14 files changed, 76 insertions, 17 deletions
diff --git a/README.md b/README.md
index bc8ed26f0..5c07954e9 100644
--- a/README.md
+++ b/README.md
@@ -196,4 +196,4 @@ gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnom
 penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
 four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
 hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
-seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication
+seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded
diff --git a/RELNOTES b/RELNOTES
index a06f3b23a..1f0ee5326 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -36,7 +36,8 @@ firejail (0.9.63) baseline; urgency=low
  * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
  * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop
  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im, strawberry
-  * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication
+  * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
+  * new profiles: gapplication, openarena_ded
 -- netblue30 <netblue30@yahoo.com>  Tue, 21 Apr 2020 08:00:00 -0500
 firejail (0.9.62) baseline; urgency=low
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 207f87074..7c41417ec 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -8,6 +8,7 @@ include flameshot.local
 include globals.local
 noblacklist ${PICTURES}
+noblacklist ${HOME}/.config/Dharkael
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +19,13 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+#whitelist ${PICTURES}
+#whitelist ${HOME}/.config/Dharkael
+whitelist /usr/share/flameshot
+#include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
@@ -35,13 +42,15 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
 private-dev
 private-tmp
-# dbus-user none
+dbus-user filter
-# dbus-system none
+dbus-user.own org.dharkael.Flameshot
+dbus-system none
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 06f13e8c6..653272499 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -20,6 +20,7 @@ mkdir ${HOME}/.frogatto
 whitelist ${HOME}/.frogatto
 whitelist /usr/share/frogatto
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index d7b46263d..5bb410278 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -24,6 +24,7 @@ whitelist /usr/share/ghostwriter
 whitelist /usr/share/mozilla-dicts
 whitelist /usr/share/texlive
 whitelist /usr/share/pandoc*
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 apparmor
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index ea4151137..eb5e9ec40 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -49,3 +49,5 @@ private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
 private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
+dbus-system none
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index d1893e412..6e35299be 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -23,6 +23,17 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
+# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
+#mkdir ${HOME}/Documents/KeePassXC
+#whitelist ${HOME}/Documents/KeePassXC
+# Needed for KeePassXC-Browser
+#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/keepassxc
+#whitelist ${HOME}/.config/keepassxc
+#include whitelist-common.inc
 whitelist /usr/share/keepassxc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index fa7d9edb0..1da430ce6 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -6,6 +6,9 @@ include minetest.local
 # Persistent global definitions
 include globals.local
+# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
+#   screenshot_path = /home/<USER>/.minetest/screenshots
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 3b15a6e42..45682fc31 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -16,30 +16,35 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.openarena
+whitelist ${HOME}/.openarena
+whitelist /usr/share/openarena
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.in
 include whitelist-var-common.inc
 apparmor
 caps.drop all
-# ipc-namespace
+netfilter
-# netfilter
+nodvd
-# nodvd
+nogroups
-# nogroups
 nonewprivs
 noroot
 notv
-# nou2f
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-# tracelog
+tracelog
-# disable-mnt
+disable-mnt
-# private-bin openarena
+private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
 private-cache
 private-dev
-# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
-# dbus-user none
+dbus-user none
-# dbus-system none
+dbus-system none
diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile
new file mode 100644
index 000000000..c529e7e11
--- /dev/null
+++ b/etc/profile-m-z/openarena_ded.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for openarena
+# This file is overwritten after every install/update
+# Redirect
+include openarena.profile
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index 66a536008..67463a999 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -19,7 +19,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.tremulous
 whitelist ${HOME}/.tremulous
+whitelist /usr/share/tremulous
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/xonotic-sdl-wrapper.profile b/etc/profile-m-z/xonotic-sdl-wrapper.profile
new file mode 100644
index 000000000..6f0c7cf4c
--- /dev/null
+++ b/etc/profile-m-z/xonotic-sdl-wrapper.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
+include xonotic-sdl-wrapper.local
+# Redirect
+include xonotic.profile
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 949988c3b..aa8cc7d0e 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -14,12 +14,17 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.xonotic
 whitelist ${HOME}/.xonotic
+whitelist /usr/share/xonotic
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -32,12 +37,17 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
-private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
+private-cache
+private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
 dbus-user none
 dbus-system none
+read-only ${HOME}
+read-write ${HOME}/.xonotic
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 34f6bf497..6c3779498 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -522,6 +522,7 @@ ooffice
 ooviewdoc
 open-invaders
 openarena
+openarena_ded
 opencity
 openclonk
 openoffice.org
@@ -783,6 +784,7 @@ xmr-stak
 xonotic
 xonotic-glx
 xonotic-sdl
+xonotic-sdl-wrapper
 xournal
 xpdf
 xplayer

diff --git a/README.md b/README.md index bc8ed26f0..5c07954e9 100644 --- a/README.md +++ b/README.md
@@ -196,4 +196,4 @@ gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnom
196	penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,	196	penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
197	four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,	197	four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
198	hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,	198	hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
199	seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication	199	seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded


diff --git a/RELNOTES b/RELNOTES index a06f3b23a..1f0ee5326 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -36,7 +36,8 @@ firejail (0.9.63) baseline; urgency=low
36	* new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski	36	* new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
37	* new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop	37	* new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop
38	* new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im, strawberry	38	* new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im, strawberry
39	* new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication	39	* new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
		40	* new profiles: gapplication, openarena_ded
40	-- netblue30 <netblue30@yahoo.com> Tue, 21 Apr 2020 08:00:00 -0500	41	-- netblue30 <netblue30@yahoo.com> Tue, 21 Apr 2020 08:00:00 -0500
41		42
42	firejail (0.9.62) baseline; urgency=low	43	firejail (0.9.62) baseline; urgency=low


diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile index 207f87074..7c41417ec 100644 --- a/etc/profile-a-l/flameshot.profile +++ b/etc/profile-a-l/flameshot.profile
@@ -8,6 +8,7 @@ include flameshot.local
8	include globals.local	8	include globals.local
9		9
10	noblacklist ${PICTURES}	10	noblacklist ${PICTURES}
		11	noblacklist ${HOME}/.config/Dharkael
11		12
12	include disable-common.inc	13	include disable-common.inc
13	include disable-devel.inc	14	include disable-devel.inc
@@ -18,7 +19,13 @@ include disable-programs.inc
18	include disable-shell.inc	19	include disable-shell.inc
19	include disable-xdg.inc	20	include disable-xdg.inc
20		21
		22	#whitelist ${PICTURES}
		23	#whitelist ${HOME}/.config/Dharkael
		24	whitelist /usr/share/flameshot
		25	#include whitelist-common.inc
21	include whitelist-runuser-common.inc	26	include whitelist-runuser-common.inc
		27	include whitelist-usr-share-common.inc
		28	include whitelist-var-common.inc
22		29
23	caps.drop all	30	caps.drop all
24	ipc-namespace	31	ipc-namespace
@@ -35,13 +42,15 @@ novideo
35	protocol unix,inet,inet6	42	protocol unix,inet,inet6
36	seccomp	43	seccomp
37	shell none	44	shell none
		45	tracelog
38		46
39	disable-mnt	47	disable-mnt
40	private-bin flameshot	48	private-bin flameshot
41	private-cache	49	private-cache
42	private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl	50	private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
43	private-dev	51	private-dev
44	private-tmp	52	private-tmp
45		53
46	# dbus-user none	54	dbus-user filter
47	# dbus-system none	55	dbus-user.own org.dharkael.Flameshot
		56	dbus-system none


diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile index 06f13e8c6..653272499 100644 --- a/etc/profile-a-l/frogatto.profile +++ b/etc/profile-a-l/frogatto.profile
@@ -20,6 +20,7 @@ mkdir ${HOME}/.frogatto
20	whitelist ${HOME}/.frogatto	20	whitelist ${HOME}/.frogatto
21	whitelist /usr/share/frogatto	21	whitelist /usr/share/frogatto
22	include whitelist-common.inc	22	include whitelist-common.inc
		23	include whitelist-runuser-common.inc
23	include whitelist-usr-share-common.inc	24	include whitelist-usr-share-common.inc
24	include whitelist-var-common.inc	25	include whitelist-var-common.inc
25		26


diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile index d7b46263d..5bb410278 100644 --- a/etc/profile-a-l/ghostwriter.profile +++ b/etc/profile-a-l/ghostwriter.profile
@@ -24,6 +24,7 @@ whitelist /usr/share/ghostwriter
24	whitelist /usr/share/mozilla-dicts	24	whitelist /usr/share/mozilla-dicts
25	whitelist /usr/share/texlive	25	whitelist /usr/share/texlive
26	whitelist /usr/share/pandoc*	26	whitelist /usr/share/pandoc*
		27	include whitelist-runuser-common.inc
27	include whitelist-usr-share-common.inc	28	include whitelist-usr-share-common.inc
28		29
29	apparmor	30	apparmor


diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile index ea4151137..eb5e9ec40 100644 --- a/etc/profile-a-l/gnome-latex.profile +++ b/etc/profile-a-l/gnome-latex.profile
@@ -49,3 +49,5 @@ private-cache
49	private-dev	49	private-dev
50	# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed	50	# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
51	private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive	51	private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
		52
		53	dbus-system none


diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index d1893e412..6e35299be 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile
@@ -23,6 +23,17 @@ include disable-programs.inc
23	include disable-shell.inc	23	include disable-shell.inc
24	include disable-xdg.inc	24	include disable-xdg.inc
25		25
		26	# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
		27	# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
		28	#mkdir ${HOME}/Documents/KeePassXC
		29	#whitelist ${HOME}/Documents/KeePassXC
		30	# Needed for KeePassXC-Browser
		31	#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
		32	#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
		33	#mkdir ${HOME}/.config/keepassxc
		34	#whitelist ${HOME}/.config/keepassxc
		35	#include whitelist-common.inc
		36
26	whitelist /usr/share/keepassxc	37	whitelist /usr/share/keepassxc
27	include whitelist-usr-share-common.inc	38	include whitelist-usr-share-common.inc
28	include whitelist-var-common.inc	39	include whitelist-var-common.inc


diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile index fa7d9edb0..1da430ce6 100644 --- a/etc/profile-m-z/minetest.profile +++ b/etc/profile-m-z/minetest.profile
@@ -6,6 +6,9 @@ include minetest.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
		9	# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
		10	# screenshot_path = /home/<USER>/.minetest/screenshots
		11
9	noblacklist ${HOME}/.cache/minetest	12	noblacklist ${HOME}/.cache/minetest
10	noblacklist ${HOME}/.minetest	13	noblacklist ${HOME}/.minetest
11		14


diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index 3b15a6e42..45682fc31 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile
@@ -16,30 +16,35 @@ include disable-passwdmgr.inc
16	include disable-programs.inc	16	include disable-programs.inc
17	include disable-xdg.inc	17	include disable-xdg.inc
18		18
		19	mkdir ${HOME}/.openarena
		20	whitelist ${HOME}/.openarena
		21	whitelist /usr/share/openarena
		22	include whitelist-common.inc
		23	include whitelist-runuser-common.inc
		24	include whitelist-usr-share-common.in
19	include whitelist-var-common.inc	25	include whitelist-var-common.inc
20		26
21	apparmor	27	apparmor
22	caps.drop all	28	caps.drop all
23	# ipc-namespace	29	netfilter
24	# netfilter	30	nodvd
25	# nodvd	31	nogroups
26	# nogroups
27	nonewprivs	32	nonewprivs
28	noroot	33	noroot
29	notv	34	notv
30	# nou2f	35	nou2f
31	novideo	36	novideo
32	protocol unix,inet,inet6,netlink	37	protocol unix,inet,inet6,netlink
33	seccomp	38	seccomp
34	shell none	39	shell none
35	# tracelog	40	tracelog
36		41
37	# disable-mnt	42	disable-mnt
38	# private-bin openarena	43	private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
39	private-cache	44	private-cache
40	private-dev	45	private-dev
41	# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg	46	private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
42	private-tmp	47	private-tmp
43		48
44	# dbus-user none	49	dbus-user none
45	# dbus-system none	50	dbus-system none


diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile new file mode 100644 index 000000000..c529e7e11 --- /dev/null +++ b/etc/profile-m-z/openarena_ded.profile
@@ -0,0 +1,5 @@
		1	# Firejail profile alias for openarena
		2	# This file is overwritten after every install/update
		3
		4	# Redirect
		5	include openarena.profile


diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile index 66a536008..67463a999 100644 --- a/etc/profile-m-z/tremulous.profile +++ b/etc/profile-m-z/tremulous.profile
@@ -19,7 +19,10 @@ include disable-xdg.inc
19		19
20	mkdir ${HOME}/.tremulous	20	mkdir ${HOME}/.tremulous
21	whitelist ${HOME}/.tremulous	21	whitelist ${HOME}/.tremulous
		22	whitelist /usr/share/tremulous
22	include whitelist-common.inc	23	include whitelist-common.inc
		24	include whitelist-runuser-common.inc
		25	include whitelist-usr-share-common.inc
23	include whitelist-var-common.inc	26	include whitelist-var-common.inc
24		27
25	caps.drop all	28	caps.drop all


diff --git a/etc/profile-m-z/xonotic-sdl-wrapper.profile b/etc/profile-m-z/xonotic-sdl-wrapper.profile new file mode 100644 index 000000000..6f0c7cf4c --- /dev/null +++ b/etc/profile-m-z/xonotic-sdl-wrapper.profile
@@ -0,0 +1,6 @@
		1	# Firejail profile alias for xonotic
		2	# This file is overwritten after every install/update
		3	include xonotic-sdl-wrapper.local
		4
		5	# Redirect
		6	include xonotic.profile


diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile index 949988c3b..aa8cc7d0e 100644 --- a/etc/profile-m-z/xonotic.profile +++ b/etc/profile-m-z/xonotic.profile
@@ -14,12 +14,17 @@ include disable-exec.inc
14	include disable-interpreters.inc	14	include disable-interpreters.inc
15	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
16	include disable-programs.inc	16	include disable-programs.inc
		17	include disable-xdg.inc
17		18
18	mkdir ${HOME}/.xonotic	19	mkdir ${HOME}/.xonotic
19	whitelist ${HOME}/.xonotic	20	whitelist ${HOME}/.xonotic
		21	whitelist /usr/share/xonotic
20	include whitelist-common.inc	22	include whitelist-common.inc
		23	include whitelist-runuser-common.inc
		24	include whitelist-usr-share-common.inc
21	include whitelist-var-common.inc	25	include whitelist-var-common.inc
22		26
		27	apparmor
23	caps.drop all	28	caps.drop all
24	netfilter	29	netfilter
25	nodvd	30	nodvd
@@ -32,12 +37,17 @@ novideo
32	protocol unix,inet,inet6	37	protocol unix,inet,inet6
33	seccomp	38	seccomp
34	shell none	39	shell none
		40	tracelog
35		41
36	disable-mnt	42	disable-mnt
37	private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl	43	private-cache
		44	private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity
38	private-dev	45	private-dev
39	private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl	46	private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
40	private-tmp	47	private-tmp
41		48
42	dbus-user none	49	dbus-user none
43	dbus-system none	50	dbus-system none
		51
		52	read-only ${HOME}
		53	read-write ${HOME}/.xonotic


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 34f6bf497..6c3779498 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -522,6 +522,7 @@ ooffice
522	ooviewdoc	522	ooviewdoc
523	open-invaders	523	open-invaders
524	openarena	524	openarena
		525	openarena_ded
525	opencity	526	opencity
526	openclonk	527	openclonk
527	openoffice.org	528	openoffice.org
@@ -783,6 +784,7 @@ xmr-stak
783	xonotic	784	xonotic
784	xonotic-glx	785	xonotic-glx
785	xonotic-sdl	786	xonotic-sdl
		787	xonotic-sdl-wrapper
786	xournal	788	xournal
787	xpdf	789	xpdf
788	xplayer	790	xplayer