/gnome-boxes	13	noblacklist ${HOME}/.local/share/gnome-boxes


diff --git a/etc/profile-a-l/green-recoder.profile b/etc/profile-a-l/green-recoder.profile new file mode 100644 index 000000000..77c980daa --- /dev/null +++ b/etc/profile-a-l/green-recoder.profile
@@ -0,0 +1,72 @@
		1	# Firejail profile for green-recorder
		2	# Description: A simple screen recorder for Linux desktop (supports Wayland & Xorg)
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include green-recorder.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	blacklist /usr/libexec
		10
		11	noblacklist ${HOME}/.config/green-recorder
		12
		13	# Allow python 3 (blacklisted by disable-interpreters.inc)
		14	include allow-python3.inc
		15
		16	# Allow /bin/sh (blacklisted by disable-shell.inc)
		17	include allow-bin-sh.inc
		18
		19	noblacklist ${VIDEOS}
		20
		21	include disable-common.inc
		22	include disable-devel.inc
		23	include disable-exec.inc
		24	include disable-interpreters.inc
		25	include disable-programs.inc
		26	include disable-shell.inc
		27	include disable-xdg.inc
		28
		29	mkdir ${HOME}/.config/green-recorder
		30	whitelist ${HOME}/.config/green-recorder
		31	whitelist ${DOWNLOADS}
		32	whitelist ${VIDEOS}
		33	whitelist /usr/share/ffmpeg
		34	whitelist /usr/share/green-recorder
		35	include whitelist-common.inc
		36	include whitelist-run-common.inc
		37	include whitelist-runuser-common.inc
		38	include whitelist-usr-share-common.inc
		39	include whitelist-var-common.inc
		40
		41	apparmor
		42	caps.drop all
		43	net none
		44	nodvd
		45	nogroups
		46	noinput
		47	nonewprivs
		48	noprinters
		49	noroot
		50	notv
		51	nou2f
		52	novideo
		53	protocol unix
		54	# allow set_mempolicy, which is required to encode using libx265
		55	seccomp !set_mempolicy
		56	seccomp.block-secondary
		57	tracelog
		58
		59	disable-mnt
		60	private-bin awk,bash,convert,ffmpeg,green-recorder,grep,mv,pactl,ps,python*,sh,sleep,xdg-open,xdpyinfo,xwininfo
		61	private-cache
		62	private-dev
		63	private-etc @x11
		64	private-tmp
		65
		66	dbus-user filter
		67	dbus-user.talk org.freedesktop.Notifications
		68	dbus-user.talk org.gnome.Shell.*
		69	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
		70	dbus-system none
		71
		72	restrict-namespaces


diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile index 47c341333..7129c70bb 100644 --- a/etc/profile-a-l/iagno.profile +++ b/etc/profile-a-l/iagno.profile
@@ -14,11 +14,10 @@ include disable-programs.inc
14	include disable-shell.inc	14	include disable-shell.inc
15		15
16	whitelist ${HOME}/.local/share/glib-2.0/schemas	16	whitelist ${HOME}/.local/share/glib-2.0/schemas
		17	whitelist /usr/share/gdm
		18	whitelist /usr/share/iagno
17	include whitelist-common.inc	19	include whitelist-common.inc
18
19	include whitelist-runuser-common.inc	20	include whitelist-runuser-common.inc
20	whitelist /usr/share/iagno
21	whitelist /usr/share/gdm
22	include whitelist-usr-share-common.inc	21	include whitelist-usr-share-common.inc
23	include whitelist-var-common.inc	22	include whitelist-var-common.inc
24		23


diff --git a/etc/profile-a-l/lz4.profile b/etc/profile-a-l/lz4.profile new file mode 100644 index 000000000..5e4e416f1 --- /dev/null +++ b/etc/profile-a-l/lz4.profile
@@ -0,0 +1,11 @@
		1	# Firejail profile for lz4
		2	# Description: Compress or decompress .lz4 files
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include lz4.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	# Redirect
		11	include archiver-common.profile


diff --git a/etc/profile-a-l/lz4c.profile b/etc/profile-a-l/lz4c.profile new file mode 100644 index 000000000..b05a81de1 --- /dev/null +++ b/etc/profile-a-l/lz4c.profile
@@ -0,0 +1,11 @@
		1	# Firejail profile for lz4c
		2	# This file is overwritten after every install/update
		3	quiet
		4	# Persistent local customizations
		5	include lz4c.local
		6	# Persistent global definitions
		7	# added by included profile
		8	#include globals.local
		9
		10	# Redirect
		11	include lz4.profile


diff --git a/etc/profile-a-l/lz4cat.profile b/etc/profile-a-l/lz4cat.profile new file mode 100644 index 000000000..90e056b1b --- /dev/null +++ b/etc/profile-a-l/lz4cat.profile
@@ -0,0 +1,11 @@
		1	# Firejail profile for lz4cat
		2	# This file is overwritten after every install/update
		3	quiet
		4	# Persistent local customizations
		5	include lz4cat.local
		6	# Persistent global definitions
		7	# added by included profile
		8	#include globals.local
		9
		10	# Redirect
		11	include lz4.profile


diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile index b6afbad59..49e84dedb 100644 --- a/etc/profile-m-z/makepkg.profile +++ b/etc/profile-m-z/makepkg.profile
@@ -35,8 +35,8 @@ include disable-exec.inc
35	include disable-programs.inc	35	include disable-programs.inc
36		36
37	caps.drop all	37	caps.drop all
38	machine-id
39	ipc-namespace	38	ipc-namespace
		39	machine-id
40	netfilter	40	netfilter
41	no3d	41	no3d
42	nodvd	42	nodvd


diff --git a/etc/profile-m-z/qt5ct.profile b/etc/profile-m-z/qt5ct.profile new file mode 100644 index 000000000..83d22c2cd --- /dev/null +++ b/etc/profile-m-z/qt5ct.profile
@@ -0,0 +1,65 @@
		1	# Firejail profile for qt5ct
		2	# Description: Qt5 Configuration Utility
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include qt5ct.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	blacklist /usr/libexec
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-proc.inc
		16	include disable-programs.inc
		17	include disable-shell.inc
		18	include disable-xdg.inc
		19
		20	mkdir ${HOME}/.config/qt5ct
		21	mkdir ${HOME}/.local/share/qt5ct
		22	whitelist ${HOME}/.config/qt5ct
		23	whitelist ${HOME}/.local/share/qt5ct
		24
		25	include whitelist-common.inc
		26	include whitelist-run-common.inc
		27	include whitelist-runuser-common.inc
		28	include whitelist-usr-share-common.inc
		29	include whitelist-var-common.inc
		30
		31	apparmor
		32	caps.drop all
		33	machine-id
		34	net none
		35	no3d
		36	nodvd
		37	nogroups
		38	noinput
		39	nonewprivs
		40	noprinters
		41	noroot
		42	nosound
		43	notv
		44	nou2f
		45	novideo
		46	protocol unix
		47	seccomp
		48	seccomp.block-secondary
		49	tracelog
		50
		51	disable-mnt
		52	private-bin qt5ct
		53	private-cache
		54	private-dev
		55	private-etc dbus-1,machine-id
		56	private-tmp
		57
		58	dbus-user none
		59	dbus-system none
		60
		61	memory-deny-write-execute
		62	read-only ${HOME}
		63	read-write ${HOME}/.config/qt5ct
		64	read-write ${HOME}/.local/share/qt5ct
		65	restrict-namespaces


diff --git a/etc/profile-m-z/qt6ct.profile b/etc/profile-m-z/qt6ct.profile new file mode 100644 index 000000000..5667c98a3 --- /dev/null +++ b/etc/profile-m-z/qt6ct.profile
@@ -0,0 +1,65 @@
		1	# Firejail profile for qt6ct
		2	# Description: Qt6 Configuration Utility
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include qt6ct.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	blacklist /usr/libexec
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-proc.inc
		16	include disable-programs.inc
		17	include disable-shell.inc
		18	include disable-xdg.inc
		19
		20	mkdir ${HOME}/.config/qt6ct
		21	mkdir ${HOME}/.local/share/qt6ct
		22	whitelist ${HOME}/.config/qt6ct
		23	whitelist ${HOME}/.local/share/qt6ct
		24
		25	include whitelist-common.inc
		26	include whitelist-run-common.inc
		27	include whitelist-runuser-common.inc
		28	include whitelist-usr-share-common.inc
		29	include whitelist-var-common.inc
		30
		31	apparmor
		32	caps.drop all
		33	machine-id
		34	net none
		35	no3d
		36	nodvd
		37	nogroups
		38	noinput
		39	nonewprivs
		40	noprinters
		41	noroot
		42	nosound
		43	notv
		44	nou2f
		45	novideo
		46	protocol unix
		47	seccomp
		48	seccomp.block-secondary
		49	tracelog
		50
		51	disable-mnt
		52	private-bin qt6ct
		53	private-cache
		54	private-dev
		55	private-etc dbus-1,machine-id
		56	private-tmp
		57
		58	dbus-user none
		59	dbus-system none
		60
		61	memory-deny-write-execute
		62	read-only ${HOME}
		63	read-write ${HOME}/.config/qt6ct
		64	read-write ${HOME}/.local/share/qt6ct
		65	restrict-namespaces


diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index fde85be64..62efa28db 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile
@@ -18,6 +18,7 @@ include disable-common.inc
18	include disable-exec.inc	18	include disable-exec.inc
19	include disable-programs.inc	19	include disable-programs.inc
20		20
		21	whitelist ${RUNUSER}/gcr/ssh
21	whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh	22	whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
22	whitelist ${RUNUSER}/keyring/ssh	23	whitelist ${RUNUSER}/keyring/ssh
23	include whitelist-usr-share-common.inc	24	include whitelist-usr-share-common.inc


diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile index da3b4f782..ca1234db0 100644 --- a/etc/profile-m-z/tar.profile +++ b/etc/profile-m-z/tar.profile
@@ -17,7 +17,6 @@ ignore include disable-shell.inc
17	# all capabilities this is automatically read-only.	17	# all capabilities this is automatically read-only.
18	noblacklist /var/lib/pacman	18	noblacklist /var/lib/pacman
19		19
20	private-etc
21	#private-lib libfakeroot,liblzma.so.,libreadline.so.	20	#private-lib libfakeroot,liblzma.so.,libreadline.so.
22	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)	21	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
23	writable-var	22	writable-var


diff --git a/etc/profile-m-z/unlz4.profile b/etc/profile-m-z/unlz4.profile new file mode 100644 index 000000000..00e7496e4 --- /dev/null +++ b/etc/profile-m-z/unlz4.profile
@@ -0,0 +1,11 @@
		1	# Firejail profile for unlz4
		2	# This file is overwritten after every install/update
		3	quiet
		4	# Persistent local customizations
		5	include unlz4.local
		6	# Persistent global definitions
		7	# added by included profile
		8	#include globals.local
		9
		10	# Redirect
		11	include lz4.profile


diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile index 43d5dae5e..ed2acb12d 100644 --- a/etc/profile-m-z/unrar.profile +++ b/etc/profile-m-z/unrar.profile
@@ -8,7 +8,6 @@ include unrar.local
8	include globals.local	8	include globals.local
9		9
10	private-bin unrar	10	private-bin unrar
11	private-etc
12	private-tmp	11	private-tmp
13		12
14	# Redirect	13	# Redirect


diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile index 9fefe6ad3..88341a3ad 100644 --- a/etc/profile-m-z/unzip.profile +++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,5 @@ include globals.local
10	# GNOME Shell integration (chrome-gnome-shell)	10	# GNOME Shell integration (chrome-gnome-shell)
11	noblacklist ${HOME}/.local/share/gnome-shell	11	noblacklist ${HOME}/.local/share/gnome-shell
12		12
13	private-etc
14
15	# Redirect	13	# Redirect
16	include archiver-common.profile	14	include archiver-common.profile


diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile index 86fe63ef9..a93d873a8 100644 --- a/etc/profile-m-z/virt-manager.profile +++ b/etc/profile-m-z/virt-manager.profile
@@ -6,6 +6,8 @@ include virt-manager.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
		9	blacklist /usr/libexec
		10
9	noblacklist ${HOME}/.cache/virt-manager	11	noblacklist ${HOME}/.cache/virt-manager
10	noblacklist ${RUNUSER}/libvirt	12	noblacklist ${RUNUSER}/libvirt
11		13


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index abaec3036..78f41e0a6 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -274,6 +274,7 @@ fix-qdf
274	flacsplt	274	flacsplt
275	flameshot	275	flameshot
276	flashpeak-slimjet	276	flashpeak-slimjet
		277	floorp
277	flowblade	278	flowblade
278	fluffychat	279	fluffychat
279	font-manager	280	font-manager
@@ -391,6 +392,7 @@ gpredict
391	gradio	392	gradio
392	gramps	393	gramps
393	gravity-beams-and-evaporating-stars	394	gravity-beams-and-evaporating-stars
		395	green-recorder
394	gthumb	396	gthumb
395	gtk-lbry-viewer	397	gtk-lbry-viewer
396	gtk-pipe-viewer	398	gtk-pipe-viewer
@@ -522,6 +524,9 @@ lximage-qt
522	lxmusic	524	lxmusic
523	lynx	525	lynx
524	lyx	526	lyx
		527	#lz4 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
		528	#lz4c # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
		529	#lz4cat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
525	macrofusion	530	macrofusion
526	magicor	531	magicor
527	man	532	man
@@ -724,6 +729,8 @@ qpdf
724	qpdfview	729	qpdfview
725	qq	730	qq
726	qt-faststart	731	qt-faststart
		732	qt5ct
		733	qt6ct
727	qtox	734	qtox
728	quadrapassel	735	quadrapassel
729	quassel	736	quassel
@@ -903,6 +910,7 @@ uget-gtk
903	unbound	910	unbound
904	unf	911	unf
905	unknown-horizons	912	unknown-horizons
		913	#unlz4 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
906	#unzstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)	914	#unzstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
907	url-eater	915	url-eater
908	utox	916	utox