11 files changed, 30 insertions, 16 deletions

diff --git a/README b/README
index b7687b494..77fa231b1 100644
--- a/README
+++ b/README
@@ -9,7 +9,7 @@ Pidgin, Quassel, and XChat.
 Firejail also expands the restricted shell facility found  in  bash  by adding
 Linux  namespace support. It supports sandboxing specific users upon login.
 
-Download: http://sourceforge.net/projects/firejail/files/
+Download: https://sourceforge.net/projects/firejail/files/
 Build and install: ./configure && make && sudo make install
 Documentation and support: https://firejail.wordpress.com/
 Development: https://github.com/netblue30/firejail
@@ -123,6 +123,9 @@ BogDan Vatra (https://github.com/bog-dan-ro)
 Bruno Nova (https://github.com/brunonova)
         - whitelist fix
         - bash arguments fix
+Bundy01 (https://github.com/Bundy01)
+        - fixup geary
+        - add gradio profile
 BytesTuner (https://github.com/BytesTuner)
         - provided keepassxc profile
 caoliver (https://github.com/caoliver)
@@ -242,7 +245,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
         - added Catfish profile
 g3ngr33n (https://github.com/g3ngr33n)
         - fix musl compilation
-G4JC (http://sourceforge.net/u/gaming4jc/profile/)
+G4JC (https://sourceforge.net/u/gaming4jc/profile/)
         - ARM support
         - profile fixes
 Gaman Gabriel (https://github.com/stelariusinfinitek)
@@ -409,7 +412,7 @@ Ondra Nekola (https://github.com/satai)
         - allow firefox theming with non-global themes
 Panzerfather (https://github.com/Panzerfather)
         - allow eog to access user's trash
-Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
+Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
         - user namespace implementation
 Paul Moore <pmoore@redhat.com>
         -src/fsec-print/print.c extracted from libseccomp software package
@@ -549,7 +552,7 @@ SkewedZeppelin (https://github.com/SkewedZeppelin)
         - hardern /var
         - profile standard layout
         - Spotify and itch.io profile fixes
-sshirokov (http://sourceforge.net/u/yshirokov/profile/)
+sshirokov (https://sourceforge.net/u/yshirokov/profile/)
         - Patch to output "Reading profile" to stderr instead of stdout
 SYN-cook (https://github.com/SYN-cook)
         - keepass/keepassx browser fixes
diff --git a/README.md b/README.md
index cf1384249..15234f80f 100644
--- a/README.md
+++ b/README.md
@@ -134,4 +134,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 `````
 
 ## New profiles
-Microsoft Office Online, riot-desktop, gnome-mpv, snox, 
+Microsoft Office Online, riot-desktop, gnome-mpv, snox, gradio
diff --git a/RELNOTES b/RELNOTES
index 0cb390192..979633aef 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,7 +5,7 @@ firejail (0.9.55) baseline; urgency=low
   * support full paths in private-lib
   * globbing support in private-lib
   * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint
-  * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox
+  * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio
  -- netblue30 <netblue30@yahoo.com>  Fri, 25 May 2018 08:00:00 -0500
 
 firejail (0.9.54) baseline; urgency=low
diff --git a/etc/ark.profile b/etc/ark.profile
index 0c7ef3dae..12675b30b 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -31,7 +31,7 @@ protocol unix
 seccomp
 shell none
 
-private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,dash,sh,tclsh
+private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,sh,tclsh
 #private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
 
 private-dev
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index a49fc023a..d3bc76ba5 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -34,7 +34,7 @@ shell none
 tracelog
 
 # support compressed archives
-private-bin sh,bash,dash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
+private-bin sh,bash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
 private-dev
 private-etc passwd,group,localtime
 
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 56121809a..b2357716a 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -391,4 +391,4 @@ blacklist ${HOME}/*.local/share/flatpak
 blacklist /var/lib/flatpak
 blacklist /usr/share/flatpak
 # most of the time bwrap is SUID binary
-blacklist /usr/bin/bwrap
\ No newline at end of file
+blacklist ${PATH}/bwrap
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index f72b5a5c3..1dee73078 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -393,6 +393,7 @@ blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
+blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
@@ -550,6 +551,7 @@ blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/gnome-twitch
+blacklist ${HOME}/.cache/gradio
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inkscape
diff --git a/etc/gradio.profile b/etc/gradio.profile
index 1a7ff60ed..bba92a0bc 100644
--- a/etc/gradio.profile
+++ b/etc/gradio.profile
@@ -5,10 +5,8 @@ include /etc/firejail/gradio.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.cache/gradio
 noblacklist ${HOME}/.local/share/gradio
-mkdir ${HOME}/.local/share/gradio
-whitelist ${HOME}/.local/share/gradio
-whitelist ${HOME}/.cache/gradio
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -16,6 +14,10 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkdir ${HOME}/.cache/gradio
+mkdir ${HOME}/.local/share/gradio
+whitelist ${HOME}/.cache/gradio
+whitelist ${HOME}/.local/share/gradio
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
diff --git a/etc/server.profile b/etc/server.profile
index 9cc906e55..94e2d5da9 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -22,18 +22,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
+# ipc-namespace
+# netfilter /etc/firejail/webserver.net
 no3d
+# nodbus
 nodvd
+# nogroups
+# nonewprivs
+# noroot
 nosound
 notv
 novideo
 seccomp
-
-# netfilter /etc/firejail/webserver.net
+# shell none
 
 # disable-mnt
 private
 # private-bin program
+# private-cache
 private-dev
 # private-etc none
 # private-lib
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 718c2f973..5e5a5a967 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -188,6 +188,7 @@ google-play-music-desktop-player
 gpa
 gpicview
 gpredict
+gradio
 gthumb
 guayadeque
 gucharmap
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 851eb1026..59f15f75c 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -391,10 +391,10 @@ Examples:
 
 .TP
 \fBrlimit-as 123456789012
-Set he maximum size of the process's virtual memory to 123456789012 bytes.
+Set the maximum size of the process's virtual memory to 123456789012 bytes.
 .TP
 \fBrlimit-cpu 123
-Set he maximum CPU time in seconds.
+Set the maximum CPU time in seconds.
 .TP
 \fBrlimit-fsize 1024
 Set the maximum file size that can be created by a process to 1024 bytes.