aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.github/pull_request_template.md1
-rw-r--r--.github/workflows/sort.yml1
-rw-r--r--COPYING85
-rw-r--r--README42
-rw-r--r--RELNOTES9
-rw-r--r--SECURITY.md36
-rwxr-xr-xconfigure2
-rw-r--r--configure.ac2
-rwxr-xr-xcontrib/fix_private-bin.py2
-rwxr-xr-xcontrib/gdb-firejail.sh2
-rwxr-xr-xcontrib/sort.py2
-rw-r--r--contrib/vim/syntax/firejail.vim2
-rw-r--r--etc-fixes/0.9.58/atom.profile1
-rw-r--r--etc-fixes/seccomp-join-bug/README1
-rw-r--r--etc/apparmor/firejail-default2
-rw-r--r--etc/firejail.config5
-rw-r--r--etc/inc/allow-common-devel.inc5
-rw-r--r--etc/inc/allow-ruby.inc1
-rw-r--r--etc/inc/disable-devel.inc2
-rw-r--r--etc/inc/disable-interpreters.inc1
-rw-r--r--etc/inc/disable-programs.inc7
-rw-r--r--etc/profile-a-l/abiword.profile2
-rw-r--r--etc/profile-a-l/agetpkg.profile2
-rw-r--r--etc/profile-a-l/alacarte.profile2
-rw-r--r--etc/profile-a-l/amule.profile1
-rw-r--r--etc/profile-a-l/anki.profile2
-rw-r--r--etc/profile-a-l/aria2c.profile2
-rw-r--r--etc/profile-a-l/arm.profile2
-rw-r--r--etc/profile-a-l/artha.profile2
-rw-r--r--etc/profile-a-l/atool.profile2
-rw-r--r--etc/profile-a-l/atril.profile2
-rw-r--r--etc/profile-a-l/authenticator-rs.profile2
-rw-r--r--etc/profile-a-l/authenticator.profile2
-rw-r--r--etc/profile-a-l/balsa.profile4
-rw-r--r--etc/profile-a-l/bibletime.profile2
-rw-r--r--etc/profile-a-l/bitwarden.profile2
-rw-r--r--etc/profile-a-l/bless.profile2
-rw-r--r--etc/profile-a-l/blobby.profile2
-rw-r--r--etc/profile-a-l/blobwars.profile2
-rw-r--r--etc/profile-a-l/bsdtar.profile2
-rw-r--r--etc/profile-a-l/build-systems-common.profile66
-rw-r--r--etc/profile-a-l/bundle.profile23
-rw-r--r--etc/profile-a-l/cameramonitor.profile2
-rw-r--r--etc/profile-a-l/cargo.profile56
-rw-r--r--etc/profile-a-l/cawbird.profile2
-rw-r--r--etc/profile-a-l/celluloid.profile2
-rw-r--r--etc/profile-a-l/cheese.profile14
-rw-r--r--etc/profile-a-l/clawsker.profile2
-rw-r--r--etc/profile-a-l/cmake.profile13
-rw-r--r--etc/profile-a-l/cmus.profile2
-rw-r--r--etc/profile-a-l/cola.profile2
-rw-r--r--etc/profile-a-l/com.github.bleakgrey.tootle.profile2
-rw-r--r--etc/profile-a-l/com.github.dahenson.agenda.profile2
-rw-r--r--etc/profile-a-l/com.github.johnfactotum.Foliate.profile2
-rw-r--r--etc/profile-a-l/coyim.profile2
-rw-r--r--etc/profile-a-l/crow.profile2
-rw-r--r--etc/profile-a-l/d-feet.profile2
-rw-r--r--etc/profile-a-l/dbus-send.profile2
-rw-r--r--etc/profile-a-l/dconf-editor.profile2
-rw-r--r--etc/profile-a-l/dconf.profile2
-rw-r--r--etc/profile-a-l/ddgtk.profile2
-rw-r--r--etc/profile-a-l/devhelp.profile2
-rw-r--r--etc/profile-a-l/devilspie.profile2
-rw-r--r--etc/profile-a-l/discord-common.profile2
-rw-r--r--etc/profile-a-l/display.profile2
-rw-r--r--etc/profile-a-l/drawio.profile2
-rw-r--r--etc/profile-a-l/easystroke.profile2
-rw-r--r--etc/profile-a-l/electron-mail.profile2
-rw-r--r--etc/profile-a-l/electrum.profile2
-rw-r--r--etc/profile-a-l/email-common.profile4
-rw-r--r--etc/profile-a-l/enchant.profile2
-rw-r--r--etc/profile-a-l/eo-common.profile2
-rw-r--r--etc/profile-a-l/eog.profile2
-rw-r--r--etc/profile-a-l/equalx.profile2
-rw-r--r--etc/profile-a-l/evince.profile4
-rw-r--r--etc/profile-a-l/exiftool.profile2
-rw-r--r--etc/profile-a-l/falkon.profile2
-rw-r--r--etc/profile-a-l/feh-network.inc.profile2
-rw-r--r--etc/profile-a-l/feh.profile2
-rw-r--r--etc/profile-a-l/ffplay.profile2
-rw-r--r--etc/profile-a-l/file-roller.profile2
-rw-r--r--etc/profile-a-l/flameshot.profile2
-rw-r--r--etc/profile-a-l/freetube.profile2
-rw-r--r--etc/profile-a-l/frogatto.profile2
-rw-r--r--etc/profile-a-l/gajim.profile2
-rw-r--r--etc/profile-a-l/galculator.profile2
-rw-r--r--etc/profile-a-l/gallery-dl.profile2
-rw-r--r--etc/profile-a-l/gapplication.profile2
-rw-r--r--etc/profile-a-l/gcloud.profile2
-rw-r--r--etc/profile-a-l/gconf.profile2
-rw-r--r--etc/profile-a-l/geary.profile2
-rw-r--r--etc/profile-a-l/geekbench.profile14
-rw-r--r--etc/profile-a-l/gget.profile2
-rw-r--r--etc/profile-a-l/gist.profile2
-rw-r--r--etc/profile-a-l/git-cola.profile2
-rw-r--r--etc/profile-a-l/gitter.profile2
-rw-r--r--etc/profile-a-l/gmpc.profile2
-rw-r--r--etc/profile-a-l/gnome-calendar.profile2
-rw-r--r--etc/profile-a-l/gnome-chess.profile2
-rw-r--r--etc/profile-a-l/gnome-clocks.profile2
-rw-r--r--etc/profile-a-l/gnome-hexgl.profile2
-rw-r--r--etc/profile-a-l/gnome-latex.profile2
-rw-r--r--etc/profile-a-l/gnome-logs.profile2
-rw-r--r--etc/profile-a-l/gnome-music.profile2
-rw-r--r--etc/profile-a-l/gnome-passwordsafe.profile2
-rw-r--r--etc/profile-a-l/gnome-pie.profile2
-rw-r--r--etc/profile-a-l/gnome-recipes.profile2
-rw-r--r--etc/profile-a-l/gnome-screenshot.profile2
-rw-r--r--etc/profile-a-l/gnome-sound-recorder.profile2
-rw-r--r--etc/profile-a-l/gnome-system-log.profile2
-rw-r--r--etc/profile-a-l/gnome-todo.profile2
-rw-r--r--etc/profile-a-l/gnome_games-common.profile2
-rw-r--r--etc/profile-a-l/gnote.profile2
-rw-r--r--etc/profile-a-l/gnubik.profile2
-rw-r--r--etc/profile-a-l/godot.profile2
-rw-r--r--etc/profile-a-l/goldendict.profile57
-rw-r--r--etc/profile-a-l/googler-common.profile2
-rw-r--r--etc/profile-a-l/gpicview.profile2
-rw-r--r--etc/profile-a-l/gpredict.profile2
-rw-r--r--etc/profile-a-l/gradio.profile2
-rw-r--r--etc/profile-a-l/gravity-beams-and-evaporating-stars.profile2
-rw-r--r--etc/profile-a-l/gtk-update-icon-cache.profile2
-rw-r--r--etc/profile-a-l/gwenview.profile2
-rw-r--r--etc/profile-a-l/hyperrogue.profile2
-rw-r--r--etc/profile-a-l/i2prouter.profile2
-rw-r--r--etc/profile-a-l/inkscape.profile1
-rw-r--r--etc/profile-a-l/ipcalc.profile2
-rw-r--r--etc/profile-a-l/jerry.profile2
-rw-r--r--etc/profile-a-l/jumpnbump.profile2
-rw-r--r--etc/profile-a-l/kalgebra.profile2
-rw-r--r--etc/profile-a-l/kazam.profile2
-rw-r--r--etc/profile-a-l/kcalc.profile2
-rw-r--r--etc/profile-a-l/kdiff3.profile2
-rw-r--r--etc/profile-a-l/keepassx.profile2
-rw-r--r--etc/profile-a-l/keepassxc.profile2
-rw-r--r--etc/profile-a-l/kid3.profile2
-rw-r--r--etc/profile-a-l/kiwix-desktop.profile2
-rw-r--r--etc/profile-a-l/klavaro.profile2
-rw-r--r--etc/profile-a-l/ktouch.profile2
-rw-r--r--etc/profile-a-l/kube.profile2
-rw-r--r--etc/profile-a-l/kwin_x11.profile2
-rw-r--r--etc/profile-a-l/kwrite.profile2
-rw-r--r--etc/profile-a-l/librewolf.profile1
-rw-r--r--etc/profile-a-l/links-common.profile4
-rw-r--r--etc/profile-a-l/lollypop.profile2
-rw-r--r--etc/profile-a-l/lyx.profile2
-rw-r--r--etc/profile-m-z/QOwnNotes.profile2
-rw-r--r--etc/profile-m-z/Viber.profile2
-rw-r--r--etc/profile-m-z/Xvfb.profile2
-rw-r--r--etc/profile-m-z/magicor.profile2
-rw-r--r--etc/profile-m-z/make.profile13
-rw-r--r--etc/profile-m-z/man.profile2
-rw-r--r--etc/profile-m-z/masterpdfeditor.profile2
-rw-r--r--etc/profile-m-z/mate-calc.profile2
-rw-r--r--etc/profile-m-z/mate-color-select.profile2
-rw-r--r--etc/profile-m-z/mate-dictionary.profile2
-rw-r--r--etc/profile-m-z/mcabber.profile2
-rw-r--r--etc/profile-m-z/mdr.profile2
-rw-r--r--etc/profile-m-z/mediainfo.profile2
-rw-r--r--etc/profile-m-z/menulibre.profile2
-rw-r--r--etc/profile-m-z/meson.profile14
-rw-r--r--etc/profile-m-z/microsoft-edge-beta.profile2
-rw-r--r--etc/profile-m-z/mindless.profile2
-rw-r--r--etc/profile-m-z/mirrormagic.profile2
-rw-r--r--etc/profile-m-z/mocp.profile2
-rw-r--r--etc/profile-m-z/mp3splt-gtk.profile2
-rw-r--r--etc/profile-m-z/mp3splt.profile2
-rw-r--r--etc/profile-m-z/mpDris2.profile2
-rw-r--r--etc/profile-m-z/mpv.profile2
-rw-r--r--etc/profile-m-z/mrrescue.profile2
-rw-r--r--etc/profile-m-z/ms-office.profile2
-rw-r--r--etc/profile-m-z/mupdf-x11-curl.profile2
-rw-r--r--etc/profile-m-z/musixmatch.profile4
-rw-r--r--etc/profile-m-z/mutt.profile2
-rw-r--r--etc/profile-m-z/mypaint.profile2
-rw-r--r--etc/profile-m-z/nano.profile2
-rw-r--r--etc/profile-m-z/neomutt.profile2
-rw-r--r--etc/profile-m-z/netactview.profile2
-rw-r--r--etc/profile-m-z/newsboat.profile2
-rw-r--r--etc/profile-m-z/nextcloud.profile2
-rw-r--r--etc/profile-m-z/nheko.profile9
-rw-r--r--etc/profile-m-z/nitroshare.profile2
-rw-r--r--etc/profile-m-z/nomacs.profile2
-rw-r--r--etc/profile-m-z/notify-send.profile2
-rw-r--r--etc/profile-m-z/nuclear.profile2
-rw-r--r--etc/profile-m-z/nyx.profile2
-rw-r--r--etc/profile-m-z/ocenaudio.profile2
-rw-r--r--etc/profile-m-z/odt2txt.profile2
-rw-r--r--etc/profile-m-z/okular.profile2
-rw-r--r--etc/profile-m-z/onboard.profile2
-rw-r--r--etc/profile-m-z/openarena.profile2
-rw-r--r--etc/profile-m-z/pandoc.profile7
-rw-r--r--etc/profile-m-z/parole.profile2
-rw-r--r--etc/profile-m-z/pavucontrol.profile2
-rw-r--r--etc/profile-m-z/pdfchain.profile2
-rw-r--r--etc/profile-m-z/pdftotext.profile2
-rw-r--r--etc/profile-m-z/peek.profile2
-rw-r--r--etc/profile-m-z/photoflare.profile2
-rw-r--r--etc/profile-m-z/pingus.profile2
-rw-r--r--etc/profile-m-z/pip.profile18
-rw-r--r--etc/profile-m-z/pkglog.profile2
-rw-r--r--etc/profile-m-z/plv.profile2
-rw-r--r--etc/profile-m-z/pngquant.profile2
-rw-r--r--etc/profile-m-z/pragha.profile2
-rw-r--r--etc/profile-m-z/profanity.profile2
-rw-r--r--etc/profile-m-z/psi.profile2
-rw-r--r--etc/profile-m-z/qgis.profile2
-rw-r--r--etc/profile-m-z/qnapi.profile2
-rw-r--r--etc/profile-m-z/qrencode.profile2
-rw-r--r--etc/profile-m-z/qtox.profile2
-rw-r--r--etc/profile-m-z/regextester.profile2
-rw-r--r--etc/profile-m-z/rsync-download_only.profile2
-rw-r--r--etc/profile-m-z/scorchwentbonkers.profile2
-rw-r--r--etc/profile-m-z/seahorse-adventures.profile2
-rw-r--r--etc/profile-m-z/seahorse-tool.profile2
-rw-r--r--etc/profile-m-z/shotwell.profile2
-rw-r--r--etc/profile-m-z/slack.profile2
-rw-r--r--etc/profile-m-z/smuxi-frontend-gnome.profile2
-rw-r--r--etc/profile-m-z/softmaker-common.profile6
-rw-r--r--etc/profile-m-z/spectacle.profile4
-rw-r--r--etc/profile-m-z/spotify.profile2
-rw-r--r--etc/profile-m-z/sqlitebrowser.profile2
-rw-r--r--etc/profile-m-z/standardnotes-desktop.profile2
-rw-r--r--etc/profile-m-z/straw-viewer.profile2
-rw-r--r--etc/profile-m-z/strawberry.profile2
-rw-r--r--etc/profile-m-z/subdownloader.profile2
-rw-r--r--etc/profile-m-z/supertux2.profile2
-rw-r--r--etc/profile-m-z/supertuxkart.profile2
-rw-r--r--etc/profile-m-z/surf.profile2
-rw-r--r--etc/profile-m-z/sway.profile2
-rw-r--r--etc/profile-m-z/sysprof.profile2
-rw-r--r--etc/profile-m-z/tar.profile2
-rw-r--r--etc/profile-m-z/teams-for-linux.profile2
-rw-r--r--etc/profile-m-z/telegram.profile4
-rw-r--r--etc/profile-m-z/tilp.profile2
-rw-r--r--etc/profile-m-z/tin.profile2
-rw-r--r--etc/profile-m-z/tor.profile2
-rw-r--r--etc/profile-m-z/transgui.profile2
-rw-r--r--etc/profile-m-z/transmission-cli.profile2
-rw-r--r--etc/profile-m-z/transmission-daemon.profile2
-rw-r--r--etc/profile-m-z/transmission-remote-gtk.profile2
-rw-r--r--etc/profile-m-z/transmission-remote.profile2
-rw-r--r--etc/profile-m-z/transmission-show.profile2
-rw-r--r--etc/profile-m-z/trojita.profile2
-rw-r--r--etc/profile-m-z/twitch.profile2
-rw-r--r--etc/profile-m-z/unf.profile2
-rw-r--r--etc/profile-m-z/unrar.profile2
-rw-r--r--etc/profile-m-z/unzip.profile2
-rw-r--r--etc/profile-m-z/utox.profile2
-rw-r--r--etc/profile-m-z/viewnior.profile2
-rw-r--r--etc/profile-m-z/virtualbox.profile2
-rw-r--r--etc/profile-m-z/vmware.profile2
-rw-r--r--etc/profile-m-z/w3m.profile2
-rw-r--r--etc/profile-m-z/warmux.profile2
-rw-r--r--etc/profile-m-z/whalebird.profile2
-rw-r--r--etc/profile-m-z/whois.profile2
-rw-r--r--etc/profile-m-z/wire-desktop.profile2
-rw-r--r--etc/profile-m-z/wordwarvi.profile2
-rw-r--r--etc/profile-m-z/xbill.profile2
-rw-r--r--etc/profile-m-z/xfce4-mixer.profile2
-rw-r--r--etc/profile-m-z/xfce4-screenshooter.profile2
-rw-r--r--etc/profile-m-z/xiphos.profile2
-rw-r--r--etc/profile-m-z/xlinks.profile2
-rw-r--r--etc/profile-m-z/xlinks22
-rw-r--r--etc/profile-m-z/xmr-stak.profile2
-rw-r--r--etc/profile-m-z/xournal.profile2
-rw-r--r--etc/profile-m-z/xreader.profile2
-rw-r--r--etc/profile-m-z/yelp.profile2
-rw-r--r--etc/profile-m-z/youtube-dl-gui.profile2
-rw-r--r--etc/profile-m-z/youtube-dl.profile2
-rw-r--r--etc/profile-m-z/youtube-viewer.profile2
-rw-r--r--etc/profile-m-z/youtube-viewers-common.profile2
-rw-r--r--etc/profile-m-z/youtube.profile2
-rw-r--r--etc/profile-m-z/youtubemusic-nativefier.profile2
-rw-r--r--etc/profile-m-z/yt-dlp.profile2
-rw-r--r--etc/profile-m-z/ytmdesktop.profile2
-rw-r--r--etc/profile-m-z/zulip.profile2
-rw-r--r--etc/templates/profile.template2
-rwxr-xr-xgcov.sh6
-rwxr-xr-xlinecnt.sh4
-rw-r--r--src/bash_completion/firejail.bash_completion.in8
-rw-r--r--src/fcopy/main.c3
-rw-r--r--src/fids/fids.h2
-rw-r--r--src/firecfg/firecfg.config1
-rw-r--r--src/firejail/checkcfg.c2
-rw-r--r--src/firejail/env.c6
-rw-r--r--src/firejail/firejail.h3
-rw-r--r--src/firejail/fs.c52
-rw-r--r--src/firejail/fs_dev.c2
-rw-r--r--src/firejail/fs_home.c11
-rw-r--r--src/firejail/fs_hostname.c7
-rw-r--r--src/firejail/fs_lib.c5
-rw-r--r--src/firejail/fs_lib2.c6
-rw-r--r--src/firejail/fs_whitelist.c59
-rw-r--r--src/firejail/ids.c2
-rw-r--r--src/firejail/join.c20
-rw-r--r--src/firejail/main.c17
-rw-r--r--src/firejail/mountinfo.c71
-rw-r--r--src/firejail/profile.c17
-rw-r--r--src/firejail/sandbox.c19
-rw-r--r--src/firejail/selinux.c21
-rw-r--r--src/firejail/usage.c32
-rw-r--r--src/firejail/util.c14
-rw-r--r--src/jailcheck/jailcheck.h2
-rw-r--r--src/jailcheck/noexec.c2
-rw-r--r--src/man/firejail-profile.txt124
-rw-r--r--src/man/firejail.txt156
-rw-r--r--src/man/firemon.txt2
-rw-r--r--src/tools/profcleaner.c2
-rw-r--r--src/zsh_completion/_firejail.in2
-rwxr-xr-xtest/environment/environment.sh7
-rwxr-xr-xtest/environment/rlimit-join.exp36
312 files changed, 1037 insertions, 706 deletions
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 57ac2e9c4..7cb92a938 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,4 +1,3 @@
1
2If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. 1If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
3 2
4If you submit a PR for new profiles or changing profiles, please do the following: 3If you submit a PR for new profiles or changing profiles, please do the following:
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
index f3ded0f22..cfa40d2d2 100644
--- a/.github/workflows/sort.yml
+++ b/.github/workflows/sort.yml
@@ -19,4 +19,3 @@ jobs:
19 - uses: actions/checkout@v2 19 - uses: actions/checkout@v2
20 - name: check profiles 20 - name: check profiles
21 run: ./contrib/sort.py etc/*/{*.inc,*.profile} 21 run: ./contrib/sort.py etc/*/{*.inc,*.profile}
22
diff --git a/COPYING b/COPYING
index b6e1c33e0..d159169d1 100644
--- a/COPYING
+++ b/COPYING
@@ -1,12 +1,12 @@
1 GNU GENERAL PUBLIC LICENSE 1 GNU GENERAL PUBLIC LICENSE
2 Version 2, June 1991 2 Version 2, June 1991
3 3
4 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 4 Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
5 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 5 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
6 Everyone is permitted to copy and distribute verbatim copies 6 Everyone is permitted to copy and distribute verbatim copies
7 of this license document, but changing it is not allowed. 7 of this license document, but changing it is not allowed.
8 8
9 Preamble 9 Preamble
10 10
11 The licenses for most software are designed to take away your 11 The licenses for most software are designed to take away your
12freedom to share and change it. By contrast, the GNU General Public 12freedom to share and change it. By contrast, the GNU General Public
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users. This
15General Public License applies to most of the Free Software 15General Public License applies to most of the Free Software
16Foundation's software and to any other program whose authors commit to 16Foundation's software and to any other program whose authors commit to
17using it. (Some other Free Software Foundation software is covered by 17using it. (Some other Free Software Foundation software is covered by
18the GNU Library General Public License instead.) You can apply it to 18the GNU Lesser General Public License instead.) You can apply it to
19your programs, too. 19your programs, too.
20 20
21 When we speak of free software, we are referring to freedom, not 21 When we speak of free software, we are referring to freedom, not
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all.
55 55
56 The precise terms and conditions for copying, distribution and 56 The precise terms and conditions for copying, distribution and
57modification follow. 57modification follow.
58 58
59 GNU GENERAL PUBLIC LICENSE 59 GNU GENERAL PUBLIC LICENSE
60 TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 60 TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
61 61
62 0. This License applies to any program or other work which contains 62 0. This License applies to any program or other work which contains
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
110 License. (Exception: if the Program itself is interactive but 110 License. (Exception: if the Program itself is interactive but
111 does not normally print such an announcement, your work based on 111 does not normally print such an announcement, your work based on
112 the Program is not required to print an announcement.) 112 the Program is not required to print an announcement.)
113 113
114These requirements apply to the modified work as a whole. If 114These requirements apply to the modified work as a whole. If
115identifiable sections of that work are not derived from the Program, 115identifiable sections of that work are not derived from the Program,
116and can be reasonably considered independent and separate works in 116and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
168access to copy the source code from the same place counts as 168access to copy the source code from the same place counts as
169distribution of the source code, even though third parties are not 169distribution of the source code, even though third parties are not
170compelled to copy the source along with the object code. 170compelled to copy the source along with the object code.
171 171
172 4. You may not copy, modify, sublicense, or distribute the Program 172 4. You may not copy, modify, sublicense, or distribute the Program
173except as expressly provided under this License. Any attempt 173except as expressly provided under this License. Any attempt
174otherwise to copy, modify, sublicense or distribute the Program is 174otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.
225 225
226This section is intended to make thoroughly clear what is believed to 226This section is intended to make thoroughly clear what is believed to
227be a consequence of the rest of this License. 227be a consequence of the rest of this License.
228 228
229 8. If the distribution and/or use of the Program is restricted in 229 8. If the distribution and/or use of the Program is restricted in
230certain countries either by patents or by copyrighted interfaces, the 230certain countries either by patents or by copyrighted interfaces, the
231original copyright holder who places the Program under this License 231original copyright holder who places the Program under this License
@@ -255,7 +255,7 @@ make exceptions for this. Our decision will be guided by the two goals
255of preserving the free status of all derivatives of our free software and 255of preserving the free status of all derivatives of our free software and
256of promoting the sharing and reuse of software generally. 256of promoting the sharing and reuse of software generally.
257 257
258 NO WARRANTY 258 NO WARRANTY
259 259
260 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 260 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
261FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 261FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
@@ -277,4 +277,63 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
277PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 277PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
278POSSIBILITY OF SUCH DAMAGES. 278POSSIBILITY OF SUCH DAMAGES.
279 279
280 END OF TERMS AND CONDITIONS 280 END OF TERMS AND CONDITIONS
281
282 How to Apply These Terms to Your New Programs
283
284 If you develop a new program, and you want it to be of the greatest
285possible use to the public, the best way to achieve this is to make it
286free software which everyone can redistribute and change under these terms.
287
288 To do so, attach the following notices to the program. It is safest
289to attach them to the start of each source file to most effectively
290convey the exclusion of warranty; and each file should have at least
291the "copyright" line and a pointer to where the full notice is found.
292
293 <one line to give the program's name and a brief idea of what it does.>
294 Copyright (C) <year> <name of author>
295
296 This program is free software; you can redistribute it and/or modify
297 it under the terms of the GNU General Public License as published by
298 the Free Software Foundation; either version 2 of the License, or
299 (at your option) any later version.
300
301 This program is distributed in the hope that it will be useful,
302 but WITHOUT ANY WARRANTY; without even the implied warranty of
303 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
304 GNU General Public License for more details.
305
306 You should have received a copy of the GNU General Public License along
307 with this program; if not, write to the Free Software Foundation, Inc.,
308 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
309
310Also add information on how to contact you by electronic and paper mail.
311
312If the program is interactive, make it output a short notice like this
313when it starts in an interactive mode:
314
315 Gnomovision version 69, Copyright (C) year name of author
316 Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317 This is free software, and you are welcome to redistribute it
318 under certain conditions; type `show c' for details.
319
320The hypothetical commands `show w' and `show c' should show the appropriate
321parts of the General Public License. Of course, the commands you use may
322be called something other than `show w' and `show c'; they could even be
323mouse-clicks or menu items--whatever suits your program.
324
325You should also get your employer (if you work as a programmer) or your
326school, if any, to sign a "copyright disclaimer" for the program, if
327necessary. Here is a sample; alter the names:
328
329 Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330 `Gnomovision' (which makes passes at compilers) written by James Hacker.
331
332 <signature of Ty Coon>, 1 April 1989
333 Ty Coon, President of Vice
334
335This General Public License does not permit incorporating your program into
336proprietary programs. If your program is a subroutine library, you may
337consider it more useful to permit linking proprietary applications with the
338library. If this is what you want to do, use the GNU Lesser General
339Public License instead of this License.
diff --git a/README b/README
index a15e493ff..3f8eb6136 100644
--- a/README
+++ b/README
@@ -1,13 +1,13 @@
1Firejail is a SUID sandbox program that reduces the risk of security 1Firejail is a SUID sandbox program that reduces the risk of security
2breaches by restricting the running environment of untrusted applications 2breaches by restricting the running environment of untrusted applications
3using Linux namespaces and seccomp-bpf. It includes sandbox profiles for 3using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
4Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, 4Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
5VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. 5VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
6DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, 6DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
7Pidgin, Quassel, and XChat. 7Pidgin, Quassel, and XChat.
8 8
9Firejail also expands the restricted shell facility found in bash by adding 9Firejail also expands the restricted shell facility found in bash by adding
10Linux namespace support. It supports sandboxing specific users upon login. 10Linux namespace support. It supports sandboxing specific users upon login.
11 11
12Download: https://sourceforge.net/projects/firejail/files/ 12Download: https://sourceforge.net/projects/firejail/files/
13Build and install: ./configure && make && sudo make install 13Build and install: ./configure && make && sudo make install
@@ -68,6 +68,8 @@ Firejail Authors (alphabetical order)
68 - fix flameshot raw screenshots 68 - fix flameshot raw screenshots
691dnrr (https://github.com/1dnrr) 691dnrr (https://github.com/1dnrr)
70 - add pybitmessage profile 70 - add pybitmessage profile
71a1346054 (https://github.com/a1346054)
72 - add missing final newlines in various files
71Ádler Jonas Gross (https://github.com/adgross) 73Ádler Jonas Gross (https://github.com/adgross)
72 - AppArmor fix 74 - AppArmor fix
73Adrian L. Shaw (https://github.com/adrianlshaw) 75Adrian L. Shaw (https://github.com/adrianlshaw)
@@ -221,6 +223,8 @@ Carlo Abelli (https://github.com/carloabelli)
221 - fixed simple-scan 223 - fixed simple-scan
222Cat (https://github.com/ecat3) 224Cat (https://github.com/ecat3)
223 - prevent tmux connecting to an existing session 225 - prevent tmux connecting to an existing session
226cayday (https://github.com/caydey)
227 - added ~/Private blacklist in disable-common.inc
224Christian Pinedo (https://github.com/chrpinedo) 228Christian Pinedo (https://github.com/chrpinedo)
225 - added nicotine profile 229 - added nicotine profile
226 - allow python3 in totem profile 230 - allow python3 in totem profile
@@ -246,6 +250,8 @@ crass (https://github.com/crass)
246 - extract_command_name fixes 250 - extract_command_name fixes
247 - update appimage size calculation to newest code from libappimage 251 - update appimage size calculation to newest code from libappimage
248 - firejail should look for processes with names exactly named 252 - firejail should look for processes with names exactly named
253croket (https://github.com/crocket)
254 - fix librewolf profile
249curiosity-seeker (https://github.com/curiosity-seeker - old) 255curiosity-seeker (https://github.com/curiosity-seeker - old)
250curiosityseeker (https://github.com/curiosityseeker - new) 256curiosityseeker (https://github.com/curiosityseeker - new)
251 - tightening unbound and dnscrypt-proxy profiles 257 - tightening unbound and dnscrypt-proxy profiles
@@ -454,7 +460,7 @@ hawkey116477 (https://github.com/hawkeye116477)
454Helmut Grohne (https://github.com/helmutg) 460Helmut Grohne (https://github.com/helmutg)
455 - compiler support in the build system - Debian bug #869707 461 - compiler support in the build system - Debian bug #869707
456hhzek0014 (https://github.com/hhzek0014) 462hhzek0014 (https://github.com/hhzek0014)
457 - updated bibletime.profile 463 - updated bibletime.profile
458hlein (https://github.com/hlein) 464hlein (https://github.com/hlein)
459 - strip out \r's from jail prober 465 - strip out \r's from jail prober
460Holger Heinz (https://github.com/hheinz) 466Holger Heinz (https://github.com/hheinz)
@@ -490,6 +496,10 @@ James Elford (https://github.com/jelford)
490 - removed shell none from ssh-agent configuration, fixing the infinite loop 496 - removed shell none from ssh-agent configuration, fixing the infinite loop
491 - added gcloud profile 497 - added gcloud profile
492 - blacklist sensitive cloud provider files in disable-common 498 - blacklist sensitive cloud provider files in disable-common
499Jan-Niclas (https://github.com/0x6a61)
500 - moved rules from firefox-common.profile to firefox.profile
501 - blacklist /*firefox* except for firefox itself
502 - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox
493Jean Lucas (https://github.com/flacks) 503Jean Lucas (https://github.com/flacks)
494 - fix Discord profile 504 - fix Discord profile
495 - add AnyDesk profile 505 - add AnyDesk profile
@@ -526,6 +536,7 @@ John Mullee (https://github.com/jmullee)
526Jonas Heinrich (https://github.com/onny) 536Jonas Heinrich (https://github.com/onny)
527 - added signal-desktop profile 537 - added signal-desktop profile
528 - fixed franz profile 538 - fixed franz profile
539 - remove /etc/hosts is_link check for NixOS
529Jose Riha (https://github.com/jose1711) 540Jose Riha (https://github.com/jose1711)
530 - added meteo-qt profile 541 - added meteo-qt profile
531 - created qgis, links, xlinks profiles 542 - created qgis, links, xlinks profiles
@@ -568,7 +579,7 @@ Kishore96in (https://github.com/Kishore96in)
568 - added falkon profile 579 - added falkon profile
569 - kxmlgui fixes 580 - kxmlgui fixes
570 - okular profile fixes 581 - okular profile fixes
571 - jitsi-meet-desktop profile 582 - jitsi-meet-desktop profile
572 - konversatin profile fix 583 - konversatin profile fix
573 - added Neochat profile 584 - added Neochat profile
574 - added whitelist-1793-workaround.inc 585 - added whitelist-1793-workaround.inc
@@ -595,6 +606,9 @@ Laurent Declercq (https://github.com/nuxwin)
595 - fixed test for shell interpreter in chroots 606 - fixed test for shell interpreter in chroots
596LaurentGH (https://github.com/LaurentGH) 607LaurentGH (https://github.com/LaurentGH)
597 - allow private-bin parameters to be absolute paths 608 - allow private-bin parameters to be absolute paths
609lecso7 (https://github.com/lecso7)
610 - added goldendict profile
611 - allow evince to read .cbz file format
598Loïc Damien (https://github.com/dzamlo) 612Loïc Damien (https://github.com/dzamlo)
599 - small fixes 613 - small fixes
600Liorst4 (https://github.com/Liorst4) 614Liorst4 (https://github.com/Liorst4)
@@ -627,6 +641,8 @@ Martin Carpenter (https://github.com/mcarpenter)
627Martin Dosch (spam-debian@mdosch.de) 641Martin Dosch (spam-debian@mdosch.de)
628 - support for gnome-shell integration addon in Firefox 642 - support for gnome-shell integration addon in Firefox
629 (Bug-Debian: https://bugs.debian.org/872720) 643 (Bug-Debian: https://bugs.debian.org/872720)
644Martynas Janonis (https://github.com/mjanonis)
645 - update wrc for Arch Linux
630Matt Parnell (https://github.com/ilikenwf) 646Matt Parnell (https://github.com/ilikenwf)
631 - whitelisting for core firefox related functionality 647 - whitelisting for core firefox related functionality
632Mattias Wadman (https://github.com/wader) 648Mattias Wadman (https://github.com/wader)
@@ -699,7 +715,7 @@ Ondra Nekola (https://github.com/satai)
699OndrejMalek (https://github.com/OndrejMalek) 715OndrejMalek (https://github.com/OndrejMalek)
700 - various manpage fixes 716 - various manpage fixes
701Ondřej Nový (https://github.com/onovy) 717Ondřej Nový (https://github.com/onovy)
702 - allow video for Signal profile 718 - allow video for Signal profile
703 - added Mattermost desktop profile 719 - added Mattermost desktop profile
704 - hardened Zoom profile 720 - hardened Zoom profile
705 - hardened Signal desktop profile 721 - hardened Signal desktop profile
@@ -716,7 +732,7 @@ Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
716Paul Moore <pmoore@redhat.com> 732Paul Moore <pmoore@redhat.com>
717 -src/fsec-print/print.c extracted from libseccomp software package 733 -src/fsec-print/print.c extracted from libseccomp software package
718Paupiah Yash (https://github.com/CaffeinatedStud) 734Paupiah Yash (https://github.com/CaffeinatedStud)
719 - gzip profile 735 - gzip profile
720Pawel (https://github.com/grimskies) 736Pawel (https://github.com/grimskies)
721 - make --join return exit code of the invoked program 737 - make --join return exit code of the invoked program
722Peter Millerchip (https://github.com/pmillerchip) 738Peter Millerchip (https://github.com/pmillerchip)
@@ -944,7 +960,7 @@ SYN-cook (https://github.com/SYN-cook)
944 - gnome-calculator changes 960 - gnome-calculator changes
945startx2017 (https://github.com/startx2017) 961startx2017 (https://github.com/startx2017)
946 - syscall list update 962 - syscall list update
947 - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, 963 - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module,
948 settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old 964 settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old
949 - enable/disable join support in /etc/firejail/firejail.config 965 - enable/disable join support in /etc/firejail/firejail.config
950 - firecfg fix: create ~/.local/share/applications directory if it doesn't exist 966 - firecfg fix: create ~/.local/share/applications directory if it doesn't exist
@@ -995,10 +1011,11 @@ Topi Miettinen (https://github.com/topimiettinen)
995 - improve loading of seccomp filter and memory-deny-write-execute feature 1011 - improve loading of seccomp filter and memory-deny-write-execute feature
996 - private-lib feature 1012 - private-lib feature
997 - make --nodbus block also system D-Bus socket 1013 - make --nodbus block also system D-Bus socket
998Ted Robertson (https://github.com/tredondo) 1014Ted Robertson (https://github.com/tredondo)
999 - webstorm profile fixes 1015 - webstorm profile fixes
1000 - added bcompare profile 1016 - added bcompare profile
1001 - various documentation fixes 1017 - various documentation fixes
1018 - blacklist Exodus wallet
1002user1024 (user1024@tut.by) 1019user1024 (user1024@tut.by)
1003 - electron profile whitelisting 1020 - electron profile whitelisting
1004 - fixed Rocket.Chat profile 1021 - fixed Rocket.Chat profile
@@ -1054,7 +1071,7 @@ vismir2 (https://github.com/vismir2)
1054 - feh, ranger, 7z, keepass, keepassx and zathura profiles 1071 - feh, ranger, 7z, keepass, keepassx and zathura profiles
1055 - claws-mail, mutt, git, emacs, vim profiles 1072 - claws-mail, mutt, git, emacs, vim profiles
1056 - lots of profile fixes 1073 - lots of profile fixes
1057 - support for truecrypt and zuluCrypt 1074 - support for truecrypt and zuluCrypt
1058viq (https://github.com/viq) 1075viq (https://github.com/viq)
1059 - discord-canary profile 1076 - discord-canary profile
1060Vladimir Gorelov (https://github.com/larkvirtual) 1077Vladimir Gorelov (https://github.com/larkvirtual)
@@ -1062,11 +1079,12 @@ Vladimir Gorelov (https://github.com/larkvirtual)
1062Vladimir Schowalter (https://github.com/VladimirSchowalter20) 1079Vladimir Schowalter (https://github.com/VladimirSchowalter20)
1063 - apparmor profile enhancements 1080 - apparmor profile enhancements
1064 - various KDE profile enhancements 1081 - various KDE profile enhancements
1065 read-only kde5 services directory 1082 - read-only kde5 services directory
1066Vladislav Nepogodin (https://github.com/vnepogodin) 1083Vladislav Nepogodin (https://github.com/vnepogodin)
1067 - added Librewolf profiles 1084 - added Librewolf profiles
1068 - added Sway profile 1085 - added Sway profile
1069 - fix CLion profile 1086 - fix CLion profile
1087 - fixes for disable-programs.inc
1070xee5ch (https://github.com/xee5ch) 1088xee5ch (https://github.com/xee5ch)
1071 - skypeforlinux profile 1089 - skypeforlinux profile
1072Ypnose (https://github.com/Ypnose) 1090Ypnose (https://github.com/Ypnose)
diff --git a/RELNOTES b/RELNOTES
index 86c4a6104..b50fcd559 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,6 @@
1firejail (0.9.67) baseline; urgency=low 1firejail (0.9.67) baseline; urgency=low
2 * work in progress 2 * work in progress
3 * exit code: distinguish fatal signals by adding 128
3 * deprecated --disable-whitelist at compile time 4 * deprecated --disable-whitelist at compile time
4 * deprecated whitelist=yes/no in /etc/firejail/firejail.config 5 * deprecated whitelist=yes/no in /etc/firejail/firejail.config
5 * remove (some) environment variables with auth-tokens 6 * remove (some) environment variables with auth-tokens
@@ -59,7 +60,7 @@ firejail (0.9.64.4) baseline; urgency=low
59 60
60firejail (0.9.64.2) baseline; urgency=low 61firejail (0.9.64.2) baseline; urgency=low
61 * allow --tmpfs inside $HOME for unprivileged users 62 * allow --tmpfs inside $HOME for unprivileged users
62 * --disable-usertmpfs compile time option 63 * --disable-usertmpfs compile time option
63 * allow AF_BLUETOOTH via --protocol=bluetooth 64 * allow AF_BLUETOOTH via --protocol=bluetooth
64 * Setup guide for new users: contrib/firejail-welcome.sh 65 * Setup guide for new users: contrib/firejail-welcome.sh
65 * implement netns in profiles 66 * implement netns in profiles
@@ -566,7 +567,7 @@ firejail (0.9.44) baseline; urgency=low
566 * feature: disable 3D hardware acceleration (--no3d) 567 * feature: disable 3D hardware acceleration (--no3d)
567 * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands 568 * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
568 * feature: move files in sandbox (--put) 569 * feature: move files in sandbox (--put)
569 * feature: accept wildcard patterns in user name field of restricted 570 * feature: accept wildcard patterns in user name field of restricted
570 shell login feature 571 shell login feature
571 * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape 572 * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
572 * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, 573 * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
@@ -608,7 +609,7 @@ firejail (0.9.42) baseline; urgency=low
608 * compile time: disable whitelisting (--disable-whitelist) 609 * compile time: disable whitelisting (--disable-whitelist)
609 * compile time: disable global config (--disable-globalcfg) 610 * compile time: disable global config (--disable-globalcfg)
610 * run time: enable/disable overlayfs (overlayfs yes/no) 611 * run time: enable/disable overlayfs (overlayfs yes/no)
611 * run time: enable/disable quiet as default (quiet-by-default yes/no) 612 * run time: enable/disable quiet as default (quiet-by-default yes/no)
612 * run time: user-defined network filter (netfilter-default) 613 * run time: user-defined network filter (netfilter-default)
613 * run time: enable/disable whitelisting (whitelist yes/no) 614 * run time: enable/disable whitelisting (whitelist yes/no)
614 * run time: enable/disable remounting of /proc and /sys 615 * run time: enable/disable remounting of /proc and /sys
@@ -706,7 +707,7 @@ firejail (0.9.38) baseline; urgency=low
706 -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 707 -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500
707 708
708firejail (0.9.36) baseline; urgency=low 709firejail (0.9.36) baseline; urgency=low
709 * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, 710 * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
710 parole and rtorrent profiles 711 parole and rtorrent profiles
711 * Google Chrome profile rework 712 * Google Chrome profile rework
712 * added google-chrome-stable profile 713 * added google-chrome-stable profile
diff --git a/SECURITY.md b/SECURITY.md
index 7ec2940f6..ef9b9b5fb 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,24 +2,24 @@
2 2
3## Supported Versions 3## Supported Versions
4 4
5| Version | Supported by us | EOL | Supported by distribution | 5| Version | Supported by us | EOL | Supported by distribution |
6| ------- | ------------------ | ---- | ------------------------- | 6| ------- | ------------------ | ------------------ | --------------------------------------------------------------------------------- |
7| 0.9.66 | :heavy_check_mark: | | | 7| 0.9.66 | :heavy_check_mark: | | :white_check_mark: Debian 11 **backports**, Debian 12 (testing/unstable) |
8| 0.9.64 | :x: | | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable) | 8| 0.9.64 | :x: | | :white_check_mark: Debian 10 **backports**, Debian 11, Ubuntu 21.04, Ubuntu 21.10 |
9| 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 | 9| 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 |
10| 0.9.60 | :x: | 29 Dec 2019 | | 10| 0.9.60 | :x: | 29 Dec 2019 | |
11| 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 | 11| 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 |
12| 0.9.56 | :x: | 27 Jan 2019 | | 12| 0.9.56 | :x: | 27 Jan 2019 | |
13| 0.9.54 | :x: | 18 Sep 2018 | | 13| 0.9.54 | :x: | 18 Sep 2018 | |
14| 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | 14| 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS |
15| 0.9.50 | :x: | 12 Dec 2017 | | 15| 0.9.50 | :x: | 12 Dec 2017 | |
16| 0.9.48 | :x: | 09 Sep 2017 | | 16| 0.9.48 | :x: | 09 Sep 2017 | |
17| 0.9.46 | :x: | 12 Jun 2017 | | 17| 0.9.46 | :x: | 12 Jun 2017 | |
18| 0.9.44 | :x: | | :white_check_mark: Debian 9 | 18| 0.9.44 | :x: | | :white_check_mark: Debian 9 |
19| 0.9.42 | :x: | 22 Oct 2016 | | 19| 0.9.42 | :x: | 22 Oct 2016 | |
20| 0.9.40 | :x: | 09 Sep 2016 | | 20| 0.9.40 | :x: | 09 Sep 2016 | |
21| 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | 21| 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS |
22| <0.9.38 | :x: | Before 05 Feb 2016 | | 22| <0.9.38 | :x: | Before 05 Feb 2016 | |
23 23
24## Security vulnerabilities 24## Security vulnerabilities
25 25
diff --git a/configure b/configure
index f78bbaded..33a4ca9fb 100755
--- a/configure
+++ b/configure
@@ -3549,7 +3549,7 @@ if test "x$enable_dbusproxy" != "xno"; then :
3549 3549
3550fi 3550fi
3551 3551
3552# overlayfs features temporarely disabled pending fixes 3552# overlayfs features temporarily disabled pending fixes
3553HAVE_OVERLAYFS="" 3553HAVE_OVERLAYFS=""
3554 3554
3555# 3555#
diff --git a/configure.ac b/configure.ac
index 7879a5239..5fde6d402 100644
--- a/configure.ac
+++ b/configure.ac
@@ -76,7 +76,7 @@ AS_IF([test "x$enable_dbusproxy" != "xno"], [
76 AC_SUBST(HAVE_DBUSPROXY) 76 AC_SUBST(HAVE_DBUSPROXY)
77]) 77])
78 78
79# overlayfs features temporarely disabled pending fixes 79# overlayfs features temporarily disabled pending fixes
80HAVE_OVERLAYFS="" 80HAVE_OVERLAYFS=""
81AC_SUBST(HAVE_OVERLAYFS) 81AC_SUBST(HAVE_OVERLAYFS)
82# 82#
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py
index 12b596749..961646aa4 100755
--- a/contrib/fix_private-bin.py
+++ b/contrib/fix_private-bin.py
@@ -164,7 +164,7 @@ def printHelp():
164 164
165 165
166def main() -> None: 166def main() -> None:
167 """The main function. Parses the commandline args, shows messages and calles the function actually doing the work.""" 167 """The main function. Parses the commandline args, shows messages and calls the function actually doing the work."""
168 if len(sys.argv) > 2 or (len(sys.argv) == 2 and 168 if len(sys.argv) > 2 or (len(sys.argv) == 2 and
169 (sys.argv[1] == "-h" or sys.argv[1] == "--help")): 169 (sys.argv[1] == "-h" or sys.argv[1] == "--help")):
170 printHelp() 170 printHelp()
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh
index 941fc45ef..686bdc2c0 100755
--- a/contrib/gdb-firejail.sh
+++ b/contrib/gdb-firejail.sh
@@ -21,4 +21,4 @@ else
21fi 21fi
22 22
23bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & 23bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" &
24sudo gdb -e "$FIREJAIL" -p "$!" 24sudo gdb -e "$FIREJAIL" -p "$!"
diff --git a/contrib/sort.py b/contrib/sort.py
index d7a2cd05d..4af9c674c 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -34,7 +34,7 @@ def sort_alphabetical(raw_items):
34 34
35 35
36def sort_protocol(protocols): 36def sort_protocol(protocols):
37 """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" 37 """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
38 38
39 # shortcut for common protocol lines 39 # shortcut for common protocol lines
40 if protocols in ("unix", "unix,inet,inet6"): 40 if protocols in ("unix", "unix,inet,inet6"):
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index d07690ee2..fa80a9c00 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -72,7 +72,7 @@ syn match fjCommandNoCond /quiet$/ contained
72 72
73" Conditionals grabbed from: src/firejail/profile.c 73" Conditionals grabbed from: src/firejail/profile.c
74" Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|' 74" Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|'
75syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained 75syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
76 76
77" A line is either a command, a conditional or a comment 77" A line is either a command, a conditional or a comment
78syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment 78syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile
index 9bc35da5a..1cc9b0116 100644
--- a/etc-fixes/0.9.58/atom.profile
+++ b/etc-fixes/0.9.58/atom.profile
@@ -1,4 +1,3 @@
1
2# Firejail profile for atom 1# Firejail profile for atom
3# Description: A hackable text editor for the 21st Century 2# Description: A hackable text editor for the 21st Century
4# This file is overwritten after every install/update 3# This file is overwritten after every install/update
diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README
index 9f85a0e00..15596eca7 100644
--- a/etc-fixes/seccomp-join-bug/README
+++ b/etc-fixes/seccomp-join-bug/README
@@ -8,4 +8,3 @@ on May 21, 2019:
8 8
9The original discussion thread: https://github.com/netblue30/firejail/issues/2718 9The original discussion thread: https://github.com/netblue30/firejail/issues/2718
10The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134 10The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
11
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index ca32f5b0d..a7044152e 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -129,7 +129,7 @@ signal (receive),
129########## 129##########
130# The list of recognized capabilities varies from one apparmor version to another. 130# The list of recognized capabilities varies from one apparmor version to another.
131# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available 131# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
132# We allow all caps by default and remove the ones we don't like: 132# We allow all caps by default and remove the ones we don't like:
133capability, 133capability,
134deny capability audit_write, 134deny capability audit_write,
135deny capability audit_control, 135deny capability audit_control,
diff --git a/etc/firejail.config b/etc/firejail.config
index 2e355586b..7912b746c 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,6 +2,9 @@
2# keyword-argument pairs, one per line. Most features are enabled by default. 2# keyword-argument pairs, one per line. Most features are enabled by default.
3# Use 'yes' or 'no' as configuration values. 3# Use 'yes' or 'no' as configuration values.
4 4
5# Allow programs to display a tray icon
6# allow-tray no
7
5# Enable AppArmor functionality, default enabled. 8# Enable AppArmor functionality, default enabled.
6# apparmor yes 9# apparmor yes
7 10
@@ -63,7 +66,7 @@
63# a file argument, the default filter is hardcoded (see man 1 firejail). This 66# a file argument, the default filter is hardcoded (see man 1 firejail). This
64# configuration entry allows the user to change the default by specifying 67# configuration entry allows the user to change the default by specifying
65# a file containing the filter configuration. The filter file format is the 68# a file containing the filter configuration. The filter file format is the
66# format of iptables-save and iptable-restore commands. Example: 69# format of iptables-save and iptables-restore commands. Example:
67# netfilter-default /etc/iptables.iptables.rules 70# netfilter-default /etc/iptables.iptables.rules
68 71
69# Enable or disable networking features, default enabled. 72# Enable or disable networking features, default enabled.
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 011bbe226..4e460fc10 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history
27noblacklist ${HOME}/.python_history 27noblacklist ${HOME}/.python_history
28noblacklist ${HOME}/.pythonhist 28noblacklist ${HOME}/.pythonhist
29 29
30# Ruby
31noblacklist ${HOME}/.bundle
32
30# Rust 33# Rust
31noblacklist ${HOME}/.cargo/* 34noblacklist ${HOME}/.cargo
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index a8c701219..00276cac7 100644
--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@@ -4,3 +4,4 @@ include allow-ruby.local
4 4
5noblacklist ${PATH}/ruby 5noblacklist ${PATH}/ruby
6noblacklist /usr/lib/ruby 6noblacklist /usr/lib/ruby
7noblacklist /usr/lib64/ruby
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index e74b1b40b..98bf5ecc8 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -60,9 +60,7 @@ blacklist /usr/lib/tcc
60blacklist ${PATH}/valgrind* 60blacklist ${PATH}/valgrind*
61blacklist /usr/lib/valgrind 61blacklist /usr/lib/valgrind
62 62
63
64# Source-Code 63# Source-Code
65
66blacklist /usr/src 64blacklist /usr/src
67blacklist /usr/local/src 65blacklist /usr/local/src
68blacklist /usr/include 66blacklist /usr/include
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 5d8a236fb..804869e2a 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -48,6 +48,7 @@ blacklist /usr/share/php*
48# Ruby 48# Ruby
49blacklist ${PATH}/ruby 49blacklist ${PATH}/ruby
50blacklist /usr/lib/ruby 50blacklist /usr/lib/ruby
51blacklist /usr/lib64/ruby
51 52
52# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus 53# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
53# Python 2 54# Python 2
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 444446156..d7a32d9b4 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -49,8 +49,9 @@ blacklist ${HOME}/.bibletime
49blacklist ${HOME}/.bitcoin 49blacklist ${HOME}/.bitcoin
50blacklist ${HOME}/.blobby 50blacklist ${HOME}/.blobby
51blacklist ${HOME}/.bogofilter 51blacklist ${HOME}/.bogofilter
52blacklist ${HOME}/.bundle
52blacklist ${HOME}/.bzf 53blacklist ${HOME}/.bzf
53blacklist ${HOME}/.cargo/* 54blacklist ${HOME}/.cargo
54blacklist ${HOME}/.claws-mail 55blacklist ${HOME}/.claws-mail
55blacklist ${HOME}/.cliqz 56blacklist ${HOME}/.cliqz
56blacklist ${HOME}/.clion* 57blacklist ${HOME}/.clion*
@@ -77,6 +78,7 @@ blacklist ${HOME}/.config/Element
77blacklist ${HOME}/.config/Element (Riot) 78blacklist ${HOME}/.config/Element (Riot)
78blacklist ${HOME}/.config/Enox 79blacklist ${HOME}/.config/Enox
79blacklist ${HOME}/.config/Epic 80blacklist ${HOME}/.config/Epic
81blacklist ${HOME}/.config/Exodus
80blacklist ${HOME}/.config/Ferdi 82blacklist ${HOME}/.config/Ferdi
81blacklist ${HOME}/.config/Flavio Tordini 83blacklist ${HOME}/.config/Flavio Tordini
82blacklist ${HOME}/.config/Franz 84blacklist ${HOME}/.config/Franz
@@ -495,12 +497,14 @@ blacklist ${HOME}/.frogatto
495blacklist ${HOME}/.frozen-bubble 497blacklist ${HOME}/.frozen-bubble
496blacklist ${HOME}/.funnyboat 498blacklist ${HOME}/.funnyboat
497blacklist ${HOME}/.gallery-dl.conf 499blacklist ${HOME}/.gallery-dl.conf
500blacklist ${HOME}/.geekbench5
498blacklist ${HOME}/.gimp* 501blacklist ${HOME}/.gimp*
499blacklist ${HOME}/.gist 502blacklist ${HOME}/.gist
500blacklist ${HOME}/.gitconfig 503blacklist ${HOME}/.gitconfig
501blacklist ${HOME}/.gl-117 504blacklist ${HOME}/.gl-117
502blacklist ${HOME}/.glaxiumrc 505blacklist ${HOME}/.glaxiumrc
503blacklist ${HOME}/.gnome/gnome-schedule 506blacklist ${HOME}/.gnome/gnome-schedule
507blacklist ${HOME}/.goldendict
504blacklist ${HOME}/.googleearth 508blacklist ${HOME}/.googleearth
505blacklist ${HOME}/.gradle 509blacklist ${HOME}/.gradle
506blacklist ${HOME}/.gramps 510blacklist ${HOME}/.gramps
@@ -966,6 +970,7 @@ blacklist ${HOME}/.cache/Enpass
966blacklist ${HOME}/.cache/Ferdi 970blacklist ${HOME}/.cache/Ferdi
967blacklist ${HOME}/.cache/Flavio Tordini 971blacklist ${HOME}/.cache/Flavio Tordini
968blacklist ${HOME}/.cache/Franz 972blacklist ${HOME}/.cache/Franz
973blacklist ${HOME}/.cache/GoldenDict
969blacklist ${HOME}/.cache/INRIA 974blacklist ${HOME}/.cache/INRIA
970blacklist ${HOME}/.cache/INRIA/Natron 975blacklist ${HOME}/.cache/INRIA/Natron
971blacklist ${HOME}/.cache/KDE/neochat 976blacklist ${HOME}/.cache/KDE/neochat
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index 005a502c4..256e2115a 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -42,7 +42,7 @@ tracelog
42private-bin abiword 42private-bin abiword
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc fonts,gtk-3.0,passwd 45private-etc fonts,gtk-3.0,ld.so.preload,passwd
46private-tmp 46private-tmp
47 47
48# dbus-user none 48# dbus-user none
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index fea25fd58..8652ae5f1 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -50,7 +50,7 @@ tracelog
50private-bin agetpkg,python3 50private-bin agetpkg,python3
51private-cache 51private-cache
52private-dev 52private-dev
53private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl 53private-etc ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl
54private-tmp 54private-tmp
55 55
56dbus-user none 56dbus-user none
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 69b499c74..9b74b4d29 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -53,7 +53,7 @@ disable-mnt
53# private-bin alacarte,bash,python*,sh 53# private-bin alacarte,bash,python*,sh
54private-cache 54private-cache
55private-dev 55private-dev
56private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg 56private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
57private-tmp 57private-tmp
58 58
59dbus-user none 59dbus-user none
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index 3ce05c5bc..e82c145d1 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -32,6 +32,7 @@ nosound
32notv 32notv
33nou2f 33nou2f
34novideo 34novideo
35# Add netlink protocol to use UPnP
35protocol unix,inet,inet6 36protocol unix,inet,inet6
36seccomp 37seccomp
37shell none 38shell none
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index fa4dfbb6f..b6e931be5 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -50,7 +50,7 @@ disable-mnt
50private-bin anki,python* 50private-bin anki,python*
51private-cache 51private-cache
52private-dev 52private-dev
53private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf 53private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf
54private-tmp 54private-tmp
55 55
56dbus-user none 56dbus-user none
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 737cf3095..e96def048 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -45,7 +45,7 @@ private-bin aria2c,gzip
45# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). 45# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
46#private-cache 46#private-cache
47private-dev 47private-dev
48private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl 48private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
49private-lib libreadline.so.* 49private-lib libreadline.so.*
50private-tmp 50private-tmp
51 51
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 3253fb586..98ae01950 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -43,6 +43,6 @@ tracelog
43disable-mnt 43disable-mnt
44private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor 44private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
45private-dev 45private-dev
46private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor 46private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor
47private-tmp 47private-tmp
48 48
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index 8d74b6ba4..adf4e16ee 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -56,7 +56,7 @@ disable-mnt
56private-bin artha,enchant,notify-send 56private-bin artha,enchant,notify-send
57private-cache 57private-cache
58private-dev 58private-dev
59private-etc alternatives,fonts,machine-id 59private-etc alternatives,fonts,ld.so.preload,machine-id
60private-lib libnotify.so.* 60private-lib libnotify.so.*
61private-tmp 61private-tmp
62 62
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index e377de2c8..272f9906d 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
13noroot 13noroot
14 14
15# without login.defs atool complains and uses UID/GID 1000 by default 15# without login.defs atool complains and uses UID/GID 1000 by default
16private-etc alternatives,group,login.defs,passwd 16private-etc alternatives,group,ld.so.preload,login.defs,passwd
17private-tmp 17private-tmp
18 18
19# Redirect 19# Redirect
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index f7c62926f..264bc0215 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -42,7 +42,7 @@ tracelog
42 42
43private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote 43private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
44private-dev 44private-dev
45private-etc alternatives,fonts,ld.so.cache 45private-etc alternatives,fonts,ld.so.cache,ld.so.preload
46# atril uses webkit gtk to display epub files 46# atril uses webkit gtk to display epub files
47# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0 47# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
48#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit 48#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 411c5f4d3..8fefc1eb7 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -47,7 +47,7 @@ disable-mnt
47private-bin authenticator-rs 47private-bin authenticator-rs
48private-cache 48private-cache
49private-dev 49private-dev
50private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg 50private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl,xdg
51private-tmp 51private-tmp
52 52
53dbus-user filter 53dbus-user filter
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 0f0fb7ceb..f9a03ca68 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -39,7 +39,7 @@ shell none
39disable-mnt 39disable-mnt
40# private-bin authenticator,python* 40# private-bin authenticator,python*
41private-dev 41private-dev
42private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl 42private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
43private-tmp 43private-tmp
44 44
45# makes settings immutable 45# makes settings immutable
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 197f787ca..2080aad62 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -66,7 +66,7 @@ tracelog
66private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm 66private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
67private-cache 67private-cache
68private-dev 68private-dev
69private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg 69private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
70private-tmp 70private-tmp
71writable-run-user 71writable-run-user
72writable-var 72writable-var
@@ -79,4 +79,4 @@ dbus-user.talk org.freedesktop.secrets
79dbus-user.talk org.gnome.keyring.SystemPrompter 79dbus-user.talk org.gnome.keyring.SystemPrompter
80dbus-system none 80dbus-system none
81 81
82read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file 82read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 0104dc181..24db11c7e 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -52,7 +52,7 @@ disable-mnt
52# private-bin bibletime,qt5ct 52# private-bin bibletime,qt5ct
53private-cache 53private-cache
54private-dev 54private-dev
55private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf 55private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
56private-tmp 56private-tmp
57 57
58dbus-user none 58dbus-user none
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index ba2eb2ea7..91ce57966 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -23,7 +23,7 @@ no3d
23nosound 23nosound
24 24
25?HAS_APPIMAGE: ignore private-dev 25?HAS_APPIMAGE: ignore private-dev
26private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl 26private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
27private-opt Bitwarden 27private-opt Bitwarden
28 28
29# Redirect 29# Redirect
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 61d1c3a1e..8d8787174 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -35,7 +35,7 @@ shell none
35# private-bin bash,bless,mono,sh 35# private-bin bash,bless,mono,sh
36private-cache 36private-cache
37private-dev 37private-dev
38private-etc alternatives,fonts,mono 38private-etc alternatives,fonts,ld.so.preload,mono
39private-tmp 39private-tmp
40 40
41dbus-user none 41dbus-user none
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
index 11d705c5b..7179bf4a5 100644
--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@@ -41,7 +41,7 @@ tracelog
41disable-mnt 41disable-mnt
42private-bin blobby 42private-bin blobby
43private-dev 43private-dev
44private-etc alsa,alternatives,asound.conf,drirc,group,hosts,login.defs,machine-id,passwd,pulse 44private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.preload,login.defs,machine-id,passwd,pulse
45private-lib 45private-lib
46private-tmp 46private-tmp
47 47
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 6e3d4256c..683a7858b 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin blobwars 43private-bin blobwars
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc machine-id 46private-etc ld.so.preload,machine-id
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index d731a6a6e..dbfc90996 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,7 +6,7 @@ include bsdtar.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9private-etc alternatives,group,localtime,passwd 9private-etc alternatives,group,ld.so.preload,localtime,passwd
10 10
11# Redirect 11# Redirect
12include archiver-common.profile 12include archiver-common.profile
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
new file mode 100644
index 000000000..1b199d612
--- /dev/null
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -0,0 +1,66 @@
1# Firejail profile for build-systems-common
2# This file is overwritten after every install/update
3# Persistent local customizations
4include build-systems-common.local
5# Persistent global definitions
6# added by caller profile
7#include globals.local
8
9ignore noexec ${HOME}
10ignore noexec /tmp
11
12# Allow /bin/sh (blacklisted by disable-shell.inc)
13include allow-bin-sh.inc
14
15# Allows files commonly used by IDEs
16include allow-common-devel.inc
17
18# Allow ssh (blacklisted by disable-common.inc)
19#include allow-ssh.inc
20
21blacklist ${RUNUSER}
22
23include disable-common.inc
24include disable-exec.inc
25include disable-interpreters.inc
26include disable-programs.inc
27include disable-shell.inc
28include disable-X11.inc
29include disable-xdg.inc
30
31#whitelist ${HOME}/Projects
32#include whitelist-common.inc
33
34whitelist /usr/share/pkgconfig
35include whitelist-run-common.inc
36include whitelist-usr-share-common.inc
37include whitelist-var-common.inc
38
39caps.drop all
40ipc-namespace
41machine-id
42# net none
43netfilter
44no3d
45nodvd
46nogroups
47noinput
48nonewprivs
49noroot
50nosound
51notv
52nou2f
53novideo
54protocol unix,inet,inet6
55seccomp
56seccomp.block-secondary
57shell none
58tracelog
59
60disable-mnt
61private-cache
62private-dev
63private-tmp
64
65dbus-user none
66dbus-system none
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile
new file mode 100644
index 000000000..bb82022b1
--- /dev/null
+++ b/etc/profile-a-l/bundle.profile
@@ -0,0 +1,23 @@
1# Firejail profile for bundle
2# Description: Ruby Dependency Management
3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include bundle.local
7# Persistent global definitions
8include globals.local
9
10noblacklist ${HOME}/.bundle
11
12# Allow ruby (blacklisted by disable-interpreters.inc)
13include allow-ruby.inc
14
15#whitelist ${HOME}/.bundle
16#whitelist ${HOME}/.gem
17#whitelist ${HOME}/.local/share/gem
18whitelist /usr/share/gems
19whitelist /usr/share/ruby
20whitelist /usr/share/rubygems
21
22# Redirect
23include build-systems-common.profile
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index ae9e0f1d2..d3c25d451 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -46,7 +46,7 @@ tracelog
46disable-mnt 46disable-mnt
47private-bin cameramonitor,python* 47private-bin cameramonitor,python*
48private-cache 48private-cache
49private-etc alternatives,fonts 49private-etc alternatives,fonts,ld.so.preload
50private-tmp 50private-tmp
51 51
52# dbus-user none 52# dbus-user none
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index ff46cd429..4c8afd895 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,18 @@ include cargo.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10ignore noexec ${HOME} 10ignore read-only ${HOME}/.cargo/bin
11ignore noexec /tmp
12
13blacklist /tmp/.X11-unix
14blacklist ${RUNUSER}
15 11
16noblacklist ${HOME}/.cargo/credentials 12noblacklist ${HOME}/.cargo/credentials
17noblacklist ${HOME}/.cargo/credentials.toml 13noblacklist ${HOME}/.cargo/credentials.toml
18 14
19# Allows files commonly used by IDEs
20include allow-common-devel.inc
21
22# Allow ssh (blacklisted by disable-common.inc)
23#include allow-ssh.inc
24
25include disable-common.inc
26include disable-exec.inc
27include disable-interpreters.inc
28include disable-programs.inc
29include disable-xdg.inc
30
31#mkdir ${HOME}/.cargo
32#whitelist ${HOME}/YOUR_CARGO_PROJECTS
33#whitelist ${HOME}/.cargo 15#whitelist ${HOME}/.cargo
34#whitelist ${HOME}/.rustup 16#whitelist ${HOME}/.rustup
35#include whitelist-common.inc
36whitelist /usr/share/pkgconfig
37include whitelist-runuser-common.inc
38include whitelist-usr-share-common.inc
39include whitelist-var-common.inc
40 17
41caps.drop all
42ipc-namespace
43machine-id
44netfilter
45no3d
46nodvd
47nogroups
48noinput
49nonewprivs
50noroot
51nosound
52notv
53nou2f
54novideo
55protocol unix,inet,inet6
56seccomp
57seccomp.block-secondary
58shell none
59tracelog
60
61disable-mnt
62#private-bin cargo,rustc 18#private-bin cargo,rustc
63private-cache
64private-dev
65private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl 19private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
66private-tmp
67
68dbus-user none
69dbus-system none
70 20
71memory-deny-write-execute 21memory-deny-write-execute
72read-write ${HOME}/.cargo/bin 22
23# Redirect
24include build-systems-common.profile
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 78df5af83..ceba03269 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -39,7 +39,7 @@ disable-mnt
39private-bin cawbird 39private-bin cawbird
40private-cache 40private-cache
41private-dev 41private-dev
42private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg 42private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
43private-tmp 43private-tmp
44 44
45# dbus-user none 45# dbus-user none
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 0beeaafdd..1a9340632 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -53,7 +53,7 @@ tracelog
53 53
54private-bin celluloid,env,gnome-mpv,python*,youtube-dl 54private-bin celluloid,env,gnome-mpv,python*,youtube-dl
55private-cache 55private-cache
56private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg 56private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
57private-dev 57private-dev
58private-tmp 58private-tmp
59 59
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index c2fc064f3..978d727f4 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -9,17 +9,24 @@ include globals.local
9noblacklist ${VIDEOS} 9noblacklist ${VIDEOS}
10noblacklist ${PICTURES} 10noblacklist ${PICTURES}
11 11
12include allow-python3.inc
13
12include disable-common.inc 14include disable-common.inc
13include disable-devel.inc 15include disable-devel.inc
14include disable-exec.inc 16include disable-exec.inc
15include disable-interpreters.inc 17include disable-interpreters.inc
16include disable-programs.inc 18include disable-programs.inc
19include disable-shell.inc
17include disable-xdg.inc 20include disable-xdg.inc
18 21
19whitelist ${VIDEOS} 22whitelist ${VIDEOS}
20whitelist ${PICTURES} 23whitelist ${PICTURES}
24whitelist /run/udev/data
25whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
21whitelist /usr/share/gnome-video-effects 26whitelist /usr/share/gnome-video-effects
27whitelist /usr/share/gstreamer-1.0
22include whitelist-common.inc 28include whitelist-common.inc
29include whitelist-run-common.inc
23include whitelist-runuser-common.inc 30include whitelist-runuser-common.inc
24include whitelist-usr-share-common.inc 31include whitelist-usr-share-common.inc
25include whitelist-var-common.inc 32include whitelist-var-common.inc
@@ -30,21 +37,26 @@ machine-id
30net none 37net none
31nodvd 38nodvd
32nogroups 39nogroups
40noinput
33nonewprivs 41nonewprivs
34noroot 42noroot
43nosound
35notv 44notv
36nou2f 45nou2f
37protocol unix 46protocol unix
38seccomp 47seccomp
48seccomp.block-secondary
39shell none 49shell none
40tracelog 50tracelog
41 51
42disable-mnt 52disable-mnt
43private-bin cheese 53private-bin cheese
44private-cache 54private-cache
45private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0 55private-dev
56private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload
46private-tmp 57private-tmp
47 58
48dbus-user filter 59dbus-user filter
60dbus-user.own org.gnome.Cheese
49dbus-user.talk ca.desrt.dconf 61dbus-user.talk ca.desrt.dconf
50dbus-system none 62dbus-system none
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 8ccf67ba1..5eb2cb621 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -44,7 +44,7 @@ disable-mnt
44private-bin bash,clawsker,perl,sh,which 44private-bin bash,clawsker,perl,sh,which
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc alternatives,fonts 47private-etc alternatives,fonts,ld.so.preload
48private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* 48private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
49private-tmp 49private-tmp
50 50
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile
new file mode 100644
index 000000000..26cc2a00a
--- /dev/null
+++ b/etc/profile-a-l/cmake.profile
@@ -0,0 +1,13 @@
1# Firejail profile for cargo
2# Description: The Rust package manager
3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include cargo.local
7# Persistent global definitions
8include globals.local
9
10memory-deny-write-execute
11
12# Redirect
13include build-systems-common.profile
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index 19a30e694..e51dd6bed 100644
--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -27,4 +27,4 @@ seccomp
27shell none 27shell none
28 28
29private-bin cmus 29private-bin cmus
30private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl 30private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile
index e5debfd82..97bf6d394 100644
--- a/etc/profile-a-l/cola.profile
+++ b/etc/profile-a-l/cola.profile
@@ -7,4 +7,4 @@ include cola.local
7include globals.local 7include globals.local
8 8
9# Redirect 9# Redirect
10include git-cola.profile \ No newline at end of file 10include git-cola.profile
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 8d9de93bb..6f08bc378 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin com.github.bleakgrey.tootle 45private-bin com.github.bleakgrey.tootle
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg 48private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
49private-tmp 49private-tmp
50 50
51# Settings are immutable 51# Settings are immutable
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index e7aa32be9..d33b89e7c 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -52,7 +52,7 @@ disable-mnt
52private-bin com.github.dahenson.agenda 52private-bin com.github.dahenson.agenda
53private-cache 53private-cache
54private-dev 54private-dev
55private-etc dconf,fonts,gtk-3.0 55private-etc dconf,fonts,gtk-3.0,ld.so.preload
56private-tmp 56private-tmp
57 57
58dbus-user filter 58dbus-user filter
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index aa9a19fcb..c75a09a51 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -55,7 +55,7 @@ disable-mnt
55private-bin com.github.johnfactotum.Foliate,gjs 55private-bin com.github.johnfactotum.Foliate,gjs
56private-cache 56private-cache
57private-dev 57private-dev
58private-etc dconf,fonts,gconf,gtk-3.0 58private-etc dconf,fonts,gconf,gtk-3.0,ld.so.preload
59private-tmp 59private-tmp
60 60
61read-only ${HOME} 61read-only ${HOME}
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 03218d85a..1d623fa09 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -40,7 +40,7 @@ tracelog
40disable-mnt 40disable-mnt
41private-cache 41private-cache
42private-dev 42private-dev
43private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl 43private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,ssl
44private-tmp 44private-tmp
45 45
46dbus-user none 46dbus-user none
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index 177abf829..deb2c0ef8 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -39,7 +39,7 @@ shell none
39disable-mnt 39disable-mnt
40private-bin crow 40private-bin crow
41private-dev 41private-dev
42private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl 42private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
43private-opt none 43private-opt none
44private-tmp 44private-tmp
45private-srv none 45private-srv none
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 0e4b8d475..0e754c448 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -50,7 +50,7 @@ disable-mnt
50private-bin d-feet,python* 50private-bin d-feet,python*
51private-cache 51private-cache
52private-dev 52private-dev
53private-etc alternatives,dbus-1,fonts,machine-id 53private-etc alternatives,dbus-1,fonts,ld.so.preload,machine-id
54private-tmp 54private-tmp
55 55
56#memory-deny-write-execute - breaks on Arch (see issue #1803) 56#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 768f1ac2c..c2532ed3b 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -51,7 +51,7 @@ private
51private-bin dbus-send 51private-bin dbus-send
52private-cache 52private-cache
53private-dev 53private-dev
54private-etc alternatives,dbus-1 54private-etc alternatives,dbus-1,ld.so.preload
55private-lib libpcre* 55private-lib libpcre*
56private-tmp 56private-tmp
57 57
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index f57063ab6..2b43c5ea3 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin dconf-editor 43private-bin dconf-editor
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,dconf,fonts,gtk-3.0,machine-id 46private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,machine-id
47private-lib 47private-lib
48private-tmp 48private-tmp
49 49
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index 8b7c86789..1cbeee763 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -46,7 +46,7 @@ disable-mnt
46private-bin dconf,gsettings 46private-bin dconf,gsettings
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc alternatives,dconf 49private-etc alternatives,dconf,ld.so.preload
50private-lib 50private-lib
51private-tmp 51private-tmp
52 52
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 701755d93..0669a5a6c 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -45,7 +45,7 @@ tracelog
45disable-mnt 45disable-mnt
46private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr 46private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
47private-cache 47private-cache
48private-etc alternatives,fonts 48private-etc alternatives,fonts,ld.so.preload
49private-tmp 49private-tmp
50 50
51dbus-user none 51dbus-user none
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index a416bc27e..562f6b105 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -42,7 +42,7 @@ disable-mnt
42private-bin devhelp 42private-bin devhelp
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl 45private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
46private-tmp 46private-tmp
47 47
48# makes settings immutable 48# makes settings immutable
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 89c8e1ae8..19b6cffaf 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -48,7 +48,7 @@ disable-mnt
48private-bin devilspie 48private-bin devilspie
49private-cache 49private-cache
50private-dev 50private-dev
51private-etc alternatives 51private-etc alternatives,ld.so.preload
52private-lib gconv 52private-lib gconv
53private-tmp 53private-tmp
54 54
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 2613027ba..c04e38899 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -24,7 +24,7 @@ whitelist ${HOME}/.config/BetterDiscord
24whitelist ${HOME}/.local/share/betterdiscordctl 24whitelist ${HOME}/.local/share/betterdiscordctl
25 25
26private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh 26private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
27private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl 27private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
28 28
29join-or-start discord 29join-or-start discord
30 30
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 0f134bd87..6eff39d40 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -40,7 +40,7 @@ shell none
40private-bin display,python* 40private-bin display,python*
41private-dev 41private-dev
42# On Debian-based systems, display is a symlink in /etc/alternatives 42# On Debian-based systems, display is a symlink in /etc/alternatives
43private-etc alternatives 43private-etc alternatives,ld.so.preload
44private-tmp 44private-tmp
45 45
46dbus-user none 46dbus-user none
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 6d5e2501f..253f5643e 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -45,7 +45,7 @@ shell none
45private-bin drawio 45private-bin drawio
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,fonts 48private-etc alternatives,fonts,ld.so.preload
49private-tmp 49private-tmp
50 50
51dbus-user none 51dbus-user none
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index fd7f252b6..0345f2b24 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -45,7 +45,7 @@ disable-mnt
45#private-bin bash,easystroke,sh 45#private-bin bash,easystroke,sh
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,fonts,group,passwd 48private-etc alternatives,fonts,group,ld.so.preload,passwd
49# breaks custom shell command functionality 49# breaks custom shell command functionality
50#private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* 50#private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
51private-tmp 51private-tmp
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 9aac3f570..e472f57b6 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -45,7 +45,7 @@ shell none
45private-bin electron-mail 45private-bin electron-mail
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg 48private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
49private-opt ElectronMail 49private-opt ElectronMail
50private-tmp 50private-tmp
51 51
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 1647f2bc4..8cfc9f797 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -47,7 +47,7 @@ private-bin electrum,python*
47private-cache 47private-cache
48?HAS_APPIMAGE: ignore private-dev 48?HAS_APPIMAGE: ignore private-dev
49private-dev 49private-dev
50private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl 50private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl
51private-tmp 51private-tmp
52 52
53# dbus-user none 53# dbus-user none
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 03fd9033a..8673b65ca 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.gnupg
12noblacklist ${HOME}/.mozilla 12noblacklist ${HOME}/.mozilla
13noblacklist ${HOME}/.signature 13noblacklist ${HOME}/.signature
14# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local 14# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
15# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications 15# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
16noblacklist ${HOME}/Mail 16noblacklist ${HOME}/Mail
17 17
18noblacklist ${DOCUMENTS} 18noblacklist ${DOCUMENTS}
@@ -66,7 +66,7 @@ tracelog
66# disable-mnt 66# disable-mnt
67private-cache 67private-cache
68private-dev 68private-dev
69private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg 69private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
70private-tmp 70private-tmp
71# encrypting and signing email 71# encrypting and signing email
72writable-run-user 72writable-run-user
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index dc383984e..0a2e23996 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -48,7 +48,7 @@ x11 none
48private-bin enchant,enchant-* 48private-bin enchant,enchant-*
49private-cache 49private-cache
50private-dev 50private-dev
51private-etc alternatives 51private-etc alternatives,ld.so.preload
52private-lib 52private-lib
53private-tmp 53private-tmp
54 54
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 02112ef20..ddc0ce0b9 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -47,6 +47,6 @@ tracelog
47 47
48private-cache 48private-cache
49private-dev 49private-dev
50private-etc alternatives,dconf,fonts,gtk-3.0 50private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload
51private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* 51private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
52private-tmp 52private-tmp
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 5892374bd..65e5c6e69 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -18,7 +18,7 @@ whitelist /usr/share/eog
18 18
19private-bin eog 19private-bin eog
20 20
21# broken on Debian 10 (buster) running LXDE got the folowing error: 21# broken on Debian 10 (buster) running LXDE got the following error:
22# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown 22# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
23#dbus-user filter 23#dbus-user filter
24#dbus-user.own org.gnome.eog 24#dbus-user.own org.gnome.eog
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index 7566f7b50..fe7b912bd 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -54,7 +54,7 @@ disable-mnt
54private-bin equalx,gs,pdflatex,pdftocairo 54private-bin equalx,gs,pdflatex,pdftocairo
55private-cache 55private-cache
56private-dev 56private-dev
57private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf 57private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf
58private-tmp 58private-tmp
59 59
60dbus-user none 60dbus-user none
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 77fb458ca..63e456488 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -54,9 +54,9 @@ tracelog
54private-bin evince,evince-previewer,evince-thumbnailer 54private-bin evince,evince-previewer,evince-thumbnailer
55private-cache 55private-cache
56private-dev 56private-dev
57private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd 57private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
58# private-lib might break two-page-view on some systems 58# private-lib might break two-page-view on some systems
59private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* 59private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
60private-tmp 60private-tmp
61 61
62# dbus-user filtering might break two-page-view on some systems 62# dbus-user filtering might break two-page-view on some systems
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 49a16f2f2..12c22ba5b 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -48,7 +48,7 @@ x11 none
48#private-bin exiftool,perl 48#private-bin exiftool,perl
49private-cache 49private-cache
50private-dev 50private-dev
51private-etc alternatives 51private-etc alternatives,ld.so.preload
52private-tmp 52private-tmp
53 53
54dbus-user none 54dbus-user none
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 3911a8c75..62ea449a6 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -46,7 +46,7 @@ disable-mnt
46# private-bin falkon 46# private-bin falkon
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg 49private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
50private-tmp 50private-tmp
51 51
52# dbus-user filter 52# dbus-user filter
diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile
index 690b39171..f9b3d58c9 100644
--- a/etc/profile-a-l/feh-network.inc.profile
+++ b/etc/profile-a-l/feh-network.inc.profile
@@ -5,4 +5,4 @@ include feh-network.inc.local
5ignore net none 5ignore net none
6netfilter 6netfilter
7protocol unix,inet,inet6 7protocol unix,inet,inet6
8private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl 8private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,pki,resolv.conf,ssl
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 0fdb1d3d3..f2770f294 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -36,7 +36,7 @@ shell none
36private-bin feh,jpegexiforient,jpegtran 36private-bin feh,jpegexiforient,jpegtran
37private-cache 37private-cache
38private-dev 38private-dev
39private-etc alternatives,feh 39private-etc alternatives,feh,ld.so.preload
40private-tmp 40private-tmp
41 41
42dbus-user none 42dbus-user none
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile
index 04134cbf4..2284ccbe4 100644
--- a/etc/profile-a-l/ffplay.profile
+++ b/etc/profile-a-l/ffplay.profile
@@ -14,7 +14,7 @@ ignore nogroups
14ignore nosound 14ignore nosound
15 15
16private-bin ffplay 16private-bin ffplay
17private-etc alsa,asound.conf,group 17private-etc alsa,asound.conf,group,ld.so.preload
18 18
19# Redirect 19# Redirect
20include ffmpeg.profile 20include ffmpeg.profile
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 434466139..54fa7dfa7 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -43,7 +43,7 @@ tracelog
43private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd 43private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc dconf,fonts,gtk-3.0,xdg 46private-etc dconf,fonts,gtk-3.0,ld.so.preload,xdg
47# private-tmp 47# private-tmp
48 48
49dbus-system none 49dbus-system none
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index e9241efc3..5c7bc03d8 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -52,7 +52,7 @@ tracelog
52disable-mnt 52disable-mnt
53private-bin flameshot 53private-bin flameshot
54private-cache 54private-cache
55private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl 55private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl
56private-dev 56private-dev
57#private-tmp 57#private-tmp
58 58
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 7beb2bcba..aeed313c8 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -16,7 +16,7 @@ mkdir ${HOME}/.config/FreeTube
16whitelist ${HOME}/.config/FreeTube 16whitelist ${HOME}/.config/FreeTube
17 17
18private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh 18private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
19private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg 19private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
20 20
21# Redirect 21# Redirect
22include electron.profile 22include electron.profile
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index fa08b4956..efd5246d6 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin frogatto,sh 45private-bin frogatto,sh
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc machine-id 48private-etc ld.so.preload,machine-id
49private-tmp 49private-tmp
50 50
51dbus-user none 51dbus-user none
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index b0d017db9..6d764a0f9 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -59,7 +59,7 @@ disable-mnt
59private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh 59private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
60private-cache 60private-cache
61private-dev 61private-dev
62private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg 62private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
63private-tmp 63private-tmp
64writable-run-user 64writable-run-user
65 65
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 50b1c319c..c6280c488 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -43,7 +43,7 @@ tracelog
43private-bin galculator 43private-bin galculator
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,fonts 46private-etc alternatives,fonts,ld.so.preload
47private-lib 47private-lib
48private-tmp 48private-tmp
49 49
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index 9c8200dc4..a31dde21c 100644
--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl
12noblacklist ${HOME}/.gallery-dl.conf 12noblacklist ${HOME}/.gallery-dl.conf
13 13
14private-bin gallery-dl 14private-bin gallery-dl
15private-etc gallery-dl.conf 15private-etc gallery-dl.conf,ld.so.preload
16 16
17# Redirect 17# Redirect
18include youtube-dl.profile 18include youtube-dl.profile
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 8263423a0..e9eb55709 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -49,7 +49,7 @@ private
49private-bin gapplication 49private-bin gapplication
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc none 52private-etc ld.so.preload,none
53private-tmp 53private-tmp
54 54
55# Add the next line to your gapplication.local to filter D-Bus names. 55# Add the next line to your gapplication.local to filter D-Bus names.
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 388f4c0df..297e5d345 100644
--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -36,7 +36,7 @@ tracelog
36 36
37disable-mnt 37disable-mnt
38private-dev 38private-dev
39private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl 39private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
40private-tmp 40private-tmp
41 41
42dbus-user none 42dbus-user none
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index b01d88f80..6532d85f0 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -54,7 +54,7 @@ disable-mnt
54private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* 54private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
55private-cache 55private-cache
56private-dev 56private-dev
57private-etc alternatives,fonts,gconf 57private-etc alternatives,fonts,gconf,ld.so.preload
58private-lib GConf,libpython*,python2* 58private-lib GConf,libpython*,python2*
59private-tmp 59private-tmp
60 60
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index 29c620556..b78f7e647 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -70,7 +70,7 @@ tracelog
70private-bin geary 70private-bin geary
71private-cache 71private-cache
72private-dev 72private-dev
73private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg 73private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,ssl,xdg
74private-tmp 74private-tmp
75 75
76dbus-user filter 76dbus-user filter
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index f0e17963c..4812e1368 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9noblacklist ${HOME}/.geekbench5
10noblacklist /sbin
11noblacklist /usr/sbin
12
9include disable-common.inc 13include disable-common.inc
10include disable-devel.inc 14include disable-devel.inc
11include disable-exec.inc 15include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
13include disable-programs.inc 17include disable-programs.inc
14include disable-xdg.inc 18include disable-xdg.inc
15 19
20mkdir ${HOME}/.geekbench5
21whitelist ${HOME}/.geekbench5
16include whitelist-common.inc 22include whitelist-common.inc
17include whitelist-usr-share-common.inc 23include whitelist-usr-share-common.inc
18include whitelist-var-common.inc 24include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
39tracelog 45tracelog
40 46
41disable-mnt 47disable-mnt
42private-bin bash,geekbenc*,sh 48#private-bin bash,geekbench*,sh -- #4576
43private-cache 49private-cache
44private-dev 50private-dev
45private-etc alternatives,group,lsb-release,passwd 51private-etc alternatives,group,ld.so.preload,lsb-release,passwd
46private-lib gcc/*/*/libstdc++.so.*
47private-opt none
48private-tmp 52private-tmp
49 53
50dbus-user none 54dbus-user none
51dbus-system none 55dbus-system none
52 56
53#memory-deny-write-execute - breaks on Arch (see issue #1803)
54read-only ${HOME} 57read-only ${HOME}
58read-write ${HOME}/.geekbench5
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index b2adaa8e4..d8ca4ae41 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -49,7 +49,7 @@ disable-mnt
49private-bin gget 49private-bin gget
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl 52private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl
53private-lib 53private-lib
54private-tmp 54private-tmp
55 55
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index 80fa18119..010cdae06 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -52,7 +52,7 @@ tracelog
52disable-mnt 52disable-mnt
53private-cache 53private-cache
54private-dev 54private-dev
55private-etc alternatives 55private-etc alternatives,ld.so.preload
56private-tmp 56private-tmp
57 57
58dbus-user none 58dbus-user none
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index f77adef63..c13273321 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -70,7 +70,7 @@ tracelog
70private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed 70private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
71private-cache 71private-cache
72private-dev 72private-dev
73private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg 73private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
74private-tmp 74private-tmp
75writable-run-user 75writable-run-user
76 76
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 5dfb48189..36b016e02 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -37,7 +37,7 @@ shell none
37 37
38disable-mnt 38disable-mnt
39private-bin bash,env,gitter 39private-bin bash,env,gitter
40private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl 40private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,pulse,resolv.conf,ssl
41private-opt Gitter 41private-opt Gitter
42private-dev 42private-dev
43private-tmp 43private-tmp
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index 4aa4b6c20..0a1264888 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -44,7 +44,7 @@ tracelog
44disable-mnt 44disable-mnt
45#private-bin gmpc 45#private-bin gmpc
46private-cache 46private-cache
47private-etc alternatives,fonts 47private-etc alternatives,fonts,ld.so.preload
48private-tmp 48private-tmp
49writable-run-user 49writable-run-user
50 50
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index c8903a991..2c1dee50c 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -45,7 +45,7 @@ private
45private-bin gnome-calendar 45private-bin gnome-calendar
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl 48private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
49private-tmp 49private-tmp
50 50
51dbus-user filter 51dbus-user filter
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index d038d775a..6261fcc27 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -50,5 +50,5 @@ disable-mnt
50private-bin fairymax,gnome-chess,gnuchess,hoichess 50private-bin fairymax,gnome-chess,gnuchess,hoichess
51private-cache 51private-cache
52private-dev 52private-dev
53private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0 53private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.preload
54private-tmp 54private-tmp
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 96a39f6ce..7d33ac94e 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -42,6 +42,6 @@ disable-mnt
42private-bin gnome-clocks,gsound-play 42private-bin gnome-clocks,gsound-play
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl 45private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl
46private-tmp 46private-tmp
47 47
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 19a4bc5c7..28c7e3346 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -42,7 +42,7 @@ private
42private-bin gnome-hexgl 42private-bin gnome-hexgl
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alsa,asound.conf,machine-id,pulse 45private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 26c2c4409..1d2366365 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -48,6 +48,6 @@ tracelog
48private-cache 48private-cache
49private-dev 49private-dev
50# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed 50# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
51private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive 51private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.preload,login.defs,passwd,texlive
52 52
53dbus-system none 53dbus-system none
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 2c15f7592..3d8218e99 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -40,7 +40,7 @@ disable-mnt
40private-bin gnome-logs 40private-bin gnome-logs
41private-cache 41private-cache
42private-dev 42private-dev
43private-etc alternatives,fonts,localtime,machine-id 43private-etc alternatives,fonts,ld.so.preload,localtime,machine-id
44private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* 44private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
45private-tmp 45private-tmp
46writable-var-log 46writable-var-log
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index a00edfa37..fe8268530 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -42,6 +42,6 @@ tracelog
42# private-bin calls a file manager - whatever is installed! 42# private-bin calls a file manager - whatever is installed!
43#private-bin env,gio-launch-desktop,gnome-music,python*,yelp 43#private-bin env,gio-launch-desktop,gnome-music,python*,yelp
44private-dev 44private-dev
45private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg 45private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,xdg
46private-tmp 46private-tmp
47 47
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index b69899c70..bdc09b5ac 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -53,7 +53,7 @@ disable-mnt
53private-bin gnome-passwordsafe,python3* 53private-bin gnome-passwordsafe,python3*
54private-cache 54private-cache
55private-dev 55private-dev
56private-etc dconf,fonts,gtk-3.0,passwd 56private-etc dconf,fonts,gtk-3.0,ld.so.preload,passwd
57private-tmp 57private-tmp
58 58
59dbus-user filter 59dbus-user filter
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index 3ab2e4aad..fb108ee97 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -34,7 +34,7 @@ shell none
34disable-mnt 34disable-mnt
35private-cache 35private-cache
36private-dev 36private-dev
37private-etc alternatives,fonts,machine-id 37private-etc alternatives,fonts,ld.so.preload,machine-id
38private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* 38private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
39private-tmp 39private-tmp
40 40
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 01162b552..9a5f878fc 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -47,7 +47,7 @@ shell none
47disable-mnt 47disable-mnt
48private-bin gnome-recipes,tar 48private-bin gnome-recipes,tar
49private-dev 49private-dev
50private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl 50private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,ssl
51private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* 51private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
52private-tmp 52private-tmp
53 53
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index f5afa9fb3..a4e4ae38a 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -42,7 +42,7 @@ tracelog
42disable-mnt 42disable-mnt
43private-bin gnome-screenshot 43private-bin gnome-screenshot
44private-dev 44private-dev
45private-etc dconf,fonts,gtk-3.0,localtime,machine-id 45private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,machine-id
46private-tmp 46private-tmp
47 47
48dbus-user filter 48dbus-user filter
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 159145b1b..859d56bd9 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -40,5 +40,5 @@ tracelog
40disable-mnt 40disable-mnt
41private-cache 41private-cache
42private-dev 42private-dev
43private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg 43private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,openal,pango,pulse,xdg
44private-tmp 44private-tmp
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 3f9497e80..addd76f7f 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin gnome-system-log 43private-bin gnome-system-log
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,fonts,localtime,machine-id 46private-etc alternatives,fonts,ld.so.preload,localtime,machine-id
47private-lib 47private-lib
48private-tmp 48private-tmp
49writable-var-log 49writable-var-log
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 4640f7f43..e7615e4f2 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -46,7 +46,7 @@ disable-mnt
46private-bin gnome-todo 46private-bin gnome-todo
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg 49private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,passwd,xdg
50private-tmp 50private-tmp
51 51
52dbus-user filter 52dbus-user filter
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index 4ad39a988..a76fbbb2c 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -41,7 +41,7 @@ tracelog
41disable-mnt 41disable-mnt
42private-cache 42private-cache
43private-dev 43private-dev
44private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11 44private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pango,passwd,X11
45private-tmp 45private-tmp
46 46
47dbus-user filter 47dbus-user filter
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index 2d4ce2437..deda06f8e 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -51,7 +51,7 @@ disable-mnt
51private-bin gnote 51private-bin gnote
52private-cache 52private-cache
53private-dev 53private-dev
54private-etc dconf,fonts,gtk-3.0,pango,X11 54private-etc dconf,fonts,gtk-3.0,ld.so.preload,pango,X11
55private-tmp 55private-tmp
56 56
57dbus-user filter 57dbus-user filter
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index 902e76416..e2e154216 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -43,7 +43,7 @@ private
43private-bin gnubik 43private-bin gnubik
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc drirc,fonts,gtk-2.0 46private-etc drirc,fonts,gtk-2.0,ld.so.preload
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index b3c19e97f..f33f63497 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -38,7 +38,7 @@ tracelog
38# private-bin godot 38# private-bin godot
39private-cache 39private-cache
40private-dev 40private-dev
41private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl 41private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
42private-tmp 42private-tmp
43 43
44dbus-user none 44dbus-user none
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile
new file mode 100644
index 000000000..59a572319
--- /dev/null
+++ b/etc/profile-a-l/goldendict.profile
@@ -0,0 +1,57 @@
1# Firejail profile for goldendict
2# This file is overwritten after every install/update
3# Persistent local customizations
4include goldendict.local
5# Persistent global definitions
6include globals.local
7
8noblacklist ${HOME}/.goldendict
9noblacklist ${HOME}/.cache/GoldenDict
10
11include disable-common.inc
12include disable-devel.inc
13include disable-exec.inc
14include disable-interpreters.inc
15include disable-programs.inc
16include disable-shell.inc
17include disable-xdg.inc
18
19mkdir ${HOME}/.goldendict
20mkdir ${HOME}/.cache/GoldenDict
21whitelist ${HOME}/.goldendict
22whitelist ${HOME}/.cache/GoldenDict
23# The default path of dictionaries
24whitelist /usr/share/stardict/dic
25include whitelist-common.inc
26include whitelist-runuser-common.inc
27include whitelist-usr-share-common.inc
28include whitelist-var-common.inc
29
30apparmor
31caps.drop all
32netfilter
33# no3d leads to the libGL MESA-LOADER errors
34#no3d
35nodvd
36nogroups
37noinput
38nonewprivs
39noroot
40notv
41nou2f
42novideo
43protocol unix,inet,inet6,netlink
44seccomp
45seccomp.block-secondary
46shell none
47tracelog
48
49disable-mnt
50private-bin goldendict
51private-cache
52private-dev
53private-etc ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
54private-tmp
55
56dbus-user none
57dbus-system none
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
index b8e2b04df..a37c7ad77 100644
--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -54,7 +54,7 @@ disable-mnt
54private-bin env,python3*,sh,w3m 54private-bin env,python3*,sh,w3m
55private-cache 55private-cache
56private-dev 56private-dev
57private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl 57private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
58private-tmp 58private-tmp
59 59
60dbus-user none 60dbus-user none
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index 9a782b238..436134e1b 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -41,7 +41,7 @@ tracelog
41private-bin gpicview 41private-bin gpicview
42private-cache 42private-cache
43private-dev 43private-dev
44private-etc alternatives,fonts,group,passwd 44private-etc alternatives,fonts,group,ld.so.preload,passwd
45private-lib 45private-lib
46private-tmp 46private-tmp
47 47
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index 54e52d695..e421c6a0b 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -36,6 +36,6 @@ tracelog
36 36
37private-bin gpredict 37private-bin gpredict
38private-dev 38private-dev
39private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl 39private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl
40private-tmp 40private-tmp
41 41
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 31f95fb80..efb6b39c6 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin gradio 45private-bin gradio
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg 48private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
49private-tmp 49private-tmp
50 50
51dbus-user filter 51dbus-user filter
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index c5bcc85f3..10d41735a 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -40,7 +40,7 @@ private
40private-bin gravity-beams-and-evaporating-stars 40private-bin gravity-beams-and-evaporating-stars
41private-cache 41private-cache
42private-dev 42private-dev
43private-etc fonts,machine-id 43private-etc fonts,ld.so.preload,machine-id
44private-tmp 44private-tmp
45 45
46dbus-user none 46dbus-user none
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index 3231374b7..c6347efdf 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -46,7 +46,7 @@ disable-mnt
46private-bin gtk-update-icon-cache 46private-bin gtk-update-icon-cache
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc none 49private-etc ld.so.preload,none
50private-lib 50private-lib
51private-tmp 51private-tmp
52 52
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 8c4453a8b..8becf6d84 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -46,7 +46,7 @@ shell none
46 46
47private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 47private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
48private-dev 48private-dev
49private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg 49private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg
50 50
51# dbus-user none 51# dbus-user none
52# dbus-system none 52# dbus-system none
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index f210a264f..0baebdae1 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -44,7 +44,7 @@ private-bin hyperrogue
44private-cache 44private-cache
45private-cwd ${HOME} 45private-cwd ${HOME}
46private-dev 46private-dev
47private-etc fonts,machine-id 47private-etc fonts,ld.so.preload,machine-id
48private-tmp 48private-tmp
49 49
50dbus-user none 50dbus-user none
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index c875cad72..200b4c8b1 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -68,5 +68,5 @@ shell none
68disable-mnt 68disable-mnt
69private-cache 69private-cache
70private-dev 70private-dev
71private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl 71private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
72private-tmp 72private-tmp
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 5e54b5441..e0015e69a 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -1,6 +1,7 @@
1# Firejail profile for inkscape 1# Firejail profile for inkscape
2# Description: Vector-based drawing program 2# Description: Vector-based drawing program
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4# Persistent local customizations 5# Persistent local customizations
5include inkscape.local 6include inkscape.local
6# Persistent global definitions 7# Persistent global definitions
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index ea4ee5ae1..2997328e8 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -50,7 +50,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh
50# private-cache 50# private-cache
51private-dev 51private-dev
52# empty etc directory 52# empty etc directory
53private-etc none 53private-etc ld.so.preload,none
54private-lib 54private-lib
55private-opt none 55private-opt none
56private-tmp 56private-tmp
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index 1209c5e11..59260dc64 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -34,7 +34,7 @@ tracelog
34 34
35private-bin bash,jerry,sh,stockfish 35private-bin bash,jerry,sh,stockfish
36private-dev 36private-dev
37private-etc fonts,gtk-2.0,gtk-3.0 37private-etc fonts,gtk-2.0,gtk-3.0,ld.so.preload
38private-tmp 38private-tmp
39 39
40dbus-user none 40dbus-user none
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index 77d3f6bf4..b9bc8f219 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -42,7 +42,7 @@ disable-mnt
42private-bin jumpnbump 42private-bin jumpnbump
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc none 45private-etc ld.so.preload,none
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 210b7cf03..5253a78b0 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -42,7 +42,7 @@ disable-mnt
42private-bin kalgebra,kalgebramobile 42private-bin kalgebra,kalgebramobile
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc fonts,machine-id 45private-etc fonts,ld.so.preload,machine-id
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 7b990bf41..d88631005 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -49,7 +49,7 @@ disable-mnt
49# private-bin kazam,python* 49# private-bin kazam,python*
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg 52private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,X11,xdg
53private-tmp 53private-tmp
54 54
55dbus-system none 55dbus-system none
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index 46e8ccb82..c551dbdbe 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -55,7 +55,7 @@ disable-mnt
55private-bin kcalc 55private-bin kcalc
56private-cache 56private-cache
57private-dev 57private-dev
58private-etc alternatives,fonts,ld.so.cache,locale,locale.conf 58private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf
59# private-lib - problems on Arch 59# private-lib - problems on Arch
60private-tmp 60private-tmp
61 61
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 7c9be2bcc..fa50b0a20 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -48,7 +48,7 @@ shell none
48tracelog 48tracelog
49 49
50disable-mnt 50disable-mnt
51private-bin kdiff3 51private-bin kdiff3
52private-cache 52private-cache
53private-dev 53private-dev
54 54
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index 768a3cef0..616b87d7e 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -41,7 +41,7 @@ tracelog
41 41
42private-bin keepassx,keepassx2 42private-bin keepassx,keepassx2
43private-dev 43private-dev
44private-etc alternatives,fonts,machine-id 44private-etc alternatives,fonts,ld.so.preload,machine-id
45private-tmp 45private-tmp
46 46
47dbus-user none 47dbus-user none
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index b915f6202..0f3e6605b 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -88,7 +88,7 @@ tracelog
88 88
89private-bin keepassxc,keepassxc-cli,keepassxc-proxy 89private-bin keepassxc,keepassxc-cli,keepassxc-proxy
90private-dev 90private-dev
91private-etc alternatives,fonts,ld.so.cache,machine-id 91private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
92private-tmp 92private-tmp
93 93
94dbus-user filter 94dbus-user filter
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index e66716eeb..8b35a8946 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -37,7 +37,7 @@ tracelog
37 37
38private-cache 38private-cache
39private-dev 39private-dev
40private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl 40private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
41private-tmp 41private-tmp
42private-opt none 42private-opt none
43private-srv none 43private-srv none
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 968402a8a..837ea9e36 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -44,7 +44,7 @@ shell none
44disable-mnt 44disable-mnt
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl 47private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
48private-tmp 48private-tmp
49 49
50dbus-user none 50dbus-user none
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index f733fa42c..964175274 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin bash,klavaro,sh,tclsh,tclsh* 45private-bin bash,klavaro,sh,tclsh,tclsh*
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,fonts 48private-etc alternatives,fonts,ld.so.preload
49private-tmp 49private-tmp
50private-opt none 50private-opt none
51private-srv none 51private-srv none
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 051782172..78eb2e8f5 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -46,7 +46,7 @@ disable-mnt
46private-bin ktouch 46private-bin ktouch
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc alternatives,fonts,kde5rc,machine-id 49private-etc alternatives,fonts,kde5rc,ld.so.preload,machine-id
50private-tmp 50private-tmp
51 51
52dbus-user none 52dbus-user none
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 262ffb532..ad6b2f5fe 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -68,7 +68,7 @@ tracelog
68private-bin kube,sink_synchronizer 68private-bin kube,sink_synchronizer
69private-cache 69private-cache
70private-dev 70private-dev
71private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg 71private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
72private-tmp 72private-tmp
73writable-run-user 73writable-run-user
74 74
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 5bbadfc73..32e9870e5 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -42,5 +42,5 @@ tracelog
42disable-mnt 42disable-mnt
43private-bin kwin_x11 43private-bin kwin_x11
44private-dev 44private-dev
45private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg 45private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg
46private-tmp 46private-tmp
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 682c7782d..cd5ce7034 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -46,7 +46,7 @@ tracelog
46 46
47private-bin kbuildsycoca4,kdeinit4,kwrite 47private-bin kbuildsycoca4,kdeinit4,kwrite
48private-dev 48private-dev
49private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg 49private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg
50private-tmp 50private-tmp
51 51
52# dbus-user none 52# dbus-user none
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index c9f5221f7..ebffbbabf 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -36,6 +36,7 @@ include whitelist-usr-share-common.inc
36#private-etc librewolf 36#private-etc librewolf
37 37
38dbus-user filter 38dbus-user filter
39dbus-user.own org.mozilla.librewolf.*
39# Add the next line to your librewolf.local to enable native notifications. 40# Add the next line to your librewolf.local to enable native notifications.
40#dbus-user.talk org.freedesktop.Notifications 41#dbus-user.talk org.freedesktop.Notifications
41# Add the next line to your librewolf.local to allow inhibiting screensavers. 42# Add the next line to your librewolf.local to allow inhibiting screensavers.
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index bd28f25d6..dac3eaee3 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -47,11 +47,11 @@ shell none
47tracelog 47tracelog
48 48
49disable-mnt 49disable-mnt
50# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. 50# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs.
51private-bin sh 51private-bin sh
52private-cache 52private-cache
53private-dev 53private-dev
54private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl 54private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
55# Add the next line to your links-common.local to allow external media players. 55# Add the next line to your links-common.local to allow external media players.
56# private-etc alsa,asound.conf,machine-id,openal,pulse 56# private-etc alsa,asound.conf,machine-id,openal,pulse
57private-tmp 57private-tmp
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index a187ca0fc..a590c5fb7 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -37,6 +37,6 @@ seccomp
37shell none 37shell none
38 38
39private-dev 39private-dev
40private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg 40private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
41private-tmp 41private-tmp
42 42
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index fa69463d1..3213f3674 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -32,7 +32,7 @@ apparmor
32machine-id 32machine-id
33 33
34# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex 34# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
35private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg 35private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
36 36
37# Redirect 37# Redirect
38include latex-common.profile 38include latex-common.profile
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 15cb931dd..235640eeb 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -50,6 +50,6 @@ tracelog
50disable-mnt 50disable-mnt
51private-bin gio,QOwnNotes 51private-bin gio,QOwnNotes
52private-dev 52private-dev
53private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl 53private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
54private-tmp 54private-tmp
55 55
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 866d57e67..ca7165a5d 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -33,5 +33,5 @@ shell none
33 33
34disable-mnt 34disable-mnt
35private-bin awk,bash,dig,sh,Viber 35private-bin awk,bash,dig,sh,Viber
36private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 36private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
37private-tmp 37private-tmp
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 1acd43023..722e12d9c 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -43,5 +43,5 @@ private
43# private-bin sh,xkbcomp,Xvfb 43# private-bin sh,xkbcomp,Xvfb
44# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb 44# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
45private-dev 45private-dev
46private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf 46private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf
47private-tmp 47private-tmp
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index fc5ae3ee9..b7cba2421 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin magicor,python2* 45private-bin magicor,python2*
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc machine-id 48private-etc ld.so.preload,machine-id
49private-tmp 49private-tmp
50 50
51dbus-user none 51dbus-user none
diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile
new file mode 100644
index 000000000..7e9638fe4
--- /dev/null
+++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
1# Firejail profile for make
2# Description: GNU make utility to maintain groups of programs
3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include make.local
7# Persistent global definitions
8include globals.local
9
10memory-deny-write-execute
11
12# Redirect
13include build-systems-common.profile
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index b2f761230..b6038cc91 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -58,7 +58,7 @@ disable-mnt
58#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim 58#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
59private-cache 59private-cache
60private-dev 60private-dev
61private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg 61private-etc alternatives,fonts,groff,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
62#private-tmp 62#private-tmp
63 63
64dbus-user none 64dbus-user none
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index e61578ffe..dc2088a18 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -36,6 +36,6 @@ tracelog
36 36
37private-cache 37private-cache
38private-dev 38private-dev
39private-etc alternatives,fonts 39private-etc alternatives,fonts,ld.so.preload
40private-tmp 40private-tmp
41 41
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index 64b184482..cb14c6584 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -42,7 +42,7 @@ shell none
42 42
43disable-mnt 43disable-mnt
44private-bin mate-calc,mate-calculator 44private-bin mate-calc,mate-calculator
45private-etc alternatives,dconf,fonts,gtk-3.0 45private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload
46private-dev 46private-dev
47private-opt none 47private-opt none
48private-tmp 48private-tmp
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index a6b49315c..97793abd5 100644
--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -33,7 +33,7 @@ shell none
33 33
34disable-mnt 34disable-mnt
35private-bin mate-color-select 35private-bin mate-color-select
36private-etc alternatives,fonts 36private-etc alternatives,fonts,ld.so.preload
37private-dev 37private-dev
38private-lib 38private-lib
39private-tmp 39private-tmp
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index 3f3d027b9..cb0002af6 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -37,7 +37,7 @@ shell none
37 37
38disable-mnt 38disable-mnt
39private-bin mate-dictionary 39private-bin mate-dictionary
40private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl 40private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl
41private-opt mate-dictionary 41private-opt mate-dictionary
42private-dev 42private-dev
43private-tmp 43private-tmp
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 7592d879c..87083f1e3 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -31,4 +31,4 @@ shell none
31 31
32private-bin mcabber 32private-bin mcabber
33private-dev 33private-dev
34private-etc alternatives,ca-certificates,crypto-policies,pki,ssl 34private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,ssl
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index 08d56ede5..da5e0ffa8 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin mdr 45private-bin mdr
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc none 48private-etc ld.so.preload,none
49private-lib 49private-lib
50private-tmp 50private-tmp
51 51
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 7597d4067..9403321e2 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -42,7 +42,7 @@ x11 none
42private-bin mediainfo 42private-bin mediainfo
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alternatives 45private-etc alternatives,ld.so.preload
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 4845e9cce..f9f7db3cb 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -52,7 +52,7 @@ tracelog
52disable-mnt 52disable-mnt
53private-cache 53private-cache
54private-dev 54private-dev
55private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg 55private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
56private-tmp 56private-tmp
57 57
58dbus-user none 58dbus-user none
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile
new file mode 100644
index 000000000..b4909a9d8
--- /dev/null
+++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,14 @@
1# Firejail profile for meson
2# Description: A high productivity build system
3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include meson.local
7# Persistent global definitions
8include globals.local
9
10# Allow python3 (blacklisted by disable-interpreters.inc)
11include allow-python3.inc
12
13# Redirect
14include build-systems-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 34d9f470a..095038f08 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -17,4 +17,4 @@ whitelist ${HOME}/.config/microsoft-edge-beta
17private-opt microsoft 17private-opt microsoft
18 18
19# Redirect 19# Redirect
20include chromium-common.profile \ No newline at end of file 20include chromium-common.profile
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index ad7e40b12..bcc7b232b 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -42,7 +42,7 @@ private
42private-bin mindless 42private-bin mindless
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc fonts 45private-etc fonts,ld.so.preload
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index c47a16ffd..133a17350 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -44,7 +44,7 @@ private
44private-bin mirrormagic 44private-bin mirrormagic
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc machine-id 47private-etc ld.so.preload,machine-id
48private-tmp 48private-tmp
49 49
50dbus-user none 50dbus-user none
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index dbc3c1d40..79f603f92 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -42,7 +42,7 @@ tracelog
42private-bin mocp 42private-bin mocp
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl 45private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index f0063d250..445691f6a 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -37,7 +37,7 @@ tracelog
37private-bin mp3splt-gtk 37private-bin mp3splt-gtk
38private-cache 38private-cache
39private-dev 39private-dev
40private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse 40private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.preload,machine-id,openal,pulse
41private-tmp 41private-tmp
42 42
43dbus-user none 43dbus-user none
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 400d8a6b6..4d6109250 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -44,7 +44,7 @@ disable-mnt
44private-bin flacsplt,mp3splt,mp3wrap,oggsplt 44private-bin flacsplt,mp3splt,mp3wrap,oggsplt
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc alternatives 47private-etc alternatives,ld.so.preload
48private-tmp 48private-tmp
49 49
50memory-deny-write-execute 50memory-deny-write-execute
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 10964ef24..597390914 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -49,7 +49,7 @@ shell none
49private-bin mpDris2,notify-send,python* 49private-bin mpDris2,notify-send,python*
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc alternatives,hosts,nsswitch.conf 52private-etc alternatives,hosts,ld.so.preload,nsswitch.conf
53private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* 53private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
54private-tmp 54private-tmp
55 55
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index fa433b672..74402a8de 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,7 +11,7 @@ include globals.local
11# edit ~/.config/mpv/foobar.conf: 11# edit ~/.config/mpv/foobar.conf:
12# screenshot-directory=~/Pictures 12# screenshot-directory=~/Pictures
13 13
14# Mpv has a powerfull lua-API, some off these lua-scripts interact 14# Mpv has a powerful lua-API, some off these lua-scripts interact
15# with external resources which are blocked by firejail. In such cases 15# with external resources which are blocked by firejail. In such cases
16# you need to allow these resources by 16# you need to allow these resources by
17# - adding additional binaries to private-bin 17# - adding additional binaries to private-bin
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 530e779fc..16dc97d0c 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -53,7 +53,7 @@ disable-mnt
53private-bin love,mrrescue,sh 53private-bin love,mrrescue,sh
54private-cache 54private-cache
55private-dev 55private-dev
56private-etc machine-id 56private-etc ld.so.preload,machine-id
57private-tmp 57private-tmp
58 58
59dbus-user none 59dbus-user none
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index ad12f53a4..7b4a305e9 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -35,7 +35,7 @@ tracelog
35 35
36disable-mnt 36disable-mnt
37private-bin bash,env,fonts,jak,ms-office,python*,sh 37private-bin bash,env,fonts,jak,ms-office,python*,sh
38private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl 38private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl
39private-dev 39private-dev
40private-tmp 40private-tmp
41 41
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile
index a04d386a2..b95ab2194 100644
--- a/etc/profile-m-z/mupdf-x11-curl.profile
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
@@ -12,7 +12,7 @@ ignore net none
12netfilter 12netfilter
13protocol unix,inet,inet6 13protocol unix,inet,inet6
14 14
15private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl 15private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
16 16
17# Redirect 17# Redirect
18include mupdf.profile 18include mupdf.profile
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 07661cac8..aab2ac19d 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -29,9 +29,9 @@ notv
29nou2f 29nou2f
30novideo 30novideo
31protocol unix,inet,inet6,netlink 31protocol unix,inet,inet6,netlink
32seccomp 32seccomp !chroot
33 33
34disable-mnt 34disable-mnt
35private-dev 35private-dev
36private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl 36private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.preload,machine-id,pki,pulse,ssl
37 37
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index c4d96711c..fb923051f 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -134,7 +134,7 @@ tracelog
134# disable-mnt 134# disable-mnt
135private-cache 135private-cache
136private-dev 136private-dev
137private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg 137private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
138private-tmp 138private-tmp
139writable-run-user 139writable-run-user
140writable-var 140writable-var
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index 1b4fc4346..bf01aaa0e 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -43,7 +43,7 @@ tracelog
43 43
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,dconf,fonts,gtk-3.0 46private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 996a1722a..23a30bf97 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -49,7 +49,7 @@ private-dev
49# Add the next lines to your nano.local if you want to edit files in /etc directly. 49# Add the next lines to your nano.local if you want to edit files in /etc directly.
50#ignore private-etc 50#ignore private-etc
51#writable-etc 51#writable-etc
52private-etc alternatives,nanorc 52private-etc alternatives,ld.so.preload,nanorc
53# Add the next line to your nano.local if you want to edit files in /var directly. 53# Add the next line to your nano.local if you want to edit files in /var directly.
54#writable-var 54#writable-var
55 55
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 7e627a52e..1e59a1490 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -137,7 +137,7 @@ tracelog
137# disable-mnt 137# disable-mnt
138private-cache 138private-cache
139private-dev 139private-dev
140private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg 140private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
141private-tmp 141private-tmp
142writable-run-user 142writable-run-user
143writable-var 143writable-var
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index 1bcc6a962..57f026a0b 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin netactview,netactview_polkit 45private-bin netactview,netactview_polkit
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,fonts 48private-etc alternatives,fonts,ld.so.preload
49private-lib 49private-lib
50private-tmp 50private-tmp
51 51
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index fa4ccea7c..34c6110cf 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -53,7 +53,7 @@ disable-mnt
53private-bin gzip,lynx,newsboat,sh,w3m 53private-bin gzip,lynx,newsboat,sh,w3m
54private-cache 54private-cache
55private-dev 55private-dev
56private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo 56private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
57private-tmp 57private-tmp
58 58
59dbus-user none 59dbus-user none
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index cb499ba34..d0eef9704 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -61,7 +61,7 @@ tracelog
61disable-mnt 61disable-mnt
62private-bin nextcloud,nextcloud-desktop 62private-bin nextcloud,nextcloud-desktop
63private-cache 63private-cache
64private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg 64private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
65private-dev 65private-dev
66private-tmp 66private-tmp
67 67
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 035ad086a..2f305dae9 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -51,11 +51,10 @@ private-dev
51private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 51private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
52private-tmp 52private-tmp
53 53
54 54dbus-user filter
55# Add the next lines to your nheko.local to enable notification support. 55dbus-user.talk org.freedesktop.secrets
56#ignore dbus-user none 56# Add the next line to your nheko.local to enable notification support.
57#dbus-user filter
58#dbus-user.talk org.freedesktop.Notifications 57#dbus-user.talk org.freedesktop.Notifications
58# Add the next line to your nheko.local to enable tray icon support.
59#dbus-user.talk org.kde.StatusNotifierWatcher 59#dbus-user.talk org.kde.StatusNotifierWatcher
60dbus-user none
61dbus-system none 60dbus-system none
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index d5dd4ca95..d6234cd04 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -42,7 +42,7 @@ disable-mnt
42private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui 42private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl 45private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl
46# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare 46# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
47private-tmp 47private-tmp
48 48
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index b044fb879..0bed12b1f 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -41,5 +41,5 @@ tracelog
41#private-bin nomacs 41#private-bin nomacs
42private-cache 42private-cache
43private-dev 43private-dev
44private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl 44private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl
45private-tmp 45private-tmp
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index 5caf3374d..a7bb93a02 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -49,7 +49,7 @@ private
49private-bin notify-send 49private-bin notify-send
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc none 52private-etc ld.so.preload,none
53private-tmp 53private-tmp
54 54
55dbus-user filter 55dbus-user filter
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 886403b9e..9e3093ea7 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear
18no3d 18no3d
19 19
20# private-bin nuclear 20# private-bin nuclear
21private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 21private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
22private-opt nuclear 22private-opt nuclear
23 23
24# Redirect 24# Redirect
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index 460a580b3..9b431d76d 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin nyx,python* 45private-bin nyx,python*
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,fonts,passwd,tor 48private-etc alternatives,fonts,ld.so.preload,passwd,tor
49private-opt none 49private-opt none
50private-srv none 50private-srv none
51private-tmp 51private-tmp
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 8e87f1d5d..0bfb35333 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -45,7 +45,7 @@ tracelog
45private-bin ocenaudio 45private-bin ocenaudio
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse 48private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse
49private-tmp 49private-tmp
50 50
51# breaks preferences 51# breaks preferences
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 22cec475b..7d2374ccf 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -38,7 +38,7 @@ x11 none
38private-bin odt2txt 38private-bin odt2txt
39private-cache 39private-cache
40private-dev 40private-dev
41private-etc alternatives 41private-etc alternatives,ld.so.preload
42private-tmp 42private-tmp
43 43
44dbus-user none 44dbus-user none
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 84edc65ef..0a200b46e 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -61,7 +61,7 @@ tracelog
61 61
62private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar 62private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
63private-dev 63private-dev
64private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg 64private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg
65# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients 65# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
66 66
67# dbus-user none 67# dbus-user none
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index b0ffba19c..e70e5e81e 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -50,7 +50,7 @@ disable-mnt
50private-cache 50private-cache
51private-bin onboard,python*,tput 51private-bin onboard,python*,tput
52private-dev 52private-dev
53private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg 53private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
54private-tmp 54private-tmp
55 55
56dbus-system none 56dbus-system none
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 076a655a1..de334defd 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity 43private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg 46private-etc drirc,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index 2595d8a8f..460f60beb 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
11 11
12noblacklist ${DOCUMENTS} 12noblacklist ${DOCUMENTS}
13 13
14include allow-bin-sh.inc
15
14include disable-common.inc 16include disable-common.inc
15include disable-devel.inc 17include disable-devel.inc
16include disable-exec.inc 18include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
19include disable-shell.inc 21include disable-shell.inc
20include disable-xdg.inc 22include disable-xdg.inc
21 23
24include whitelist-runuser-common.inc
22# breaks pdf output 25# breaks pdf output
23#include whitelist-var-common.inc 26#include whitelist-var-common.inc
24 27
@@ -39,15 +42,15 @@ nou2f
39novideo 42novideo
40protocol unix 43protocol unix
41seccomp 44seccomp
45seccomp.block-secondary
42shell none 46shell none
43tracelog 47tracelog
44x11 none 48x11 none
45 49
46disable-mnt 50disable-mnt
47private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
48private-cache 51private-cache
49private-dev 52private-dev
50private-etc alternatives,texlive,texmf 53private-etc alternatives,ld.so.preload,texlive,texmf
51private-tmp 54private-tmp
52 55
53dbus-user none 56dbus-user none
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
index 33d75f0d2..a4737d388 100644
--- a/etc/profile-m-z/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -27,4 +27,4 @@ shell none
27 27
28private-bin dbus-launch,parole 28private-bin dbus-launch,parole
29private-cache 29private-cache
30private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl 30private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,pulse,ssl
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index 0bd14e88e..76f1c9704 100644
--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -45,7 +45,7 @@ disable-mnt
45private-bin pavucontrol 45private-bin pavucontrol
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse 48private-etc alternatives,asound.conf,avahi,fonts,ld.so.preload,machine-id,pulse
49private-lib 49private-lib
50private-tmp 50private-tmp
51 51
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index bebd4ba44..400fc3d77 100644
--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -34,7 +34,7 @@ shell none
34 34
35private-bin pdfchain,pdftk,sh 35private-bin pdfchain,pdftk,sh
36private-dev 36private-dev
37private-etc alternatives,dconf,fonts,gtk-3.0,xdg 37private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,xdg
38private-tmp 38private-tmp
39 39
40dbus-user none 40dbus-user none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index 0cb08aa74..b1c2dfb1c 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -48,7 +48,7 @@ x11 none
48private-bin pdftotext 48private-bin pdftotext
49private-cache 49private-cache
50private-dev 50private-dev
51private-etc alternatives 51private-etc alternatives,ld.so.preload
52private-tmp 52private-tmp
53 53
54dbus-user none 54dbus-user none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index a8f925313..e216742a4 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -48,7 +48,7 @@ tracelog
48disable-mnt 48disable-mnt
49private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh 49private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
50private-dev 50private-dev
51private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11 51private-etc dconf,firejail,fonts,gtk-3.0,ld.so.preload,login.defs,pango,passwd,X11
52private-tmp 52private-tmp
53 53
54dbus-user filter 54dbus-user filter
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index c012504c4..c0d0ae4df 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin photoflare 43private-bin photoflare
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11 46private-etc alternatives,fonts,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index 5b2d7a5a4..fb50e66ca 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -50,7 +50,7 @@ disable-mnt
50private-bin pingus,pingus.bin,sh 50private-bin pingus,pingus.bin,sh
51private-cache 51private-cache
52private-dev 52private-dev
53private-etc machine-id 53private-etc ld.so.preload,machine-id
54private-tmp 54private-tmp
55 55
56dbus-user none 56dbus-user none
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
new file mode 100644
index 000000000..a0926371f
--- /dev/null
+++ b/etc/profile-m-z/pip.profile
@@ -0,0 +1,18 @@
1# Firejail profile for pip
2# Description: package manager for Python packages
3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include meson.local
7# Persistent global definitions
8include globals.local
9
10ignore read-only ${HOME}/.local/lib
11
12# Allow python3 (blacklisted by disable-interpreters.inc)
13include allow-python3.inc
14
15#whitelist ${HOME}/.local/lib/python*
16
17# Redirect
18include build-systems-common.profile
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
index c2707dac4..23e21f347 100644
--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -44,7 +44,7 @@ private
44private-bin pkglog,python* 44private-bin pkglog,python*
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc alternatives 47private-etc alternatives,ld.so.preload
48private-opt none 48private-opt none
49private-tmp 49private-tmp
50writable-var-log 50writable-var-log
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 80f768170..a6b0768f1 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -46,7 +46,7 @@ disable-mnt
46private-bin plv 46private-bin plv
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc alternatives,fonts 49private-etc alternatives,fonts,ld.so.preload
50private-opt none 50private-opt none
51private-tmp 51private-tmp
52writable-var-log 52writable-var-log
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 0b3d2b44c..534cc5943 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -47,7 +47,7 @@ x11 none
47private-bin pngquant 47private-bin pngquant
48private-cache 48private-cache
49private-dev 49private-dev
50private-etc alternatives 50private-etc alternatives,ld.so.preload
51private-tmp 51private-tmp
52 52
53dbus-user none 53dbus-user none
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
index bc0ff0e85..c9793433e 100644
--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -33,6 +33,6 @@ seccomp
33shell none 33shell none
34 34
35private-dev 35private-dev
36private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg 36private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
37private-tmp 37private-tmp
38 38
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
index 705af370b..af0ca5d8f 100644
--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -44,7 +44,7 @@ shell none
44private-bin profanity 44private-bin profanity
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl 47private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
48private-tmp 48private-tmp
49 49
50dbus-user none 50dbus-user none
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index 450bb10c7..99a72adee 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -71,7 +71,7 @@ disable-mnt
71private-bin getopt,psi 71private-bin getopt,psi
72private-cache 72private-cache
73private-dev 73private-dev
74private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg 74private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
75private-tmp 75private-tmp
76 76
77dbus-user none 77dbus-user none
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
index 3dc232b55..4ebd556d6 100644
--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -52,7 +52,7 @@ tracelog
52disable-mnt 52disable-mnt
53private-cache 53private-cache
54private-dev 54private-dev
55private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf 55private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
56private-tmp 56private-tmp
57 57
58dbus-user none 58dbus-user none
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
index 4eee0df5f..89cb5baa8 100644
--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -47,7 +47,7 @@ tracelog
47private-bin 7z,qnapi 47private-bin 7z,qnapi
48private-cache 48private-cache
49private-dev 49private-dev
50private-etc alternatives,fonts 50private-etc alternatives,fonts,ld.so.preload
51private-opt none 51private-opt none
52private-tmp 52private-tmp
53 53
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index 7ef676068..691449b9f 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -47,7 +47,7 @@ disable-mnt
47private-bin qrencode 47private-bin qrencode
48private-cache 48private-cache
49private-dev 49private-dev
50private-etc none 50private-etc ld.so.preload,none
51private-lib libpcre* 51private-lib libpcre*
52private-tmp 52private-tmp
53 53
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index bae802cc6..60e1539fa 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin qtox 43private-bin qtox
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl 46private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 1de59bc7c..6b9144791 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin regextester 43private-bin regextester
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,fonts 46private-etc alternatives,fonts,ld.so.preload
47private-lib libgranite.so.* 47private-lib libgranite.so.*
48private-tmp 48private-tmp
49 49
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 23a65f54a..e49f10b7b 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -49,7 +49,7 @@ disable-mnt
49private-bin rsync 49private-bin rsync
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl 52private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
53private-tmp 53private-tmp
54 54
55dbus-user none 55dbus-user none
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
index 1069c34ea..d256b2efe 100644
--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin scorchwentbonkers 43private-bin scorchwentbonkers
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alsa,asound.conf,machine-id,pulse 46private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index af7d5eeac..cb3378597 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -48,7 +48,7 @@ private
48private-bin bash,dash,python*,seahorse-adventures,sh 48private-bin bash,dash,python*,seahorse-adventures,sh
49private-cache 49private-cache
50private-dev 50private-dev
51private-etc machine-id 51private-etc ld.so.preload,machine-id
52private-tmp 52private-tmp
53 53
54dbus-user none 54dbus-user none
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile
index 96ff74edf..f08b852db 100644
--- a/etc/profile-m-z/seahorse-tool.profile
+++ b/etc/profile-m-z/seahorse-tool.profile
@@ -8,7 +8,7 @@ include seahorse-tool.local
8#include globals.local 8#include globals.local
9 9
10# private-etc workaround for: #2877 10# private-etc workaround for: #2877
11private-etc firejail,login.defs,passwd 11private-etc firejail,ld.so.preload,login.defs,passwd
12private-tmp 12private-tmp
13 13
14# Redirect 14# Redirect
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
index b6a828636..304a1cda2 100644
--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -49,7 +49,7 @@ tracelog
49private-bin shotwell 49private-bin shotwell
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc alternatives,fonts,machine-id 52private-etc alternatives,fonts,ld.so.preload,machine-id
53private-opt none 53private-opt none
54private-tmp 54private-tmp
55 55
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 51f6c8b00..a511ebb1c 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Slack
26whitelist ${HOME}/.config/Slack 26whitelist ${HOME}/.config/Slack
27 27
28private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack 28private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
29private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe 29private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
30 30
31# Redirect 31# Redirect
32include electron.profile 32include electron.profile
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
index 31d14924c..0cdb5537e 100644
--- a/etc/profile-m-z/smuxi-frontend-gnome.profile
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -48,7 +48,7 @@ disable-mnt
48private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome 48private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
49private-cache 49private-cache
50private-dev 50private-dev
51private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg 51private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
52private-tmp 52private-tmp
53 53
54dbus-user none 54dbus-user none
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index ebdd5c1f8..47468a531 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -6,9 +6,9 @@ include softmaker-common.local
6# added by caller profile 6# added by caller profile
7#include globals.local 7#include globals.local
8 8
9# The offical packages install the desktop file under /usr/local/share/applications 9# The official packages install the desktop file under /usr/local/share/applications
10# with an absolute Exec line. These files are NOT handelt by firecfg, 10# with an absolute Exec line. These files are NOT handled by firecfg,
11# therefore you must manualy copy them in you home and remove '/usr/bin/'. 11# therefore you must manually copy them in you home and remove '/usr/bin/'.
12 12
13noblacklist ${HOME}/SoftMaker 13noblacklist ${HOME}/SoftMaker
14 14
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index d803fa5ce..fc4ae2b04 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -22,7 +22,7 @@ include disable-interpreters.inc
22include disable-programs.inc 22include disable-programs.inc
23include disable-xdg.inc 23include disable-xdg.inc
24 24
25mkfile ${HOME}/.config/spectaclerc 25mkfile ${HOME}/.config/spectaclerc
26whitelist ${HOME}/.config/spectaclerc 26whitelist ${HOME}/.config/spectaclerc
27whitelist ${PICTURES} 27whitelist ${PICTURES}
28whitelist /usr/share/kconf_update/spectacle_newConfig.upd 28whitelist /usr/share/kconf_update/spectacle_newConfig.upd
@@ -56,7 +56,7 @@ disable-mnt
56private-bin spectacle 56private-bin spectacle
57private-cache 57private-cache
58private-dev 58private-dev
59private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d 59private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
60private-tmp 60private-tmp
61 61
62dbus-user filter 62dbus-user filter
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index ffee76d23..0ce918161 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -44,7 +44,7 @@ disable-mnt
44private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity 44private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
45private-dev 45private-dev
46# If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. 46# If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
47private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl 47private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
48private-opt spotify 48private-opt spotify
49private-srv none 49private-srv none
50private-tmp 50private-tmp
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index e35f74404..21a77a0d1 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -42,7 +42,7 @@ shell none
42private-bin sqlitebrowser 42private-bin sqlitebrowser
43private-cache 43private-cache
44private-dev 44private-dev
45private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl 45private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,ssl
46private-tmp 46private-tmp
47 47
48# breaks proxy creation 48# breaks proxy creation
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index d54ddacdd..7a59274bf 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -38,7 +38,7 @@ seccomp !chroot
38disable-mnt 38disable-mnt
39private-dev 39private-dev
40private-tmp 40private-tmp
41private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg 41private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
42 42
43dbus-user none 43dbus-user none
44dbus-system none 44dbus-system none
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index d73927f2a..513abc21b 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/straw-viewer
18private-bin gtk-straw-viewer,straw-viewer 18private-bin gtk-straw-viewer,straw-viewer
19 19
20# Redirect 20# Redirect
21include youtube-viewers-common.profile \ No newline at end of file 21include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index dfb0a3e3b..50ecc3432 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin strawberry,strawberry-tagreader 43private-bin strawberry,strawberry-tagreader
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl 46private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
47private-tmp 47private-tmp
48 48
49dbus-system none 49dbus-system none
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 100ac9d14..65cb678d0 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -44,7 +44,7 @@ tracelog
44 44
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc alternatives,fonts 47private-etc alternatives,fonts,ld.so.preload
48private-tmp 48private-tmp
49 49
50dbus-user none 50dbus-user none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 0e9113821..323849e35 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -45,7 +45,7 @@ tracelog
45disable-mnt 45disable-mnt
46# private-bin supertux2 46# private-bin supertux2
47private-cache 47private-cache
48private-etc machine-id 48private-etc ld.so.preload,machine-id
49private-dev 49private-dev
50private-tmp 50private-tmp
51 51
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 7ba7e7023..5b5b4aae5 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -54,7 +54,7 @@ private-bin supertuxkart
54private-cache 54private-cache
55# Add the next line to your supertuxkart.local if you do not need controller support. 55# Add the next line to your supertuxkart.local if you do not need controller support.
56#private-dev 56#private-dev
57private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl 57private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl
58private-tmp 58private-tmp
59private-opt none 59private-opt none
60private-srv none 60private-srv none
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
index 7c092fccc..cfecb6f62 100644
--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -34,6 +34,6 @@ tracelog
34disable-mnt 34disable-mnt
35private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop 35private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
36private-dev 36private-dev
37private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl 37private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl
38private-tmp 38private-tmp
39 39
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile
index 4637419bf..046d1b4be 100644
--- a/etc/profile-m-z/sway.profile
+++ b/etc/profile-m-z/sway.profile
@@ -1,5 +1,5 @@
1# Firejail profile for Sway 1# Firejail profile for Sway
2# Description: i3-compatible Wayland compositor 2# Description: i3-compatible Wayland compositor
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations 4# Persistent local customizations
5include sway.local 5include sway.local
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index ac4a380bb..c7119ae0f 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -63,7 +63,7 @@ disable-mnt
63#private-bin sysprof - breaks help menu 63#private-bin sysprof - breaks help menu
64private-cache 64private-cache
65private-dev 65private-dev
66private-etc alternatives,fonts,ld.so.cache,machine-id,ssl 66private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
67# private-lib - breaks help menu 67# private-lib - breaks help menu
68#private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so 68#private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
69private-tmp 69private-tmp
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 0d3a900e9..388805f31 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -14,7 +14,7 @@ ignore include disable-shell.inc
14# all capabilities this is automatically read-only. 14# all capabilities this is automatically read-only.
15noblacklist /var/lib/pacman 15noblacklist /var/lib/pacman
16 16
17private-etc alternatives,group,localtime,login.defs,passwd 17private-etc alternatives,group,ld.so.preload,localtime,login.defs,passwd
18#private-lib libfakeroot,liblzma.so.*,libreadline.so.* 18#private-lib libfakeroot,liblzma.so.*,libreadline.so.*
19# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) 19# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
20writable-var 20writable-var
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index c97921d92..310c440b1 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -20,7 +20,7 @@ mkdir ${HOME}/.config/teams-for-linux
20whitelist ${HOME}/.config/teams-for-linux 20whitelist ${HOME}/.config/teams-for-linux
21 21
22private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh 22private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
23private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl 23private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl
24 24
25# Redirect 25# Redirect
26include electron.profile 26include electron.profile
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 115be54eb..fd4b82524 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -41,10 +41,10 @@ seccomp.block-secondary
41shell none 41shell none
42 42
43disable-mnt 43disable-mnt
44#private-bin telegram,Telegram,telegram-desktop 44private-bin telegram,Telegram,telegram-desktop
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg 47private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
48private-tmp 48private-tmp
49 49
50dbus-user filter 50dbus-user filter
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
index 7c18aab50..07212a452 100644
--- a/etc/profile-m-z/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -30,6 +30,6 @@ tracelog
30disable-mnt 30disable-mnt
31private-bin tilp 31private-bin tilp
32private-cache 32private-cache
33private-etc alternatives,fonts 33private-etc alternatives,fonts,ld.so.preload
34private-tmp 34private-tmp
35 35
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index 039063c1e..a43e53aae 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -58,7 +58,7 @@ disable-mnt
58private-bin rtin,tin 58private-bin rtin,tin
59private-cache 59private-cache
60private-dev 60private-dev
61private-etc passwd,resolv.conf,terminfo,tin 61private-etc ld.so.preload,passwd,resolv.conf,terminfo,tin
62private-lib terminfo 62private-lib terminfo
63private-tmp 63private-tmp
64 64
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile
index 08e949309..312123f59 100644
--- a/etc/profile-m-z/tor.profile
+++ b/etc/profile-m-z/tor.profile
@@ -46,6 +46,6 @@ private
46private-bin bash,tor 46private-bin bash,tor
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor 49private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor
50private-tmp 50private-tmp
51writable-var 51writable-var
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 2b63f6448..0e23b7843 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -45,7 +45,7 @@ tracelog
45private-bin geoiplookup,geoiplookup6,transgui 45private-bin geoiplookup,geoiplookup6,transgui
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,fonts 48private-etc alternatives,fonts,ld.so.preload
49private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.* 49private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
50private-tmp 50private-tmp
51 51
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
index 486be5fe6..b3fab083c 100644
--- a/etc/profile-m-z/transmission-cli.profile
+++ b/etc/profile-m-z/transmission-cli.profile
@@ -8,7 +8,7 @@ include transmission-cli.local
8include globals.local 8include globals.local
9 9
10private-bin transmission-cli 10private-bin transmission-cli
11private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl 11private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
12 12
13# Redirect 13# Redirect
14include transmission-common.profile 14include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 348d3cb80..9d91b8b81 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -17,7 +17,7 @@ caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
17protocol packet 17protocol packet
18 18
19private-bin transmission-daemon 19private-bin transmission-daemon
20private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl 20private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
21 21
22read-write /var/lib/transmission 22read-write /var/lib/transmission
23writable-var-log 23writable-var-log
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index a6400e2c0..20d54500f 100644
--- a/etc/profile-m-z/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk
12mkdir ${HOME}/.config/transmission-remote-gtk 12mkdir ${HOME}/.config/transmission-remote-gtk
13whitelist ${HOME}/.config/transmission-remote-gtk 13whitelist ${HOME}/.config/transmission-remote-gtk
14 14
15private-etc fonts,hostname,hosts,resolv.conf 15private-etc fonts,hostname,hosts,ld.so.preload,resolv.conf
16# Problems with private-lib (see issue #2889) 16# Problems with private-lib (see issue #2889)
17ignore private-lib 17ignore private-lib
18 18
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile
index fee4999e6..ad4ad2172 100644
--- a/etc/profile-m-z/transmission-remote.profile
+++ b/etc/profile-m-z/transmission-remote.profile
@@ -8,7 +8,7 @@ include transmission-remote.local
8include globals.local 8include globals.local
9 9
10private-bin transmission-remote 10private-bin transmission-remote
11private-etc alternatives,hosts,nsswitch.conf 11private-etc alternatives,hosts,ld.so.preload,nsswitch.conf
12 12
13# Redirect 13# Redirect
14include transmission-common.profile 14include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile
index 5a3c83f58..822a368da 100644
--- a/etc/profile-m-z/transmission-show.profile
+++ b/etc/profile-m-z/transmission-show.profile
@@ -8,7 +8,7 @@ include transmission-show.local
8include globals.local 8include globals.local
9 9
10private-bin transmission-show 10private-bin transmission-show
11private-etc alternatives,hosts,nsswitch.conf 11private-etc alternatives,hosts,ld.so.preload,nsswitch.conf
12 12
13# Redirect 13# Redirect
14include transmission-common.profile 14include transmission-common.profile
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 41426c606..1959aee1e 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -54,7 +54,7 @@ tracelog
54private-bin trojita 54private-bin trojita
55private-cache 55private-cache
56private-dev 56private-dev
57private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg 57private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
58private-tmp 58private-tmp
59 59
60dbus-user filter 60dbus-user filter
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index d767b4c9d..bd2f1bcf9 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -18,7 +18,7 @@ mkdir ${HOME}/.config/Twitch
18whitelist ${HOME}/.config/Twitch 18whitelist ${HOME}/.config/Twitch
19 19
20private-bin electron,electron[0-9],electron[0-9][0-9],twitch 20private-bin electron,electron[0-9],electron[0-9][0-9],twitch
21private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 21private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
22private-opt Twitch 22private-opt Twitch
23 23
24# Redirect 24# Redirect
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index 212e6d181..685e74e25 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -49,7 +49,7 @@ private-bin unf
49private-cache 49private-cache
50?HAS_APPIMAGE: ignore private-dev 50?HAS_APPIMAGE: ignore private-dev
51private-dev 51private-dev
52private-etc alternatives 52private-etc alternatives,ld.so.preload
53private-lib gcc/*/*/libgcc_s.so.* 53private-lib gcc/*/*/libgcc_s.so.*
54private-tmp 54private-tmp
55 55
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 9d3d9b40e..761ee91c5 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -8,7 +8,7 @@ include unrar.local
8include globals.local 8include globals.local
9 9
10private-bin unrar 10private-bin unrar
11private-etc alternatives,group,localtime,passwd 11private-etc alternatives,group,ld.so.preload,localtime,passwd
12private-tmp 12private-tmp
13 13
14# Redirect 14# Redirect
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 0231e3dba..981826b16 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,7 @@ include globals.local
10# GNOME Shell integration (chrome-gnome-shell) 10# GNOME Shell integration (chrome-gnome-shell)
11noblacklist ${HOME}/.local/share/gnome-shell 11noblacklist ${HOME}/.local/share/gnome-shell
12 12
13private-etc alternatives,group,localtime,passwd 13private-etc alternatives,group,ld.so.preload,localtime,passwd
14 14
15# Redirect 15# Redirect
16include archiver-common.profile 16include archiver-common.profile
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
index b164494fa..5a867a683 100644
--- a/etc/profile-m-z/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -43,7 +43,7 @@ disable-mnt
43private-bin utox 43private-bin utox
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl 46private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
47private-tmp 47private-tmp
48 48
49memory-deny-write-execute 49memory-deny-write-execute
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index 469e65542..ed2f0103b 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -43,7 +43,7 @@ tracelog
43private-bin viewnior 43private-bin viewnior
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,fonts,machine-id 46private-etc alternatives,fonts,ld.so.preload,machine-id
47private-tmp 47private-tmp
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 6ab9aa15b..a6d3eaafd 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -45,7 +45,7 @@ tracelog
45#disable-mnt 45#disable-mnt
46#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami 46#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
47private-cache 47private-cache
48private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl 48private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
49private-tmp 49private-tmp
50 50
51dbus-user none 51dbus-user none
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index cb85836b7..8e25daee0 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
38#disable-mnt 38#disable-mnt
39# Add the next line to your vmware.local to enable private-bin. 39# Add the next line to your vmware.local to enable private-bin.
40#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* 40#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
41private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix 41private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
42dbus-user none 42dbus-user none
43dbus-system none 43dbus-system none
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 81c8a2f5c..d2e30e824 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -62,7 +62,7 @@ disable-mnt
62private-bin perl,sh,w3m 62private-bin perl,sh,w3m
63private-cache 63private-cache
64private-dev 64private-dev
65private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl 65private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl
66private-tmp 66private-tmp
67 67
68dbus-user none 68dbus-user none
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index 92e0e7a83..fc59b7239 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -49,7 +49,7 @@ disable-mnt
49private-bin warmux 49private-bin warmux
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl 52private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
53private-tmp 53private-tmp
54 54
55dbus-user none 55dbus-user none
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 2f26bf14c..ae3944561 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/.config/Whalebird
21no3d 21no3d
22 22
23private-bin electron,electron[0-9],electron[0-9][0-9],whalebird 23private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
24private-etc fonts,machine-id 24private-etc fonts,ld.so.preload,machine-id
25 25
26# Redirect 26# Redirect
27include electron.profile 27include electron.profile
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 755e62f60..0650e41ad 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -47,7 +47,7 @@ private
47private-bin bash,sh,whois 47private-bin bash,sh,whois
48private-cache 48private-cache
49private-dev 49private-dev
50private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf 50private-etc alternatives,hosts,jwhois.conf,ld.so.preload,resolv.conf,services,whois.conf
51private-lib gconv 51private-lib gconv
52private-tmp 52private-tmp
53 53
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 151cd2adb..eebad4a19 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Wire
26whitelist ${HOME}/.config/Wire 26whitelist ${HOME}/.config/Wire
27 27
28private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop 28private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
29private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl 29private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl
30 30
31# Redirect 31# Redirect
32include electron.profile 32include electron.profile
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index b2f3341ee..374290ed0 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -45,7 +45,7 @@ private
45private-bin wordwarvi 45private-bin wordwarvi
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alsa,asound.conf,machine-id,pulse 48private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse
49private-tmp 49private-tmp
50 50
51dbus-user none 51dbus-user none
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index c9e408ccd..738b5ca13 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -44,7 +44,7 @@ private
44private-bin xbill 44private-bin xbill
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc none 47private-etc ld.so.preload,none
48private-tmp 48private-tmp
49 49
50dbus-user none 50dbus-user none
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 05c46dffb..21857dbe6 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -46,7 +46,7 @@ disable-mnt
46private-bin xfce4-mixer,xfconf-query 46private-bin xfce4-mixer,xfconf-query
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc alternatives,asound.conf,fonts,machine-id,pulse 49private-etc alternatives,asound.conf,fonts,ld.so.preload,machine-id,pulse
50private-tmp 50private-tmp
51 51
52dbus-user filter 52dbus-user filter
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index b869ae005..ad3058ce2 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -42,7 +42,7 @@ tracelog
42disable-mnt 42disable-mnt
43private-bin xfce4-screenshooter,xfconf-query 43private-bin xfce4-screenshooter,xfconf-query
44private-dev 44private-dev
45private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl 45private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl
46private-tmp 46private-tmp
47 47
48dbus-user none 48dbus-user none
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 070e5e0f7..9b7a006d2 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -47,5 +47,5 @@ disable-mnt
47private-bin xiphos 47private-bin xiphos
48private-cache 48private-cache
49private-dev 49private-dev
50private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf 50private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf
51private-tmp 51private-tmp
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index d5e25cfe7..1c9310986 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -14,7 +14,7 @@ include whitelist-common.inc
14# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' 14# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
15# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line 15# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
16private-bin xlinks 16private-bin xlinks
17private-etc fonts 17private-etc fonts,ld.so.preload
18 18
19# Redirect 19# Redirect
20include links.profile 20include links.profile
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
index 1ae6a60ca..bbf660e29 100644
--- a/etc/profile-m-z/xlinks2
+++ b/etc/profile-m-z/xlinks2
@@ -14,7 +14,7 @@ include whitelist-common.inc
14# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' 14# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
15# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line 15# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
16private-bin xlinks2 16private-bin xlinks2
17private-etc fonts 17private-etc fonts,ld.so.preload
18 18
19# Redirect 19# Redirect
20include links2.profile 20include links2.profile
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index 8179e8d76..2a9fbf171 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -38,7 +38,7 @@ disable-mnt
38private ${HOME}/.xmr-stak 38private ${HOME}/.xmr-stak
39private-bin xmr-stak 39private-bin xmr-stak
40private-dev 40private-dev
41private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl 41private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
42#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend 42#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
43private-opt cuda 43private-opt cuda
44private-tmp 44private-tmp
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index e4282a125..fe7395078 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -43,7 +43,7 @@ tracelog
43private-bin xournal 43private-bin xournal
44private-cache 44private-cache
45private-dev 45private-dev
46private-etc alternatives,fonts,group,machine-id,passwd 46private-etc alternatives,fonts,group,ld.so.preload,machine-id,passwd
47# TODO should use private-lib 47# TODO should use private-lib
48private-tmp 48private-tmp
49 49
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index f59adc6e2..8b880426f 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -39,7 +39,7 @@ tracelog
39 39
40private-bin xreader,xreader-previewer,xreader-thumbnailer 40private-bin xreader,xreader-previewer,xreader-thumbnailer
41private-dev 41private-dev
42private-etc alternatives,fonts,ld.so.cache 42private-etc alternatives,fonts,ld.so.cache,ld.so.preload
43private-tmp 43private-tmp
44 44
45memory-deny-write-execute 45memory-deny-write-execute
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 2a6dbe1bf..c5e44c6b4 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -56,7 +56,7 @@ disable-mnt
56private-bin groff,man,tbl,troff,yelp 56private-bin groff,man,tbl,troff,yelp
57private-cache 57private-cache
58private-dev 58private-dev
59private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml 59private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
60private-tmp 60private-tmp
61 61
62dbus-user filter 62dbus-user filter
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
index 5d6fb47c1..94f37a92b 100644
--- a/etc/profile-m-z/youtube-dl-gui.profile
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -49,7 +49,7 @@ disable-mnt
49private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui 49private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
50private-cache 50private-cache
51private-dev 51private-dev
52private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl 52private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl
53private-tmp 53private-tmp
54 54
55dbus-user none 55dbus-user none
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 145e565fd..71e50ab11 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -58,7 +58,7 @@ tracelog
58private-bin env,ffmpeg,python*,youtube-dl 58private-bin env,ffmpeg,python*,youtube-dl
59private-cache 59private-cache
60private-dev 60private-dev
61private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf 61private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
62private-tmp 62private-tmp
63 63
64dbus-user none 64dbus-user none
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index b54dd37ad..825599fcc 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/youtube-viewer
18private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer 18private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
19 19
20# Redirect 20# Redirect
21include youtube-viewers-common.profile \ No newline at end of file 21include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index a05f05c51..3224f8fc6 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -53,7 +53,7 @@ disable-mnt
53private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp 53private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp
54private-cache 54private-cache
55private-dev 55private-dev
56private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg 56private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
57private-tmp 57private-tmp
58 58
59dbus-user none 59dbus-user none
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index efb001ee6..c7dbec968 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -17,7 +17,7 @@ mkdir ${HOME}/.config/Youtube
17whitelist ${HOME}/.config/Youtube 17whitelist ${HOME}/.config/Youtube
18 18
19private-bin electron,electron[0-9],electron[0-9][0-9],youtube 19private-bin electron,electron[0-9],electron[0-9][0-9],youtube
20private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 20private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
21private-opt Youtube 21private-opt Youtube
22 22
23# Redirect 23# Redirect
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index ce7161a70..35ecf059d 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164
14whitelist ${HOME}/.config/youtubemusic-nativefier-040164 14whitelist ${HOME}/.config/youtubemusic-nativefier-040164
15 15
16private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier 16private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
17private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 17private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
18private-opt youtubemusic-nativefier 18private-opt youtubemusic-nativefier
19 19
20# Redirect 20# Redirect
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index 1c3382a08..bfb24b488 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.config/yt-dlp
13noblacklist ${HOME}/yt-dlp.conf 13noblacklist ${HOME}/yt-dlp.conf
14 14
15private-bin yt-dlp 15private-bin yt-dlp
16private-etc yt-dlp.conf 16private-etc ld.so.preload,yt-dlp.conf
17 17
18# Redirect 18# Redirect
19include youtube-dl.profile 19include youtube-dl.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index ab46fccc2..84f2f3cb2 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app
14whitelist ${HOME}/.config/youtube-music-desktop-app 14whitelist ${HOME}/.config/youtube-music-desktop-app
15 15
16# private-bin env,ytmdesktop 16# private-bin env,ytmdesktop
17private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 17private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
18# private-opt 18# private-opt
19 19
20# Redirect 20# Redirect
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index 604da4c8e..c1c94d74f 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -44,5 +44,5 @@ disable-mnt
44private-bin locale,zulip 44private-bin locale,zulip
45private-cache 45private-cache
46private-dev 46private-dev
47private-etc asound.conf,fonts,machine-id 47private-etc asound.conf,fonts,ld.so.preload,machine-id
48private-tmp 48private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index e580a0c0c..7628313e0 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -204,7 +204,7 @@ include globals.local
204 204
205# Since 0.9.63 also a more granular control of dbus is supported. 205# Since 0.9.63 also a more granular control of dbus is supported.
206# To get the dbus-addresses an application needs access to you can 206# To get the dbus-addresses an application needs access to you can
207# check with flatpak (when the application is distriputed that way): 207# check with flatpak (when the application is distributed that way):
208# flatpak remote-info --show-metadata flathub <APP-ID> 208# flatpak remote-info --show-metadata flathub <APP-ID>
209# Notes: 209# Notes:
210# - flatpak implicitly allows an app to own <APP-ID> on the session bus 210# - flatpak implicitly allows an app to own <APP-ID> on the session bus
diff --git a/gcov.sh b/gcov.sh
index 65f06a4d4..9bb2596f6 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -24,8 +24,8 @@ gcov_init() {
24} 24}
25 25
26generate() { 26generate() {
27 lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new 27 lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
28 lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file 28 lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file
29 rm -fr gcov-dir 29 rm -fr gcov-dir
30 genhtml -q gcov-file --output-directory gcov-dir 30 genhtml -q gcov-file --output-directory gcov-dir
31 sudo rm `find . -name *.gcda` 31 sudo rm `find . -name *.gcda`
@@ -35,7 +35,7 @@ generate() {
35 35
36 36
37gcov_init 37gcov_init
38lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old 38lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old
39 39
40#make test-utils 40#make test-utils
41#generate 41#generate
diff --git a/linecnt.sh b/linecnt.sh
index ccce2da82..86bccbc07 100755
--- a/linecnt.sh
+++ b/linecnt.sh
@@ -26,6 +26,6 @@ gcov_init() {
26rm -fr gcov-dir 26rm -fr gcov-dir
27gcov_init 27gcov_init
28lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \ 28lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \
29 -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \ 29 -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
30 -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file 30 -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file
31genhtml -q gcov-file --output-directory gcov-dir 31genhtml -q gcov-file --output-directory gcov-dir
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in
index f68edf380..ff411c807 100644
--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -5,7 +5,7 @@
5# http://bash-completion.alioth.debian.org 5# http://bash-completion.alioth.debian.org
6#******************************************************************* 6#*******************************************************************
7 7
8__interfaces(){ 8__interfaces() {
9 cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs 9 cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs
10} 10}
11 11
@@ -90,11 +90,11 @@ _firejail()
90 _filedir 90 _filedir
91 return 0 91 return 0
92 ;; 92 ;;
93 --net) 93 --net)
94 comps=$(__interfaces) 94 comps=$(__interfaces)
95 COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) 95 COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
96 return 0 96 return 0
97 ;; 97 ;;
98 esac 98 esac
99 99
100 $split && return 0 100 $split && return 0
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 31810de9a..f279af89f 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -88,7 +88,8 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
88 if (arg_debug) 88 if (arg_debug)
89 printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); 89 printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
90 90
91 setfilecon_raw(procfs_path, fcon); 91 if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
92 printf("Cannot relabel %s: %s\n", path, strerror(errno));
92 } 93 }
93 freecon(fcon); 94 freecon(fcon);
94 close: 95 close:
diff --git a/src/fids/fids.h b/src/fids/fids.h
index a2e2886fe..eaf2bbd29 100644
--- a/src/fids/fids.h
+++ b/src/fids/fids.h
@@ -48,4 +48,4 @@ int db_exclude_check(const char *fname);
48//#define KEY_SIZE 512 48//#define KEY_SIZE 512
49int blake2b(void *out, size_t outlen, const void *in, size_t inlen); 49int blake2b(void *out, size_t outlen, const void *in, size_t inlen);
50 50
51#endif \ No newline at end of file 51#endif
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 698630180..a544e25f2 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -348,6 +348,7 @@ gnome-weather
348gnote 348gnote
349gnubik 349gnubik
350godot 350godot
351goldendict
351goobox 352goobox
352google-chrome 353google-chrome
353google-chrome-beta 354google-chrome-beta
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 06e6f0ccb..e5d837bbb 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -58,6 +58,7 @@ int checkcfg(int val) {
58 cfg_val[CFG_XPRA_ATTACH] = 0; 58 cfg_val[CFG_XPRA_ATTACH] = 0;
59 cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1; 59 cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1;
60 cfg_val[CFG_BROWSER_ALLOW_DRM] = 0; 60 cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
61 cfg_val[CFG_ALLOW_TRAY] = 0;
61 62
62 // open configuration file 63 // open configuration file
63 const char *fname = SYSCONFDIR "/firejail.config"; 64 const char *fname = SYSCONFDIR "/firejail.config";
@@ -122,6 +123,7 @@ int checkcfg(int val) {
122 PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") 123 PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
123 PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") 124 PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
124 PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm") 125 PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
126 PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
125#undef PARSE_YESNO 127#undef PARSE_YESNO
126 128
127 // netfilter 129 // netfilter
diff --git a/src/firejail/env.c b/src/firejail/env.c
index f5e9dd980..ad16de037 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -262,7 +262,7 @@ static const char * const env_whitelist[] = {
262 "LANG", 262 "LANG",
263 "LANGUAGE", 263 "LANGUAGE",
264 "LC_MESSAGES", 264 "LC_MESSAGES",
265 "PATH", 265 // "PATH",
266 "DISPLAY" // required by X11 266 "DISPLAY" // required by X11
267}; 267};
268 268
@@ -311,6 +311,10 @@ void env_apply_whitelist(void) {
311 errExit("clearenv"); 311 errExit("clearenv");
312 312
313 env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist)); 313 env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
314
315 // hardcoding PATH
316 if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0)
317 errExit("setenv");
314} 318}
315 319
316// Filter env variables for a sbox app 320// Filter env variables for a sbox app
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2a7d88575..90cb2952b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -563,7 +563,7 @@ typedef struct {
563 563
564// mountinfo.c 564// mountinfo.c
565MountData *get_last_mount(void); 565MountData *get_last_mount(void);
566int get_mount_id(const char *path); 566int get_mount_id(int fd);
567char **build_mount_array(const int mount_id, const char *path); 567char **build_mount_array(const int mount_id, const char *path);
568 568
569// fs_var.c 569// fs_var.c
@@ -801,6 +801,7 @@ enum {
801 CFG_NAME_CHANGE, 801 CFG_NAME_CHANGE,
802 CFG_SECCOMP_ERROR_ACTION, 802 CFG_SECCOMP_ERROR_ACTION,
803 // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv 803 // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
804 CFG_ALLOW_TRAY,
804 CFG_MAX // this should always be the last entry 805 CFG_MAX // this should always be the last entry
805}; 806};
806extern char *xephyr_screen; 807extern char *xephyr_screen;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 5ac2da164..3144156a3 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -108,7 +108,7 @@ static void disable_file(OPERATION op, const char *filename) {
108 } 108 }
109 109
110 // check for firejail executable 110 // check for firejail executable
111 // we migth have a file found in ${PATH} pointing to /usr/bin/firejail 111 // we might have a file found in ${PATH} pointing to /usr/bin/firejail
112 // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird 112 // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
113 // and expects Firefox to open in the same sandbox 113 // and expects Firefox to open in the same sandbox
114 if (strcmp(BINDIR "/firejail", fname) == 0) { 114 if (strcmp(BINDIR "/firejail", fname) == 0) {
@@ -200,8 +200,6 @@ static void disable_file(OPERATION op, const char *filename) {
200 } 200 }
201 201
202 fs_tmpfs(fname, uid); 202 fs_tmpfs(fname, uid);
203 EUID_USER(); // fs_tmpfs returns with EUID 0
204
205 selinux_relabel_path(fname, fname); 203 selinux_relabel_path(fname, fname);
206 } 204 }
207 else 205 else
@@ -282,6 +280,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
282 280
283// blacklist files or directories by mounting empty files on top of them 281// blacklist files or directories by mounting empty files on top of them
284void fs_blacklist(void) { 282void fs_blacklist(void) {
283 EUID_ASSERT();
284
285 ProfileEntry *entry = cfg.profile; 285 ProfileEntry *entry = cfg.profile;
286 if (!entry) 286 if (!entry)
287 return; 287 return;
@@ -293,7 +293,6 @@ void fs_blacklist(void) {
293 if (noblacklist == NULL) 293 if (noblacklist == NULL)
294 errExit("failed allocating memory for noblacklist entries"); 294 errExit("failed allocating memory for noblacklist entries");
295 295
296 EUID_USER();
297 while (entry) { 296 while (entry) {
298 OPERATION op = OPERATION_MAX; 297 OPERATION op = OPERATION_MAX;
299 char *ptr; 298 char *ptr;
@@ -469,8 +468,6 @@ void fs_blacklist(void) {
469 for (i = 0; i < noblacklist_c; i++) 468 for (i = 0; i < noblacklist_c; i++)
470 free(noblacklist[i]); 469 free(noblacklist[i]);
471 free(noblacklist); 470 free(noblacklist);
472
473 EUID_ROOT();
474} 471}
475 472
476//*********************************************** 473//***********************************************
@@ -479,7 +476,7 @@ void fs_blacklist(void) {
479 476
480// mount a writable tmpfs on directory; requires a resolved path 477// mount a writable tmpfs on directory; requires a resolved path
481void fs_tmpfs(const char *dir, unsigned check_owner) { 478void fs_tmpfs(const char *dir, unsigned check_owner) {
482 EUID_USER(); 479 EUID_ASSERT();
483 assert(dir); 480 assert(dir);
484 if (arg_debug) 481 if (arg_debug)
485 printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no"); 482 printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
@@ -504,12 +501,13 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
504 errExit("fstatvfs"); 501 errExit("fstatvfs");
505 unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT); 502 unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT);
506 // mount via the symbolic link in /proc/self/fd 503 // mount via the symbolic link in /proc/self/fd
507 EUID_ROOT();
508 char *proc; 504 char *proc;
509 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) 505 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
510 errExit("asprintf"); 506 errExit("asprintf");
507 EUID_ROOT();
511 if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0) 508 if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0)
512 errExit("mounting tmpfs"); 509 errExit("mounting tmpfs");
510 EUID_USER();
513 // check the last mount operation 511 // check the last mount operation
514 MountData *mdata = get_last_mount(); 512 MountData *mdata = get_last_mount();
515 if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0) 513 if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0)
@@ -635,34 +633,30 @@ out:
635} 633}
636 634
637// remount recursively; requires a resolved path 635// remount recursively; requires a resolved path
638static void fs_remount_rec(const char *dir, OPERATION op) { 636static void fs_remount_rec(const char *path, OPERATION op) {
639 EUID_ASSERT(); 637 EUID_ASSERT();
640 assert(dir); 638 assert(op < OPERATION_MAX);
639 assert(path);
641 640
642 struct stat s; 641 // no need to search /proc/self/mountinfo for submounts if not a directory
643 if (stat(dir, &s) != 0) 642 int fd = open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
644 return; 643 if (fd < 0) {
645 if (!S_ISDIR(s.st_mode)) { 644 fs_remount_simple(path, op);
646 // no need to search in /proc/self/mountinfo for submounts if not a directory
647 fs_remount_simple(dir, op);
648 return; 645 return;
649 } 646 }
650 // get mount point of the directory 647
651 int mountid = get_mount_id(dir); 648 // get mount id of the directory
652 if (mountid == -1) 649 int mountid = get_mount_id(fd);
653 return; 650 close(fd);
654 if (mountid == -2) { 651 if (mountid < 0) {
655 // falling back to a simple remount on old kernels 652 // falling back to a simple remount
656 static int mount_warning = 0; 653 fwarning("%s %s not applied recursively\n", opstr[op], path);
657 if (!mount_warning) { 654 fs_remount_simple(path, op);
658 fwarning("read-only, read-write and noexec options are not applied recursively\n");
659 mount_warning = 1;
660 }
661 fs_remount_simple(dir, op);
662 return; 655 return;
663 } 656 }
657
664 // build array with all mount points that need to get remounted 658 // build array with all mount points that need to get remounted
665 char **arr = build_mount_array(mountid, dir); 659 char **arr = build_mount_array(mountid, path);
666 assert(arr); 660 assert(arr);
667 // remount 661 // remount
668 char **tmp = arr; 662 char **tmp = arr;
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 8cc3ecc62..a43b18344 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -330,8 +330,10 @@ void fs_dev_disable_sound(void) {
330 } 330 }
331 331
332 // disable all jack sockets in /dev/shm 332 // disable all jack sockets in /dev/shm
333 EUID_USER();
333 glob_t globbuf; 334 glob_t globbuf;
334 int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf); 335 int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
336 EUID_ROOT();
335 if (globerr) 337 if (globerr)
336 return; 338 return;
337 339
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 0ed476063..590337da1 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -395,14 +395,16 @@ void fs_private(void) {
395 } 395 }
396 if (chown(homedir, u, g) < 0) 396 if (chown(homedir, u, g) < 0)
397 errExit("chown"); 397 errExit("chown");
398
399 fs_logger2("mkdir", homedir); 398 fs_logger2("mkdir", homedir);
400 fs_logger2("tmpfs", homedir); 399 fs_logger2("tmpfs", homedir);
401 } 400 }
402 else 401 else {
403 // mask user home directory 402 // mask user home directory
404 // the directory should be owned by the current user 403 // the directory should be owned by the current user
404 EUID_USER();
405 fs_tmpfs(homedir, 1); 405 fs_tmpfs(homedir, 1);
406 EUID_ROOT();
407 }
406 408
407 selinux_relabel_path(homedir, homedir); 409 selinux_relabel_path(homedir, homedir);
408 } 410 }
@@ -564,12 +566,13 @@ void fs_private_home_list(void) {
564 int xflag = store_xauthority(); 566 int xflag = store_xauthority();
565 int aflag = store_asoundrc(); 567 int aflag = store_asoundrc();
566 568
567 // create /run/firejail/mnt/home directory
568 EUID_ROOT(); 569 EUID_ROOT();
570 // create /run/firejail/mnt/home directory
569 mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); 571 mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
570 selinux_relabel_path(RUN_HOME_DIR, homedir); 572 selinux_relabel_path(RUN_HOME_DIR, homedir);
571 573
572 fs_logger_print(); // save the current log 574 // save the current log
575 fs_logger_print();
573 EUID_USER(); 576 EUID_USER();
574 577
575 // copy the list of files in the new home directory 578 // copy the list of files in the new home directory
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 1a9a78ceb..7d320e90b 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -93,10 +93,6 @@ char *fs_check_hosts_file(const char *fname) {
93 invalid_filename(fname, 0); // no globbing 93 invalid_filename(fname, 0); // no globbing
94 char *rv = expand_macros(fname); 94 char *rv = expand_macros(fname);
95 95
96 // no a link
97 if (is_link(rv))
98 goto errexit;
99
100 // the user has read access to the file 96 // the user has read access to the file
101 if (access(rv, R_OK)) 97 if (access(rv, R_OK))
102 goto errexit; 98 goto errexit;
@@ -119,9 +115,6 @@ void fs_mount_hosts_file(void) {
119 struct stat s; 115 struct stat s;
120 if (stat("/etc/hosts", &s) == -1) 116 if (stat("/etc/hosts", &s) == -1)
121 goto errexit; 117 goto errexit;
122 // not a link
123 if (is_link("/etc/hosts"))
124 goto errexit;
125 // owned by root 118 // owned by root
126 if (s.st_uid != 0) 119 if (s.st_uid != 0)
127 goto errexit; 120 goto errexit;
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 9d7a17cf3..848c186fa 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -195,6 +195,11 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
195 assert(full_path); 195 assert(full_path);
196 // if library/executable does not exist or the user does not have read access to it 196 // if library/executable does not exist or the user does not have read access to it
197 // print a warning and exit the function. 197 // print a warning and exit the function.
198 if (access(full_path, F_OK)) {
199 if (arg_debug || arg_debug_private_lib)
200 printf("Cannot find %s, skipping...\n", full_path);
201 return;
202 }
198 if (user && access(full_path, R_OK)) { 203 if (user && access(full_path, R_OK)) {
199 if (arg_debug || arg_debug_private_lib) 204 if (arg_debug || arg_debug_private_lib)
200 printf("Cannot read %s, skipping...\n", full_path); 205 printf("Cannot read %s, skipping...\n", full_path);
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index c69bf7c98..a347b380c 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -143,7 +143,7 @@ static void fdir(void) {
143 NULL, 143 NULL,
144 }; 144 };
145 145
146 // need to parse as root user, unprivileged users have no read permission on executables 146 // need to parse as root user, unprivileged users have no read permission on some of these binaries
147 int i; 147 int i;
148 for (i = 0; fbin[i]; i++) 148 for (i = 0; fbin[i]; i++)
149 fslib_mount_libs(fbin[i], 0); 149 fslib_mount_libs(fbin[i], 0);
@@ -153,7 +153,9 @@ void fslib_install_firejail(void) {
153 timetrace_start(); 153 timetrace_start();
154 // bring in firejail executable libraries, in case we are redirected here 154 // bring in firejail executable libraries, in case we are redirected here
155 // by a firejail symlink from /usr/local/bin/firejail 155 // by a firejail symlink from /usr/local/bin/firejail
156 fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user 156 // fldd might have no read permission on the firejail executable
157 // parse as root in order to support these setups
158 fslib_mount_libs(PATH_FIREJAIL, 0);
157 159
158 // bring in firejail directory 160 // bring in firejail directory
159 fdir(); 161 fdir();
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 943f275de..7afebed1f 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -105,6 +105,7 @@ static int whitelist_mkpath(const char* path, mode_t mode) {
105} 105}
106 106
107static void whitelist_file(int dirfd, const char *relpath, const char *path) { 107static void whitelist_file(int dirfd, const char *relpath, const char *path) {
108 EUID_ASSERT();
108 assert(relpath && path); 109 assert(relpath && path);
109 110
110 // open mount source, using a file descriptor that refers to the 111 // open mount source, using a file descriptor that refers to the
@@ -130,12 +131,9 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
130 } 131 }
131 132
132 // create mount target as root, except if inside home or run/user/$UID directory 133 // create mount target as root, except if inside home or run/user/$UID directory
133 int userprivs = 0; 134 if ((strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/') &&
134 if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') || 135 (strncmp(path, runuser, runuser_len) != 0 || path[runuser_len] != '/'))
135 (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) { 136 EUID_ROOT();
136 EUID_USER();
137 userprivs = 1;
138 }
139 137
140 // create path of the mount target 138 // create path of the mount target
141 int fd2 = whitelist_mkpath(path, 0755); 139 int fd2 = whitelist_mkpath(path, 0755);
@@ -146,8 +144,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
146 if (arg_debug || arg_debug_whitelists) 144 if (arg_debug || arg_debug_whitelists)
147 printf("Debug %d: skip whitelist %s\n", __LINE__, path); 145 printf("Debug %d: skip whitelist %s\n", __LINE__, path);
148 close(fd); 146 close(fd);
149 if (userprivs) 147 EUID_USER();
150 EUID_ROOT();
151 return; 148 return;
152 } 149 }
153 150
@@ -166,8 +163,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
166 } 163 }
167 close(fd); 164 close(fd);
168 close(fd2); 165 close(fd2);
169 if (userprivs) 166 EUID_USER();
170 EUID_ROOT();
171 return; 167 return;
172 } 168 }
173 fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); 169 fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
@@ -184,19 +180,17 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
184 } 180 }
185 close(fd); 181 close(fd);
186 close(fd2); 182 close(fd2);
187 if (userprivs) 183 EUID_USER();
188 EUID_ROOT();
189 return; 184 return;
190 } 185 }
191
192 close(fd2); 186 close(fd2);
193 if (userprivs)
194 EUID_ROOT();
195 187
196 if (arg_debug || arg_debug_whitelists) 188 if (arg_debug || arg_debug_whitelists)
197 printf("Whitelisting %s\n", path); 189 printf("Whitelisting %s\n", path);
190 EUID_ROOT();
198 if (bind_mount_by_fd(fd, fd3)) 191 if (bind_mount_by_fd(fd, fd3))
199 errExit("mount bind"); 192 errExit("mount bind");
193 EUID_USER();
200 // check the last mount operation 194 // check the last mount operation
201 MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found 195 MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
202#ifdef TEST_MOUNTINFO 196#ifdef TEST_MOUNTINFO
@@ -219,22 +213,19 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
219} 213}
220 214
221static void whitelist_symlink(const char *link, const char *target) { 215static void whitelist_symlink(const char *link, const char *target) {
216 EUID_ASSERT();
222 assert(link && target); 217 assert(link && target);
223 218
224 // create files as root, except if inside home or run/user/$UID directory 219 // create files as root, except if inside home or run/user/$UID directory
225 int userprivs = 0; 220 if ((strncmp(link, cfg.homedir, homedir_len) != 0 || link[homedir_len] != '/') &&
226 if ((strncmp(link, cfg.homedir, homedir_len) == 0 && link[homedir_len] == '/') || 221 (strncmp(link, runuser, runuser_len) != 0 || link[runuser_len] != '/'))
227 (strncmp(link, runuser, runuser_len) == 0 && link[runuser_len] == '/')) { 222 EUID_ROOT();
228 EUID_USER();
229 userprivs = 1;
230 }
231 223
232 int fd = whitelist_mkpath(link, 0755); 224 int fd = whitelist_mkpath(link, 0755);
233 if (fd == -1) { 225 if (fd == -1) {
234 if (arg_debug || arg_debug_whitelists) 226 if (arg_debug || arg_debug_whitelists)
235 printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link); 227 printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link);
236 if (userprivs) 228 EUID_USER();
237 EUID_ROOT();
238 return; 229 return;
239 } 230 }
240 231
@@ -252,8 +243,7 @@ static void whitelist_symlink(const char *link, const char *target) {
252 printf("Created symbolic link %s -> %s\n", link, target); 243 printf("Created symbolic link %s -> %s\n", link, target);
253 244
254 close(fd); 245 close(fd);
255 if (userprivs) 246 EUID_USER();
256 EUID_ROOT();
257} 247}
258 248
259static void globbing(const char *pattern) { 249static void globbing(const char *pattern) {
@@ -330,10 +320,11 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
330 // init tmpfs 320 // init tmpfs
331 if (strcmp(topdirs[i].path, "/run") == 0) { 321 if (strcmp(topdirs[i].path, "/run") == 0) {
332 // restore /run/firejail directory 322 // restore /run/firejail directory
333 if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1) 323 EUID_ROOT();
334 errExit("mkdir"); 324 mkdir_attr(RUN_FIREJAIL_DIR, 0755, 0, 0);
335 if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR)) 325 if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR))
336 errExit("mount bind"); 326 errExit("mount bind");
327 EUID_USER();
337 close(fd); 328 close(fd);
338 fs_logger2("whitelist", RUN_FIREJAIL_DIR); 329 fs_logger2("whitelist", RUN_FIREJAIL_DIR);
339 330
@@ -351,12 +342,14 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
351 errExit("asprintf"); 342 errExit("asprintf");
352 if (strcmp(env, pamtmpdir) == 0) { 343 if (strcmp(env, pamtmpdir) == 0) {
353 // create empty user-owned /tmp/user/$UID directory 344 // create empty user-owned /tmp/user/$UID directory
345 EUID_ROOT();
354 mkdir_attr("/tmp/user", 0711, 0, 0); 346 mkdir_attr("/tmp/user", 0711, 0, 0);
355 selinux_relabel_path("/tmp/user", "/tmp/user"); 347 selinux_relabel_path("/tmp/user", "/tmp/user");
356 fs_logger("mkdir /tmp/user"); 348 fs_logger("mkdir /tmp/user");
357 mkdir_attr(pamtmpdir, 0700, getuid(), 0); 349 mkdir_attr(pamtmpdir, 0700, getuid(), 0);
358 selinux_relabel_path(pamtmpdir, pamtmpdir); 350 selinux_relabel_path(pamtmpdir, pamtmpdir);
359 fs_logger2("mkdir", pamtmpdir); 351 fs_logger2("mkdir", pamtmpdir);
352 EUID_USER();
360 } 353 }
361 free(pamtmpdir); 354 free(pamtmpdir);
362 } 355 }
@@ -374,11 +367,8 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
374 } 367 }
375 368
376 // user home directory 369 // user home directory
377 if (tmpfs_home) { 370 if (tmpfs_home)
378 EUID_USER();
379 fs_private(); // checks owner if outside /home 371 fs_private(); // checks owner if outside /home
380 EUID_ROOT();
381 }
382 372
383 // /run/user/$UID directory 373 // /run/user/$UID directory
384 if (tmpfs_runuser) { 374 if (tmpfs_runuser) {
@@ -402,6 +392,7 @@ static int reject_topdir(const char *dir) {
402// keep track of whitelist top level directories by adding them to an array 392// keep track of whitelist top level directories by adding them to an array
403// open each directory 393// open each directory
404static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { 394static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
395 EUID_ASSERT();
405 assert(dir && path); 396 assert(dir && path);
406 397
407 // /proc and /sys are not allowed 398 // /proc and /sys are not allowed
@@ -516,6 +507,8 @@ static char *extract_topdir(const char *path) {
516} 507}
517 508
518void fs_whitelist(void) { 509void fs_whitelist(void) {
510 EUID_ASSERT();
511
519 ProfileEntry *entry = cfg.profile; 512 ProfileEntry *entry = cfg.profile;
520 if (!entry) 513 if (!entry)
521 return; 514 return;
@@ -536,7 +529,6 @@ void fs_whitelist(void) {
536 errExit("calloc"); 529 errExit("calloc");
537 530
538 // verify whitelist files, extract symbolic links, etc. 531 // verify whitelist files, extract symbolic links, etc.
539 EUID_USER();
540 while (entry) { 532 while (entry) {
541 int nowhitelist_flag = 0; 533 int nowhitelist_flag = 0;
542 534
@@ -630,7 +622,7 @@ void fs_whitelist(void) {
630 if (!fname) { 622 if (!fname) {
631 if (arg_debug || arg_debug_whitelists) { 623 if (arg_debug || arg_debug_whitelists) {
632 printf("Removed path: %s\n", entry->data); 624 printf("Removed path: %s\n", entry->data);
633 printf("\texpanded: %s\n", new_name); 625 printf("\tnew_name: %s\n", new_name);
634 printf("\trealpath: (null)\n"); 626 printf("\trealpath: (null)\n");
635 printf("\t%s\n", strerror(errno)); 627 printf("\t%s\n", strerror(errno));
636 } 628 }
@@ -712,7 +704,6 @@ void fs_whitelist(void) {
712 free(nowhitelist); 704 free(nowhitelist);
713 705
714 // mount tmpfs on all top level directories 706 // mount tmpfs on all top level directories
715 EUID_ROOT();
716 tmpfs_topdirs(topdirs); 707 tmpfs_topdirs(topdirs);
717 708
718 // go through profile rules again, and interpret whitelist commands 709 // go through profile rules again, and interpret whitelist commands
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
index 59acdb1fe..a9ff59be4 100644
--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@@ -86,4 +86,4 @@ void run_ids(int argc, char **argv) {
86 fprintf(stderr, "Error: unrecognized IDS command\n"); 86 fprintf(stderr, "Error: unrecognized IDS command\n");
87 87
88 exit(0); 88 exit(0);
89} \ No newline at end of file 89}
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 394bbb528..a869f6b64 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -45,7 +45,7 @@ static unsigned display = 0;
45static void signal_handler(int sig){ 45static void signal_handler(int sig){
46 flush_stdin(); 46 flush_stdin();
47 47
48 exit(sig); 48 exit(128 + sig);
49} 49}
50 50
51static void install_handler(void) { 51static void install_handler(void) {
@@ -536,7 +536,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
536 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); 536 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
537 537
538#ifdef HAVE_APPARMOR 538#ifdef HAVE_APPARMOR
539 // add apparmor confinement after the execve
540 set_apparmor(); 539 set_apparmor();
541#endif 540#endif
542 541
@@ -552,10 +551,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
552 if (cfg.cpus) // not available for uid 0 551 if (cfg.cpus) // not available for uid 0
553 set_cpu_affinity(); 552 set_cpu_affinity();
554 553
555 // set nice value
556 if (arg_nice)
557 set_nice(cfg.nice);
558
559 // add x11 display 554 // add x11 display
560 if (display) { 555 if (display) {
561 char *display_str; 556 char *display_str;
@@ -574,6 +569,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
574 dbus_set_system_bus_env(); 569 dbus_set_system_bus_env();
575#endif 570#endif
576 571
572 // set nice and rlimits
573 if (arg_nice)
574 set_nice(cfg.nice);
575 set_rlimits();
576
577 start_application(0, shfd, NULL); 577 start_application(0, shfd, NULL);
578 578
579 __builtin_unreachable(); 579 __builtin_unreachable();
@@ -596,15 +596,17 @@ void join(pid_t pid, int argc, char **argv, int index) {
596 596
597 // end of signal-safe code 597 // end of signal-safe code
598 //***************************** 598 //*****************************
599 flush_stdin();
600 599
601 if (WIFEXITED(status)) { 600 if (WIFEXITED(status)) {
601 // if we had a proper exit, return that exit status
602 status = WEXITSTATUS(status); 602 status = WEXITSTATUS(status);
603 } else if (WIFSIGNALED(status)) { 603 } else if (WIFSIGNALED(status)) {
604 status = WTERMSIG(status); 604 // distinguish fatal signals by adding 128
605 status = 128 + WTERMSIG(status);
605 } else { 606 } else {
606 status = 0; 607 status = -1;
607 } 608 }
608 609
610 flush_stdin();
609 exit(status); 611 exit(status);
610} 612}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e0bf44f62..81d148257 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -189,13 +189,15 @@ static void my_handler(int s) {
189 logsignal(s); 189 logsignal(s);
190 190
191 if (waitpid(child, NULL, WNOHANG) == 0) { 191 if (waitpid(child, NULL, WNOHANG) == 0) {
192 if (has_handler(child, s)) // signals are not delivered if there is no handler yet 192 // child is pid 1 of a pid namespace:
193 // signals are not delivered if there is no handler yet
194 if (has_handler(child, s))
193 kill(child, s); 195 kill(child, s);
194 else 196 else
195 kill(child, SIGKILL); 197 kill(child, SIGKILL);
196 waitpid(child, NULL, 0); 198 waitpid(child, NULL, 0);
197 } 199 }
198 myexit(s); 200 myexit(128 + s);
199} 201}
200 202
201static void install_handler(void) { 203static void install_handler(void) {
@@ -1263,9 +1265,9 @@ int main(int argc, char **argv, char **envp) {
1263 arg_debug = 1; 1265 arg_debug = 1;
1264 arg_quiet = 0; 1266 arg_quiet = 0;
1265 } 1267 }
1266 else if (strcmp(argv[i], "--debug-deny") == 0) 1268 else if (strcmp(argv[i], "--debug-blacklists") == 0)
1267 arg_debug_blacklists = 1; 1269 arg_debug_blacklists = 1;
1268 else if (strcmp(argv[i], "--debug-allow") == 0) 1270 else if (strcmp(argv[i], "--debug-whitelists") == 0)
1269 arg_debug_whitelists = 1; 1271 arg_debug_whitelists = 1;
1270 else if (strcmp(argv[i], "--debug-private-lib") == 0) 1272 else if (strcmp(argv[i], "--debug-private-lib") == 0)
1271 arg_debug_private_lib = 1; 1273 arg_debug_private_lib = 1;
@@ -3216,10 +3218,11 @@ printf("link #%s#\n", prf->link);
3216 if (WIFEXITED(status)){ 3218 if (WIFEXITED(status)){
3217 myexit(WEXITSTATUS(status)); 3219 myexit(WEXITSTATUS(status));
3218 } else if (WIFSIGNALED(status)) { 3220 } else if (WIFSIGNALED(status)) {
3219 myexit(WTERMSIG(status)); 3221 // distinguish fatal signals by adding 128
3222 myexit(128 + WTERMSIG(status));
3220 } else { 3223 } else {
3221 myexit(0); 3224 myexit(1);
3222 } 3225 }
3223 3226
3224 return 0; 3227 return 1;
3225} 3228}
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 64a94bd84..304f80eee 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -19,6 +19,7 @@
19*/ 19*/
20 20
21#include "firejail.h" 21#include "firejail.h"
22#include <errno.h>
22 23
23#include <fcntl.h> 24#include <fcntl.h>
24#ifndef O_PATH 25#ifndef O_PATH
@@ -151,53 +152,71 @@ MountData *get_last_mount(void) {
151 return &mdata; 152 return &mdata;
152} 153}
153 154
154// Extract the mount id from /proc/self/fdinfo and return it. 155// Returns mount id, or -1 if fd refers to a procfs or sysfs file
155int get_mount_id(const char *path) { 156static int get_mount_id_from_handle(int fd) {
156 EUID_ASSERT(); 157 EUID_ASSERT();
157 assert(path);
158 158
159 int fd = open(path, O_PATH|O_CLOEXEC); 159 char *proc;
160 if (fd == -1) 160 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
161 return -1; 161 errExit("asprintf");
162 struct file_handle *fh = malloc(sizeof *fh);
163 if (!fh)
164 errExit("malloc");
165 fh->handle_bytes = 0;
166
167 int rv = -1;
168 int tmp;
169 if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) {
170 fprintf(stderr, "Error: unexpected result from name_to_handle_at\n");
171 exit(1);
172 }
173 if (errno == EOVERFLOW && fh->handle_bytes)
174 rv = tmp;
175
176 free(proc);
177 free(fh);
178 return rv;
179}
180
181// Returns mount id, or -1 on kernels < 3.15
182static int get_mount_id_from_fdinfo(int fd) {
183 EUID_ASSERT();
184 int rv = -1;
162 185
163 char *fdinfo; 186 char *proc;
164 if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1) 187 if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1)
165 errExit("asprintf"); 188 errExit("asprintf");
166 EUID_ROOT(); 189 EUID_ROOT();
167 FILE *fp = fopen(fdinfo, "re"); 190 FILE *fp = fopen(proc, "re");
168 EUID_USER(); 191 EUID_USER();
169 free(fdinfo);
170 if (!fp) 192 if (!fp)
171 goto errexit; 193 goto errexit;
172 194
173 // read the file
174 char buf[MAX_BUF]; 195 char buf[MAX_BUF];
175 if (fgets(buf, MAX_BUF, fp) == NULL) 196 while (fgets(buf, MAX_BUF, fp)) {
176 goto errexit;
177 do {
178 if (strncmp(buf, "mnt_id:", 7) == 0) { 197 if (strncmp(buf, "mnt_id:", 7) == 0) {
179 char *ptr = buf + 7; 198 if (sscanf(buf + 7, "%d", &rv) != 1)
180 while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
181 ptr++;
182 }
183 if (*ptr == '\0')
184 goto errexit; 199 goto errexit;
185 fclose(fp); 200 break;
186 close(fd);
187 return atoi(ptr);
188 } 201 }
189 } while (fgets(buf, MAX_BUF, fp)); 202 }
190 203
191 // fallback, kernels older than 3.15 don't expose the mount id in this place 204 free(proc);
192 fclose(fp); 205 fclose(fp);
193 close(fd); 206 return rv;
194 return -2;
195 207
196errexit: 208errexit:
197 fprintf(stderr, "Error: cannot read proc file\n"); 209 fprintf(stderr, "Error: cannot read proc file\n");
198 exit(1); 210 exit(1);
199} 211}
200 212
213int get_mount_id(int fd) {
214 int rv = get_mount_id_from_fdinfo(fd);
215 if (rv < 0)
216 rv = get_mount_id_from_handle(fd);
217 return rv;
218}
219
201// Check /proc/self/mountinfo if path contains any mounts points. 220// Check /proc/self/mountinfo if path contains any mounts points.
202// Returns an array that can be iterated over for recursive remounting. 221// Returns an array that can be iterated over for recursive remounting.
203char **build_mount_array(const int mount_id, const char *path) { 222char **build_mount_array(const int mount_id, const char *path) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index b7c7185a6..5390249ea 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -175,6 +175,10 @@ static int check_allow_drm(void) {
175 return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0; 175 return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
176} 176}
177 177
178static int check_allow_tray(void) {
179 return checkcfg(CFG_ALLOW_TRAY) != 0;
180}
181
178Cond conditionals[] = { 182Cond conditionals[] = {
179 {"HAS_APPIMAGE", check_appimage}, 183 {"HAS_APPIMAGE", check_appimage},
180 {"HAS_NET", check_netoptions}, 184 {"HAS_NET", check_netoptions},
@@ -184,6 +188,7 @@ Cond conditionals[] = {
184 {"HAS_X11", check_x11}, 188 {"HAS_X11", check_x11},
185 {"BROWSER_DISABLE_U2F", check_disable_u2f}, 189 {"BROWSER_DISABLE_U2F", check_disable_u2f},
186 {"BROWSER_ALLOW_DRM", check_allow_drm}, 190 {"BROWSER_ALLOW_DRM", check_allow_drm},
191 {"ALLOW_TRAY", check_allow_tray},
187 { NULL, NULL } 192 { NULL, NULL }
188}; 193};
189 194
@@ -630,7 +635,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
630#endif 635#endif
631 return 0; 636 return 0;
632 } 637 }
633 else if (strncmp(ptr, "netns ", 6) == 0) { 638 else if (strncmp(ptr, "netns ", 6) == 0) {
634#ifdef HAVE_NETWORK 639#ifdef HAVE_NETWORK
635 if (checkcfg(CFG_NETWORK)) { 640 if (checkcfg(CFG_NETWORK)) {
636 arg_netns = ptr + 6; 641 arg_netns = ptr + 6;
@@ -981,10 +986,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
981 warning_feature_disabled("seccomp"); 986 warning_feature_disabled("seccomp");
982 return 0; 987 return 0;
983 } 988 }
984 if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) { 989 if (strncmp(ptr, "seccomp.32.drop ", 16) == 0) {
985 if (checkcfg(CFG_SECCOMP)) { 990 if (checkcfg(CFG_SECCOMP)) {
986 arg_seccomp32 = 1; 991 arg_seccomp32 = 1;
987 cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13); 992 cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16);
988 } 993 }
989 else 994 else
990 warning_feature_disabled("seccomp"); 995 warning_feature_disabled("seccomp");
@@ -1001,10 +1006,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1001 warning_feature_disabled("seccomp"); 1006 warning_feature_disabled("seccomp");
1002 return 0; 1007 return 0;
1003 } 1008 }
1004 if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) { 1009 if (strncmp(ptr, "seccomp.32.keep ", 16) == 0) {
1005 if (checkcfg(CFG_SECCOMP)) { 1010 if (checkcfg(CFG_SECCOMP)) {
1006 arg_seccomp32 = 1; 1011 arg_seccomp32 = 1;
1007 cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13); 1012 cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 16);
1008 } 1013 }
1009 else 1014 else
1010 warning_feature_disabled("seccomp"); 1015 warning_feature_disabled("seccomp");
@@ -1938,7 +1943,7 @@ char *profile_list_compress(char *list)
1938 /* Include non-empty item */ 1943 /* Include non-empty item */
1939 if (!*item) 1944 if (!*item)
1940 in[i] = 0; 1945 in[i] = 0;
1941 /* Remove all allready included items */ 1946 /* Remove all already included items */
1942 for (k = 0; k < i; ++k) 1947 for (k = 0; k < i; ++k)
1943 in[k] = 0; 1948 in[k] = 0;
1944 break; 1949 break;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 59ddfb855..83e50aee2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -87,9 +87,9 @@ static void sandbox_handler(int sig){
87 87
88 // broadcast a SIGKILL 88 // broadcast a SIGKILL
89 kill(-1, SIGKILL); 89 kill(-1, SIGKILL);
90 flush_stdin();
91 90
92 exit(sig); 91 flush_stdin();
92 exit(128 + sig);
93} 93}
94 94
95static void install_handler(void) { 95static void install_handler(void) {
@@ -1004,10 +1004,12 @@ int sandbox(void* sandbox_arg) {
1004 // apply the profile file 1004 // apply the profile file
1005 //**************************** 1005 //****************************
1006 // apply all whitelist commands ... 1006 // apply all whitelist commands ...
1007 EUID_USER();
1007 fs_whitelist(); 1008 fs_whitelist();
1008 1009
1009 // ... followed by blacklist commands 1010 // ... followed by blacklist commands
1010 fs_blacklist(); // mkdir and mkfile are processed all over again 1011 fs_blacklist(); // mkdir and mkfile are processed all over again
1012 EUID_ROOT();
1011 1013
1012 //**************************** 1014 //****************************
1013 // nosound/no3d/notv/novideo and fix for pulseaudio 7.0 1015 // nosound/no3d/notv/novideo and fix for pulseaudio 7.0
@@ -1243,7 +1245,6 @@ int sandbox(void* sandbox_arg) {
1243 1245
1244 if (app_pid == 0) { 1246 if (app_pid == 0) {
1245#ifdef HAVE_APPARMOR 1247#ifdef HAVE_APPARMOR
1246 // add apparmor confinement after the execve
1247 set_apparmor(); 1248 set_apparmor();
1248#endif 1249#endif
1249 1250
@@ -1258,13 +1259,17 @@ int sandbox(void* sandbox_arg) {
1258 munmap(set_sandbox_status, 1); 1259 munmap(set_sandbox_status, 1);
1259 1260
1260 int status = monitor_application(app_pid); // monitor application 1261 int status = monitor_application(app_pid); // monitor application
1261 flush_stdin();
1262 1262
1263 if (WIFEXITED(status)) { 1263 if (WIFEXITED(status)) {
1264 // if we had a proper exit, return that exit status 1264 // if we had a proper exit, return that exit status
1265 return WEXITSTATUS(status); 1265 status = WEXITSTATUS(status);
1266 } else if (WIFSIGNALED(status)) {
1267 // distinguish fatal signals by adding 128
1268 status = 128 + WTERMSIG(status);
1266 } else { 1269 } else {
1267 // something else went wrong! 1270 status = -1;
1268 return -1;
1269 } 1271 }
1272
1273 flush_stdin();
1274 return status;
1270} 1275}
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index 6969e7a3d..fa59882ed 100644
--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -21,6 +21,7 @@
21#include "firejail.h" 21#include "firejail.h"
22#include <sys/types.h> 22#include <sys/types.h>
23#include <sys/stat.h> 23#include <sys/stat.h>
24#include <errno.h>
24 25
25#include <fcntl.h> 26#include <fcntl.h>
26#ifndef O_PATH 27#ifndef O_PATH
@@ -57,7 +58,17 @@ void selinux_relabel_path(const char *path, const char *inside_path)
57 58
58 /* Open the file as O_PATH, to pin it while we determine and adjust the label 59 /* Open the file as O_PATH, to pin it while we determine and adjust the label
59 * Defeat symlink races by not allowing symbolic links */ 60 * Defeat symlink races by not allowing symbolic links */
61 int called_as_root = 0;
62 if (geteuid() == 0)
63 called_as_root = 1;
64 if (called_as_root)
65 EUID_USER();
66
60 fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH); 67 fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
68
69 if (called_as_root)
70 EUID_ROOT();
71
61 if (fd < 0) 72 if (fd < 0)
62 return; 73 return;
63 if (fstat(fd, &st) < 0) 74 if (fstat(fd, &st) < 0)
@@ -68,8 +79,16 @@ void selinux_relabel_path(const char *path, const char *inside_path)
68 if (arg_debug) 79 if (arg_debug)
69 printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); 80 printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
70 81
71 setfilecon_raw(procfs_path, fcon); 82 if (!called_as_root)
83 EUID_ROOT();
84
85 if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
86 printf("Cannot relabel %s: %s\n", path, strerror(errno));
87
88 if (!called_as_root)
89 EUID_USER();
72 } 90 }
91
73 freecon(fcon); 92 freecon(fcon);
74 close: 93 close:
75 close(fd); 94 close(fd);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d843c74ae..43f862b9d 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -28,7 +28,6 @@ static char *usage_str =
28 "\n" 28 "\n"
29 "Options:\n" 29 "Options:\n"
30 " -- - signal the end of options and disables further option processing.\n" 30 " -- - signal the end of options and disables further option processing.\n"
31 " --allow=filename - allow file system access.\n"
32 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" 31 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
33 " --allusers - all user home directories are visible inside the sandbox.\n" 32 " --allusers - all user home directories are visible inside the sandbox.\n"
34 " --apparmor - enable AppArmor confinement.\n" 33 " --apparmor - enable AppArmor confinement.\n"
@@ -39,12 +38,13 @@ static char *usage_str =
39#endif 38#endif
40 " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" 39 " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
41 " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" 40 " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
42 " --build - build a profile for the application.\n" 41 " --blacklist=filename - blacklist directory or file.\n"
43 " --build=filename - build a profile for the application.\n" 42 " --build - build a whitelisted profile for the application.\n"
43 " --build=filename - build a whitelisted profile for the application.\n"
44 " --caps - enable default Linux capabilities filter.\n" 44 " --caps - enable default Linux capabilities filter.\n"
45 " --caps.drop=all - drop all capabilities.\n" 45 " --caps.drop=all - drop all capabilities.\n"
46 " --caps.drop=capability,capability - drop capabilities.\n" 46 " --caps.drop=capability,capability - blacklist capabilities filter.\n"
47 " --caps.keep=capability,capability - allow capabilities.\n" 47 " --caps.keep=capability,capability - whitelist capabilities filter.\n"
48 " --caps.print=name|pid - print the caps filter.\n" 48 " --caps.print=name|pid - print the caps filter.\n"
49#ifdef HAVE_FILE_TRANSFER 49#ifdef HAVE_FILE_TRANSFER
50 " --cat=name|pid filename - print content of file from sandbox container.\n" 50 " --cat=name|pid filename - print content of file from sandbox container.\n"
@@ -75,18 +75,17 @@ static char *usage_str =
75 " --dbus-user.talk=name - allow talking to name on the session DBus.\n" 75 " --dbus-user.talk=name - allow talking to name on the session DBus.\n"
76#endif 76#endif
77 " --debug - print sandbox debug messages.\n" 77 " --debug - print sandbox debug messages.\n"
78 " --debug-allow - debug file system access.\n" 78 " --debug-blacklists - debug blacklisting.\n"
79 " --debug-deny - debug file system access.\n"
80 " --debug-caps - print all recognized capabilities.\n" 79 " --debug-caps - print all recognized capabilities.\n"
81 " --debug-errnos - print all recognized error numbers.\n" 80 " --debug-errnos - print all recognized error numbers.\n"
82 " --debug-private-lib - debug for --private-lib option.\n" 81 " --debug-private-lib - debug for --private-lib option.\n"
83 " --debug-protocols - print all recognized protocols.\n" 82 " --debug-protocols - print all recognized protocols.\n"
84 " --debug-syscalls - print all recognized system calls.\n" 83 " --debug-syscalls - print all recognized system calls.\n"
85 " --debug-syscalls32 - print all recognized 32 bit system calls.\n" 84 " --debug-syscalls32 - print all recognized 32 bit system calls.\n"
85 " --debug-whitelists - debug whitelisting.\n"
86#ifdef HAVE_NETWORK 86#ifdef HAVE_NETWORK
87 " --defaultgw=address - configure default gateway.\n" 87 " --defaultgw=address - configure default gateway.\n"
88#endif 88#endif
89 " --deny=filename - deny access to directory or file.\n"
90 " --deterministic-exit-code - always exit with first child's status code.\n" 89 " --deterministic-exit-code - always exit with first child's status code.\n"
91 " --dns=address - set DNS server.\n" 90 " --dns=address - set DNS server.\n"
92 " --dns.print=name|pid - print DNS configuration.\n" 91 " --dns.print=name|pid - print DNS configuration.\n"
@@ -147,14 +146,13 @@ static char *usage_str =
147 " --netfilter6=filename - enable IPv6 firewall.\n" 146 " --netfilter6=filename - enable IPv6 firewall.\n"
148 " --netfilter6.print=name|pid - print the IPv6 firewall.\n" 147 " --netfilter6.print=name|pid - print the IPv6 firewall.\n"
149 " --netmask=address - define a network mask when dealing with unconfigured\n" 148 " --netmask=address - define a network mask when dealing with unconfigured\n"
150 "\tparrent interfaces.\n" 149 "\tparent interfaces.\n"
151 " --netns=name - Run the program in a named, persistent network namespace.\n" 150 " --netns=name - Run the program in a named, persistent network namespace.\n"
152 " --netstats - monitor network statistics.\n" 151 " --netstats - monitor network statistics.\n"
153#endif 152#endif
154 " --nice=value - set nice value.\n" 153 " --nice=value - set nice value.\n"
155 " --no3d - disable 3D hardware acceleration.\n" 154 " --no3d - disable 3D hardware acceleration.\n"
156 " --noallow=filename - disable allow command for file or directory.\n" 155 " --noblacklist=filename - disable blacklist for file or directory.\n"
157 " --nodeny=filename - disable deny command for file or directory.\n"
158 " --nodbus - disable D-Bus access.\n" 156 " --nodbus - disable D-Bus access.\n"
159 " --nodvd - disable DVD and audio CD devices.\n" 157 " --nodvd - disable DVD and audio CD devices.\n"
160 " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" 158 " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
@@ -169,6 +167,7 @@ static char *usage_str =
169 " --noautopulse - disable automatic ~/.config/pulse init.\n" 167 " --noautopulse - disable automatic ~/.config/pulse init.\n"
170 " --novideo - disable video devices.\n" 168 " --novideo - disable video devices.\n"
171 " --nou2f - disable U2F devices.\n" 169 " --nou2f - disable U2F devices.\n"
170 " --nowhitelist=filename - disable whitelist for file or directory.\n"
172#ifdef HAVE_OUTPUT 171#ifdef HAVE_OUTPUT
173 " --output=logfile - stdout logging and log rotation.\n" 172 " --output=logfile - stdout logging and log rotation.\n"
174 " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" 173 " --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
@@ -225,14 +224,14 @@ static char *usage_str =
225#ifdef HAVE_NETWORK 224#ifdef HAVE_NETWORK
226 " --scan - ARP-scan all the networks from inside a network namespace.\n" 225 " --scan - ARP-scan all the networks from inside a network namespace.\n"
227#endif 226#endif
228 " --seccomp - enable seccomp filter and drop the default syscalls.\n" 227 " --seccomp - enable seccomp filter and apply the default blacklist.\n"
229 " --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n" 228 " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
230 "\tdefault syscall list and the syscalls specified by the command.\n" 229 "\tdefault syscall list and the syscalls specified by the command.\n"
231 " --seccomp.block-secondary - build only the native architecture filters.\n" 230 " --seccomp.block-secondary - build only the native architecture filters.\n"
232 " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" 231 " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"
233 "\tdrop the syscalls specified by the command.\n" 232 "\tblacklist the syscalls specified by the command.\n"
234 " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" 233 " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"
235 "\tallow the syscalls specified by the command.\n" 234 "\twhitelist the syscalls specified by the command.\n"
236 " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" 235 " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
237 "\tidentified by name or PID.\n" 236 "\tidentified by name or PID.\n"
238 " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" 237 " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
@@ -247,7 +246,7 @@ static char *usage_str =
247 " --top - monitor the most CPU-intensive sandboxes.\n" 246 " --top - monitor the most CPU-intensive sandboxes.\n"
248 " --trace - trace open, access and connect system calls.\n" 247 " --trace - trace open, access and connect system calls.\n"
249 " --tracelog - add a syslog message for every access to files or\n" 248 " --tracelog - add a syslog message for every access to files or\n"
250 "\tdirectories dropped by the security profile.\n" 249 "\tdirectories blacklisted by the security profile.\n"
251 " --tree - print a tree of all sandboxed processes.\n" 250 " --tree - print a tree of all sandboxed processes.\n"
252 " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" 251 " --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
253 "\tfiretunnel utility.\n" 252 "\tfiretunnel utility.\n"
@@ -255,6 +254,7 @@ static char *usage_str =
255#ifdef HAVE_NETWORK 254#ifdef HAVE_NETWORK
256 " --veth-name=name - use this name for the interface connected to the bridge.\n" 255 " --veth-name=name - use this name for the interface connected to the bridge.\n"
257#endif 256#endif
257 " --whitelist=filename - whitelist directory or file.\n"
258 " --writable-etc - /etc directory is mounted read-write.\n" 258 " --writable-etc - /etc directory is mounted read-write.\n"
259 " --writable-run-user - allow access to /run/user/$UID/systemd and\n" 259 " --writable-run-user - allow access to /run/user/$UID/systemd and\n"
260 "\t/run/user/$UID/gnupg.\n" 260 "\t/run/user/$UID/gnupg.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 094a68c60..f0df45eb2 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -459,31 +459,21 @@ int is_dir(const char *fname) {
459 if (*fname == '\0') 459 if (*fname == '\0')
460 return 0; 460 return 0;
461 461
462 int called_as_root = 0;
463 if (geteuid() == 0)
464 called_as_root = 1;
465
466 if (called_as_root)
467 EUID_USER();
468
469 // if fname doesn't end in '/', add one 462 // if fname doesn't end in '/', add one
470 int rv; 463 int rv;
471 struct stat s; 464 struct stat s;
472 if (fname[strlen(fname) - 1] == '/') 465 if (fname[strlen(fname) - 1] == '/')
473 rv = stat(fname, &s); 466 rv = stat_as_user(fname, &s);
474 else { 467 else {
475 char *tmp; 468 char *tmp;
476 if (asprintf(&tmp, "%s/", fname) == -1) { 469 if (asprintf(&tmp, "%s/", fname) == -1) {
477 fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); 470 fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
478 errExit("asprintf"); 471 errExit("asprintf");
479 } 472 }
480 rv = stat(tmp, &s); 473 rv = stat_as_user(tmp, &s);
481 free(tmp); 474 free(tmp);
482 } 475 }
483 476
484 if (called_as_root)
485 EUID_ROOT();
486
487 if (rv == -1) 477 if (rv == -1)
488 return 0; 478 return 0;
489 479
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h
index be3104da3..3f8c89bfb 100644
--- a/src/jailcheck/jailcheck.h
+++ b/src/jailcheck/jailcheck.h
@@ -61,4 +61,4 @@ char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
61int find_child(pid_t pid); 61int find_child(pid_t pid);
62pid_t switch_to_child(pid_t pid); 62pid_t switch_to_child(pid_t pid);
63 63
64#endif \ No newline at end of file 64#endif
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
index 7f994d6a1..be18ac109 100644
--- a/src/jailcheck/noexec.c
+++ b/src/jailcheck/noexec.c
@@ -110,4 +110,4 @@ void noexec_test(const char *path) {
110 wait(&status); 110 wait(&status);
111 int rv = unlink(fname); 111 int rv = unlink(fname);
112 (void) rv; 112 (void) rv;
113} \ No newline at end of file 113}
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6280026e6..a1eccaa5e 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -78,7 +78,7 @@ in your desktop environment copy the profile file in ~/.config/firejail director
78Several command line options can be passed to the program using 78Several command line options can be passed to the program using
79profile files. Firejail chooses the profile file as follows: 79profile files. Firejail chooses the profile file as follows:
80 80
81\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. 81\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
82Example: 82Example:
83.PP 83.PP
84.RS 84.RS
@@ -156,7 +156,7 @@ Scripting commands:
156\fBFile and directory names 156\fBFile and directory names
157File and directory names containing spaces are supported. The space character ' ' should not be escaped. 157File and directory names containing spaces are supported. The space character ' ' should not be escaped.
158 158
159Example: "deny ~/My Virtual Machines" 159Example: "blacklist ~/My Virtual Machines"
160 160
161.TP 161.TP
162\fB# this is a comment 162\fB# this is a comment
@@ -170,11 +170,11 @@ net none # this command creates an empty network namespace
170\fB?CONDITIONAL: profile line 170\fB?CONDITIONAL: profile line
171Conditionally add profile line. 171Conditionally add profile line.
172 172
173Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir" 173Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
174 174
175This example will load the profile line only if the \-\-appimage option has been specified on the command line. 175This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
176 176
177Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM 177Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
178can be enabled or disabled globally in Firejail's configuration file. 178can be enabled or disabled globally in Firejail's configuration file.
179 179
180The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. 180The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
@@ -205,16 +205,16 @@ storing modifications to the persistent configuration. Persistent .local files
205are included at the start of regular profile files. 205are included at the start of regular profile files.
206 206
207.TP 207.TP
208\fBnoallow file_name 208\fBnoblacklist file_name
209If the file name matches file_name, the file will not be allowed in any allow commands that follow. 209If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
210 210
211Example: "nowhitelist ~/.config" 211Example: "noblacklist ${HOME}/.mozilla"
212 212
213.TP 213.TP
214\fBnodeny file_name 214\fBnowhitelist file_name
215If the file name matches file_name, the file will not be denied any deny commands that follow. 215If the file name matches file_name, the file will not be whitelisted in any whitelist commands that follow.
216 216
217Example: "nodeny ${HOME}/.mozilla" 217Example: "nowhitelist ~/.config"
218 218
219.TP 219.TP
220\fBignore 220\fBignore
@@ -242,17 +242,19 @@ HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR sect
242for more details. 242for more details.
243Examples: 243Examples:
244.TP 244.TP
245\fBallow file_or_directory 245\fBblacklist file_or_directory
246Allow directory or file. A temporary file system is mounted on the top directory, and the 246Blacklist directory or file. Examples:
247allowed files are mount-binded inside. Modifications to allowd files are persistent,
248everything else is discarded when the sandbox is closed. The top directory can be
249all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
250all directories in /usr.
251.br 247.br
252 248
253.br 249.br
254Symbolic link handling: with the exception of user home, both the link and the real file should be in 250blacklist /usr/bin
255the same top directory. For user home, both the link and the real file should be owned by the user. 251.br
252blacklist /usr/bin/gcc*
253.br
254blacklist ${PATH}/ifconfig
255.br
256blacklist ${HOME}/.ssh
257
256.TP 258.TP
257\fBblacklist-nolog file_or_directory 259\fBblacklist-nolog file_or_directory
258When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. 260When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory.
@@ -271,20 +273,6 @@ Mount-bind directory1 on top of directory2. This option is only available when r
271\fBbind file1,file2 273\fBbind file1,file2
272Mount-bind file1 on top of file2. This option is only available when running as root. 274Mount-bind file1 on top of file2. This option is only available when running as root.
273.TP 275.TP
274\fBdeny file_or_directory
275Deny access to directory or file. Examples:
276.br
277
278.br
279deny /usr/bin
280.br
281deny /usr/bin/gcc*
282.br
283deny ${PATH}/ifconfig
284.br
285deny ${HOME}/.ssh
286
287.TP
288\fBdisable-mnt 276\fBdisable-mnt
289Disable /mnt, /media, /run/mount and /run/media access. 277Disable /mnt, /media, /run/mount and /run/media access.
290.TP 278.TP
@@ -304,7 +292,7 @@ The directory is created if it doesn't already exist.
304.br 292.br
305 293
306.br 294.br
307Use this command for allowed directories you need to preserve 295Use this command for whitelisted directories you need to preserve
308when the sandbox is closed. Without it, the application will create the directory, and the directory 296when the sandbox is closed. Without it, the application will create the directory, and the directory
309will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from 297will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from
310firefox profile: 298firefox profile:
@@ -317,7 +305,7 @@ whitelist ~/.mozilla
317.br 305.br
318mkdir ~/.cache/mozilla/firefox 306mkdir ~/.cache/mozilla/firefox
319.br 307.br
320allow ~/.cache/mozilla/firefox 308whitelist ~/.cache/mozilla/firefox
321.br 309.br
322 310
323.br 311.br
@@ -336,16 +324,16 @@ Remount the file or the directory noexec, nodev and nosuid.
336#ifdef HAVE_OVERLAYFS 324#ifdef HAVE_OVERLAYFS
337.TP 325.TP
338\fBoverlay 326\fBoverlay
339Mount a filesystem overlay on top of the current filesystem. 327Mount a filesystem overlay on top of the current filesystem.
340The overlay is stored in $HOME/.firejail/<PID> directory. 328The overlay is stored in $HOME/.firejail/<PID> directory.
341.TP 329.TP
342\fBoverlay-named name 330\fBoverlay-named name
343Mount a filesystem overlay on top of the current filesystem. 331Mount a filesystem overlay on top of the current filesystem.
344The overlay is stored in $HOME/.firejail/name directory. 332The overlay is stored in $HOME/.firejail/name directory.
345.TP 333.TP
346\fBoverlay-tmpfs 334\fBoverlay-tmpfs
347Mount a filesystem overlay on top of the current filesystem. 335Mount a filesystem overlay on top of the current filesystem.
348All filesystem modifications are discarded when the sandbox is closed. 336All filesystem modifications are discarded when the sandbox is closed.
349#endif 337#endif
350.TP 338.TP
351\fBprivate 339\fBprivate
@@ -423,7 +411,7 @@ expressed as foo/bar -- is disallowed).
423All modifications are discarded when the sandbox is closed. 411All modifications are discarded when the sandbox is closed.
424.TP 412.TP
425\fBprivate-tmp 413\fBprivate-tmp
426Mount an empty temporary filesystem on top of /tmp directory allowing /tmp/.X11-unix. 414Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
427.TP 415.TP
428\fBread-only file_or_directory 416\fBread-only file_or_directory
429Make directory or file read-only. 417Make directory or file read-only.
@@ -435,13 +423,25 @@ Make directory or file read-write.
435Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. 423Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
436.TP 424.TP
437\fBtracelog 425\fBtracelog
438File system deny violations logged to syslog. 426Blacklist violations logged to syslog.
427.TP
428\fBwhitelist file_or_directory
429Whitelist directory or file. A temporary file system is mounted on the top directory, and the
430whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
431everything else is discarded when the sandbox is closed. The top directory can be
432all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
433all directories in /usr.
434.br
435
436.br
437Symbolic link handling: with the exception of user home, both the link and the real file should be in
438the same top directory. For user home, both the link and the real file should be owned by the user.
439.TP 439.TP
440\fBwritable-etc 440\fBwritable-etc
441Mount /etc directory read-write. 441Mount /etc directory read-write.
442.TP 442.TP
443\fBwritable-run-user 443\fBwritable-run-user
444Disable the default denying of run/user/$UID/systemd and /run/user/$UID/gnupg. 444Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.
445.TP 445.TP
446\fBwritable-var 446\fBwritable-var
447Mount /var directory read-write. 447Mount /var directory read-write.
@@ -455,7 +455,7 @@ The following security filters are currently implemented:
455 455
456.TP 456.TP
457\fBallow-debuggers 457\fBallow-debuggers
458Allow tools such as strace and gdb inside the sandbox by allowing system calls ptrace and process_vm_readv. 458Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv.
459#ifdef HAVE_APPARMOR 459#ifdef HAVE_APPARMOR
460.TP 460.TP
461\fBapparmor 461\fBapparmor
@@ -466,13 +466,13 @@ Enable AppArmor confinement.
466Enable default Linux capabilities filter. 466Enable default Linux capabilities filter.
467.TP 467.TP
468\fBcaps.drop capability,capability,capability 468\fBcaps.drop capability,capability,capability
469Deny given Linux capabilities. 469Blacklist given Linux capabilities.
470.TP 470.TP
471\fBcaps.drop all 471\fBcaps.drop all
472Deny all Linux capabilities. 472Blacklist all Linux capabilities.
473.TP 473.TP
474\fBcaps.keep capability,capability,capability 474\fBcaps.keep capability,capability,capability
475Allow given Linux capabilities. 475Whitelist given Linux capabilities.
476.TP 476.TP
477\fBmemory-deny-write-execute 477\fBmemory-deny-write-execute
478Install a seccomp filter to block attempts to create memory mappings 478Install a seccomp filter to block attempts to create memory mappings
@@ -487,42 +487,42 @@ does not result in an increase of privilege.
487#ifdef HAVE_USERNS 487#ifdef HAVE_USERNS
488.TP 488.TP
489\fBnoroot 489\fBnoroot
490Use this command to enable an user namespace. The namespace has only one user, the current user. 490Use this command to enable an user namespace. The namespace has only one user, the current user.
491There is no root account (uid 0) defined in the namespace. 491There is no root account (uid 0) defined in the namespace.
492#endif 492#endif
493.TP 493.TP
494\fBprotocol protocol1,protocol2,protocol3 494\fBprotocol protocol1,protocol2,protocol3
495Enable protocol filter. The filter is based on seccomp and checks the 495Enable protocol filter. The filter is based on seccomp and checks the
496first argument to socket system call. Recognized values: \fBunix\fR, 496first argument to socket system call. Recognized values: \fBunix\fR,
497\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. 497\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
498.TP 498.TP
499\fBseccomp 499\fBseccomp
500Enable seccomp filter and deny the syscalls in the default list. See man 1 firejail for more details. 500Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
501.TP 501.TP
502\fBseccomp.32 502\fBseccomp.32
503Enable seccomp filter and deny the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. 503Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.
504.TP 504.TP
505\fBseccomp syscall,syscall,syscall 505\fBseccomp syscall,syscall,syscall
506Enable seccomp filter and deny the system calls in the list on top of default seccomp filter. 506Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
507.TP 507.TP
508\fBseccomp.32 syscall,syscall,syscall 508\fBseccomp.32 syscall,syscall,syscall
509Enable seccomp filter and deny the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. 509Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.
510.TP 510.TP
511\fBseccomp.block-secondary 511\fBseccomp.block-secondary
512Enable seccomp filter and filter system call architectures 512Enable seccomp filter and filter system call architectures
513so that only the native architecture is allowed. 513so that only the native architecture is allowed.
514.TP 514.TP
515\fBseccomp.drop syscall,syscall,syscall 515\fBseccomp.drop syscall,syscall,syscall
516Enable seccomp filter and deny the system calls in the list. 516Enable seccomp filter and blacklist the system calls in the list.
517.TP 517.TP
518\fBseccomp.32.drop syscall,syscall,syscall 518\fBseccomp.32.drop syscall,syscall,syscall
519Enable seccomp filter and deny the system calls in the list for 32 bit system calls on a 64 bit architecture system. 519Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
520.TP 520.TP
521\fBseccomp.keep syscall,syscall,syscall 521\fBseccomp.keep syscall,syscall,syscall
522Enable seccomp filter and allow the system calls in the list. 522Enable seccomp filter and whitelist the system calls in the list.
523.TP 523.TP
524\fBseccomp.32.keep syscall,syscall,syscall 524\fBseccomp.32.keep syscall,syscall,syscall
525Enable seccomp filter and allow the system calls in the list for 32 bit system calls on a 64 bit architecture system. 525Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
526.TP 526.TP
527\fBseccomp-error-action kill | log | ERRNO 527\fBseccomp-error-action kill | log | ERRNO
528Return a different error instead of EPERM to the process, kill it when 528Return a different error instead of EPERM to the process, kill it when
@@ -534,7 +534,7 @@ attempt.
534Enable X11 sandboxing. 534Enable X11 sandboxing.
535.TP 535.TP
536\fBx11 none 536\fBx11 none
537Deny access to /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. 537Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
538Remove DISPLAY and XAUTHORITY environment variables. 538Remove DISPLAY and XAUTHORITY environment variables.
539Stop with error message if X11 abstract socket will be accessible in jail. 539Stop with error message if X11 abstract socket will be accessible in jail.
540.TP 540.TP
@@ -606,7 +606,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
606Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. 606Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
607.TP 607.TP
608\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications 608\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
609Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. 609Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
610.TP 610.TP
611\fBdbus-user filter 611\fBdbus-user filter
612Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. 612Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
@@ -873,8 +873,8 @@ a DHCP client and releasing the lease manually.
873 873
874.TP 874.TP
875\fBiprange address,address 875\fBiprange address,address
876Assign an IP address in the provided range to the last network 876Assign an IP address in the provided range to the last network
877interface defined by a net command. A default gateway is assigned by default. 877interface defined by a net command. A default gateway is assigned by default.
878.br 878.br
879 879
880.br 880.br
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 498ff9aa9..2883ab257 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -45,7 +45,7 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-deb
45#ifdef HAVE_LTS 45#ifdef HAVE_LTS
46This is Firejail long-term support (LTS), an enterprise focused version of the software, 46This is Firejail long-term support (LTS), an enterprise focused version of the software,
47LTS is usually supported for two or three years. 47LTS is usually supported for two or three years.
48During this time only bugs and the occasional documentation problems are fixed. 48During this time only bugs and the occasional documentation problems are fixed.
49The attack surface of the SUID executable was greatly reduced by removing some of the features. 49The attack surface of the SUID executable was greatly reduced by removing some of the features.
50.br 50.br
51 51
@@ -99,40 +99,6 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
99\fB\-\- 99\fB\-\-
100Signal the end of options and disables further option processing. 100Signal the end of options and disables further option processing.
101.TP 101.TP
102\fB\-\-allow=dirname_or_filename
103Allow access to a directory or file. A temporary file system is mounted on the top directory, and the
104allowed files are mount-binded inside. Modifications to allowed files are persistent,
105everything else is discarded when the sandbox is closed. The top directory can be
106all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
107all directories in /usr.
108.br
109
110.br
111Symbolic link handling: with the exception of user home, both the link and the real file should be in
112the same top directory. For user home, both the link and the real file should be owned by the user.
113.br
114
115.br
116File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
117.br
118
119.br
120Example:
121.br
122$ firejail \-\-noprofile \-\-allow=~/.mozilla
123.br
124$ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null
125.br
126$ firejail "\-\-allow=/home/username/My Virtual Machines"
127.br
128$ firejail \-\-allow=~/work* \-\-allow=/var/backups*
129
130
131
132
133
134
135.TP
136\fB\-\-allow-debuggers 102\fB\-\-allow-debuggers
137Allow tools such as strace and gdb inside the sandbox by whitelisting 103Allow tools such as strace and gdb inside the sandbox by whitelisting
138system calls ptrace and process_vm_readv. This option is only 104system calls ptrace and process_vm_readv. This option is only
@@ -143,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter.
143.br 109.br
144Example: 110Example:
145.br 111.br
146$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox 112$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
147.TP 113.TP
148\fB\-\-allusers 114\fB\-\-allusers
149All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. 115All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
@@ -203,6 +169,21 @@ Example:
203.br 169.br
204# firejail \-\-bind=/config/etc/passwd,/etc/passwd 170# firejail \-\-bind=/config/etc/passwd,/etc/passwd
205.TP 171.TP
172\fB\-\-blacklist=dirname_or_filename
173Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
174.br
175
176.br
177Example:
178.br
179$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
180.br
181$ firejail \-\-blacklist=~/.mozilla
182.br
183$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
184.br
185$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
186.TP
206\fB\-\-build 187\fB\-\-build
207The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also 188The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
208builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, 189builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
@@ -262,7 +243,7 @@ $ firejail \-\-caps.drop=all warzone2100
262 243
263.TP 244.TP
264\fB\-\-caps.drop=capability,capability,capability 245\fB\-\-caps.drop=capability,capability,capability
265Define a custom Linux capabilities filter. 246Define a custom blacklist Linux capabilities filter.
266.br 247.br
267 248
268.br 249.br
@@ -643,14 +624,14 @@ Example:
643$ firejail \-\-debug firefox 624$ firejail \-\-debug firefox
644 625
645.TP 626.TP
646\fB\-\-debug-allow\fR 627\fB\-\-debug-blacklists\fR
647Debug file system access. 628Debug blacklisting.
648.br 629.br
649 630
650.br 631.br
651Example: 632Example:
652.br 633.br
653$ firejail \-\-debug-allow firefox 634$ firejail \-\-debug-blacklists firefox
654 635
655.TP 636.TP
656\fB\-\-debug-caps 637\fB\-\-debug-caps
@@ -663,16 +644,6 @@ Example:
663$ firejail \-\-debug-caps 644$ firejail \-\-debug-caps
664 645
665.TP 646.TP
666\fB\-\-debug-deny\fR
667Debug file access.
668.br
669
670.br
671Example:
672.br
673$ firejail \-\-debug-deny firefox
674
675.TP
676\fB\-\-debug-errnos 647\fB\-\-debug-errnos
677Print all recognized error numbers in the current Firejail software build and exit. 648Print all recognized error numbers in the current Firejail software build and exit.
678.br 649.br
@@ -706,44 +677,33 @@ $ firejail \-\-debug-syscalls
706\fB\-\-debug-syscalls32 677\fB\-\-debug-syscalls32
707Print all recognized 32 bit system calls in the current Firejail software build and exit. 678Print all recognized 32 bit system calls in the current Firejail software build and exit.
708.br 679.br
709
710#ifdef HAVE_NETWORK
711.TP 680.TP
712\fB\-\-defaultgw=address 681\fB\-\-debug-whitelists\fR
713Use this address as default gateway in the new network namespace. 682Debug whitelisting.
714.br 683.br
715 684
716.br 685.br
717Example: 686Example:
718.br 687.br
719$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox 688$ firejail \-\-debug-whitelists firefox
720#endif 689#ifdef HAVE_NETWORK
721
722.TP 690.TP
723\fB\-\-deny=dirname_or_filename 691\fB\-\-defaultgw=address
724Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. 692Use this address as default gateway in the new network namespace.
725.br 693.br
726 694
727.br 695.br
728Example: 696Example:
729.br 697.br
730$ firejail \-\-deny=/sbin \-\-deny=/usr/sbin 698$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
731.br 699#endif
732$ firejail \-\-deny=~/.mozilla
733.br
734$ firejail "\-\-deny=/home/username/My Virtual Machines"
735.br
736$ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines
737
738
739
740.TP 700.TP
741\fB\-\-deterministic-exit-code 701\fB\-\-deterministic-exit-code
742Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. 702Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
743.br 703.br
744.TP 704.TP
745\fB\-\-disable-mnt 705\fB\-\-disable-mnt
746Deny access to /mnt, /media, /run/mount and /run/media. 706Blacklist /mnt, /media, /run/mount and /run/media access.
747.br 707.br
748 708
749.br 709.br
@@ -987,7 +947,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
987 947
988.TP 948.TP
989\fB\-\-ipc-namespace 949\fB\-\-ipc-namespace
990Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default 950Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
991for sandboxes started as root. 951for sandboxes started as root.
992.br 952.br
993 953
@@ -1054,7 +1014,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL
1054.br 1014.br
1055 1015
1056.br 1016.br
1057# verify IP addresses 1017# verify IP addresses
1058.br 1018.br
1059$ sudo firejail --join-network=browser ip addr 1019$ sudo firejail --join-network=browser ip addr
1060.br 1020.br
@@ -1511,16 +1471,12 @@ Example:
1511$ firejail --no3d firefox 1471$ firejail --no3d firefox
1512 1472
1513.TP 1473.TP
1514\fB\-\-noallow=dirname_or_filename
1515Disable \-\-allow for this directory or file.
1516
1517.TP
1518\fB\-\-noautopulse \fR(deprecated) 1474\fB\-\-noautopulse \fR(deprecated)
1519See --keep-config-pulse. 1475See --keep-config-pulse.
1520 1476
1521.TP 1477.TP
1522\fB\-\-nodeny=dirname_or_filename 1478\fB\-\-noblacklist=dirname_or_filename
1523Disable \-\-deny for this directory or file. 1479Disable blacklist for this directory or file.
1524.br 1480.br
1525 1481
1526.br 1482.br
@@ -1536,7 +1492,7 @@ $ exit
1536.br 1492.br
1537 1493
1538.br 1494.br
1539$ firejail --nodeny=/bin/nc 1495$ firejail --noblacklist=/bin/nc
1540.br 1496.br
1541$ nc dict.org 2628 1497$ nc dict.org 2628
1542.br 1498.br
@@ -1710,6 +1666,10 @@ $ firejail \-\-nou2f
1710Disable video devices. 1666Disable video devices.
1711.br 1667.br
1712 1668
1669.TP
1670\fB\-\-nowhitelist=dirname_or_filename
1671Disable whitelist for this directory or file.
1672
1713#ifdef HAVE_OUTPUT 1673#ifdef HAVE_OUTPUT
1714.TP 1674.TP
1715\fB\-\-output=logfile 1675\fB\-\-output=logfile
@@ -2174,7 +2134,7 @@ Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
2174.TP 2134.TP
2175\fB\-\-rlimit-cpu=number 2135\fB\-\-rlimit-cpu=number
2176Set the maximum limit, in seconds, for the amount of CPU time each 2136Set the maximum limit, in seconds, for the amount of CPU time each
2177sandboxed process can consume. When the limit is reached, the processes are killed. 2137sandboxed process can consume. When the limit is reached, the processes are killed.
2178 2138
2179The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds 2139The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
2180the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps 2140the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
@@ -2218,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
2218.TP 2178.TP
2219\fB\-\-seccomp 2179\fB\-\-seccomp
2220Enable seccomp filter and blacklist the syscalls in the default list, 2180Enable seccomp filter and blacklist the syscalls in the default list,
2221which is @default-nodebuggers unless \-\-allow-debuggers is specified, 2181which is @default-nodebuggers unless \-\-allow-debuggers is specified,
2222then it is @default. 2182then it is @default.
2223 2183
2224.br 2184.br
@@ -2773,6 +2733,34 @@ Example:
2773.br 2733.br
2774$ firejail \-\-net=br0 --veth-name=if0 2734$ firejail \-\-net=br0 --veth-name=if0
2775#endif 2735#endif
2736.TP
2737\fB\-\-whitelist=dirname_or_filename
2738Whitelist directory or file. A temporary file system is mounted on the top directory, and the
2739whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
2740everything else is discarded when the sandbox is closed. The top directory can be
2741all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
2742all directories in /usr.
2743.br
2744
2745.br
2746Symbolic link handling: with the exception of user home, both the link and the real file should be in
2747the same top directory. For user home, both the link and the real file should be owned by the user.
2748.br
2749
2750.br
2751File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
2752.br
2753
2754.br
2755Example:
2756.br
2757$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
2758.br
2759$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
2760.br
2761$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
2762.br
2763$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
2776 2764
2777.TP 2765.TP
2778\fB\-\-writable-etc 2766\fB\-\-writable-etc
@@ -2877,7 +2865,7 @@ and it is installed by default on most Linux distributions. It provides support
2877connection model. Untrusted clients are restricted in certain ways to prevent them from reading window 2865connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
2878contents of other clients, stealing input events, etc. 2866contents of other clients, stealing input events, etc.
2879 2867
2880The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients 2868The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients
2881and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. 2869and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
2882Firefox and transmission-gtk seem to be working fine. 2870Firefox and transmission-gtk seem to be working fine.
2883A network namespace is not required for this option. 2871A network namespace is not required for this option.
@@ -3268,7 +3256,7 @@ The owner of the sandbox.
3268.SH RESTRICTED SHELL 3256.SH RESTRICTED SHELL
3269To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in 3257To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
3270/etc/passwd file for each user that needs to be restricted. Alternatively, 3258/etc/passwd file for each user that needs to be restricted. Alternatively,
3271you can specify /usr/bin/firejail in adduser command: 3259you can specify /usr/bin/firejail in adduser command:
3272 3260
3273adduser \-\-shell /usr/bin/firejail username 3261adduser \-\-shell /usr/bin/firejail username
3274 3262
@@ -3278,7 +3266,7 @@ Additional arguments passed to firejail executable upon login are declared in /e
3278Several command line options can be passed to the program using 3266Several command line options can be passed to the program using
3279profile files. Firejail chooses the profile file as follows: 3267profile files. Firejail chooses the profile file as follows:
3280 3268
32811. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. 32691. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
3282Example: 3270Example:
3283.PP 3271.PP
3284.RS 3272.RS
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 76b2f7be2..c4e6e15b3 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -56,7 +56,7 @@ Print route table for each sandbox.
56Print seccomp configuration for each sandbox. 56Print seccomp configuration for each sandbox.
57.TP 57.TP
58\fB\-\-top 58\fB\-\-top
59Monitor the most CPU-intensive sandboxes. This command is similar to 59Monitor the most CPU-intensive sandboxes. This command is similar to
60the regular UNIX top command, however it applies only to sandboxes. 60the regular UNIX top command, however it applies only to sandboxes.
61.TP 61.TP
62\fB\-\-tree 62\fB\-\-tree
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c
index 93bb3f73d..beff93199 100644
--- a/src/tools/profcleaner.c
+++ b/src/tools/profcleaner.c
@@ -72,4 +72,4 @@ int main(int argc, char **argv) {
72 } 72 }
73 73
74 return 0; 74 return 0;
75} \ No newline at end of file 75}
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 666dfd4c2..c7f6ee3f1 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -218,7 +218,7 @@ _firejail_args=(
218 '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' 218 '--netfilter.print=-[print the firewall name|pid]: :_all_firejails'
219 '--netfilter6=-[enable IPv6 firewall]: :' 219 '--netfilter6=-[enable IPv6 firewall]: :'
220 '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' 220 '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails'
221 '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :' 221 '--netmask=-[define a network mask when dealing with unconfigured parent interfaces]: :'
222 '--netns=-[Run the program in a named, persistent network namespace]: :' 222 '--netns=-[Run the program in a named, persistent network namespace]: :'
223 '--netstats[monitor network statistics]' 223 '--netstats[monitor network statistics]'
224 '--interface=-[move interface in sandbox]: :' 224 '--interface=-[move interface in sandbox]: :'
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index 152975c9d..1e1dd549b 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -112,14 +112,17 @@ echo "TESTING: rlimit (test/environment/rlimit.exp)"
112echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)" 112echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)"
113./rlimit-profile.exp 113./rlimit-profile.exp
114 114
115echo "TESTING: rlimit join (test/environment/rlimit-join.exp)"
116./rlimit-join.exp
117
115echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)" 118echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
116./rlimit-bad.exp 119./rlimit-bad.exp
117 120
118echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)" 121echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
119./rlimit-bad-profile.exp 122./rlimit-bad-profile.exp
120 123
121echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp" 124echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)"
122./deterministic-exit-code.exp 125./deterministic-exit-code.exp
123 126
124echo "TESTING: retain umask (test/environment/umask.exp" 127echo "TESTING: retain umask (test/environment/umask.exp)"
125(umask 123 && ./umask.exp) 128(umask 123 && ./umask.exp)
diff --git a/test/environment/rlimit-join.exp b/test/environment/rlimit-join.exp
new file mode 100755
index 000000000..aa8a203c0
--- /dev/null
+++ b/test/environment/rlimit-join.exp
@@ -0,0 +1,36 @@
1#!/usr/bin/expect -f
2# This file is part of Firejail project
3# Copyright (C) 2014-2021 Firejail Authors
4# License GPL v2
5
6set timeout 10
7cd /home
8spawn $env(SHELL)
9match_max 100000
10
11send -- "firejail --noprofile --name=\"rlimit testing\"\r"
12expect {
13 timeout {puts "TESTING ERROR 0\n";exit}
14 "Child process initialized"
15}
16sleep 1
17
18spawn $env(SHELL)
19send -- "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r"
20expect {
21 timeout {puts "TESTING ERROR 1\n";exit}
22 "Switching to pid"
23}
24sleep 1
25
26send -- "cat /proc/self/limits\r"
27expect {
28 timeout {puts "TESTING ERROR 2\n";exit}
29 "Max open files 1234 1234"
30}
31after 100
32
33send -- "exit\r"
34after 100
35
36puts "\nall done\n"
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-19 10:51:36 +0000