aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.github/workflows/build-extra.yml16
-rw-r--r--README6
-rw-r--r--README.md5
-rw-r--r--RELNOTES11
-rwxr-xr-xcontrib/sort.py39
-rw-r--r--contrib/vim/syntax/firejail.vim2
-rw-r--r--etc/inc/allow-common-devel.inc1
-rw-r--r--etc/inc/allow-nodejs.inc4
-rw-r--r--etc/inc/allow-opengl-game.inc3
-rw-r--r--etc/inc/disable-common.inc3
-rw-r--r--etc/inc/disable-passwdmgr.inc1
-rw-r--r--etc/inc/disable-programs.inc18
-rw-r--r--etc/inc/whitelist-1793-workaround.inc29
-rw-r--r--etc/inc/whitelist-runuser-common.inc1
-rw-r--r--etc/inc/whitelist-var-common.inc1
-rw-r--r--etc/profile-a-l/0ad.profile1
-rw-r--r--etc/profile-a-l/2048-qt.profile1
-rw-r--r--etc/profile-a-l/Cryptocat.profile1
-rw-r--r--etc/profile-a-l/Fritzing.profile1
-rw-r--r--etc/profile-a-l/JDownloader.profile1
-rw-r--r--etc/profile-a-l/abiword.profile1
-rw-r--r--etc/profile-a-l/agetpkg.profile2
-rw-r--r--etc/profile-a-l/akonadi_control.profile1
-rw-r--r--etc/profile-a-l/akregator.profile1
-rw-r--r--etc/profile-a-l/alacarte.profile1
-rw-r--r--etc/profile-a-l/alienarena-wrapper.profile14
-rw-r--r--etc/profile-a-l/alienarena.profile53
-rw-r--r--etc/profile-a-l/amarok.profile9
-rw-r--r--etc/profile-a-l/amule.profile1
-rw-r--r--etc/profile-a-l/anki.profile1
-rw-r--r--etc/profile-a-l/anydesk.profile1
-rw-r--r--etc/profile-a-l/apktool.profile1
-rw-r--r--etc/profile-a-l/apostrophe.profile1
-rw-r--r--etc/profile-a-l/arch-audit.profile1
-rw-r--r--etc/profile-a-l/archiver-common.profile1
-rw-r--r--etc/profile-a-l/ardour5.profile1
-rw-r--r--etc/profile-a-l/aria2c.profile1
-rw-r--r--etc/profile-a-l/ark.profile1
-rw-r--r--etc/profile-a-l/arm.profile1
-rw-r--r--etc/profile-a-l/artha.profile1
-rw-r--r--etc/profile-a-l/assogiate.profile1
-rw-r--r--etc/profile-a-l/asunder.profile1
-rw-r--r--etc/profile-a-l/atril.profile1
-rw-r--r--etc/profile-a-l/audacious.profile1
-rw-r--r--etc/profile-a-l/audacity.profile1
-rw-r--r--etc/profile-a-l/audio-recorder.profile7
-rw-r--r--etc/profile-a-l/authenticator-rs.profile1
-rw-r--r--etc/profile-a-l/authenticator.profile1
-rw-r--r--etc/profile-a-l/autokey-common.profile1
-rw-r--r--etc/profile-a-l/avidemux.profile1
-rw-r--r--etc/profile-a-l/aweather.profile1
-rw-r--r--etc/profile-a-l/ballbuster-wrapper.profile14
-rw-r--r--etc/profile-a-l/ballbuster.profile53
-rw-r--r--etc/profile-a-l/baloo_file.profile1
-rw-r--r--etc/profile-a-l/balsa.profile1
-rw-r--r--etc/profile-a-l/baobab.profile1
-rw-r--r--etc/profile-a-l/barrier.profile1
-rw-r--r--etc/profile-a-l/bcompare.profile1
-rw-r--r--etc/profile-a-l/bibletime.profile1
-rw-r--r--etc/profile-a-l/bijiben.profile2
-rw-r--r--etc/profile-a-l/bitcoin-qt.profile1
-rw-r--r--etc/profile-a-l/bitlbee.profile1
-rw-r--r--etc/profile-a-l/bitwarden.profile1
-rw-r--r--etc/profile-a-l/bleachbit.profile1
-rw-r--r--etc/profile-a-l/blender.profile1
-rw-r--r--etc/profile-a-l/bless.profile1
-rw-r--r--etc/profile-a-l/blobwars.profile1
-rw-r--r--etc/profile-a-l/bluefish.profile1
-rw-r--r--etc/profile-a-l/brackets.profile1
-rw-r--r--etc/profile-a-l/bzflag.profile1
-rw-r--r--etc/profile-a-l/calibre.profile1
-rw-r--r--etc/profile-a-l/calligra.profile1
-rw-r--r--etc/profile-a-l/cantata.profile1
-rw-r--r--etc/profile-a-l/cawbird.profile1
-rw-r--r--etc/profile-a-l/celluloid.profile1
-rw-r--r--etc/profile-a-l/checkbashisms.profile1
-rw-r--r--etc/profile-a-l/cherrytree.profile1
-rw-r--r--etc/profile-a-l/chromium-common.profile5
-rw-r--r--etc/profile-a-l/chromium.profile1
-rw-r--r--etc/profile-a-l/cin.profile3
-rw-r--r--etc/profile-a-l/clamav.profile1
-rw-r--r--etc/profile-a-l/clamtk.profile1
-rw-r--r--etc/profile-a-l/clawsker.profile1
-rw-r--r--etc/profile-a-l/clementine.profile1
-rw-r--r--etc/profile-a-l/clion.profile1
-rw-r--r--etc/profile-a-l/clipgrab.profile1
-rw-r--r--etc/profile-a-l/clipit.profile1
-rw-r--r--etc/profile-a-l/code.profile1
-rw-r--r--etc/profile-a-l/colorful-wrapper.profile14
-rw-r--r--etc/profile-a-l/colorful.profile53
-rw-r--r--etc/profile-a-l/com.github.bleakgrey.tootle.profile1
-rw-r--r--etc/profile-a-l/com.github.dahenson.agenda.profile1
-rw-r--r--etc/profile-a-l/com.github.johnfactotum.Foliate.profile1
-rw-r--r--etc/profile-a-l/com.github.phase1geo.minder.profile1
-rw-r--r--etc/profile-a-l/conky.profile1
-rw-r--r--etc/profile-a-l/corebird.profile1
-rw-r--r--etc/profile-a-l/cower.profile1
-rw-r--r--etc/profile-a-l/coyim.profile1
-rw-r--r--etc/profile-a-l/crawl.profile1
-rw-r--r--etc/profile-a-l/crow.profile1
-rw-r--r--etc/profile-a-l/curl.profile1
-rw-r--r--etc/profile-a-l/d-feet.profile1
-rw-r--r--etc/profile-a-l/darktable.profile1
-rw-r--r--etc/profile-a-l/dbus-send.profile1
-rw-r--r--etc/profile-a-l/dconf-editor.profile1
-rw-r--r--etc/profile-a-l/dconf.profile1
-rw-r--r--etc/profile-a-l/deadbeef.profile1
-rw-r--r--etc/profile-a-l/default.profile5
-rw-r--r--etc/profile-a-l/deluge.profile1
-rw-r--r--etc/profile-a-l/desktopeditors.profile1
-rw-r--r--etc/profile-a-l/devhelp.profile1
-rw-r--r--etc/profile-a-l/devilspie.profile1
-rw-r--r--etc/profile-a-l/dex2jar.profile1
-rw-r--r--etc/profile-a-l/dia.profile1
-rw-r--r--etc/profile-a-l/dig.profile1
-rw-r--r--etc/profile-a-l/digikam.profile1
-rw-r--r--etc/profile-a-l/dillo.profile1
-rw-r--r--etc/profile-a-l/dino.profile10
-rw-r--r--etc/profile-a-l/discord-common.profile3
-rw-r--r--etc/profile-a-l/display.profile1
-rw-r--r--etc/profile-a-l/dnscrypt-proxy.profile1
-rw-r--r--etc/profile-a-l/dnsmasq.profile1
-rw-r--r--etc/profile-a-l/dooble.profile1
-rw-r--r--etc/profile-a-l/dosbox.profile1
-rw-r--r--etc/profile-a-l/dragon.profile1
-rw-r--r--etc/profile-a-l/drawio.profile1
-rw-r--r--etc/profile-a-l/drill.profile1
-rw-r--r--etc/profile-a-l/dropbox.profile1
-rw-r--r--etc/profile-a-l/easystroke.profile1
-rw-r--r--etc/profile-a-l/electron-mail.profile1
-rw-r--r--etc/profile-a-l/electron.profile1
-rw-r--r--etc/profile-a-l/electrum.profile1
-rw-r--r--etc/profile-a-l/elinks.profile1
-rw-r--r--etc/profile-a-l/email-common.profile1
-rw-r--r--etc/profile-a-l/enchant.profile1
-rw-r--r--etc/profile-a-l/engrampa.profile1
-rw-r--r--etc/profile-a-l/enpass.profile9
-rw-r--r--etc/profile-a-l/eo-common.profile1
-rw-r--r--etc/profile-a-l/eog.profile10
-rw-r--r--etc/profile-a-l/eom.profile9
-rw-r--r--etc/profile-a-l/ephemeral.profile1
-rw-r--r--etc/profile-a-l/equalx.profile1
-rw-r--r--etc/profile-a-l/etr-wrapper.profile14
-rw-r--r--etc/profile-a-l/etr.profile4
-rw-r--r--etc/profile-a-l/evince.profile1
-rw-r--r--etc/profile-a-l/evolution.profile1
-rw-r--r--etc/profile-a-l/exiftool.profile1
-rw-r--r--etc/profile-a-l/falkon.profile1
-rw-r--r--etc/profile-a-l/fbreader.profile1
-rw-r--r--etc/profile-a-l/feedreader.profile1
-rw-r--r--etc/profile-a-l/feh.profile1
-rw-r--r--etc/profile-a-l/ferdi.profile1
-rw-r--r--etc/profile-a-l/fetchmail.profile1
-rw-r--r--etc/profile-a-l/ffmpeg.profile1
-rw-r--r--etc/profile-a-l/file-manager-common.profile1
-rw-r--r--etc/profile-a-l/file-roller.profile5
-rw-r--r--etc/profile-a-l/file.profile1
-rw-r--r--etc/profile-a-l/filezilla.profile1
-rw-r--r--etc/profile-a-l/firedragon.profile26
-rw-r--r--etc/profile-a-l/firefox-common-addons.profile5
-rw-r--r--etc/profile-a-l/firefox-common.profile1
-rw-r--r--etc/profile-a-l/firefox.profile8
-rw-r--r--etc/profile-a-l/flameshot.profile1
-rw-r--r--etc/profile-a-l/flowblade.profile1
-rw-r--r--etc/profile-a-l/font-manager.profile1
-rw-r--r--etc/profile-a-l/fontforge.profile1
-rw-r--r--etc/profile-a-l/fractal.profile1
-rw-r--r--etc/profile-a-l/franz.profile1
-rw-r--r--etc/profile-a-l/freecad.profile1
-rw-r--r--etc/profile-a-l/freeciv.profile1
-rw-r--r--etc/profile-a-l/freecol.profile1
-rw-r--r--etc/profile-a-l/freemind.profile1
-rw-r--r--etc/profile-a-l/freshclam.profile1
-rw-r--r--etc/profile-a-l/frogatto.profile1
-rw-r--r--etc/profile-a-l/frozen-bubble.profile1
-rw-r--r--etc/profile-a-l/gajim.profile1
-rw-r--r--etc/profile-a-l/galculator.profile1
-rw-r--r--etc/profile-a-l/gapplication.profile1
-rw-r--r--etc/profile-a-l/gcloud.profile1
-rw-r--r--etc/profile-a-l/gconf.profile1
-rw-r--r--etc/profile-a-l/geany.profile1
-rw-r--r--etc/profile-a-l/geary.profile1
-rw-r--r--etc/profile-a-l/gedit.profile1
-rw-r--r--etc/profile-a-l/geekbench.profile1
-rw-r--r--etc/profile-a-l/geeqie.profile1
-rw-r--r--etc/profile-a-l/gfeeds.profile1
-rw-r--r--etc/profile-a-l/gget.profile1
-rw-r--r--etc/profile-a-l/ghostwriter.profile1
-rw-r--r--etc/profile-a-l/gimp.profile1
-rw-r--r--etc/profile-a-l/gist.profile1
-rw-r--r--etc/profile-a-l/git-cola.profile1
-rw-r--r--etc/profile-a-l/git.profile1
-rw-r--r--etc/profile-a-l/gitg.profile1
-rw-r--r--etc/profile-a-l/gitter.profile1
-rw-r--r--etc/profile-a-l/gjs.profile1
-rw-r--r--etc/profile-a-l/gl-117-wrapper.profile14
-rw-r--r--etc/profile-a-l/gl-117.profile53
-rw-r--r--etc/profile-a-l/glaxium-wrapper.profile14
-rw-r--r--etc/profile-a-l/glaxium.profile53
-rw-r--r--etc/profile-a-l/globaltime.profile1
-rw-r--r--etc/profile-a-l/gnome-books.profile1
-rw-r--r--etc/profile-a-l/gnome-builder.profile1
-rw-r--r--etc/profile-a-l/gnome-calculator.profile1
-rw-r--r--etc/profile-a-l/gnome-calendar.profile1
-rw-r--r--etc/profile-a-l/gnome-characters.profile1
-rw-r--r--etc/profile-a-l/gnome-chess.profile1
-rw-r--r--etc/profile-a-l/gnome-clocks.profile1
-rw-r--r--etc/profile-a-l/gnome-contacts.profile1
-rw-r--r--etc/profile-a-l/gnome-documents.profile1
-rw-r--r--etc/profile-a-l/gnome-font-viewer.profile1
-rw-r--r--etc/profile-a-l/gnome-hexgl.profile1
-rw-r--r--etc/profile-a-l/gnome-keyring.profile1
-rw-r--r--etc/profile-a-l/gnome-latex.profile1
-rw-r--r--etc/profile-a-l/gnome-logs.profile4
-rw-r--r--etc/profile-a-l/gnome-maps.profile1
-rw-r--r--etc/profile-a-l/gnome-mplayer.profile1
-rw-r--r--etc/profile-a-l/gnome-music.profile1
-rw-r--r--etc/profile-a-l/gnome-nettool.profile1
-rw-r--r--etc/profile-a-l/gnome-passwordsafe.profile1
-rw-r--r--etc/profile-a-l/gnome-photos.profile1
-rw-r--r--etc/profile-a-l/gnome-pie.profile1
-rw-r--r--etc/profile-a-l/gnome-pomodoro.profile1
-rw-r--r--etc/profile-a-l/gnome-recipes.profile1
-rw-r--r--etc/profile-a-l/gnome-schedule.profile1
-rw-r--r--etc/profile-a-l/gnome-screenshot.profile1
-rw-r--r--etc/profile-a-l/gnome-sound-recorder.profile1
-rw-r--r--etc/profile-a-l/gnome-system-log.profile7
-rw-r--r--etc/profile-a-l/gnome-todo.profile1
-rw-r--r--etc/profile-a-l/gnome-twitch.profile1
-rw-r--r--etc/profile-a-l/gnome-weather.profile1
-rw-r--r--etc/profile-a-l/gnome_games-common.profile1
-rw-r--r--etc/profile-a-l/gnote.profile1
-rw-r--r--etc/profile-a-l/gnubik.profile1
-rw-r--r--etc/profile-a-l/godot.profile1
-rw-r--r--etc/profile-a-l/goobox.profile1
-rw-r--r--etc/profile-a-l/google-earth.profile1
-rw-r--r--etc/profile-a-l/google-play-music-desktop-player.profile1
-rw-r--r--etc/profile-a-l/gpa.profile1
-rw-r--r--etc/profile-a-l/gpg-agent.profile1
-rw-r--r--etc/profile-a-l/gpg.profile1
-rw-r--r--etc/profile-a-l/gpicview.profile1
-rw-r--r--etc/profile-a-l/gpredict.profile1
-rw-r--r--etc/profile-a-l/gradio.profile1
-rw-r--r--etc/profile-a-l/gramps.profile1
-rw-r--r--etc/profile-a-l/gravity-beams-and-evaporating-stars.profile1
-rw-r--r--etc/profile-a-l/gthumb.profile1
-rw-r--r--etc/profile-a-l/gtk-update-icon-cache.profile1
-rw-r--r--etc/profile-a-l/guayadeque.profile1
-rw-r--r--etc/profile-a-l/gucharmap.profile1
-rw-r--r--etc/profile-a-l/guvcview.profile1
-rw-r--r--etc/profile-a-l/gwenview.profile1
-rw-r--r--etc/profile-a-l/handbrake.profile1
-rw-r--r--etc/profile-a-l/hashcat.profile1
-rw-r--r--etc/profile-a-l/hasher-common.profile1
-rw-r--r--etc/profile-a-l/hedgewars.profile1
-rw-r--r--etc/profile-a-l/hexchat.profile1
-rw-r--r--etc/profile-a-l/highlight.profile1
-rw-r--r--etc/profile-a-l/homebank.profile1
-rw-r--r--etc/profile-a-l/host.profile1
-rw-r--r--etc/profile-a-l/hugin.profile1
-rw-r--r--etc/profile-a-l/hyperrogue.profile1
-rw-r--r--etc/profile-a-l/i2prouter.profile1
-rw-r--r--etc/profile-a-l/iagno.profile1
-rw-r--r--etc/profile-a-l/idea.sh.profile1
-rw-r--r--etc/profile-a-l/imagej.profile1
-rw-r--r--etc/profile-a-l/img2txt.profile1
-rw-r--r--etc/profile-a-l/impressive.profile1
-rw-r--r--etc/profile-a-l/inkscape.profile1
-rw-r--r--etc/profile-a-l/ipcalc.profile1
-rw-r--r--etc/profile-a-l/itch.profile1
-rw-r--r--etc/profile-a-l/jami-gnome.profile1
-rw-r--r--etc/profile-a-l/jd-gui.profile1
-rw-r--r--etc/profile-a-l/jerry.profile1
-rw-r--r--etc/profile-a-l/jumpnbump.profile1
-rw-r--r--etc/profile-a-l/k3b.profile1
-rw-r--r--etc/profile-a-l/kaffeine.profile1
-rw-r--r--etc/profile-a-l/kalgebra.profile1
-rw-r--r--etc/profile-a-l/kate.profile1
-rw-r--r--etc/profile-a-l/kazam.profile1
-rw-r--r--etc/profile-a-l/kcalc.profile13
-rw-r--r--etc/profile-a-l/kdeinit4.profile1
-rw-r--r--etc/profile-a-l/kdenlive.profile1
-rw-r--r--etc/profile-a-l/kdiff3.profile1
-rw-r--r--etc/profile-a-l/keepass.profile1
-rw-r--r--etc/profile-a-l/keepassx.profile1
-rw-r--r--etc/profile-a-l/keepassxc.profile3
-rw-r--r--etc/profile-a-l/kfind.profile1
-rw-r--r--etc/profile-a-l/kget.profile1
-rw-r--r--etc/profile-a-l/kid3.profile1
-rw-r--r--etc/profile-a-l/kino.profile1
-rw-r--r--etc/profile-a-l/kiwix-desktop.profile1
-rw-r--r--etc/profile-a-l/klatexformula.profile1
-rw-r--r--etc/profile-a-l/klavaro.profile1
-rw-r--r--etc/profile-a-l/kmail.profile1
-rw-r--r--etc/profile-a-l/kmplayer.profile1
-rw-r--r--etc/profile-a-l/kodi.profile1
-rw-r--r--etc/profile-a-l/konversation.profile1
-rw-r--r--etc/profile-a-l/kopete.profile1
-rw-r--r--etc/profile-a-l/krita.profile1
-rw-r--r--etc/profile-a-l/ktorrent.profile1
-rw-r--r--etc/profile-a-l/ktouch.profile1
-rw-r--r--etc/profile-a-l/kube.profile1
-rw-r--r--etc/profile-a-l/kwin_x11.profile1
-rw-r--r--etc/profile-a-l/kwrite.profile1
-rw-r--r--etc/profile-a-l/latex-common.profile1
-rw-r--r--etc/profile-a-l/leafpad.profile1
-rw-r--r--etc/profile-a-l/less.profile1
-rw-r--r--etc/profile-a-l/libreoffice.profile19
-rw-r--r--etc/profile-a-l/librewolf.profile21
-rw-r--r--etc/profile-a-l/liferea.profile1
-rw-r--r--etc/profile-a-l/lincity-ng.profile1
-rw-r--r--etc/profile-a-l/links.profile1
-rw-r--r--etc/profile-a-l/linphone.profile1
-rw-r--r--etc/profile-a-l/lmms.profile1
-rw-r--r--etc/profile-a-l/lollypop.profile1
-rw-r--r--etc/profile-a-l/lugaru.profile1
-rw-r--r--etc/profile-a-l/luminance-hdr.profile1
-rw-r--r--etc/profile-a-l/lximage-qt.profile1
-rw-r--r--etc/profile-a-l/lxmusic.profile1
-rw-r--r--etc/profile-a-l/lynx.profile1
-rw-r--r--etc/profile-m-z/Maelstrom.profile1
-rw-r--r--etc/profile-m-z/QMediathekView.profile1
-rw-r--r--etc/profile-m-z/QOwnNotes.profile1
-rw-r--r--etc/profile-m-z/XMind.profile1
-rw-r--r--etc/profile-m-z/Xephyr.profile1
-rw-r--r--etc/profile-m-z/Xvfb.profile1
-rw-r--r--etc/profile-m-z/ZeGrapher.profile1
-rw-r--r--etc/profile-m-z/macrofusion.profile1
-rw-r--r--etc/profile-m-z/magicor.profile1
-rw-r--r--etc/profile-m-z/man.profile1
-rw-r--r--etc/profile-m-z/manaplus.profile1
-rw-r--r--etc/profile-m-z/marker.profile1
-rw-r--r--etc/profile-m-z/masterpdfeditor.profile1
-rw-r--r--etc/profile-m-z/mate-calc.profile1
-rw-r--r--etc/profile-m-z/mate-color-select.profile1
-rw-r--r--etc/profile-m-z/mate-dictionary.profile1
-rw-r--r--etc/profile-m-z/mcabber.profile1
-rw-r--r--etc/profile-m-z/mdr.profile1
-rw-r--r--etc/profile-m-z/mediainfo.profile1
-rw-r--r--etc/profile-m-z/mediathekview.profile1
-rw-r--r--etc/profile-m-z/megaglest.profile1
-rw-r--r--etc/profile-m-z/meld.profile1
-rw-r--r--etc/profile-m-z/mendeleydesktop.profile1
-rw-r--r--etc/profile-m-z/menulibre.profile1
-rw-r--r--etc/profile-m-z/meteo-qt.profile1
-rw-r--r--etc/profile-m-z/mindless.profile1
-rw-r--r--etc/profile-m-z/minecraft-launcher.profile7
-rw-r--r--etc/profile-m-z/minetest.profile1
-rw-r--r--etc/profile-m-z/minitube.profile1
-rw-r--r--etc/profile-m-z/mirage.profile1
-rw-r--r--etc/profile-m-z/mirrormagic.profile1
-rw-r--r--etc/profile-m-z/mocp.profile1
-rw-r--r--etc/profile-m-z/mousepad.profile1
-rw-r--r--etc/profile-m-z/mp3splt-gtk.profile1
-rw-r--r--etc/profile-m-z/mp3splt.profile1
-rw-r--r--etc/profile-m-z/mpDris2.profile1
-rw-r--r--etc/profile-m-z/mpd.profile1
-rw-r--r--etc/profile-m-z/mpg123.profile1
-rw-r--r--etc/profile-m-z/mplayer.profile1
-rw-r--r--etc/profile-m-z/mpsyt.profile1
-rw-r--r--etc/profile-m-z/mpv.profile1
-rw-r--r--etc/profile-m-z/mrrescue.profile10
-rw-r--r--etc/profile-m-z/ms-office.profile1
-rw-r--r--etc/profile-m-z/mtpaint.profile1
-rw-r--r--etc/profile-m-z/multimc5.profile1
-rw-r--r--etc/profile-m-z/mupdf.profile1
-rw-r--r--etc/profile-m-z/musictube.profile1
-rw-r--r--etc/profile-m-z/musixmatch.profile2
-rw-r--r--etc/profile-m-z/mutt.profile1
-rw-r--r--etc/profile-m-z/mypaint.profile1
-rw-r--r--etc/profile-m-z/nano.profile7
-rw-r--r--etc/profile-m-z/ncdu.profile1
-rw-r--r--etc/profile-m-z/neochat.profile66
-rw-r--r--etc/profile-m-z/neomutt.profile1
-rw-r--r--etc/profile-m-z/netactview.profile1
-rw-r--r--etc/profile-m-z/nethack-vultures.profile1
-rw-r--r--etc/profile-m-z/nethack.profile1
-rw-r--r--etc/profile-m-z/neverball-wrapper.profile14
-rw-r--r--etc/profile-m-z/neverball.profile17
-rw-r--r--etc/profile-m-z/neverputt-wrapper.profile14
-rw-r--r--etc/profile-m-z/newsboat.profile1
-rw-r--r--etc/profile-m-z/newsflash.profile1
-rw-r--r--etc/profile-m-z/nextcloud.profile1
-rw-r--r--etc/profile-m-z/nheko.profile1
-rw-r--r--etc/profile-m-z/nicotine.profile1
-rw-r--r--etc/profile-m-z/nitroshare.profile1
-rw-r--r--etc/profile-m-z/node.profile11
-rw-r--r--etc/profile-m-z/nodejs-common.profile50
-rw-r--r--etc/profile-m-z/nomacs.profile1
-rw-r--r--etc/profile-m-z/notify-send.profile1
-rw-r--r--etc/profile-m-z/npm.profile18
-rw-r--r--etc/profile-m-z/nslookup.profile1
-rw-r--r--etc/profile-m-z/nvm.profile13
-rw-r--r--etc/profile-m-z/nylas.profile1
-rw-r--r--etc/profile-m-z/nyx.profile1
-rw-r--r--etc/profile-m-z/obs.profile1
-rw-r--r--etc/profile-m-z/ocenaudio.profile1
-rw-r--r--etc/profile-m-z/odt2txt.profile1
-rw-r--r--etc/profile-m-z/okular.profile9
-rw-r--r--etc/profile-m-z/onboard.profile1
-rw-r--r--etc/profile-m-z/onionshare-gui.profile1
-rw-r--r--etc/profile-m-z/open-invaders.profile1
-rw-r--r--etc/profile-m-z/openarena.profile1
-rw-r--r--etc/profile-m-z/opencity.profile1
-rw-r--r--etc/profile-m-z/openclonk.profile1
-rw-r--r--etc/profile-m-z/openmw.profile1
-rw-r--r--etc/profile-m-z/openshot.profile1
-rw-r--r--etc/profile-m-z/openttd.profile1
-rw-r--r--etc/profile-m-z/orage.profile1
-rw-r--r--etc/profile-m-z/ostrichriders.profile3
-rw-r--r--etc/profile-m-z/otter-browser.profile1
-rw-r--r--etc/profile-m-z/pandoc.profile1
-rw-r--r--etc/profile-m-z/patch.profile1
-rw-r--r--etc/profile-m-z/pavucontrol.profile1
-rw-r--r--etc/profile-m-z/pdfchain.profile1
-rw-r--r--etc/profile-m-z/pdfmod.profile1
-rw-r--r--etc/profile-m-z/pdfsam.profile1
-rw-r--r--etc/profile-m-z/pdftotext.profile1
-rw-r--r--etc/profile-m-z/peek.profile1
-rw-r--r--etc/profile-m-z/penguin-command.profile1
-rw-r--r--etc/profile-m-z/photoflare.profile1
-rw-r--r--etc/profile-m-z/picard.profile1
-rw-r--r--etc/profile-m-z/pidgin.profile1
-rw-r--r--etc/profile-m-z/pinball-wrapper.profile14
-rw-r--r--etc/profile-m-z/pinball.profile53
-rw-r--r--etc/profile-m-z/ping.profile1
-rw-r--r--etc/profile-m-z/pingus.profile6
-rw-r--r--etc/profile-m-z/pinta.profile1
-rw-r--r--etc/profile-m-z/pioneer.profile1
-rw-r--r--etc/profile-m-z/pithos.profile1
-rw-r--r--etc/profile-m-z/pitivi.profile1
-rw-r--r--etc/profile-m-z/pix.profile1
-rw-r--r--etc/profile-m-z/pkglog.profile1
-rw-r--r--etc/profile-m-z/pluma.profile3
-rw-r--r--etc/profile-m-z/plv.profile1
-rw-r--r--etc/profile-m-z/pngquant.profile1
-rw-r--r--etc/profile-m-z/polari.profile1
-rw-r--r--etc/profile-m-z/pragha.profile1
-rw-r--r--etc/profile-m-z/profanity.profile1
-rw-r--r--etc/profile-m-z/psi-plus.profile1
-rw-r--r--etc/profile-m-z/psi.profile1
-rw-r--r--etc/profile-m-z/pybitmessage.profile1
-rw-r--r--etc/profile-m-z/pycharm-community.profile1
-rw-r--r--etc/profile-m-z/qbittorrent.profile1
-rw-r--r--etc/profile-m-z/qgis.profile1
-rw-r--r--etc/profile-m-z/qlipper.profile1
-rw-r--r--etc/profile-m-z/qmmp.profile1
-rw-r--r--etc/profile-m-z/qnapi.profile1
-rw-r--r--etc/profile-m-z/qpdfview.profile1
-rw-r--r--etc/profile-m-z/qrencode.profile1
-rw-r--r--etc/profile-m-z/qtox.profile1
-rw-r--r--etc/profile-m-z/quaternion.profile1
-rw-r--r--etc/profile-m-z/quiterss.profile1
-rw-r--r--etc/profile-m-z/quodlibet.profile1
-rw-r--r--etc/profile-m-z/redeclipse.profile1
-rw-r--r--etc/profile-m-z/redshift.profile1
-rw-r--r--etc/profile-m-z/regextester.profile12
-rw-r--r--etc/profile-m-z/remmina.profile1
-rw-r--r--etc/profile-m-z/rhythmbox.profile1
-rw-r--r--etc/profile-m-z/ricochet.profile1
-rw-r--r--etc/profile-m-z/ripperx.profile1
-rw-r--r--etc/profile-m-z/ristretto.profile1
-rw-r--r--etc/profile-m-z/rsync-download_only.profile1
-rw-r--r--etc/profile-m-z/rtorrent.profile1
-rw-r--r--etc/profile-m-z/rtv.profile1
-rw-r--r--etc/profile-m-z/sayonara.profile1
-rw-r--r--etc/profile-m-z/scallion.profile1
-rw-r--r--etc/profile-m-z/scorched3d-wrapper.profile7
-rw-r--r--etc/profile-m-z/scorched3d.profile3
-rw-r--r--etc/profile-m-z/scorchwentbonkers.profile1
-rw-r--r--etc/profile-m-z/scribus.profile1
-rw-r--r--etc/profile-m-z/sdat2img.profile1
-rw-r--r--etc/profile-m-z/seahorse-adventures.profile1
-rw-r--r--etc/profile-m-z/seahorse.profile1
-rw-r--r--etc/profile-m-z/server.profile1
-rw-r--r--etc/profile-m-z/servo.profile1
-rw-r--r--etc/profile-m-z/shellcheck.profile1
-rw-r--r--etc/profile-m-z/shortwave.profile1
-rw-r--r--etc/profile-m-z/shotcut.profile1
-rw-r--r--etc/profile-m-z/shotwell.profile1
-rw-r--r--etc/profile-m-z/signal-cli.profile1
-rw-r--r--etc/profile-m-z/silentarmy.profile1
-rw-r--r--etc/profile-m-z/simplescreenrecorder.profile1
-rw-r--r--etc/profile-m-z/simutrans.profile1
-rw-r--r--etc/profile-m-z/slashem.profile1
-rw-r--r--etc/profile-m-z/smplayer.profile1
-rw-r--r--etc/profile-m-z/smtube.profile1
-rw-r--r--etc/profile-m-z/smuxi-frontend-gnome.profile1
-rw-r--r--etc/profile-m-z/softmaker-common.profile1
-rw-r--r--etc/profile-m-z/sol.profile1
-rw-r--r--etc/profile-m-z/sound-juicer.profile1
-rw-r--r--etc/profile-m-z/soundconverter.profile1
-rw-r--r--etc/profile-m-z/spectacle.profile3
-rw-r--r--etc/profile-m-z/spectral.profile1
-rw-r--r--etc/profile-m-z/spotify.profile3
-rw-r--r--etc/profile-m-z/sqlitebrowser.profile1
-rw-r--r--etc/profile-m-z/ssh.profile1
-rw-r--r--etc/profile-m-z/standardnotes-desktop.profile1
-rw-r--r--etc/profile-m-z/steam.profile39
-rw-r--r--etc/profile-m-z/stellarium.profile1
-rw-r--r--etc/profile-m-z/straw-viewer.profile1
-rw-r--r--etc/profile-m-z/strawberry.profile1
-rw-r--r--etc/profile-m-z/strings.profile1
-rw-r--r--etc/profile-m-z/subdownloader.profile1
-rw-r--r--etc/profile-m-z/supertux2.profile4
-rw-r--r--etc/profile-m-z/supertuxkart-wrapper.profile14
-rw-r--r--etc/profile-m-z/surf.profile1
-rw-r--r--etc/profile-m-z/sushi.profile1
-rw-r--r--etc/profile-m-z/synfigstudio.profile1
-rw-r--r--etc/profile-m-z/sysprof.profile17
-rw-r--r--etc/profile-m-z/tcpdump.profile1
-rw-r--r--etc/profile-m-z/teamspeak3.profile1
-rw-r--r--etc/profile-m-z/teeworlds.profile1
-rw-r--r--etc/profile-m-z/telegram.profile1
-rw-r--r--etc/profile-m-z/terasology.profile1
-rw-r--r--etc/profile-m-z/tmux.profile1
-rw-r--r--etc/profile-m-z/tor.profile1
-rw-r--r--etc/profile-m-z/torbrowser-launcher.profile1
-rw-r--r--etc/profile-m-z/torcs.profile1
-rw-r--r--etc/profile-m-z/totem.profile1
-rw-r--r--etc/profile-m-z/transgui.profile1
-rw-r--r--etc/profile-m-z/transmission-common.profile1
-rw-r--r--etc/profile-m-z/tremulous.profile1
-rw-r--r--etc/profile-m-z/trojita.profile1
-rw-r--r--etc/profile-m-z/truecraft.profile1
-rw-r--r--etc/profile-m-z/tuxguitar.profile1
-rw-r--r--etc/profile-m-z/tvbrowser.profile1
-rw-r--r--etc/profile-m-z/udiskie.profile1
-rw-r--r--etc/profile-m-z/uefitool.profile1
-rw-r--r--etc/profile-m-z/uget-gtk.profile1
-rw-r--r--etc/profile-m-z/unbound.profile1
-rw-r--r--etc/profile-m-z/unf.profile1
-rw-r--r--etc/profile-m-z/unknown-horizons.profile1
-rw-r--r--etc/profile-m-z/utox.profile1
-rw-r--r--etc/profile-m-z/uudeview.profile1
-rw-r--r--etc/profile-m-z/viewnior.profile1
-rw-r--r--etc/profile-m-z/viking.profile1
-rw-r--r--etc/profile-m-z/vim.profile1
-rw-r--r--etc/profile-m-z/virtualbox.profile2
-rw-r--r--etc/profile-m-z/vlc.profile1
-rw-r--r--etc/profile-m-z/vmware-view.profile1
-rw-r--r--etc/profile-m-z/vym.profile1
-rw-r--r--etc/profile-m-z/w3m.profile1
-rw-r--r--etc/profile-m-z/warmux.profile1
-rw-r--r--etc/profile-m-z/warsow.profile1
-rw-r--r--etc/profile-m-z/warzone2100.profile1
-rw-r--r--etc/profile-m-z/webstorm.profile1
-rw-r--r--etc/profile-m-z/webui-aria2.profile1
-rw-r--r--etc/profile-m-z/wesnoth.profile1
-rw-r--r--etc/profile-m-z/wget.profile1
-rw-r--r--etc/profile-m-z/whois.profile1
-rw-r--r--etc/profile-m-z/widelands.profile1
-rw-r--r--etc/profile-m-z/wine.profile1
-rw-r--r--etc/profile-m-z/wireshark.profile7
-rw-r--r--etc/profile-m-z/wordwarvi.profile1
-rw-r--r--etc/profile-m-z/wps.profile1
-rw-r--r--etc/profile-m-z/x-terminal-emulator.profile1
-rw-r--r--etc/profile-m-z/x2goclient.profile1
-rw-r--r--etc/profile-m-z/xbill.profile1
-rw-r--r--etc/profile-m-z/xcalc.profile1
-rw-r--r--etc/profile-m-z/xed.profile1
-rw-r--r--etc/profile-m-z/xfce4-dict.profile1
-rw-r--r--etc/profile-m-z/xfce4-mixer.profile3
-rw-r--r--etc/profile-m-z/xfce4-notes.profile1
-rw-r--r--etc/profile-m-z/xfce4-screenshooter.profile1
-rw-r--r--etc/profile-m-z/xiphos.profile1
-rw-r--r--etc/profile-m-z/xmms.profile1
-rw-r--r--etc/profile-m-z/xmr-stak.profile1
-rw-r--r--etc/profile-m-z/xonotic.profile7
-rw-r--r--etc/profile-m-z/xournal.profile1
-rw-r--r--etc/profile-m-z/xpdf.profile1
-rw-r--r--etc/profile-m-z/xplayer.profile1
-rw-r--r--etc/profile-m-z/xpra.profile1
-rw-r--r--etc/profile-m-z/xreader.profile1
-rw-r--r--etc/profile-m-z/xviewer.profile1
-rw-r--r--etc/profile-m-z/yarn.profile20
-rw-r--r--etc/profile-m-z/yelp.profile1
-rw-r--r--etc/profile-m-z/youtube-dl-gui.profile1
-rw-r--r--etc/profile-m-z/youtube-dl.profile1
-rw-r--r--etc/profile-m-z/youtube-viewer.profile1
-rw-r--r--etc/profile-m-z/zaproxy.profile1
-rw-r--r--etc/profile-m-z/zart.profile1
-rw-r--r--etc/profile-m-z/zathura.profile1
-rw-r--r--etc/profile-m-z/zeal.profile1
-rw-r--r--etc/profile-m-z/zulip.profile1
-rw-r--r--etc/templates/profile.template12
-rw-r--r--src/fbuilder/build_bin.c9
-rw-r--r--src/fbuilder/build_fs.c128
-rw-r--r--src/fbuilder/build_home.c28
-rw-r--r--src/fbuilder/build_profile.c73
-rw-r--r--src/fbuilder/fbuilder.h1
-rw-r--r--src/fbuilder/filedb.c49
-rw-r--r--src/fbuilder/main.c12
-rw-r--r--src/firecfg/firecfg.config9
-rw-r--r--src/firejail/appimage.c6
-rw-r--r--src/firejail/bandwidth.c32
-rw-r--r--src/firejail/caps.c2
-rw-r--r--src/firejail/cgroup.c20
-rw-r--r--src/firejail/checkcfg.c2
-rw-r--r--src/firejail/cpu.c6
-rw-r--r--src/firejail/dhcp.c2
-rw-r--r--src/firejail/env.c7
-rw-r--r--src/firejail/firejail.h6
-rw-r--r--src/firejail/fs_dev.c20
-rw-r--r--src/firejail/fs_etc.c63
-rw-r--r--src/firejail/fs_home.c4
-rw-r--r--src/firejail/fs_hostname.c6
-rw-r--r--src/firejail/fs_lib.c2
-rw-r--r--src/firejail/fs_logger.c25
-rw-r--r--src/firejail/fs_trace.c9
-rw-r--r--src/firejail/fs_var.c13
-rw-r--r--src/firejail/join.c6
-rw-r--r--src/firejail/ls.c2
-rw-r--r--src/firejail/macros.c2
-rw-r--r--src/firejail/main.c40
-rw-r--r--src/firejail/network.c2
-rw-r--r--src/firejail/network_main.c2
-rw-r--r--src/firejail/no_sandbox.c14
-rw-r--r--src/firejail/preproc.c2
-rw-r--r--src/firejail/profile.c14
-rw-r--r--src/firejail/protocol.c4
-rw-r--r--src/firejail/pulseaudio.c2
-rw-r--r--src/firejail/restrict_users.c8
-rw-r--r--src/firejail/restricted_shell.c4
-rw-r--r--src/firejail/run_files.c6
-rw-r--r--src/firejail/sandbox.c9
-rw-r--r--src/firejail/sbox.c4
-rw-r--r--src/firejail/seccomp.c8
-rw-r--r--src/firejail/shutdown.c2
-rw-r--r--src/firejail/usage.c4
-rw-r--r--src/firejail/util.c25
-rw-r--r--src/firejail/x11.c4
-rw-r--r--src/firemon/firemon.c2
-rw-r--r--src/man/firejail-profile.txt114
-rw-r--r--src/man/firejail.txt43
-rw-r--r--src/profstats/main.c11
-rw-r--r--src/zsh_completion/_firejail.in2
-rwxr-xr-xtest/utils/build.exp32
638 files changed, 2040 insertions, 514 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 40ba00db6..fd1f23954 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -10,6 +10,9 @@ on:
10 - RELNOTES 10 - RELNOTES
11 - SECURITY.md 11 - SECURITY.md
12 - 'etc/**' 12 - 'etc/**'
13 - 'src/firecfg/firecfg.config'
14 - '.github/ISSUE_TEMPLATE/*'
15 - '.github/pull_request_template.md'
13 pull_request: 16 pull_request:
14 branches: [ master ] 17 branches: [ master ]
15 paths-ignore: 18 paths-ignore:
@@ -19,6 +22,9 @@ on:
19 - RELNOTES 22 - RELNOTES
20 - SECURITY.md 23 - SECURITY.md
21 - 'etc/**' 24 - 'etc/**'
25 - 'src/firecfg/firecfg.config'
26 - '.github/ISSUE_TEMPLATE/*'
27 - '.github/pull_request_template.md'
22 28
23jobs: 29jobs:
24 build-clang: 30 build-clang:
@@ -26,19 +32,19 @@ jobs:
26 steps: 32 steps:
27 - uses: actions/checkout@v2 33 - uses: actions/checkout@v2
28 - name: configure 34 - name: configure
29 run: CC=clang-10 ./configure --enable-fatal-warnings 35 run: CC=clang-11 ./configure --enable-fatal-warnings
30 - name: make 36 - name: make
31 run: make 37 run: make
32 scan-build: 38 scan-build:
33 runs-on: ubuntu-20.04 39 runs-on: ubuntu-20.04
34 steps: 40 steps:
35 - uses: actions/checkout@v2 41 - uses: actions/checkout@v2
36 - name: install clang-tools-10 42 - name: install clang-tools-11
37 run: sudo apt-get install clang-tools-10 43 run: sudo apt-get install clang-tools-11
38 - name: configure 44 - name: configure
39 run: CC=clang-10 ./configure --enable-fatal-warnings 45 run: CC=clang-11 ./configure --enable-fatal-warnings
40 - name: scan-build 46 - name: scan-build
41 run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make 47 run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make
42 cppcheck: 48 cppcheck:
43 runs-on: ubuntu-20.04 49 runs-on: ubuntu-20.04
44 steps: 50 steps:
diff --git a/README b/README
index c2736a7b6..99beaf694 100644
--- a/README
+++ b/README
@@ -278,6 +278,7 @@ David Thole (https://github.com/TheDarkTrumpet)
278Davide Beatrici (https://github.com/davidebeatrici) 278Davide Beatrici (https://github.com/davidebeatrici)
279 - steam.profile: correctly blacklist unneeded directories in user's home 279 - steam.profile: correctly blacklist unneeded directories in user's home
280 - minetest fixes 280 - minetest fixes
281 - map /dev/input with "--private-dev", add "--no-input" option to disable it
281David Hyrule (https://github.com/Svaag) 282David Hyrule (https://github.com/Svaag)
282 - remove nou2f in ssh profile 283 - remove nou2f in ssh profile
283Deelvesh Bunjun (https://github.com/DeelveshBunjun) 284Deelvesh Bunjun (https://github.com/DeelveshBunjun)
@@ -553,6 +554,7 @@ Kishore96in (https://github.com/Kishore96in)
553 - okular profile fixes 554 - okular profile fixes
554 - jitsi-meet-desktop profile 555 - jitsi-meet-desktop profile
555 - konversatin profile fix 556 - konversatin profile fix
557 - added Neochat profile
556KOLANICH (https://github.com/KOLANICH) 558KOLANICH (https://github.com/KOLANICH)
557 - added symlink fixer fix_private-bin.py in contrib section 559 - added symlink fixer fix_private-bin.py in contrib section
558 - update fix_private-bin.py 560 - update fix_private-bin.py
@@ -619,6 +621,8 @@ Melvin Vermeeren (https://github.com/melvinvermeeren)
619 - added --noautopulse command line option 621 - added --noautopulse command line option
620Michael Haas (https://github.com/mhaas) 622Michael Haas (https://github.com/mhaas)
621 - bugfixes 623 - bugfixes
624Michael Hoffmann (https://github.com/brisad)
625 - added support for subdirs in private-etc
622Mike Frysinger (vapier@gentoo.org) 626Mike Frysinger (vapier@gentoo.org)
623 - Gentoo compile patch 627 - Gentoo compile patch
624mirabellette (https://github.com/mirabellette) 628mirabellette (https://github.com/mirabellette)
@@ -827,7 +831,7 @@ soredake (https://github.com/soredake)
827 - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile 831 - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile
828 - fix keepassxc.profile 832 - fix keepassxc.profile
829 - fix qtox.profile 833 - fix qtox.profile
830 - add ocaltime to private-etc to make qtox show correct time 834 - add localtime to private-etc to make qtox show correct time
831 - fixes for the keepassxc 2.2.5 version 835 - fixes for the keepassxc 2.2.5 version
832SkewedZeppelin (https://github.com/SkewedZeppelin) 836SkewedZeppelin (https://github.com/SkewedZeppelin)
833 - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles 837 - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
diff --git a/README.md b/README.md
index 5e8d365a2..b8303ff1b 100644
--- a/README.md
+++ b/README.md
@@ -333,4 +333,7 @@ Stats:
333vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, 333vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
334avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop, 334avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
335pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, 335pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum,
336sha256sum, sha384sum, sha512sum, sum, librewold-nightly 336sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
337ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
338pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon
339neochat, node, nvm
diff --git a/RELNOTES b/RELNOTES
index 27064515d..f62bf70bb 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -9,16 +9,25 @@ firejail (0.9.65) baseline; urgency=low
9 * removed --audit options, relpaced by jailtest 9 * removed --audit options, relpaced by jailtest
10 * capabilities list update 10 * capabilities list update
11 * faccessat2 syscall support 11 * faccessat2 syscall support
12 * --private-dev keeps /dev/input
13 * added --noinput to disable /dev/input
14 * Add support for subdirs in --private-etc
12 * compile time: --enable-force-nonewprivs 15 * compile time: --enable-force-nonewprivs
13 * compile time: --disable-output 16 * compile time: --disable-output
14 * compile time: --enable-lts 17 * compile time: --enable-lts
18 * subdirs support in private-etc
19 * input devices support in private-dev, --no-input
15 * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng 20 * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng
16 * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, 21 * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
17 * avidemux, calligragemini, vmware-player, vmware-workstation 22 * avidemux, calligragemini, vmware-player, vmware-workstation
18 * gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr 23 * gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr
19 * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum 24 * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum
20 * bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum 25 * bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum
21 * sha384sum, sha512sum, librewold-nightly 26 * sha384sum, sha512sum, librewold-nightly, Quodlibet, tmux, sway
27 * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper,
28 * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium,
29 * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
30 * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat
22 -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 31 -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500
23 32
24firejail (0.9.64.4) baseline; urgency=low 33firejail (0.9.64.4) baseline; urgency=low
diff --git a/contrib/sort.py b/contrib/sort.py
index 9e5062c3c..c7325facb 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -35,43 +35,16 @@ def sort_alphabetical(raw_items):
35 35
36def sort_protocol(protocols): 36def sort_protocol(protocols):
37 """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" 37 """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
38
38 # shortcut for common protocol lines 39 # shortcut for common protocol lines
39 if protocols in ("unix", "unix,inet,inet6"): 40 if protocols in ("unix", "unix,inet,inet6"):
40 return protocols 41 return protocols
42
41 fixed_protocols = "" 43 fixed_protocols = ""
42 present_protocols = { 44 for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"):
43 "unix": False, 45 for prefix in ("", "-", "+", "="):
44 "inet": False, 46 if f",{prefix}{protocol}," in f",{protocols},":
45 "inet6": False, 47 fixed_protocols += f"{prefix}{protocol},"
46 "netlink": False,
47 "packet": False,
48 "bluetooth": False,
49 }
50 for protocol in protocols.split(","):
51 if protocol == "unix":
52 present_protocols["unix"] = True
53 elif protocol == "inet":
54 present_protocols["inet"] = True
55 elif protocol == "inet6":
56 present_protocols["inet6"] = True
57 elif protocol == "netlink":
58 present_protocols["netlink"] = True
59 elif protocol == "packet":
60 present_protocols["packet"] = True
61 elif protocol == "bluetooth":
62 present_protocols["bluetooth"] = True
63 if present_protocols["unix"]:
64 fixed_protocols += "unix,"
65 if present_protocols["inet"]:
66 fixed_protocols += "inet,"
67 if present_protocols["inet6"]:
68 fixed_protocols += "inet6,"
69 if present_protocols["netlink"]:
70 fixed_protocols += "netlink,"
71 if present_protocols["packet"]:
72 fixed_protocols += "packet,"
73 if present_protocols["bluetooth"]:
74 fixed_protocols += "bluetooth,"
75 return fixed_protocols[:-1] 48 return fixed_protocols[:-1]
76 49
77 50
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index 65eb690ac..8775ae71d 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
49" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) 49" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
50syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained 50syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
51" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below 51" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
52syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained 52syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
53syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained 53syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
54syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained 54syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
55syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained 55syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 41643657d..babe46571 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.java
15noblacklist ${HOME}/.node-gyp 15noblacklist ${HOME}/.node-gyp
16noblacklist ${HOME}/.npm 16noblacklist ${HOME}/.npm
17noblacklist ${HOME}/.npmrc 17noblacklist ${HOME}/.npmrc
18noblacklist ${HOME}/.nvm
18noblacklist ${HOME}/.yarn 19noblacklist ${HOME}/.yarn
19noblacklist ${HOME}/.yarn-config 20noblacklist ${HOME}/.yarn-config
20noblacklist ${HOME}/.yarncache 21noblacklist ${HOME}/.yarncache
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index 78a4bed80..351c94ab8 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -4,3 +4,7 @@ include allow-nodejs.local
4 4
5noblacklist ${PATH}/node 5noblacklist ${PATH}/node
6noblacklist /usr/include/node 6noblacklist /usr/include/node
7
8# Allow python for node-gyp (blacklisted by disable-interpreters.inc)
9include allow-python2.inc
10include allow-python3.inc
diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc
new file mode 100644
index 000000000..b5ff1bd50
--- /dev/null
+++ b/etc/inc/allow-opengl-game.inc
@@ -0,0 +1,3 @@
1noblacklist ${PATH}/bash
2whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
3private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 35f89e11b..2dc53d311 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -338,10 +338,12 @@ read-only ${HOME}/dotfiles
338read-only ${HOME}/.gem 338read-only ${HOME}/.gem
339read-only ${HOME}/.luarocks 339read-only ${HOME}/.luarocks
340read-only ${HOME}/.npm-packages 340read-only ${HOME}/.npm-packages
341read-only ${HOME}/.nvm
341read-only ${HOME}/bin 342read-only ${HOME}/bin
342read-only ${HOME}/.bin 343read-only ${HOME}/.bin
343read-only ${HOME}/.local/bin 344read-only ${HOME}/.local/bin
344read-only ${HOME}/.cargo/bin 345read-only ${HOME}/.cargo/bin
346read-only ${HOME}/.rustup
345 347
346# Write-protection for desktop entries 348# Write-protection for desktop entries
347read-only ${HOME}/.config/menus 349read-only ${HOME}/.config/menus
@@ -366,6 +368,7 @@ blacklist ${HOME}/*.key
366blacklist ${HOME}/.Private 368blacklist ${HOME}/.Private
367blacklist ${HOME}/.caff 369blacklist ${HOME}/.caff
368blacklist ${HOME}/.cargo/credentials 370blacklist ${HOME}/.cargo/credentials
371blacklist ${HOME}/.cargo/credentials.toml
369blacklist ${HOME}/.cert 372blacklist ${HOME}/.cert
370blacklist ${HOME}/.config/keybase 373blacklist ${HOME}/.config/keybase
371blacklist ${HOME}/.davfs2/secrets 374blacklist ${HOME}/.davfs2/secrets
diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc
index 316378cb8..3ed9a1b14 100644
--- a/etc/inc/disable-passwdmgr.inc
+++ b/etc/inc/disable-passwdmgr.inc
@@ -7,6 +7,7 @@ blacklist ${HOME}/.config/KeePass
7blacklist ${HOME}/.config/keepass 7blacklist ${HOME}/.config/keepass
8blacklist ${HOME}/.config/keepassx 8blacklist ${HOME}/.config/keepassx
9blacklist ${HOME}/.config/keepassxc 9blacklist ${HOME}/.config/keepassxc
10blacklist ${HOME}/.config/KeePassXCrc
10blacklist ${HOME}/.config/Sinew Software Systems 11blacklist ${HOME}/.config/Sinew Software Systems
11blacklist ${HOME}/.fpm 12blacklist ${HOME}/.fpm
12blacklist ${HOME}/.keepass 13blacklist ${HOME}/.keepass
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 8ccbae5ca..90abe1d3e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -52,6 +52,7 @@ blacklist ${HOME}/.atom
52blacklist ${HOME}/.attic 52blacklist ${HOME}/.attic
53blacklist ${HOME}/.audacity-data 53blacklist ${HOME}/.audacity-data
54blacklist ${HOME}/.avidemux6 54blacklist ${HOME}/.avidemux6
55blacklist ${HOME}/.ballbuster.hs
55blacklist ${HOME}/.balsa 56blacklist ${HOME}/.balsa
56blacklist ${HOME}/.bcast5 57blacklist ${HOME}/.bcast5
57blacklist ${HOME}/.bibletime 58blacklist ${HOME}/.bibletime
@@ -105,6 +106,7 @@ blacklist ${HOME}/.config/Gpredict
105blacklist ${HOME}/.config/INRIA 106blacklist ${HOME}/.config/INRIA
106blacklist ${HOME}/.config/InSilmaril 107blacklist ${HOME}/.config/InSilmaril
107blacklist ${HOME}/.config/Jitsi Meet 108blacklist ${HOME}/.config/Jitsi Meet
109blacklist ${HOME}/.config/KDE/neochat
108blacklist ${HOME}/.config/Kid3 110blacklist ${HOME}/.config/Kid3
109blacklist ${HOME}/.config/Kingsoft 111blacklist ${HOME}/.config/Kingsoft
110blacklist ${HOME}/.config/Loop_Hero 112blacklist ${HOME}/.config/Loop_Hero
@@ -137,6 +139,7 @@ blacklist ${HOME}/.config/Rambox
137blacklist ${HOME}/.config/Riot 139blacklist ${HOME}/.config/Riot
138blacklist ${HOME}/.config/Rocket.Chat 140blacklist ${HOME}/.config/Rocket.Chat
139blacklist ${HOME}/.config/RogueLegacy 141blacklist ${HOME}/.config/RogueLegacy
142blacklist ${HOME}/.config/RogueLegacyStorageContainer
140blacklist ${HOME}/.config/Signal 143blacklist ${HOME}/.config/Signal
141blacklist ${HOME}/.config/Sinew Software Systems 144blacklist ${HOME}/.config/Sinew Software Systems
142blacklist ${HOME}/.config/Slack 145blacklist ${HOME}/.config/Slack
@@ -220,6 +223,7 @@ blacklist ${HOME}/.config/d-feet
220blacklist ${HOME}/.config/electron-mail 223blacklist ${HOME}/.config/electron-mail
221blacklist ${HOME}/.config/emaildefaults 224blacklist ${HOME}/.config/emaildefaults
222blacklist ${HOME}/.config/emailidentities 225blacklist ${HOME}/.config/emailidentities
226blacklist ${HOME}/.config/emilia
223blacklist ${HOME}/.config/enchant 227blacklist ${HOME}/.config/enchant
224blacklist ${HOME}/.config/eog 228blacklist ${HOME}/.config/eog
225blacklist ${HOME}/.config/epiphany 229blacklist ${HOME}/.config/epiphany
@@ -339,6 +343,8 @@ blacklist ${HOME}/.config/mypaint
339blacklist ${HOME}/.config/nano 343blacklist ${HOME}/.config/nano
340blacklist ${HOME}/.config/nautilus 344blacklist ${HOME}/.config/nautilus
341blacklist ${HOME}/.config/nemo 345blacklist ${HOME}/.config/nemo
346blacklist ${HOME}/.config/neochatrc
347blacklist ${HOME}/.config/neochat.notifyrc
342blacklist ${HOME}/.config/neomutt 348blacklist ${HOME}/.config/neomutt
343blacklist ${HOME}/.config/netsurf 349blacklist ${HOME}/.config/netsurf
344blacklist ${HOME}/.config/newsbeuter 350blacklist ${HOME}/.config/newsbeuter
@@ -479,6 +485,7 @@ blacklist ${HOME}/.equalx
479blacklist ${HOME}/.ethereum 485blacklist ${HOME}/.ethereum
480blacklist ${HOME}/.etr 486blacklist ${HOME}/.etr
481blacklist ${HOME}/.filezilla 487blacklist ${HOME}/.filezilla
488blacklist ${HOME}/.firedragon
482blacklist ${HOME}/.flowblade 489blacklist ${HOME}/.flowblade
483blacklist ${HOME}/.fltk 490blacklist ${HOME}/.fltk
484blacklist ${HOME}/.fossamail 491blacklist ${HOME}/.fossamail
@@ -490,6 +497,8 @@ blacklist ${HOME}/.frozen-bubble
490blacklist ${HOME}/.gimp* 497blacklist ${HOME}/.gimp*
491blacklist ${HOME}/.gist 498blacklist ${HOME}/.gist
492blacklist ${HOME}/.gitconfig 499blacklist ${HOME}/.gitconfig
500blacklist ${HOME}/.gl-117
501blacklist ${HOME}/.glaxiumrc
493blacklist ${HOME}/.gnome/gnome-schedule 502blacklist ${HOME}/.gnome/gnome-schedule
494blacklist ${HOME}/.googleearth 503blacklist ${HOME}/.googleearth
495blacklist ${HOME}/.gradle 504blacklist ${HOME}/.gradle
@@ -595,6 +604,7 @@ blacklist ${HOME}/.local/share/Empathy
595blacklist ${HOME}/.local/share/Enpass 604blacklist ${HOME}/.local/share/Enpass
596blacklist ${HOME}/.local/share/Flavio Tordini 605blacklist ${HOME}/.local/share/Flavio Tordini
597blacklist ${HOME}/.local/share/JetBrains 606blacklist ${HOME}/.local/share/JetBrains
607blacklist ${HOME}/.local/share/KDE/neochat
598blacklist ${HOME}/.local/share/Kingsoft 608blacklist ${HOME}/.local/share/Kingsoft
599blacklist ${HOME}/.local/share/Mendeley Ltd. 609blacklist ${HOME}/.local/share/Mendeley Ltd.
600blacklist ${HOME}/.local/share/Mumble 610blacklist ${HOME}/.local/share/Mumble
@@ -607,7 +617,8 @@ blacklist ${HOME}/.local/share/QGIS
607blacklist ${HOME}/.local/share/QMediathekView 617blacklist ${HOME}/.local/share/QMediathekView
608blacklist ${HOME}/.local/share/QuiteRss 618blacklist ${HOME}/.local/share/QuiteRss
609blacklist ${HOME}/.local/share/Ricochet 619blacklist ${HOME}/.local/share/Ricochet
610blacklist ${HOME}/.local/share/RogueLegacy* 620blacklist ${HOME}/.local/share/RogueLegacy
621blacklist ${HOME}/.local/share/RogueLegacyStorageContainer
611blacklist ${HOME}/.local/share/Shortwave 622blacklist ${HOME}/.local/share/Shortwave
612blacklist ${HOME}/.local/share/Steam 623blacklist ${HOME}/.local/share/Steam
613blacklist ${HOME}/.local/share/SteamWorldDig 624blacklist ${HOME}/.local/share/SteamWorldDig
@@ -637,6 +648,7 @@ blacklist ${HOME}/.local/share/cdprojektred
637blacklist ${HOME}/.local/share/clipit 648blacklist ${HOME}/.local/share/clipit
638blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate 649blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
639blacklist ${HOME}/.local/share/contacts 650blacklist ${HOME}/.local/share/contacts
651blacklist ${HOME}/.local/share/cor-games
640blacklist ${HOME}/.local/share/data/Mendeley Ltd. 652blacklist ${HOME}/.local/share/data/Mendeley Ltd.
641blacklist ${HOME}/.local/share/data/Mumble 653blacklist ${HOME}/.local/share/data/Mumble
642blacklist ${HOME}/.local/share/data/MusE 654blacklist ${HOME}/.local/share/data/MusE
@@ -804,6 +816,7 @@ blacklist ${HOME}/.node-gyp
804blacklist ${HOME}/.npm 816blacklist ${HOME}/.npm
805blacklist ${HOME}/.npmrc 817blacklist ${HOME}/.npmrc
806blacklist ${HOME}/.nv 818blacklist ${HOME}/.nv
819blacklist ${HOME}/.nvm
807blacklist ${HOME}/.nylas-mail 820blacklist ${HOME}/.nylas-mail
808blacklist ${HOME}/.openarena 821blacklist ${HOME}/.openarena
809blacklist ${HOME}/.opencity 822blacklist ${HOME}/.opencity
@@ -844,6 +857,7 @@ blacklist ${HOME}/.steampid
844blacklist ${HOME}/.stellarium 857blacklist ${HOME}/.stellarium
845blacklist ${HOME}/.subversion 858blacklist ${HOME}/.subversion
846blacklist ${HOME}/.surf 859blacklist ${HOME}/.surf
860blacklist ${HOME}/.suve/colorful
847blacklist ${HOME}/.swb.ini 861blacklist ${HOME}/.swb.ini
848blacklist ${HOME}/.sword 862blacklist ${HOME}/.sword
849blacklist ${HOME}/.sylpheed-2.0 863blacklist ${HOME}/.sylpheed-2.0
@@ -952,6 +966,7 @@ blacklist ${HOME}/.cache/epiphany
952blacklist ${HOME}/.cache/evolution 966blacklist ${HOME}/.cache/evolution
953blacklist ${HOME}/.cache/falkon 967blacklist ${HOME}/.cache/falkon
954blacklist ${HOME}/.cache/feedreader 968blacklist ${HOME}/.cache/feedreader
969blacklist ${HOME}/.cache/firedragon
955blacklist ${HOME}/.cache/flaska.net/trojita 970blacklist ${HOME}/.cache/flaska.net/trojita
956blacklist ${HOME}/.cache/folks 971blacklist ${HOME}/.cache/folks
957blacklist ${HOME}/.cache/font-manager 972blacklist ${HOME}/.cache/font-manager
@@ -983,6 +998,7 @@ blacklist ${HOME}/.cache/inkscape
983blacklist ${HOME}/.cache/inox 998blacklist ${HOME}/.cache/inox
984blacklist ${HOME}/.cache/iridium 999blacklist ${HOME}/.cache/iridium
985blacklist ${HOME}/.cache/kcmshell5 1000blacklist ${HOME}/.cache/kcmshell5
1001blacklist ${HOME}/.cache/KDE/neochat
986blacklist ${HOME}/.cache/kdenlive 1002blacklist ${HOME}/.cache/kdenlive
987blacklist ${HOME}/.cache/keepassxc 1003blacklist ${HOME}/.cache/keepassxc
988blacklist ${HOME}/.cache/kfind 1004blacklist ${HOME}/.cache/kfind
diff --git a/etc/inc/whitelist-1793-workaround.inc b/etc/inc/whitelist-1793-workaround.inc
new file mode 100644
index 000000000..862837f12
--- /dev/null
+++ b/etc/inc/whitelist-1793-workaround.inc
@@ -0,0 +1,29 @@
1# This file is overwritten during software install.
2# Persistent customizations should go in a .local file.
3include whitelist-1793-workaround.local
4# This works around bug 1793, and allows whitelisting to be used for some KDE applications.
5
6noblacklist ${HOME}/.config/ibus
7noblacklist ${HOME}/.config/mimeapps.list
8noblacklist ${HOME}/.config/pkcs11
9noblacklist ${HOME}/.config/user-dirs.dirs
10noblacklist ${HOME}/.config/user-dirs.locale
11noblacklist ${HOME}/.config/dconf
12noblacklist ${HOME}/.config/fontconfig
13noblacklist ${HOME}/.config/gtk-2.0
14noblacklist ${HOME}/.config/gtk-3.0
15noblacklist ${HOME}/.config/gtk-4.0
16noblacklist ${HOME}/.config/gtkrc
17noblacklist ${HOME}/.config/gtkrc-2.0
18noblacklist ${HOME}/.config/Kvantum
19noblacklist ${HOME}/.config/Trolltech.conf
20noblacklist ${HOME}/.config/QtProject.conf
21noblacklist ${HOME}/.config/kdeglobals
22noblacklist ${HOME}/.config/kio_httprc
23noblacklist ${HOME}/.config/kioslaverc
24noblacklist ${HOME}/.config/ksslcablacklist
25noblacklist ${HOME}/.config/qt5ct
26noblacklist ${HOME}/.config/qtcurve
27
28blacklist ${HOME}/.config/*
29whitelist ${HOME}/.config
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index 0a1030b34..48309ffe3 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -13,3 +13,4 @@ whitelist ${RUNUSER}/pulse/native
13whitelist ${RUNUSER}/wayland-0 13whitelist ${RUNUSER}/wayland-0
14whitelist ${RUNUSER}/wayland-1 14whitelist ${RUNUSER}/wayland-1
15whitelist ${RUNUSER}/xauth_* 15whitelist ${RUNUSER}/xauth_*
16whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
diff --git a/etc/inc/whitelist-var-common.inc b/etc/inc/whitelist-var-common.inc
index 1c077b232..d8ba84ad0 100644
--- a/etc/inc/whitelist-var-common.inc
+++ b/etc/inc/whitelist-var-common.inc
@@ -4,6 +4,7 @@ include whitelist-var-common.local
4 4
5# common /var whitelist for all profiles 5# common /var whitelist for all profiles
6 6
7whitelist /var/lib/aspell
7whitelist /var/lib/ca-certificates 8whitelist /var/lib/ca-certificates
8whitelist /var/lib/dbus 9whitelist /var/lib/dbus
9whitelist /var/lib/menu-xdg 10whitelist /var/lib/menu-xdg
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index c4e820078..454a15ab2 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -34,6 +34,7 @@ caps.drop all
34netfilter 34netfilter
35nodvd 35nodvd
36nogroups 36nogroups
37noinput
37nonewprivs 38nonewprivs
38noroot 39noroot
39notv 40notv
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
index 12268706a..1d787cba7 100644
--- a/etc/profile-a-l/2048-qt.profile
+++ b/etc/profile-a-l/2048-qt.profile
@@ -28,6 +28,7 @@ caps.drop all
28net none 28net none
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
index e9cc07bd7..1d86b0fbf 100644
--- a/etc/profile-a-l/Cryptocat.profile
+++ b/etc/profile-a-l/Cryptocat.profile
@@ -17,6 +17,7 @@ caps.drop all
17netfilter 17netfilter
18nodvd 18nodvd
19nogroups 19nogroups
20noinput
20nonewprivs 21nonewprivs
21noroot 22noroot
22nosound 23nosound
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
index d318da885..7dc6b5ff0 100644
--- a/etc/profile-a-l/Fritzing.profile
+++ b/etc/profile-a-l/Fritzing.profile
@@ -24,6 +24,7 @@ ipc-namespace
24netfilter 24netfilter
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
index 45ec71e63..d10b70796 100644
--- a/etc/profile-a-l/JDownloader.profile
+++ b/etc/profile-a-l/JDownloader.profile
@@ -30,6 +30,7 @@ netfilter
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index 1fdc9e9fe..75da9a956 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -28,6 +28,7 @@ net none
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index 6d5dab41a..34f59769e 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -32,11 +32,11 @@ caps.drop all
32hostname agetpkg 32hostname agetpkg
33ipc-namespace 33ipc-namespace
34machine-id 34machine-id
35noautopulse
36netfilter 35netfilter
37no3d 36no3d
38nodvd 37nodvd
39nogroups 38nogroups
39noinput
40nonewprivs 40nonewprivs
41noroot 41noroot
42nosound 42nosound
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 4ab1967a6..37fdb38b5 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -40,6 +40,7 @@ netfilter
40no3d 40no3d
41nodvd 41nodvd
42nogroups 42nogroups
43noinput
43# nonewprivs 44# nonewprivs
44noroot 45noroot
45nosound 46nosound
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index 6a4d775e7..38fcd2dc1 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -33,6 +33,7 @@ netfilter
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38notv 39notv
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 57b5e5d95..4c6d68020 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -37,6 +37,7 @@ net none
37nodvd 37nodvd
38no3d 38no3d
39nogroups 39nogroups
40noinput
40nonewprivs 41nonewprivs
41noroot 42noroot
42nosound 43nosound
diff --git a/etc/profile-a-l/alienarena-wrapper.profile b/etc/profile-a-l/alienarena-wrapper.profile
new file mode 100644
index 000000000..b31996cd2
--- /dev/null
+++ b/etc/profile-a-l/alienarena-wrapper.profile
@@ -0,0 +1,14 @@
1# Firejail profile for alienarena-wrapper
2# This file is overwritten after every install/update
3# Persistent local customizations
4include alienarena-wrapper.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
8
9include allow-opengl-game.inc
10
11private-bin alienarena-wrapper
12
13# Redirect
14include alienarena.profile
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
new file mode 100644
index 000000000..81ee6bd46
--- /dev/null
+++ b/etc/profile-a-l/alienarena.profile
@@ -0,0 +1,53 @@
1# Firejail profile for alienarena
2# Description: Multiplayer retro sci-fi deathmatch game
3# This file is overwritten after every install/update
4# Persistent local customizations
5include alienarena.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.local/share/cor-games
10
11include disable-common.inc
12include disable-devel.inc
13include disable-exec.inc
14include disable-interpreters.inc
15include disable-passwdmgr.inc
16include disable-programs.inc
17include disable-shell.inc
18include disable-xdg.inc
19
20mkdir ${HOME}/.local/share/cor-games
21whitelist ${HOME}/.local/share/cor-games
22whitelist /usr/share/alienarena
23include whitelist-common.inc
24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc
26include whitelist-var-common.inc
27
28apparmor
29caps.drop all
30netfilter
31nodvd
32nogroups
33noinput
34nonewprivs
35noroot
36notv
37nou2f
38novideo
39protocol unix,inet,inet6
40seccomp
41seccomp.block-secondary
42shell none
43tracelog
44
45disable-mnt
46private-bin alienarena
47private-cache
48private-dev
49private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11
50private-tmp
51
52dbus-user none
53dbus-system none
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index 678b97be2..a7caddc4c 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -20,6 +20,7 @@ include whitelist-var-common.inc
20caps.drop all 20caps.drop all
21netfilter 21netfilter
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25notv 26notv
@@ -34,14 +35,14 @@ private-dev
34# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl 35# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
35private-tmp 36private-tmp
36 37
37# If you ain't on kde-plasma you need to uncomment the following
38dbus-user filter 38dbus-user filter
39dbus-user.own org.kde.amarok 39dbus-user.own org.kde.amarok
40#dbus-user.own org.kde.kded
41#dbus-user.own org.kde.klauncher
42dbus-user.own org.mpris.amarok 40dbus-user.own org.mpris.amarok
43dbus-user.own org.mpris.MediaPlayer2.amarok 41dbus-user.own org.mpris.MediaPlayer2.amarok
44dbus-user.talk org.freedesktop.Notifications 42dbus-user.talk org.freedesktop.Notifications
45#dbus-user.talk org.kde.knotify
46dbus-user.talk org.kde.StatusNotifierWatcher 43dbus-user.talk org.kde.StatusNotifierWatcher
44# If you're not on kde-plasma add the next lines to your amarok.local.
45#dbus-user.own org.kde.kded
46#dbus-user.own org.kde.klauncher
47#dbus-user.talk org.kde.knotify
47dbus-system none 48dbus-system none
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index feb4a5e7e..e3c4164ee 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -26,6 +26,7 @@ netfilter
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index 61e5f2eea..ef60e91c2 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -35,6 +35,7 @@ netfilter
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40nosound 41nosound
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile
index c847a04dc..fdaf10259 100644
--- a/etc/profile-a-l/anydesk.profile
+++ b/etc/profile-a-l/anydesk.profile
@@ -22,6 +22,7 @@ caps.drop all
22netfilter 22netfilter
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27notv 28notv
diff --git a/etc/profile-a-l/apktool.profile b/etc/profile-a-l/apktool.profile
index 39c5da9ab..4ea43c434 100644
--- a/etc/profile-a-l/apktool.profile
+++ b/etc/profile-a-l/apktool.profile
@@ -20,6 +20,7 @@ net none
20no3d 20no3d
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index f265c8406..54abdb234 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -47,6 +47,7 @@ net none
47no3d 47no3d
48nodvd 48nodvd
49nogroups 49nogroups
50noinput
50nonewprivs 51nonewprivs
51noroot 52noroot
52nosound 53nosound
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
index 934b89404..accabb6f5 100644
--- a/etc/profile-a-l/arch-audit.profile
+++ b/etc/profile-a-l/arch-audit.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index 0ab6465ca..1fab4606b 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -31,6 +31,7 @@ net none
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35#noroot 36#noroot
36nosound 37nosound
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile
index a27cb4f6e..84b1d6c18 100644
--- a/etc/profile-a-l/ardour5.profile
+++ b/etc/profile-a-l/ardour5.profile
@@ -25,6 +25,7 @@ ipc-namespace
25net none 25net none
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index bef708bdc..22b8ecd65 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index 4b81b2717..a63dd8f5f 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -26,6 +26,7 @@ caps.drop all
26netfilter 26netfilter
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 51dad94d1..2c8b630ce 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index adb33fae1..fab72b7d3 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -41,6 +41,7 @@ ipc-namespace
41no3d 41no3d
42nodvd 42nodvd
43nogroups 43nogroups
44noinput
44nonewprivs 45nonewprivs
45noroot 46noroot
46nosound 47nosound
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile
index 1332f4db4..977fe30a4 100644
--- a/etc/profile-a-l/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@@ -29,6 +29,7 @@ net none
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
index 33dd4103f..c97fd691a 100644
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -28,6 +28,7 @@ caps.drop all
28netfilter 28netfilter
29no3d 29no3d
30# nogroups 30# nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nou2f 34nou2f
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index 2b032e977..1c3ed66ff 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -29,6 +29,7 @@ machine-id
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index 2e1f6f32a..f9f209786 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -24,6 +24,7 @@ apparmor
24caps.drop all 24caps.drop all
25netfilter 25netfilter
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29notv 30notv
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index a11e59553..a2de8436a 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -27,6 +27,7 @@ net none
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index b2ed3b030..2c7fdc812 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
20whitelist ${MUSIC} 20whitelist ${MUSIC}
21whitelist ${DOWNLOADS} 21whitelist ${DOWNLOADS}
22whitelist /usr/share/audio-recorder 22whitelist /usr/share/audio-recorder
23whitelist /usr/share/gstreamer-1.0
23include whitelist-common.inc 24include whitelist-common.inc
24include whitelist-usr-share-common.inc 25include whitelist-usr-share-common.inc
25include whitelist-var-common.inc 26include whitelist-var-common.inc
@@ -44,7 +45,11 @@ tracelog
44disable-mnt 45disable-mnt
45# private-bin audio-recorder 46# private-bin audio-recorder
46private-cache 47private-cache
47private-etc alternatives,fonts 48private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
48private-tmp 49private-tmp
49 50
51dbus-user filter
52dbus-user.talk ca.desrt.dconf
53dbus-system none
54
50# memory-deny-write-execute - breaks on Arch 55# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index fb12018f5..2ebe35dd5 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -32,6 +32,7 @@ netfilter
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 131b20c70..42d9cd56a 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -26,6 +26,7 @@ netfilter
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index b1a77c0a4..891928e5a 100644
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -27,6 +27,7 @@ caps.drop all
27netfilter 27netfilter
28no3d 28no3d
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nou2f 33nou2f
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile
index b5d662d60..1ecc03da1 100644
--- a/etc/profile-a-l/avidemux.profile
+++ b/etc/profile-a-l/avidemux.profile
@@ -33,6 +33,7 @@ caps.drop all
33net none 33net none
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38notv 39notv
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile
index 44c3110a0..a57ad4014 100644
--- a/etc/profile-a-l/aweather.profile
+++ b/etc/profile-a-l/aweather.profile
@@ -24,6 +24,7 @@ caps.drop all
24netfilter 24netfilter
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-a-l/ballbuster-wrapper.profile b/etc/profile-a-l/ballbuster-wrapper.profile
new file mode 100644
index 000000000..419dcaab5
--- /dev/null
+++ b/etc/profile-a-l/ballbuster-wrapper.profile
@@ -0,0 +1,14 @@
1# Firejail profile for ballbuster-wrapper
2# This file is overwritten after every install/update
3# Persistent local customizations
4include ballbuster-wrapper.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
8
9include allow-opengl-game.inc
10
11private-bin ballbuster-wrapper
12
13# Redirect
14include ballbuster.profile
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile
new file mode 100644
index 000000000..3952921a3
--- /dev/null
+++ b/etc/profile-a-l/ballbuster.profile
@@ -0,0 +1,53 @@
1# Firejail profile for ballbuster
2# Description: Move the paddle to bounce the ball and break all the bricks
3# This file is overwritten after every install/update
4# Persistent local customizations
5include ballbuster.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.ballbuster.hs
10
11include disable-common.inc
12include disable-devel.inc
13include disable-exec.inc
14include disable-interpreters.inc
15include disable-passwdmgr.inc
16include disable-programs.inc
17include disable-shell.inc
18include disable-xdg.inc
19
20mkfile ${HOME}/.ballbuster.hs
21whitelist ${HOME}/.ballbuster.hs
22whitelist /usr/share/ballbuster
23include whitelist-common.inc
24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc
26include whitelist-var-common.inc
27
28apparmor
29caps.drop all
30net none
31nodvd
32nogroups
33noinput
34nonewprivs
35noroot
36notv
37nou2f
38novideo
39protocol unix
40seccomp
41seccomp.block-secondary
42shell none
43tracelog
44
45disable-mnt
46private-bin ballbuster
47private-cache
48private-dev
49private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse
50private-tmp
51
52dbus-user none
53dbus-system none
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 785e37a16..fe86d9b80 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -36,6 +36,7 @@ netfilter
36no3d 36no3d
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 573776a71..8c69652c5 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -49,6 +49,7 @@ netfilter
49no3d 49no3d
50nodvd 50nodvd
51nogroups 51nogroups
52noinput
52nonewprivs 53nonewprivs
53noroot 54noroot
54nosound 55nosound
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 4401c9dfd..ac03c663a 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -22,6 +22,7 @@ net none
22no3d 22no3d
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27nosound 28nosound
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile
index f5da3782e..7b50e9199 100644
--- a/etc/profile-a-l/barrier.profile
+++ b/etc/profile-a-l/barrier.profile
@@ -26,6 +26,7 @@ netfilter
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index 5c93f8be9..3ecaea7fe 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -29,6 +29,7 @@ net none
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 235b84be3..c7a82afbd 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -38,6 +38,7 @@ machine-id
38netfilter 38netfilter
39nodvd 39nodvd
40nogroups 40nogroups
41noinput
41nonewprivs 42nonewprivs
42noroot 43noroot
43nosound 44nosound
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index b074cc0b0..721a6c082 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -22,6 +22,7 @@ whitelist ${HOME}/.local/share/bijiben
22whitelist ${HOME}/.cache/tracker 22whitelist ${HOME}/.cache/tracker
23whitelist /usr/share/bijiben 23whitelist /usr/share/bijiben
24whitelist /usr/share/tracker 24whitelist /usr/share/tracker
25whitelist /usr/share/tracker3
25include whitelist-common.inc 26include whitelist-common.inc
26include whitelist-runuser-common.inc 27include whitelist-runuser-common.inc
27include whitelist-usr-share-common.inc 28include whitelist-usr-share-common.inc
@@ -33,6 +34,7 @@ machine-id
33net none 34net none
34nodvd 35nodvd
35nogroups 36nogroups
37noinput
36nonewprivs 38nonewprivs
37noroot 39noroot
38nosound 40nosound
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
index 3a3f2b62c..932db9b73 100644
--- a/etc/profile-a-l/bitcoin-qt.profile
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -30,6 +30,7 @@ netfilter
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index 62eeb88f3..dd7651979 100644
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -23,6 +23,7 @@ include disable-xdg.inc
23netfilter 23netfilter
24no3d 24no3d
25nodvd 25nodvd
26noinput
26nonewprivs 27nonewprivs
27nosound 28nosound
28notv 29notv
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index 41f8e51fd..bef25276d 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -32,6 +32,7 @@ netfilter
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index 8f230a413..09fa24577 100644
--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -22,6 +22,7 @@ net none
22no3d 22no3d
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27nosound 28nosound
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile
index 0f80f0a63..701ae431e 100644
--- a/etc/profile-a-l/blender.profile
+++ b/etc/profile-a-l/blender.profile
@@ -28,6 +28,7 @@ caps.drop all
28netfilter 28netfilter
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 216e86109..80dc750f7 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -22,6 +22,7 @@ net none
22no3d 22no3d
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27nosound 28nosound
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index d43a9d241..904710cb5 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -29,6 +29,7 @@ caps.drop all
29net none 29net none
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile
index 88ac9c0ed..f28435987 100644
--- a/etc/profile-a-l/bluefish.profile
+++ b/etc/profile-a-l/bluefish.profile
@@ -21,6 +21,7 @@ net none
21no3d 21no3d
22nodvd 22nodvd
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26nosound 27nosound
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
index 70f62813e..0cbac049a 100644
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -20,6 +20,7 @@ caps.drop all
20netfilter 20netfilter
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile
index f06bead1e..bda96bbb3 100644
--- a/etc/profile-a-l/bzflag.profile
+++ b/etc/profile-a-l/bzflag.profile
@@ -27,6 +27,7 @@ ipc-namespace
27netfilter 27netfilter
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
index d17cfa85f..83571397b 100644
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -24,6 +24,7 @@ caps.drop all
24netfilter 24netfilter
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index a14433369..fcff47662 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -20,6 +20,7 @@ ipc-namespace
20netfilter 20netfilter
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25notv 26notv
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
index 294bb31b3..96f88a7c4 100644
--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -27,6 +27,7 @@ include disable-xdg.inc
27caps.drop all 27caps.drop all
28ipc-namespace 28ipc-namespace
29netfilter 29netfilter
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nou2f 33nou2f
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 3d29c3817..6e137010c 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -24,6 +24,7 @@ netfilter
24no3d 24no3d
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 6a76dc129..f02161b9b 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -41,6 +41,7 @@ apparmor
41caps.drop all 41caps.drop all
42netfilter 42netfilter
43nogroups 43nogroups
44noinput
44nonewprivs 45nonewprivs
45noroot 46noroot
46nou2f 47nou2f
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
index d7f8674e8..24939fc70 100644
--- a/etc/profile-a-l/checkbashisms.profile
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -33,6 +33,7 @@ net none
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile
index 70dea5bd9..7621b3c8c 100644
--- a/etc/profile-a-l/cherrytree.profile
+++ b/etc/profile-a-l/cherrytree.profile
@@ -26,6 +26,7 @@ net none
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index e9bef8df7..f7493aa82 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -12,6 +12,10 @@ include chromium-common.local
12noblacklist ${HOME}/.pki 12noblacklist ${HOME}/.pki
13noblacklist ${HOME}/.local/share/pki 13noblacklist ${HOME}/.local/share/pki
14 14
15# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
16# to have access to Gnome extensions (extensions.gnome.org) via browser connector
17#include allow-python3.inc
18
15include disable-common.inc 19include disable-common.inc
16include disable-devel.inc 20include disable-devel.inc
17include disable-exec.inc 21include disable-exec.inc
@@ -41,6 +45,7 @@ caps.keep sys_admin,sys_chroot
41netfilter 45netfilter
42nodvd 46nodvd
43nogroups 47nogroups
48noinput
44notv 49notv
45?BROWSER_DISABLE_U2F: nou2f 50?BROWSER_DISABLE_U2F: nou2f
46shell none 51shell none
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index 14f1bbe64..9ac33aa1c 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.cache/chromium
16whitelist ${HOME}/.config/chromium 16whitelist ${HOME}/.config/chromium
17whitelist ${HOME}/.config/chromium-flags.conf 17whitelist ${HOME}/.config/chromium-flags.conf
18whitelist /usr/share/chromium 18whitelist /usr/share/chromium
19whitelist /usr/share/mozilla/extensions
19 20
20# private-bin chromium,chromium-browser,chromedriver 21# private-bin chromium,chromium-browser,chromedriver
21 22
diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile
index 8c3fb42d1..e1f9523c4 100644
--- a/etc/profile-a-l/cin.profile
+++ b/etc/profile-a-l/cin.profile
@@ -19,13 +19,14 @@ ipc-namespace
19net none 19net none
20nodvd 20nodvd
21#nogroups 21#nogroups
22noinput
22nonewprivs 23nonewprivs
23notv 24notv
24nou2f 25nou2f
25noroot 26noroot
26protocol unix 27protocol unix
27 28
28# if an 1-1.2% gap per thread hurts you, comment seccomp 29# If a 1-1.2% gap per thread hurts you, add 'ignore seccomp' to your cin.local.
29seccomp 30seccomp
30shell none 31shell none
31 32
diff --git a/etc/profile-a-l/clamav.profile b/etc/profile-a-l/clamav.profile
index 2726ab5af..e403c2c41 100644
--- a/etc/profile-a-l/clamav.profile
+++ b/etc/profile-a-l/clamav.profile
@@ -17,6 +17,7 @@ net none
17no3d 17no3d
18nodvd 18nodvd
19nogroups 19nogroups
20noinput
20nonewprivs 21nonewprivs
21noroot 22noroot
22nosound 23nosound
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile
index 4425a2bd0..2a06178a5 100644
--- a/etc/profile-a-l/clamtk.profile
+++ b/etc/profile-a-l/clamtk.profile
@@ -13,6 +13,7 @@ net none
13no3d 13no3d
14nodvd 14nodvd
15nogroups 15nogroups
16noinput
16nonewprivs 17nonewprivs
17noroot 18noroot
18nosound 19nosound
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index f71b35c26..9b62a1f73 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -30,6 +30,7 @@ net none
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index 387b5f0a7..fa33795c1 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -24,6 +24,7 @@ include whitelist-runuser-common.inc
24 24
25apparmor 25apparmor
26caps.drop all 26caps.drop all
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29notv 30notv
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index 09246ccbc..22cecff09 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -24,6 +24,7 @@ caps.drop all
24netfilter 24netfilter
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29notv 30notv
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index 130d23522..c8258da07 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -27,6 +27,7 @@ machine-id
27netfilter 27netfilter
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
index 66b5fc859..d421903a3 100644
--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -33,6 +33,7 @@ net none
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index 6f8a25211..e19b78908 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -21,6 +21,7 @@ caps.drop all
21netfilter 21netfilter
22nodvd 22nodvd
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26nosound 27nosound
diff --git a/etc/profile-a-l/colorful-wrapper.profile b/etc/profile-a-l/colorful-wrapper.profile
new file mode 100644
index 000000000..4b762047d
--- /dev/null
+++ b/etc/profile-a-l/colorful-wrapper.profile
@@ -0,0 +1,14 @@
1# Firejail profile for colorful-wrapper
2# This file is overwritten after every install/update
3# Persistent local customizations
4include colorful-wrapper.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
8
9include allow-opengl-game.inc
10
11private-bin colorful-wrapper
12
13# Redirect
14include colorful.profile
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile
new file mode 100644
index 000000000..bd6d8f5b0
--- /dev/null
+++ b/etc/profile-a-l/colorful.profile
@@ -0,0 +1,53 @@
1# Firejail profile for colorful
2# Description: simple 2D sideview shooter
3# This file is overwritten after every install/update
4# Persistent local customizations
5include colorful.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.suve/colorful
10
11include disable-common.inc
12include disable-devel.inc
13include disable-exec.inc
14include disable-interpreters.inc
15include disable-passwdmgr.inc
16include disable-programs.inc
17include disable-shell.inc
18include disable-xdg.inc
19
20mkdir ${HOME}/.suve/colorful
21whitelist ${HOME}/.suve/colorful
22whitelist /usr/share/suve
23include whitelist-common.inc
24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc
26include whitelist-var-common.inc
27
28apparmor
29caps.drop all
30net none
31nodvd
32nogroups
33noinput
34nonewprivs
35noroot
36notv
37nou2f
38novideo
39protocol unix
40seccomp
41seccomp.block-secondary
42shell none
43tracelog
44
45disable-mnt
46private-bin colorful
47private-cache
48private-dev
49private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse
50private-tmp
51
52dbus-user none
53dbus-system none
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 4de7eb497..c8bdfec23 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -31,6 +31,7 @@ machine-id
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index 77b6c7bd8..b467a0f7a 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -37,6 +37,7 @@ net none
37no3d 37no3d
38nodvd 38nodvd
39nogroups 39nogroups
40noinput
40nonewprivs 41nonewprivs
41noroot 42noroot
42nosound 43nosound
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index c1800fe4c..c13f9618b 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -40,6 +40,7 @@ machine-id
40net none 40net none
41nodvd 41nodvd
42nogroups 42nogroups
43noinput
43nonewprivs 44nonewprivs
44noroot 45noroot
45nosound 46nosound
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile
index 8be06a4b3..d0402d188 100644
--- a/etc/profile-a-l/com.github.phase1geo.minder.profile
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -36,6 +36,7 @@ net none
36no3d 36no3d
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile
index e5cd7085a..eaa18739d 100644
--- a/etc/profile-a-l/conky.profile
+++ b/etc/profile-a-l/conky.profile
@@ -28,6 +28,7 @@ netfilter
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
index e9a2c9441..2fb446e2a 100644
--- a/etc/profile-a-l/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -23,6 +23,7 @@ caps.drop all
23netfilter 23netfilter
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28notv 29notv
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 2c6b15e02..1635995dc 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 75813c494..7ece35c2b 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -28,6 +28,7 @@ caps.drop all
28netfilter 28netfilter
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile
index 3da2413d9..b10216895 100644
--- a/etc/profile-a-l/crawl.profile
+++ b/etc/profile-a-l/crawl.profile
@@ -27,6 +27,7 @@ net none
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index db4be7679..02b15ecc2 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -27,6 +27,7 @@ netfilter
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 9366edfa1..c9867c5d7 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -36,6 +36,7 @@ netfilter
36no3d 36no3d
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 7e622799a..ba1e7adad 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -36,6 +36,7 @@ ipc-namespace
36no3d 36no3d
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile
index 2a71ad11c..61fa52928 100644
--- a/etc/profile-a-l/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
@@ -22,6 +22,7 @@ caps.drop all
22netfilter 22netfilter
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27nosound 28nosound
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 0000de441..67a61bb60 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -35,6 +35,7 @@ netfilter
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40nosound 41nosound
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index b41a73916..0c221850a 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -27,6 +27,7 @@ caps.drop all
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index ea19b2209..be7514cbf 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -30,6 +30,7 @@ net none
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index 8e67d9daa..a221ebbd7 100644
--- a/etc/profile-a-l/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -21,6 +21,7 @@ caps.drop all
21netfilter 21netfilter
22no3d 22no3d
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26notv 27notv
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 2ecf1a45d..5bdf5df7f 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -32,12 +32,13 @@ netfilter
32# no3d 32# no3d
33# nodvd 33# nodvd
34# nogroups 34# nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37# nosound 38# nosound
38# notv 39notv
39# nou2f 40# nou2f
40# novideo 41novideo
41protocol unix,inet,inet6 42protocol unix,inet,inet6
42seccomp 43seccomp
43# shell none 44# shell none
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index 17c5059f5..ad7aa6ed5 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -30,6 +30,7 @@ caps.drop all
30machine-id 30machine-id
31netfilter 31netfilter
32nodvd 32nodvd
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile
index 9a98c4933..212cdab60 100644
--- a/etc/profile-a-l/desktopeditors.profile
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -26,6 +26,7 @@ ipc-namespace
26netfilter 26netfilter
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index a47a71feb..5007f8e74 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -27,6 +27,7 @@ caps.drop all
27# net none - makes settings immutable 27# net none - makes settings immutable
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 7c3ac50ad..6267b5709 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -32,6 +32,7 @@ net none
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-a-l/dex2jar.profile b/etc/profile-a-l/dex2jar.profile
index 7a59c5d73..8f3703369 100644
--- a/etc/profile-a-l/dex2jar.profile
+++ b/etc/profile-a-l/dex2jar.profile
@@ -24,6 +24,7 @@ net none
24no3d 24no3d
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 31031edeb..531734b7d 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -36,6 +36,7 @@ net none
36no3d 36no3d
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index b99b31df8..247159a8a 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -35,6 +35,7 @@ netfilter
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40nosound 41nosound
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index ae4a63c62..2ca7bd400 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/digikam
10noblacklist ${HOME}/.config/digikamrc 10noblacklist ${HOME}/.config/digikamrc
11noblacklist ${HOME}/.kde/share/apps/digikam 11noblacklist ${HOME}/.kde/share/apps/digikam
12noblacklist ${HOME}/.kde4/share/apps/digikam 12noblacklist ${HOME}/.kde4/share/apps/digikam
13noblacklist ${HOME}/.local/share/kxmlgui5/digikam
13noblacklist ${PICTURES} 14noblacklist ${PICTURES}
14 15
15include disable-common.inc 16include disable-common.inc
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile
index 7103d0285..9871a6095 100644
--- a/etc/profile-a-l/dillo.profile
+++ b/etc/profile-a-l/dillo.profile
@@ -25,6 +25,7 @@ include whitelist-var-common.inc
25caps.drop all 25caps.drop all
26netfilter 26netfilter
27nodvd 27nodvd
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index d06ca042e..c3174b35f 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -20,21 +20,24 @@ mkdir ${HOME}/.local/share/dino
20whitelist ${HOME}/.local/share/dino 20whitelist ${HOME}/.local/share/dino
21whitelist ${DOWNLOADS} 21whitelist ${DOWNLOADS}
22include whitelist-common.inc 22include whitelist-common.inc
23include whitelist-runuser-common.inc
24include whitelist-usr-share-common.inc
25include whitelist-var-common.inc
23 26
24caps.drop all 27caps.drop all
25netfilter 28netfilter
26no3d
27nodvd 29nodvd
28nogroups 30nogroups
31noinput
29nonewprivs 32nonewprivs
30noroot 33noroot
31nosound
32notv 34notv
33nou2f 35nou2f
34novideo
35protocol unix,inet,inet6 36protocol unix,inet,inet6
36seccomp 37seccomp
38seccomp.block-secondary
37shell none 39shell none
40tracelog
38 41
39disable-mnt 42disable-mnt
40private-bin dino 43private-bin dino
@@ -42,3 +45,4 @@ private-dev
42# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection 45# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
43private-tmp 46private-tmp
44 47
48dbus-system none
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index b583f1a1d..19e7bd9ab 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -18,6 +18,7 @@ ignore dbus-user none
18ignore dbus-system none 18ignore dbus-system none
19 19
20ignore noexec ${HOME} 20ignore noexec ${HOME}
21ignore novideo
21 22
22whitelist ${HOME}/.config/BetterDiscord 23whitelist ${HOME}/.config/BetterDiscord
23whitelist ${HOME}/.local/share/betterdiscordctl 24whitelist ${HOME}/.local/share/betterdiscordctl
@@ -25,5 +26,7 @@ whitelist ${HOME}/.local/share/betterdiscordctl
25private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh 26private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
26private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl 27private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
27 28
29join-or-start discord
30
28# Redirect 31# Redirect
29include electron.profile 32include electron.profile
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 9de634da9..11f3fd36e 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -27,6 +27,7 @@ caps.drop all
27net none 27net none
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
index e48e9d1ac..f8fb1a331 100644
--- a/etc/profile-a-l/dnscrypt-proxy.profile
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -32,6 +32,7 @@ machine-id
32netfilter 32netfilter
33no3d 33no3d
34nodvd 34nodvd
35noinput
35nonewprivs 36nonewprivs
36nosound 37nosound
37notv 38notv
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
index 6db71bd49..01398c2b2 100644
--- a/etc/profile-a-l/dnsmasq.profile
+++ b/etc/profile-a-l/dnsmasq.profile
@@ -23,6 +23,7 @@ include disable-xdg.inc
23caps.keep net_admin,net_bind_service,net_raw,setgid,setuid 23caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
24no3d 24no3d
25nodvd 25nodvd
26noinput
26nonewprivs 27nonewprivs
27nosound 28nosound
28notv 29notv
diff --git a/etc/profile-a-l/dooble.profile b/etc/profile-a-l/dooble.profile
index bc197b223..37a4113cb 100644
--- a/etc/profile-a-l/dooble.profile
+++ b/etc/profile-a-l/dooble.profile
@@ -25,6 +25,7 @@ caps.drop all
25netfilter 25netfilter
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index b9ef5d49d..988f66f28 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -26,6 +26,7 @@ caps.drop all
26netfilter 26netfilter
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile
index d355cd121..8fa01d504 100644
--- a/etc/profile-a-l/dragon.profile
+++ b/etc/profile-a-l/dragon.profile
@@ -26,6 +26,7 @@ include whitelist-var-common.inc
26caps.drop all 26caps.drop all
27netfilter 27netfilter
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 4d723c8aa..82d96e405 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -31,6 +31,7 @@ machine-id
31net none 31net none
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index 07f47be5d..068bd88d8 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -32,6 +32,7 @@ netfilter
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile
index 641d26d0d..b3b2aaf40 100644
--- a/etc/profile-a-l/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
@@ -33,6 +33,7 @@ netfilter
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index bb711b1bf..38e4b16f7 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -29,6 +29,7 @@ net none
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 5957d4316..278dd6cbd 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -32,6 +32,7 @@ netfilter
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37notv 38notv
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index 8785a192c..493af79d4 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -26,6 +26,7 @@ caps.keep sys_admin,sys_chroot
26netfilter 26netfilter
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29notv 30notv
30nou2f 31nou2f
31novideo 32novideo
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 73c19f380..ad636d71a 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -32,6 +32,7 @@ netfilter
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
index 2a306d704..8120725d2 100644
--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -25,6 +25,7 @@ netfilter
25no3d 25no3d
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 6b55c2126..6c9a8a6ea 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -50,6 +50,7 @@ netfilter
50no3d 50no3d
51nodvd 51nodvd
52nogroups 52nogroups
53noinput
53nonewprivs 54nonewprivs
54noroot 55noroot
55nosound 56nosound
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index 2b5de799f..ac17b1726 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -33,6 +33,7 @@ net none
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 7ec611293..f926610e2 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -21,6 +21,7 @@ net none
21no3d 21no3d
22nodvd 22nodvd
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26nosound 27nosound
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index 68113e294..c4123b4c2 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -32,16 +32,17 @@ whitelist ${DOCUMENTS}
32include whitelist-common.inc 32include whitelist-common.inc
33include whitelist-var-common.inc 33include whitelist-var-common.inc
34 34
35# machine-id and nosound break audio notification functionality 35# machine-id and nosound break audio notification functionality.
36# comment both if you need that functionality or put 'ignore machine-id' 36# Add the next lines to your enpass.local if you need that functionality.
37# and 'ignore nosound' in your enpass.local 37#ignore machine-id
38 38#ignore nosound
39caps.drop all 39caps.drop all
40machine-id 40machine-id
41netfilter 41netfilter
42no3d 42no3d
43nodvd 43nodvd
44nogroups 44nogroups
45noinput
45nonewprivs 46nonewprivs
46noroot 47noroot
47nosound 48nosound
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index e059f3b74..8e8047b00 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -31,6 +31,7 @@ net none
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index aabef65fc..5892374bd 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -10,11 +10,13 @@ noblacklist ${HOME}/.config/eog
10 10
11whitelist /usr/share/eog 11whitelist /usr/share/eog
12 12
13# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' 13# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
14# comment those if you need that functionality 14# Add the next lines to your eog.local if you need that functionality.
15# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local 15#ignore private-bin
16private-bin eog 16#ignore private-etc
17#ignore private-lib
17 18
19private-bin eog
18 20
19# broken on Debian 10 (buster) running LXDE got the folowing error: 21# broken on Debian 10 (buster) running LXDE got the folowing error:
20# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown 22# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
diff --git a/etc/profile-a-l/eom.profile b/etc/profile-a-l/eom.profile
index 5bfeb8c8f..7143a8e03 100644
--- a/etc/profile-a-l/eom.profile
+++ b/etc/profile-a-l/eom.profile
@@ -10,9 +10,12 @@ noblacklist ${HOME}/.config/mate/eom
10 10
11whitelist /usr/share/eom 11whitelist /usr/share/eom
12 12
13# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' 13# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
14# comment those if you need that functionality 14# Add the next lines to your eom.local if you need that functionality.
15# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local 15#ignore private-bin
16#ignore private-etc
17#ignore private-lib
18
16private-bin eom 19private-bin eom
17 20
18# Redirect 21# Redirect
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 029f613c6..131d68951 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -41,6 +41,7 @@ caps.drop all
41netfilter 41netfilter
42nodvd 42nodvd
43nogroups 43nogroups
44noinput
44nonewprivs 45nonewprivs
45# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. 46# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
46noroot 47noroot
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index 58b053041..964d3b7ca 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -39,6 +39,7 @@ net none
39no3d 39no3d
40nodvd 40nodvd
41nogroups 41nogroups
42noinput
42nonewprivs 43nonewprivs
43noroot 44noroot
44nosound 45nosound
diff --git a/etc/profile-a-l/etr-wrapper.profile b/etc/profile-a-l/etr-wrapper.profile
new file mode 100644
index 000000000..98f949918
--- /dev/null
+++ b/etc/profile-a-l/etr-wrapper.profile
@@ -0,0 +1,14 @@
1# Firejail profile for etr-wrapper
2# This file is overwritten after every install/update
3# Persistent local customizations
4include etr-wrapper.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
8
9include allow-opengl-game.inc
10
11private-bin etr-wrapper
12
13# Redirect
14include etr.profile
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 1c34335d2..b970b0dfd 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -30,6 +30,7 @@ caps.drop all
30net none 30net none
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
@@ -37,6 +38,7 @@ nou2f
37novideo 38novideo
38protocol unix,netlink 39protocol unix,netlink
39seccomp 40seccomp
41seccomp.block-secondary
40shell none 42shell none
41tracelog 43tracelog
42 44
@@ -44,7 +46,7 @@ disable-mnt
44private-bin etr 46private-bin etr
45private-cache 47private-cache
46private-dev 48private-dev
47# private-etc alternatives,drirc,machine-id,openal 49# private-etc alternatives,drirc,machine-id,openal,passwd
48private-tmp 50private-tmp
49 51
50dbus-user none 52dbus-user none
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index eeccb81be..adcb29063 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -37,6 +37,7 @@ netfilter
37no3d 37no3d
38nodvd 38nodvd
39nogroups 39nogroups
40noinput
40nonewprivs 41nonewprivs
41noroot 42noroot
42nosound 43nosound
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 422200ffe..7222493ac 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -31,6 +31,7 @@ netfilter
31#no3d 31#no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index b6741d701..7b09a2c64 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -30,6 +30,7 @@ net none
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 640b0e485..b2061db79 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -33,6 +33,7 @@ caps.drop all
33netfilter 33netfilter
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38notv 39notv
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile
index e9fcc2231..8e81000fd 100644
--- a/etc/profile-a-l/fbreader.profile
+++ b/etc/profile-a-l/fbreader.profile
@@ -24,6 +24,7 @@ apparmor
24caps.drop all 24caps.drop all
25net none 25net none
26nodvd 26nodvd
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 2abd80b06..664ec2da6 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -33,6 +33,7 @@ netfilter
33# no3d 33# no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38# nosound 39# nosound
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 68ce0da61..2f2d8a4c7 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -23,6 +23,7 @@ net none
23no3d 23no3d
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28nosound 29nosound
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index 9b4c5f114..a2372ec8a 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -33,6 +33,7 @@ caps.drop all
33netfilter 33netfilter
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38notv 39notv
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile
index d64fe830f..7358ed5c7 100644
--- a/etc/profile-a-l/fetchmail.profile
+++ b/etc/profile-a-l/fetchmail.profile
@@ -20,6 +20,7 @@ netfilter
20no3d 20no3d
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index c6e9ba095..13ef1beb9 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -32,6 +32,7 @@ machine-id
32netfilter 32netfilter
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
index face34c40..23ec4a432 100644
--- a/etc/profile-a-l/file-manager-common.profile
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -36,6 +36,7 @@ caps.drop all
36netfilter 36netfilter
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41notv 42notv
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 2a1eb2001..0b8a8cd6c 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -20,12 +20,13 @@ include whitelist-var-common.inc
20 20
21apparmor 21apparmor
22caps.drop all 22caps.drop all
23#ipc-namespace - causing issues launching on archlinux
24machine-id 23machine-id
25# net none - breaks on older Ubuntu versions 24# net none - breaks on older Ubuntu versions
25netfilter
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
@@ -38,7 +39,7 @@ seccomp.block-secondary
38shell none 39shell none
39tracelog 40tracelog
40 41
41private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo 42private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
42private-cache 43private-cache
43private-dev 44private-dev
44private-etc dconf,fonts,gtk-3.0,xdg 45private-etc dconf,fonts,gtk-3.0,xdg
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index c02f9e3de..5c7583605 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -23,6 +23,7 @@ net none
23no3d 23no3d
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27nosound 28nosound
28notv 29notv
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
index 728929638..dc5def54f 100644
--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -27,6 +27,7 @@ include whitelist-var-common.inc
27caps.drop all 27caps.drop all
28netfilter 28netfilter
29nodvd 29nodvd
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile
new file mode 100644
index 000000000..77487161e
--- /dev/null
+++ b/etc/profile-a-l/firedragon.profile
@@ -0,0 +1,26 @@
1# Firejail profile for FireDragon
2# Description: Librewolf fork with enhanced KDE integration
3# This file is overwritten after every install/update
4# Persistent local customizations
5include firedragon.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.cache/firedragon
10noblacklist ${HOME}/.firedragon
11
12mkdir ${HOME}/.cache/firedragon
13mkdir ${HOME}/.firedragon
14whitelist ${HOME}/.cache/firedragon
15whitelist ${HOME}/.firedragon
16
17# Add the next lines to your firedragon.local if you want to use the migration wizard.
18#noblacklist ${HOME}/.mozilla
19#whitelist ${HOME}/.mozilla
20
21# FireDragon requires a shell to launch on Arch. We can possibly remove sh though.
22# Add the next line to your firedragon.local to enable private-bin.
23#private-bin bash,dbus-launch,dbus-send,env,firedragon,python*,sh,which
24
25# Redirect
26include firefox-common.profile
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index 4da087f7f..d282f9a60 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -73,8 +73,9 @@ whitelist /usr/share/vulkan
73# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 73# GNOME Shell integration (chrome-gnome-shell) needs dbus and python
74noblacklist ${HOME}/.local/share/gnome-shell 74noblacklist ${HOME}/.local/share/gnome-shell
75whitelist ${HOME}/.local/share/gnome-shell 75whitelist ${HOME}/.local/share/gnome-shell
76ignore dbus-user none 76dbus-user.talk ca.desrt.dconf
77ignore dbus-system none 77dbus-user.talk org.gnome.ChromeGnomeShell
78dbus-user.talk org.gnome.Shell
78# Allow python (blacklisted by disable-interpreters.inc) 79# Allow python (blacklisted by disable-interpreters.inc)
79include allow-python3.inc 80include allow-python3.inc
80 81
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index b0ead7590..8b74ed979 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -37,6 +37,7 @@ caps.drop all
37netfilter 37netfilter
38nodvd 38nodvd
39nogroups 39nogroups
40noinput
40nonewprivs 41nonewprivs
41# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. 42# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
42noroot 43noroot
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index cefba93d4..b22a78458 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -6,6 +6,14 @@ include firefox.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# NOTE: sandboxing web browsers is as important as it is complex. Users might be
10# interested in creating custom profiles depending on use case (e.g. one for
11# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
12# info. Here are a few links to get you going.
13# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
14# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
15# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
16
9noblacklist ${HOME}/.cache/mozilla 17noblacklist ${HOME}/.cache/mozilla
10noblacklist ${HOME}/.mozilla 18noblacklist ${HOME}/.mozilla
11 19
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index d1c18e690..55af96c84 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -37,6 +37,7 @@ netfilter
37no3d 37no3d
38nodvd 38nodvd
39nogroups 39nogroups
40noinput
40nonewprivs 41nonewprivs
41noroot 42noroot
42nosound 43nosound
diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile
index 40472ab93..a4421e3ce 100644
--- a/etc/profile-a-l/flowblade.profile
+++ b/etc/profile-a-l/flowblade.profile
@@ -24,6 +24,7 @@ caps.drop all
24netfilter 24netfilter
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29notv 30notv
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
index acad6ad13..cd0129436 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -38,6 +38,7 @@ machine-id
38no3d 38no3d
39nodvd 39nodvd
40nogroups 40nogroups
41noinput
41nonewprivs 42nonewprivs
42noroot 43noroot
43nosound 44nosound
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile
index 6d305e2af..bd1495877 100644
--- a/etc/profile-a-l/fontforge.profile
+++ b/etc/profile-a-l/fontforge.profile
@@ -25,6 +25,7 @@ caps.drop all
25netfilter 25netfilter
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index dede61b71..1b1d031b4 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -34,6 +34,7 @@ caps.drop all
34netfilter 34netfilter
35nodvd 35nodvd
36nogroups 36nogroups
37noinput
37nonewprivs 38nonewprivs
38noroot 39noroot
39notv 40notv
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index 344804ca9..9b780a572 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -33,6 +33,7 @@ caps.drop all
33netfilter 33netfilter
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38notv 39notv
diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile
index 0a1d4a750..8043d0530 100644
--- a/etc/profile-a-l/freecad.profile
+++ b/etc/profile-a-l/freecad.profile
@@ -26,6 +26,7 @@ ipc-namespace
26net none 26net none
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile
index 0fe933478..23c19682c 100644
--- a/etc/profile-a-l/freeciv.profile
+++ b/etc/profile-a-l/freeciv.profile
@@ -27,6 +27,7 @@ ipc-namespace
27netfilter 27netfilter
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile
index 3cbd2ff53..93fa7da03 100644
--- a/etc/profile-a-l/freecol.profile
+++ b/etc/profile-a-l/freecol.profile
@@ -39,6 +39,7 @@ ipc-namespace
39netfilter 39netfilter
40nodvd 40nodvd
41nogroups 41nogroups
42noinput
42nonewprivs 43nonewprivs
43noroot 44noroot
44notv 45notv
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
index 0ffb5c54d..699177039 100644
--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile
index 2bab79e2e..6382b80af 100644
--- a/etc/profile-a-l/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
@@ -14,6 +14,7 @@ netfilter
14no3d 14no3d
15nodvd 15nodvd
16nogroups 16nogroups
17noinput
17nonewprivs 18nonewprivs
18nosound 19nosound
19notv 20notv
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 23d259337..fa56d2b2d 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -29,6 +29,7 @@ caps.drop all
29net none 29net none
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index c11567804..76352e41e 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -31,6 +31,7 @@ caps.drop all
31net none 31net none
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index e2da1747e..ed3f0357d 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -46,6 +46,7 @@ caps.drop all
46netfilter 46netfilter
47nodvd 47nodvd
48nogroups 48nogroups
49noinput
49nonewprivs 50nonewprivs
50noroot 51noroot
51notv 52notv
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 89f20b923..550b3808b 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -29,6 +29,7 @@ caps.drop all
29net none 29net none
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 5e1b024fe..f2da60c87 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -30,6 +30,7 @@ net none
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 46a862a21..388f4c0df 100644
--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -24,6 +24,7 @@ netfilter
24nodvd 24nodvd
25# required for sudo-free docker 25# required for sudo-free docker
26#nogroups 26#nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29notv 30notv
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index 96848575d..fec1a555a 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -38,6 +38,7 @@ net none
38no3d 38no3d
39nodvd 39nodvd
40nogroups 40nogroups
41noinput
41nonewprivs 42nonewprivs
42noroot 43noroot
43nosound 44nosound
diff --git a/etc/profile-a-l/geany.profile b/etc/profile-a-l/geany.profile
index 31599e32a..6fdb9b37a 100644
--- a/etc/profile-a-l/geany.profile
+++ b/etc/profile-a-l/geany.profile
@@ -20,6 +20,7 @@ netfilter
20no3d 20no3d
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index b11863c6a..74e135a7c 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -53,6 +53,7 @@ netfilter
53no3d 53no3d
54nodvd 54nodvd
55nogroups 55nogroups
56noinput
56nonewprivs 57nonewprivs
57noroot 58noroot
58nosound 59nosound
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index d61bea6c4..108b7041d 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -29,6 +29,7 @@ machine-id
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 77287769a..e0aadff24 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -27,6 +27,7 @@ netfilter
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index 8810ca161..dd33b3fb5 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -19,6 +19,7 @@ include disable-programs.inc
19caps.drop all 19caps.drop all
20nodvd 20nodvd
21nogroups 21nogroups
22noinput
22nonewprivs 23nonewprivs
23noroot 24noroot
24nosound 25nosound
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index caeb3ce51..7ec8ba810 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -44,6 +44,7 @@ netfilter
44no3d 44no3d
45nodvd 45nodvd
46nogroups 46nogroups
47noinput
47nonewprivs 48nonewprivs
48noroot 49noroot
49nosound 50nosound
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index 828d638ed..d9c5a0d9a 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -33,6 +33,7 @@ netfilter
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 820d5e694..276ab76df 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -36,6 +36,7 @@ machine-id
36netfilter 36netfilter
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index e26fadca2..dfc1304d1 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -45,6 +45,7 @@ caps.drop all
45net none 45net none
46nodvd 46nodvd
47nogroups 47nogroups
48noinput
48nonewprivs 49nonewprivs
49noroot 50noroot
50nosound 51nosound
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index 681fc2829..661c3a375 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -38,6 +38,7 @@ netfilter
38no3d 38no3d
39nodvd 39nodvd
40nogroups 40nogroups
41noinput
41nonewprivs 42nonewprivs
42noroot 43noroot
43nosound 44nosound
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 7894e4d8d..5e4249376 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -54,6 +54,7 @@ netfilter
54no3d 54no3d
55nodvd 55nodvd
56nogroups 56nogroups
57noinput
57nonewprivs 58nonewprivs
58noroot 59noroot
59nosound 60nosound
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
index aefb2917d..bfa0081c6 100644
--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -45,6 +45,7 @@ netfilter
45no3d 45no3d
46nodvd 46nodvd
47nogroups 47nogroups
48noinput
48nonewprivs 49nonewprivs
49noroot 50noroot
50nosound 51nosound
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 7b6820a81..05d7dffa9 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -39,6 +39,7 @@ netfilter
39no3d 39no3d
40nodvd 40nodvd
41nogroups 41nogroups
42noinput
42nonewprivs 43nonewprivs
43noroot 44noroot
44nosound 45nosound
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 017b1765a..460e2b990 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -26,6 +26,7 @@ machine-id
26netfilter 26netfilter
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
index 9c8848b8a..ed68b3c2d 100644
--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -30,6 +30,7 @@ caps.drop all
30netfilter 30netfilter
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
diff --git a/etc/profile-a-l/gl-117-wrapper.profile b/etc/profile-a-l/gl-117-wrapper.profile
new file mode 100644
index 000000000..d783940f3
--- /dev/null
+++ b/etc/profile-a-l/gl-117-wrapper.profile
@@ -0,0 +1,14 @@
1# Firejail profile for gl-117-wrapper
2# This file is overwritten after every install/update
3# Persistent local customizations
4include gl-117-wrapper.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
8
9include allow-opengl-game.inc
10
11private-bin gl-117-wrapper
12
13# Redirect
14include gl-117.profile
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
new file mode 100644
index 000000000..c8cefc67e
--- /dev/null
+++ b/etc/profile-a-l/gl-117.profile
@@ -0,0 +1,53 @@
1# Firejail profile for gl-117
2# Description: Action flight simulator
3# This file is overwritten after every install/update
4# Persistent local customizations
5include gl-117.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.gl-117
10
11include disable-common.inc
12include disable-devel.inc
13include disable-exec.inc
14include disable-interpreters.inc
15include disable-passwdmgr.inc
16include disable-programs.inc
17include disable-shell.inc
18include disable-xdg.inc
19
20mkdir ${HOME}/.gl-117
21whitelist ${HOME}/.gl-117
22whitelist /usr/share/gl-117
23include whitelist-common.inc
24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc
26include whitelist-var-common.inc
27
28apparmor
29caps.drop all
30net none
31nodvd
32nogroups
33noinput
34nonewprivs
35noroot
36notv
37nou2f
38novideo
39protocol unix
40seccomp
41seccomp.block-secondary
42shell none
43tracelog
44
45disable-mnt
46private-bin gl-117
47private-cache
48private-dev
49private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
50private-tmp
51
52dbus-user none
53dbus-system none
diff --git a/etc/profile-a-l/glaxium-wrapper.profile b/etc/profile-a-l/glaxium-wrapper.profile
new file mode 100644
index 000000000..7dc2cf65e
--- /dev/null
+++ b/etc/profile-a-l/glaxium-wrapper.profile
@@ -0,0 +1,14 @@
1# Firejail profile for glaxium-wrapper
2# This file is overwritten after every install/update
3# Persistent local customizations
4include glaxium-wrapper.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
8
9include allow-opengl-game.inc
10
11private-bin glaxium-wrapper
12
13# Redirect
14include glaxium.profile
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
new file mode 100644
index 000000000..ee7af0546
--- /dev/null
+++ b/etc/profile-a-l/glaxium.profile
@@ -0,0 +1,53 @@
1# Firejail profile for glaxium
2# Description: 3d spaceship shoot-em-up
3# This file is overwritten after every install/update
4# Persistent local customizations
5include glaxium.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.glaxiumrc
10
11include disable-common.inc
12include disable-devel.inc
13include disable-exec.inc
14include disable-interpreters.inc
15include disable-passwdmgr.inc
16include disable-programs.inc
17include disable-shell.inc
18include disable-xdg.inc
19
20mkfile ${HOME}/.glaxiumrc
21whitelist ${HOME}/.glaxiumrc
22whitelist /usr/share/glaxium
23include whitelist-common.inc
24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc
26include whitelist-var-common.inc
27
28apparmor
29caps.drop all
30net none
31nodvd
32nogroups
33noinput
34nonewprivs
35noroot
36notv
37nou2f
38novideo
39protocol unix
40seccomp
41seccomp.block-secondary
42shell none
43tracelog
44
45disable-mnt
46private-bin glaxium
47private-cache
48private-dev
49private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
50private-tmp
51
52dbus-user none
53dbus-system none
diff --git a/etc/profile-a-l/globaltime.profile b/etc/profile-a-l/globaltime.profile
index bb78a608e..14b3ef811 100644
--- a/etc/profile-a-l/globaltime.profile
+++ b/etc/profile-a-l/globaltime.profile
@@ -20,6 +20,7 @@ netfilter
20no3d 20no3d
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 998109ca7..34a7f557c 100644
--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -29,6 +29,7 @@ net none
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index 8f637902c..37ca5aeff 100644
--- a/etc/profile-a-l/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -26,6 +26,7 @@ ipc-namespace
26netfilter 26netfilter
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index 7780dfa65..4c465cc49 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -30,6 +30,7 @@ netfilter
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index 9927fb869..eaf25b177 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -28,6 +28,7 @@ netfilter
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 048fad65c..741fe9bf7 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -31,6 +31,7 @@ net none
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index 84a3cabd6..bd39f625c 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -35,6 +35,7 @@ net none
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40nosound 41nosound
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index fc899178f..1e7c70b84 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -28,6 +28,7 @@ netfilter
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index 03b89e394..dcc6163b6 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -24,6 +24,7 @@ caps.drop all
24netfilter 24netfilter
25#no3d - breaks on Arch 25#no3d - breaks on Arch
26nodvd 26nodvd
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile
index 705fe624e..29ad67af8 100644
--- a/etc/profile-a-l/gnome-documents.profile
+++ b/etc/profile-a-l/gnome-documents.profile
@@ -27,6 +27,7 @@ netfilter
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile
index b2327133c..aa0844b8b 100644
--- a/etc/profile-a-l/gnome-font-viewer.profile
+++ b/etc/profile-a-l/gnome-font-viewer.profile
@@ -22,6 +22,7 @@ caps.drop all
22net none 22net none
23no3d 23no3d
24nodvd 24nodvd
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27nosound 28nosound
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index bb5ef0eab..2db956faf 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -26,6 +26,7 @@ caps.drop all
26net none 26net none
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index a0b9ef04e..25b4c47de 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -37,6 +37,7 @@ netfilter
37no3d 37no3d
38nodvd 38nodvd
39nogroups 39nogroups
40noinput
40nonewprivs 41nonewprivs
41noroot 42noroot
42nosound 43nosound
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 87376da40..1a7eafeca 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -33,6 +33,7 @@ net none
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index d29c7609e..9d2ea7b7b 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -26,6 +26,7 @@ ipc-namespace
26net none 26net none
27no3d 27no3d
28nodvd 28nodvd
29noinput
29nonewprivs 30nonewprivs
30nosound 31nosound
31notv 32notv
@@ -50,6 +51,5 @@ dbus-user.own org.gnome.Logs
50dbus-user.talk ca.desrt.dconf 51dbus-user.talk ca.desrt.dconf
51dbus-system none 52dbus-system none
52 53
53# comment this if you export logs to a file in your ${HOME} 54# Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}.
54# or put 'ignore read-only ${HOME}' in your gnome-logs.local.
55read-only ${HOME} 55read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index 23629df95..cf2ac2f75 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -46,6 +46,7 @@ machine-id
46netfilter 46netfilter
47nodvd 47nodvd
48nogroups 48nogroups
49noinput
49nonewprivs 50nonewprivs
50noroot 51noroot
51nosound 52nosound
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 12bee6448..43fe71f5e 100644
--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
20 20
21caps.drop all 21caps.drop all
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nou2f 26nou2f
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index 36b46897c..2fcbe9910 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -29,6 +29,7 @@ caps.drop all
29netfilter 29netfilter
30no3d 30no3d
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index 33eb9c81a..814751db3 100644
--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -27,6 +27,7 @@ netfilter
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30# ping needs to elevate privileges, noroot and nonewprivs will kill it 31# ping needs to elevate privileges, noroot and nonewprivs will kill it
31#nonewprivs 32#nonewprivs
32#noroot 33#noroot
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index 073de47b9..763d67b92 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -35,6 +35,7 @@ net none
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40nosound 41nosound
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 65cc23b5f..58bf3f349 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -25,6 +25,7 @@ caps.drop all
25netfilter 25netfilter
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index c1d2dae35..41903b136 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -21,6 +21,7 @@ ipc-namespace
21no3d 21no3d
22nodvd 22nodvd
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26nosound 27nosound
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index a46e47759..c2ba7556d 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -30,6 +30,7 @@ net none
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index c4969590f..48c98ebe0 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -34,6 +34,7 @@ machine-id
34netfilter 34netfilter
35nodvd 35nodvd
36nogroups 36nogroups
37noinput
37nonewprivs 38nonewprivs
38noroot 39noroot
39nosound 40nosound
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index 55913a2d7..69c90b33d 100644
--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -51,6 +51,7 @@ machine-id
51no3d 51no3d
52nodvd 52nodvd
53nogroups 53nogroups
54noinput
54nosound 55nosound
55notv 56notv
56nou2f 57nou2f
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index 2534eed5a..b683b6f6c 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -28,6 +28,7 @@ net none
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 2e063ebfe..34f5fdeff 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -26,6 +26,7 @@ caps.drop all
26net none 26net none
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 9c0a26a02..8a818695d 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -27,9 +27,9 @@ ipc-namespace
27no3d 27no3d
28nodvd 28nodvd
29# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html), 29# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
30# comment both 'nogroups' and 'noroot' 30# put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local.
31# or put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local.
32nogroups 31nogroups
32noinput
33nonewprivs 33nonewprivs
34noroot 34noroot
35nosound 35nosound
@@ -53,6 +53,5 @@ writable-var-log
53# dbus-system none 53# dbus-system none
54 54
55memory-deny-write-execute 55memory-deny-write-execute
56# Comment the line below if you export logs to a file in your ${HOME} 56# Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.
57# or put 'ignore read-only ${HOME}' in your gnome-system-log.local
58read-only ${HOME} 57read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 5bef96ae7..3b147cd48 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -30,6 +30,7 @@ machine-id
30net none 30net none
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-a-l/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile
index 5e8153035..b8ec195d3 100644
--- a/etc/profile-a-l/gnome-twitch.profile
+++ b/etc/profile-a-l/gnome-twitch.profile
@@ -25,6 +25,7 @@ include whitelist-common.inc
25caps.drop all 25caps.drop all
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index beed92a7d..2e08fa41d 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index 56ed7a436..5627842f5 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -26,6 +26,7 @@ machine-id
26net none 26net none
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index 1b5129fc5..c3014a288 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -35,6 +35,7 @@ net none
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40nosound 41nosound
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index 8eaba161c..22851ce9f 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -27,6 +27,7 @@ machine-id
27net none 27net none
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index f37f345ba..09ca17caa 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -24,6 +24,7 @@ caps.drop all
24netfilter 24netfilter
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29notv 30notv
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
index c932ad528..8399d77c4 100644
--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -19,6 +19,7 @@ caps.drop all
19netfilter 19netfilter
20no3d 20no3d
21nogroups 21nogroups
22noinput
22nonewprivs 23nonewprivs
23noroot 24noroot
24notv 25notv
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index 12b1cbafd..65ac04771 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -26,6 +26,7 @@ ipc-namespace
26netfilter 26netfilter
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index daa385234..a7aabe105 100644
--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -28,6 +28,7 @@ netfilter
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
index ce7c8496d..37b4f0b1c 100644
--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -18,6 +18,7 @@ caps.drop all
18netfilter 18netfilter
19nodvd 19nodvd
20nogroups 20nogroups
21noinput
21nonewprivs 22nonewprivs
22noroot 23noroot
23nosound 24nosound
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index adc8957e6..7f0b614b1 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -36,6 +36,7 @@ netfilter
36no3d 36no3d
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index 787f35f9e..4a4d6527c 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -32,6 +32,7 @@ netfilter
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index a536e5985..fa53c26c8 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -27,6 +27,7 @@ machine-id
27net none 27net none
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index 3152db096..253d644f1 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -24,6 +24,7 @@ caps.drop all
24netfilter 24netfilter
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index a16e65efb..2b4c536d2 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -30,6 +30,7 @@ netfilter
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile
index 427fe2d7a..c7e0c2977 100644
--- a/etc/profile-a-l/gramps.profile
+++ b/etc/profile-a-l/gramps.profile
@@ -32,6 +32,7 @@ netfilter
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index 0cb3aa864..890ba2560 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -25,6 +25,7 @@ caps.drop all
25net none 25net none
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-a-l/gthumb.profile b/etc/profile-a-l/gthumb.profile
index de0fc96ae..5927e8c4d 100644
--- a/etc/profile-a-l/gthumb.profile
+++ b/etc/profile-a-l/gthumb.profile
@@ -20,6 +20,7 @@ include disable-shell.inc
20caps.drop all 20caps.drop all
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index 2051a8af6..c8addae75 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -30,6 +30,7 @@ net none
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-a-l/guayadeque.profile b/etc/profile-a-l/guayadeque.profile
index 8a7f65918..3d2b71e9d 100644
--- a/etc/profile-a-l/guayadeque.profile
+++ b/etc/profile-a-l/guayadeque.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
20caps.drop all 20caps.drop all
21netfilter 21netfilter
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25notv 26notv
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index 3df42d209..6adb79852 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -27,6 +27,7 @@ machine-id
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
index 46fc06940..9221ca31c 100644
--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -34,6 +34,7 @@ caps.drop all
34net none 34net none
35nodvd 35nodvd
36nogroups 36nogroups
37noinput
37nonewprivs 38nonewprivs
38noroot 39noroot
39notv 40notv
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index efdc56e38..d33e2a673 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -34,6 +34,7 @@ caps.drop all
34netfilter 34netfilter
35nodvd 35nodvd
36nogroups 36nogroups
37noinput
37nonewprivs 38nonewprivs
38noroot 39noroot
39notv 40notv
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
index 0539ffcb8..847e1ec1e 100644
--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -24,6 +24,7 @@ apparmor
24caps.drop all 24caps.drop all
25net none 25net none
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nou2f 30nou2f
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
index 8ec67ff19..aab4b0c21 100644
--- a/etc/profile-a-l/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -25,6 +25,7 @@ caps.drop all
25net none 25net none
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
index 1633cc3ee..44584f26b 100644
--- a/etc/profile-a-l/hasher-common.profile
+++ b/etc/profile-a-l/hasher-common.profile
@@ -33,6 +33,7 @@ net none
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index 8ac07d3da..c0675d8ec 100644
--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -24,6 +24,7 @@ caps.drop all
24netfilter 24netfilter
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29notv 30notv
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index c60510260..f72af0b4a 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -35,6 +35,7 @@ netfilter
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40notv 41notv
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
index c2812d7f5..643736ac7 100644
--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -20,6 +20,7 @@ net none
20no3d 20no3d
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index da32de640..199b1a5e5 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -35,6 +35,7 @@ nodvd
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40nosound 41nosound
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
index e5a5a7efa..00d9f7a76 100644
--- a/etc/profile-a-l/host.profile
+++ b/etc/profile-a-l/host.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
index e03b68128..267712c87 100644
--- a/etc/profile-a-l/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -23,6 +23,7 @@ caps.drop all
23net none 23net none
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28nosound 29nosound
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index f2cb25edf..e66ffd7e1 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -29,6 +29,7 @@ caps.drop all
29net none 29net none
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index d95d53b7a..47c984175 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -56,6 +56,7 @@ netfilter
56no3d 56no3d
57nodvd 57nodvd
58nogroups 58nogroups
59noinput
59nonewprivs 60nonewprivs
60nosound 61nosound
61notv 62notv
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index 42fc7d449..363d3dc2e 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -21,6 +21,7 @@ caps.drop all
21net none 21net none
22nodvd 22nodvd
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26notv 27notv
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index 0a048a38a..680b8e777 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -26,6 +26,7 @@ caps.drop all
26netfilter 26netfilter
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile
index 91a60c188..12ce7976b 100644
--- a/etc/profile-a-l/imagej.profile
+++ b/etc/profile-a-l/imagej.profile
@@ -23,6 +23,7 @@ ipc-namespace
23net none 23net none
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28nosound 29nosound
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
index ae03fc8bc..c26958d06 100644
--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -29,6 +29,7 @@ machine-id
29net none 29net none
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile
index af82fb059..c152be01c 100644
--- a/etc/profile-a-l/impressive.profile
+++ b/etc/profile-a-l/impressive.profile
@@ -35,6 +35,7 @@ machine-id
35net none 35net none
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40nosound 41nosound
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index f14868668..35dd86b32 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -39,6 +39,7 @@ machine-id
39net none 39net none
40nodvd 40nodvd
41nogroups 41nogroups
42noinput
42nonewprivs 43nonewprivs
43noroot 44noroot
44nosound 45nosound
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index 4b97b83b7..791065c1a 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -33,6 +33,7 @@ netfilter
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-a-l/itch.profile b/etc/profile-a-l/itch.profile
index b3c78c810..e02dcbdb1 100644
--- a/etc/profile-a-l/itch.profile
+++ b/etc/profile-a-l/itch.profile
@@ -27,6 +27,7 @@ caps.drop all
27netfilter 27netfilter
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile
index 226bb0008..3e9abf369 100644
--- a/etc/profile-a-l/jami-gnome.profile
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -28,6 +28,7 @@ ipc-namespace
28netfilter 28netfilter
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile
index 0944051e5..7d29f1068 100644
--- a/etc/profile-a-l/jd-gui.profile
+++ b/etc/profile-a-l/jd-gui.profile
@@ -25,6 +25,7 @@ net none
25no3d 25no3d
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index b79ae0ee0..85b1f2120 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -22,6 +22,7 @@ net none
22no3d 22no3d
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27nosound 28nosound
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index daeb54610..9954b8aea 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -28,6 +28,7 @@ caps.drop all
28net none 28net none
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 3e686a454..5ae90dff6 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -26,6 +26,7 @@ caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_ra
26netfilter 26netfilter
27no3d 27no3d
28# nonewprivs - breaks privileged helpers 28# nonewprivs - breaks privileged helpers
29noinput
29# noroot - breaks privileged helpers 30# noroot - breaks privileged helpers
30nosound 31nosound
31notv 32notv
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index c7f811939..d55fd22cb 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -28,6 +28,7 @@ include whitelist-var-common.inc
28caps.drop all 28caps.drop all
29netfilter 29netfilter
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nou2f 34nou2f
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index e1e93163b..503dac4b6 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -27,6 +27,7 @@ machine-id
27net none 27net none
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 37605dfa9..27b87e7c3 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -38,6 +38,7 @@ caps.drop all
38netfilter 38netfilter
39nodvd 39nodvd
40nogroups 40nogroups
41noinput
41nonewprivs 42nonewprivs
42noroot 43noroot
43nosound 44nosound
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 7d9f4c22f..9795cf168 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -35,6 +35,7 @@ caps.drop all
35net none 35net none
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40notv 41notv
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index fa82e76f3..e36ee5ed2 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -15,6 +15,7 @@ include disable-interpreters.inc
15include disable-passwdmgr.inc 15include disable-passwdmgr.inc
16include disable-programs.inc 16include disable-programs.inc
17include disable-shell.inc 17include disable-shell.inc
18include disable-xdg.inc
18 19
19mkdir ${HOME}/.local/share/kxmlgui5/kcalc 20mkdir ${HOME}/.local/share/kxmlgui5/kcalc
20mkfile ${HOME}/.config/kcalcrc 21mkfile ${HOME}/.config/kcalcrc
@@ -24,7 +25,12 @@ whitelist ${HOME}/.config/kcalcrc
24whitelist ${HOME}/.kde/share/config/kcalcrc 25whitelist ${HOME}/.kde/share/config/kcalcrc
25whitelist ${HOME}/.kde4/share/config/kcalcrc 26whitelist ${HOME}/.kde4/share/config/kcalcrc
26whitelist ${HOME}/.local/share/kxmlgui5/kcalc 27whitelist ${HOME}/.local/share/kxmlgui5/kcalc
28whitelist /usr/share/config.kcfg/kcalc.kcfg
29whitelist /usr/share/kcalc
30whitelist /usr/share/kconf_update/kcalcrc.upd
27include whitelist-common.inc 31include whitelist-common.inc
32include whitelist-runuser-common.inc
33include whitelist-usr-share-common.inc
28include whitelist-var-common.inc 34include whitelist-var-common.inc
29 35
30apparmor 36apparmor
@@ -33,6 +39,7 @@ net none
33no3d 39no3d
34nodvd 40nodvd
35nogroups 41nogroups
42noinput
36nonewprivs 43nonewprivs
37noroot 44noroot
38nosound 45nosound
@@ -41,13 +48,19 @@ nou2f
41novideo 48novideo
42protocol unix 49protocol unix
43seccomp 50seccomp
51seccomp.block-secondary
44shell none 52shell none
53tracelog
45 54
46disable-mnt 55disable-mnt
47private-bin kcalc 56private-bin kcalc
57private-cache
48private-dev 58private-dev
59private-etc alternatives,fonts,ld.so.cache,locale,locale.conf
49# private-lib - problems on Arch 60# private-lib - problems on Arch
50private-tmp 61private-tmp
51 62
52dbus-user none 63dbus-user none
53dbus-system none 64dbus-system none
65
66#memory-deny-write-execute
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
index f7235ea84..925ab3517 100644
--- a/etc/profile-a-l/kdeinit4.profile
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -21,6 +21,7 @@ caps.drop all
21netfilter 21netfilter
22no3d 22no3d
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25# nosound - disabled for knotify 26# nosound - disabled for knotify
26noroot 27noroot
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index 9ca33b68e..d2a08a269 100644
--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -25,6 +25,7 @@ caps.drop all
25# net none 25# net none
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index eb1e219ab..7c1cb2294 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -36,6 +36,7 @@ machine-id
36net none 36net none
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-a-l/keepass.profile b/etc/profile-a-l/keepass.profile
index 9852f8a79..ae8971ab4 100644
--- a/etc/profile-a-l/keepass.profile
+++ b/etc/profile-a-l/keepass.profile
@@ -28,6 +28,7 @@ netfilter
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index b8239e140..ac364986d 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -28,6 +28,7 @@ net none
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 11c279911..c352a5d89 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/*.kdb
10noblacklist ${HOME}/*.kdbx 10noblacklist ${HOME}/*.kdbx
11noblacklist ${HOME}/.cache/keepassxc 11noblacklist ${HOME}/.cache/keepassxc
12noblacklist ${HOME}/.config/keepassxc 12noblacklist ${HOME}/.config/keepassxc
13noblacklist ${HOME}/.config/KeePassXCrc
13noblacklist ${HOME}/.keepassxc 14noblacklist ${HOME}/.keepassxc
14noblacklist ${DOCUMENTS} 15noblacklist ${DOCUMENTS}
15 16
@@ -51,6 +52,7 @@ include disable-xdg.inc
51#mkdir ${HOME}/.config/keepassxc 52#mkdir ${HOME}/.config/keepassxc
52#whitelist ${HOME}/.cache/keepassxc 53#whitelist ${HOME}/.cache/keepassxc
53#whitelist ${HOME}/.config/keepassxc 54#whitelist ${HOME}/.config/keepassxc
55#whitelist ${HOME}/.config/KeePassXCrc
54#include whitelist-common.inc 56#include whitelist-common.inc
55 57
56whitelist /usr/share/keepassxc 58whitelist /usr/share/keepassxc
@@ -63,6 +65,7 @@ net none
63no3d 65no3d
64nodvd 66nodvd
65nogroups 67nogroups
68noinput
66nonewprivs 69nonewprivs
67noroot 70noroot
68nosound 71nosound
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile
index ed815676a..6f6fe8d0a 100644
--- a/etc/profile-a-l/kfind.profile
+++ b/etc/profile-a-l/kfind.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index 5990d0752..2c684504b 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -27,6 +27,7 @@ caps.drop all
27netfilter 27netfilter
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index aa2e0ad1e..e18292e99 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -25,6 +25,7 @@ caps.drop all
25netfilter 25netfilter
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile
index b3ade0dd9..74014ffe6 100644
--- a/etc/profile-a-l/kino.profile
+++ b/etc/profile-a-l/kino.profile
@@ -22,6 +22,7 @@ apparmor
22caps.drop all 22caps.drop all
23netfilter 23netfilter
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27notv 28notv
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index d222d6d24..40ee0bbc7 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -31,6 +31,7 @@ netfilter
31# no3d 31# no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36# nosound 37# nosound
diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile
index 10b689ce5..c6a9023f1 100644
--- a/etc/profile-a-l/klatexformula.profile
+++ b/etc/profile-a-l/klatexformula.profile
@@ -26,6 +26,7 @@ machine-id
26net none 26net none
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index c03d75098..f5cd3a48c 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -31,6 +31,7 @@ net none
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index ab4ff10b9..95ae98e53 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -45,6 +45,7 @@ caps.drop all
45netfilter 45netfilter
46nodvd 46nodvd
47nogroups 47nogroups
48noinput
48nonewprivs 49nonewprivs
49noroot 50noroot
50nosound 51nosound
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
index 7eabde61d..e88b53499 100644
--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -27,6 +27,7 @@ apparmor
27caps.drop all 27caps.drop all
28netfilter 28netfilter
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nou2f 33nou2f
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index 63cae6231..b72632bf4 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -32,6 +32,7 @@ apparmor
32caps.drop all 32caps.drop all
33netfilter 33netfilter
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36# Seems to cause issues with Nvidia drivers sometimes (#3501) 37# Seems to cause issues with Nvidia drivers sometimes (#3501)
37noroot 38noroot
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index 4dd929c6b..5b5ed6e24 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -27,6 +27,7 @@ caps.drop all
27netfilter 27netfilter
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile
index a5269373d..88f47d1bf 100644
--- a/etc/profile-a-l/kopete.profile
+++ b/etc/profile-a-l/kopete.profile
@@ -26,6 +26,7 @@ caps.drop all
26netfilter 26netfilter
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
index be9921478..8604e63d0 100644
--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -33,6 +33,7 @@ ipc-namespace
33netfilter 33netfilter
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index b55e00f22..5a85194e0 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -46,6 +46,7 @@ netfilter
46no3d 46no3d
47nodvd 47nodvd
48nogroups 48nogroups
49noinput
49nonewprivs 50nonewprivs
50noroot 51noroot
51nosound 52nosound
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 8d8bcdd7d..4cf72b74c 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -31,6 +31,7 @@ machine-id
31net none 31net none
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index e0cfb9f24..4e9a12e5f 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -51,6 +51,7 @@ netfilter
51no3d 51no3d
52nodvd 52nodvd
53nogroups 53nogroups
54noinput
54nonewprivs 55nonewprivs
55noroot 56noroot
56nosound 57nosound
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 316a93d30..15e7ceb17 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -28,6 +28,7 @@ caps.drop all
28netfilter 28netfilter
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 4ff8efa70..804ffafeb 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -33,6 +33,7 @@ caps.drop all
33netfilter 33netfilter
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38# nosound - KWrite is using ALSA! 39# nosound - KWrite is using ALSA!
diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile
index b090be726..ac1b8785d 100644
--- a/etc/profile-a-l/latex-common.profile
+++ b/etc/profile-a-l/latex-common.profile
@@ -22,6 +22,7 @@ net none
22no3d 22no3d
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27nosound 28nosound
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
index eb23b200b..4bbb0a86d 100644
--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -24,6 +24,7 @@ net none
24no3d 24no3d
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index e1f0bc290..8eb5ad0c2 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -23,6 +23,7 @@ machine-id
23net none 23net none
24no3d 24no3d
25nodvd 25nodvd
26noinput
26nonewprivs 27nonewprivs
27#noroot 28#noroot
28nosound 29nosound
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index 031f0e19f..e4440eac0 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -9,8 +9,8 @@ include globals.local
9noblacklist /usr/local/sbin 9noblacklist /usr/local/sbin
10noblacklist ${HOME}/.config/libreoffice 10noblacklist ${HOME}/.config/libreoffice
11 11
12# libreoffice uses java for some certain operations 12# libreoffice uses java for some functionality.
13# comment if you don't care about java functionality 13# Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality.
14# Allow java (blacklisted by disable-devel.inc) 14# Allow java (blacklisted by disable-devel.inc)
15include allow-java.inc 15include allow-java.inc
16 16
@@ -22,25 +22,28 @@ include disable-programs.inc
22 22
23include whitelist-var-common.inc 23include whitelist-var-common.inc
24 24
25# ubuntu 18.04 comes with its own apparmor profile, but it is not in enforce mode. 25# Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode.
26# comment the next line to use the ubuntu profile instead of firejail's apparmor profile 26# Add the next lines to your libreoffice.local to use the Ubuntu profile instead of firejail's apparmor profile.
27#ignore apparmor
28#ignore nonewprivs
29#ignore protocol
30#ignore seccomp
31#ignore tracelog
32
27apparmor 33apparmor
28caps.drop all 34caps.drop all
29netfilter 35netfilter
30nodvd 36nodvd
31nogroups 37nogroups
32# comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile 38noinput
33nonewprivs 39nonewprivs
34noroot 40noroot
35notv 41notv
36nou2f 42nou2f
37novideo 43novideo
38# comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile
39protocol unix,inet,inet6 44protocol unix,inet,inet6
40# comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile
41seccomp 45seccomp
42shell none 46shell none
43# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
44tracelog 47tracelog
45 48
46#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls 49#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 0934e1271..8e3e58f19 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -18,8 +18,8 @@ whitelist ${HOME}/.librewolf
18#noblacklist ${HOME}/.mozilla 18#noblacklist ${HOME}/.mozilla
19#whitelist ${HOME}/.mozilla 19#whitelist ${HOME}/.mozilla
20 20
21# Uncomment or put in your librewolf.local one of the following whitelist to enable KeePassXC Plugin 21# To enable KeePassXC Plugin add one of the following lines to your librewolf.local.
22# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them 22# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them.
23#whitelist ${RUNUSER}/kpxc_server 23#whitelist ${RUNUSER}/kpxc_server
24#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer 24#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
25 25
@@ -31,25 +31,24 @@ include whitelist-usr-share-common.inc
31 31
32# Add the next line to your librewolf.local to enable private-bin (Arch Linux). 32# Add the next line to your librewolf.local to enable private-bin (Arch Linux).
33#private-bin dbus-launch,dbus-send,librewolf,sh 33#private-bin dbus-launch,dbus-send,librewolf,sh
34# Add the next line to your librewolf.local to enable private-etc. Note 34# Add the next line to your librewolf.local to enable private-etc.
35# that private-etc must first be enabled in firefox-common.local. 35# NOTE: private-etc must first be enabled in firefox-common.local.
36#private-etc librewolf 36#private-etc librewolf
37 37
38dbus-user filter 38dbus-user filter
39# Uncomment or put in your librewolf.local to enable native notifications. 39# Add the next line to your librewolf.local to enable native notifications.
40#dbus-user.talk org.freedesktop.Notifications 40#dbus-user.talk org.freedesktop.Notifications
41# Uncomment or put in your librewolf.local to allow to inhibit screensavers 41# Add the next line to your librewolf.local to allow inhibiting screensavers.
42#dbus-user.talk org.freedesktop.ScreenSaver 42#dbus-user.talk org.freedesktop.ScreenSaver
43# Uncomment or put in your librewolf.local for plasma browser integration 43# Add the next lines to your librewolf.local for plasma browser integration.
44#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration 44#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
45#dbus-user.talk org.kde.JobViewServer 45#dbus-user.talk org.kde.JobViewServer
46#dbus-user.talk org.kde.kuiserver 46#dbus-user.talk org.kde.kuiserver
47# Uncomment or put in your librewolf.local to allow screen sharing under wayland. 47# Add the next lines to your librewolf.local to allow screensharing under Wayland.
48#whitelist ${RUNUSER}/pipewire-0 48#whitelist ${RUNUSER}/pipewire-0
49#dbus-user.talk org.freedesktop.portal.* 49#dbus-user.talk org.freedesktop.portal.*
50# Also uncomment or put in your librewolf.local if screen sharing sharing still 50# Also add the next line to your librewolf.local if screensharing does not work with
51# does not work with the above lines (might depend on the portal 51# the above lines (depends on the portal implementation).
52# implementation)
53#ignore noroot 52#ignore noroot
54ignore dbus-user none 53ignore dbus-user none
55 54
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index 1b10f0934..7afca1d5f 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -37,6 +37,7 @@ netfilter
37# no3d 37# no3d
38nodvd 38nodvd
39nogroups 39nogroups
40noinput
40nonewprivs 41nonewprivs
41noroot 42noroot
42# nosound 43# nosound
diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile
index 91bd12d0d..4254b7f33 100644
--- a/etc/profile-a-l/lincity-ng.profile
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -28,6 +28,7 @@ ipc-namespace
28net none 28net none
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index 272bc4f3a..a1eeda14a 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -39,6 +39,7 @@ netfilter
39no3d 39no3d
40nodvd 40nodvd
41nogroups 41nogroups
42noinput
42nonewprivs 43nonewprivs
43noroot 44noroot
44# Add 'ignore nosound' to your links.local if you want to restrict access to 45# Add 'ignore nosound' to your links.local if you want to restrict access to
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile
index c509122e2..7ebdbef4c 100644
--- a/etc/profile-a-l/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
@@ -35,6 +35,7 @@ netfilter
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40notv 41notv
diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile
index afe1ad635..48b0e14dc 100644
--- a/etc/profile-a-l/lmms.profile
+++ b/etc/profile-a-l/lmms.profile
@@ -24,6 +24,7 @@ net none
24no3d 24no3d
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29notv 30notv
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index 1ce83822d..f2676fec5 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -27,6 +27,7 @@ caps.drop all
27netfilter 27netfilter
28no3d 28no3d
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile
index cd8f0e529..174c65a65 100644
--- a/etc/profile-a-l/lugaru.profile
+++ b/etc/profile-a-l/lugaru.profile
@@ -32,6 +32,7 @@ ipc-namespace
32net none 32net none
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37notv 38notv
diff --git a/etc/profile-a-l/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile
index 2b0feaa17..31067034e 100644
--- a/etc/profile-a-l/luminance-hdr.profile
+++ b/etc/profile-a-l/luminance-hdr.profile
@@ -21,6 +21,7 @@ caps.drop all
21netfilter 21netfilter
22nodvd 22nodvd
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26nosound 27nosound
diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile
index a33ddab78..b2a56012e 100644
--- a/etc/profile-a-l/lximage-qt.profile
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -22,6 +22,7 @@ net none
22no3d 22no3d
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27nosound 28nosound
diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile
index 9094f4377..cc4b95551 100644
--- a/etc/profile-a-l/lxmusic.profile
+++ b/etc/profile-a-l/lxmusic.profile
@@ -26,6 +26,7 @@ netfilter
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index 76a0e7ed0..a919e924b 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -24,6 +24,7 @@ netfilter
24no3d 24no3d
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile
index 77bce4179..62d0a8b3a 100644
--- a/etc/profile-m-z/Maelstrom.profile
+++ b/etc/profile-m-z/Maelstrom.profile
@@ -26,6 +26,7 @@ ipc-namespace
26net none 26net none
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29#nonewprivs 30#nonewprivs
30#noroot 31#noroot
31notv 32notv
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index 5ab302218..86120587b 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -37,6 +37,7 @@ netfilter
37# no3d 37# no3d
38nodvd 38nodvd
39nogroups 39nogroups
40noinput
40nonewprivs 41nonewprivs
41noroot 42noroot
42notv 43notv
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index e2dcf17e0..660378089 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -36,6 +36,7 @@ netfilter
36no3d 36no3d
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
index 7e7c0c3cd..d78e04595 100644
--- a/etc/profile-m-z/XMind.profile
+++ b/etc/profile-m-z/XMind.profile
@@ -23,6 +23,7 @@ caps.drop all
23netfilter 23netfilter
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28notv 29notv
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index ab5fdf942..5cf5161ce 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -22,6 +22,7 @@ caps.drop all
22# Xephyr needs to be allowed access to the abstract Unix socket namespace. 22# Xephyr needs to be allowed access to the abstract Unix socket namespace.
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. 27# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
27# noroot 28# noroot
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 937d02d60..1acd43023 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -25,6 +25,7 @@ caps.drop all
25# Xvfb needs to be allowed access to the abstract Unix socket namespace. 25# Xvfb needs to be allowed access to the abstract Unix socket namespace.
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. 30# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
30#noroot 31#noroot
diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile
index 02c5a043d..7686c3442 100644
--- a/etc/profile-m-z/ZeGrapher.profile
+++ b/etc/profile-m-z/ZeGrapher.profile
@@ -27,6 +27,7 @@ machine-id
27net none 27net none
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile
index 2e0071b47..d1dcb6fe0 100644
--- a/etc/profile-m-z/macrofusion.profile
+++ b/etc/profile-m-z/macrofusion.profile
@@ -26,6 +26,7 @@ ipc-namespace
26net none 26net none
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index d26aed0bb..8a27b2626 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -32,6 +32,7 @@ caps.drop all
32net none 32net none
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36notv 37notv
37nou2f 38nou2f
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index e199d29d1..bd510fcac 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -42,6 +42,7 @@ net none
42no3d 42no3d
43nodvd 43nodvd
44nogroups 44nogroups
45noinput
45nonewprivs 46nonewprivs
46noroot 47noroot
47nosound 48nosound
diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile
index eba77c8f2..f59a56ac6 100644
--- a/etc/profile-m-z/manaplus.profile
+++ b/etc/profile-m-z/manaplus.profile
@@ -31,6 +31,7 @@ ipc-namespace
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 84039aca3..087c02964 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -38,6 +38,7 @@ netfilter
38no3d 38no3d
39nodvd 39nodvd
40nogroups 40nogroups
41noinput
41nonewprivs 42nonewprivs
42noroot 43noroot
43nosound 44nosound
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index e4da0c66a..de1135071 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -23,6 +23,7 @@ caps.drop all
23machine-id 23machine-id
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28nosound 29nosound
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index ce418d68f..39ee7439d 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -30,6 +30,7 @@ net none
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index d30965922..007bab30d 100644
--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -21,6 +21,7 @@ netfilter
21no3d 21no3d
22nodvd 22nodvd
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26nosound 27nosound
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index 2267bbb50..ae1fcbf62 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -25,6 +25,7 @@ netfilter
25no3d 25no3d
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index b63de6c3e..38d2d8d63 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -19,6 +19,7 @@ include disable-shell.inc
19caps.drop all 19caps.drop all
20netfilter 20netfilter
21nodvd 21nodvd
22noinput
22nonewprivs 23nonewprivs
23noroot 24noroot
24nosound 25nosound
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index fb97daa27..5d3f8dc41 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -29,6 +29,7 @@ net none
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index be7c8cbca..17363624f 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -27,6 +27,7 @@ net none
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index 95cd673c6..0063badd8 100644
--- a/etc/profile-m-z/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
@@ -34,6 +34,7 @@ caps.drop all
34netfilter 34netfilter
35nodvd 35nodvd
36nogroups 36nogroups
37noinput
37nonewprivs 38nonewprivs
38noroot 39noroot
39notv 40notv
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 37ac9e304..972838729 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -31,6 +31,7 @@ ipc-namespace
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 900523b81..1225cc107 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -56,6 +56,7 @@ netfilter
56no3d 56no3d
57nodvd 57nodvd
58nogroups 58nogroups
59noinput
59nonewprivs 60nonewprivs
60noroot 61noroot
61nosound 62nosound
diff --git a/etc/profile-m-z/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile
index 6022b110a..c0bdbb230 100644
--- a/etc/profile-m-z/mendeleydesktop.profile
+++ b/etc/profile-m-z/mendeleydesktop.profile
@@ -31,6 +31,7 @@ caps.drop all
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index e29e4bc70..2081b8c96 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -37,6 +37,7 @@ net none
37nodvd 37nodvd
38no3d 38no3d
39nogroups 39nogroups
40noinput
40nonewprivs 41nonewprivs
41noroot 42noroot
42nosound 43nosound
diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile
index c8b0a0ff1..85ed7bc74 100644
--- a/etc/profile-m-z/meteo-qt.profile
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -31,6 +31,7 @@ caps.drop all
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index 6108c0b69..fbf6b58e8 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -26,6 +26,7 @@ net none
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index 8c7d18c58..2536d0b38 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -6,7 +6,8 @@ include minecraft-launcher.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it. 9# Some distros put the executable in /opt/minecraft-launcher.
10# Run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it.
10 11
11ignore noexec ${HOME} 12ignore noexec ${HOME}
12 13
@@ -35,6 +36,7 @@ caps.drop all
35netfilter 36netfilter
36nodvd 37nodvd
37nogroups 38nogroups
39noinput
38nonewprivs 40nonewprivs
39noroot 41noroot
40notv 42notv
@@ -49,7 +51,8 @@ disable-mnt
49private-bin java,java-config,minecraft-launcher 51private-bin java,java-config,minecraft-launcher
50private-cache 52private-cache
51private-dev 53private-dev
52# If multiplayer or realms break add your own java folder from /etc or comment the line below. 54# If multiplayer or realms break, add 'private-etc <your-own-java-folder-from-/etc>'
55# or 'ignore private-etc' to your minecraft-launcher.local.
53private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg 56private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg
54private-opt minecraft-launcher 57private-opt minecraft-launcher
55private-tmp 58private-tmp
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index 666af323d..cad1adbda 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -40,6 +40,7 @@ ipc-namespace
40netfilter 40netfilter
41nodvd 41nodvd
42nogroups 42nogroups
43noinput
43nonewprivs 44nonewprivs
44noroot 45noroot
45notv 46notv
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 78ef5e398..3fe3428d0 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -40,6 +40,7 @@ caps.drop all
40netfilter 40netfilter
41nodvd 41nodvd
42nogroups 42nogroups
43noinput
43nonewprivs 44nonewprivs
44noroot 45noroot
45notv 46notv
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index e0ebb4895..505009283 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -41,6 +41,7 @@ caps.drop all
41netfilter 41netfilter
42nodvd 42nodvd
43nogroups 43nogroups
44noinput
44nonewprivs 45nonewprivs
45noroot 46noroot
46notv 47notv
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index ded84bf7e..58dfd56f5 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -29,6 +29,7 @@ caps.drop all
29net none 29net none
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index 6fc7a4d67..e71ba4569 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-m-z/mousepad.profile b/etc/profile-m-z/mousepad.profile
index 5f15b71e2..98063fa7c 100644
--- a/etc/profile-m-z/mousepad.profile
+++ b/etc/profile-m-z/mousepad.profile
@@ -23,6 +23,7 @@ caps.drop all
23net none 23net none
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28nosound 29nosound
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index 3481a4a82..37ce60e04 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -24,6 +24,7 @@ net none
24no3d 24no3d
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29notv 30notv
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index c65754a03..070de8451 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -28,6 +28,7 @@ net none
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 4ba1dfbd6..55a0b5897 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -36,6 +36,7 @@ netfilter
36no3d 36no3d
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile
index 3fda87a48..b517d4ab2 100644
--- a/etc/profile-m-z/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
@@ -26,6 +26,7 @@ caps.drop all
26netfilter 26netfilter
27no3d 27no3d
28nodvd 28nodvd
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
index b1ab81c1e..25187e894 100644
--- a/etc/profile-m-z/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -25,6 +25,7 @@ caps.drop all
25netfilter 25netfilter
26no3d 26no3d
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 58384e33c..5d023b7f1 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -28,6 +28,7 @@ caps.drop all
28# net none - mplayer can be used for streaming. 28# net none - mplayer can be used for streaming.
29netfilter 29netfilter
30# nogroups 30# nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nou2f 34nou2f
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index bdf50421b..bfe57a132 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -53,6 +53,7 @@ netfilter
53nodvd 53nodvd
54# Seems to cause issues with Nvidia drivers sometimes 54# Seems to cause issues with Nvidia drivers sometimes
55nogroups 55nogroups
56noinput
56nonewprivs 57nonewprivs
57noroot 58noroot
58notv 59notv
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 1804389c3..310f36ea1 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -63,6 +63,7 @@ caps.drop all
63netfilter 63netfilter
64# nogroups seems to cause issues with Nvidia drivers sometimes 64# nogroups seems to cause issues with Nvidia drivers sometimes
65nogroups 65nogroups
66noinput
66nonewprivs 67nonewprivs
67noroot 68noroot
68nou2f 69nou2f
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index f02a4f357..035a7e625 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -8,18 +8,26 @@ include globals.local
8 8
9noblacklist ${HOME}/.local/share/love 9noblacklist ${HOME}/.local/share/love
10 10
11# Allow /bin/sh (blacklisted by disable-shell.inc)
12include allow-bin-sh.inc
13
14# Allow lua (blacklisted by disable-interpreters.inc)
15include allow-lua.inc
16
11include disable-common.inc 17include disable-common.inc
12include disable-devel.inc 18include disable-devel.inc
13include disable-exec.inc 19include disable-exec.inc
14include disable-interpreters.inc 20include disable-interpreters.inc
15include disable-passwdmgr.inc 21include disable-passwdmgr.inc
16include disable-programs.inc 22include disable-programs.inc
23include disable-shell.inc
17include disable-xdg.inc 24include disable-xdg.inc
18 25
19mkdir ${HOME}/.local/share/love 26mkdir ${HOME}/.local/share/love
20whitelist ${HOME}/.local/share/love 27whitelist ${HOME}/.local/share/love
21whitelist /usr/share/mrrescue 28whitelist /usr/share/mrrescue
22include whitelist-common.inc 29include whitelist-common.inc
30include whitelist-runuser-common.inc
23include whitelist-usr-share-common.inc 31include whitelist-usr-share-common.inc
24include whitelist-var-common.inc 32include whitelist-var-common.inc
25 33
@@ -28,6 +36,7 @@ caps.drop all
28net none 36net none
29nodvd 37nodvd
30nogroups 38nogroups
39noinput
31nonewprivs 40nonewprivs
32noroot 41noroot
33notv 42notv
@@ -35,6 +44,7 @@ nou2f
35novideo 44novideo
36protocol unix,netlink 45protocol unix,netlink
37seccomp 46seccomp
47seccomp.block-secondary
38shell none 48shell none
39tracelog 49tracelog
40 50
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index a6892d698..38fc84ecc 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -23,6 +23,7 @@ caps.drop all
23netfilter 23netfilter
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28notv 29notv
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile
index 9f1f0f53d..85c3ee9f2 100644
--- a/etc/profile-m-z/mtpaint.profile
+++ b/etc/profile-m-z/mtpaint.profile
@@ -28,6 +28,7 @@ net none
28nodvd 28nodvd
29no3d 29no3d
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 475307418..6df681df1 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -31,6 +31,7 @@ caps.drop all
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile
index a3e56170a..9e4609c48 100644
--- a/etc/profile-m-z/mupdf.profile
+++ b/etc/profile-m-z/mupdf.profile
@@ -24,6 +24,7 @@ machine-id
24net none 24net none
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
index dbfd12619..04500ac6a 100644
--- a/etc/profile-m-z/musictube.profile
+++ b/etc/profile-m-z/musictube.profile
@@ -36,6 +36,7 @@ caps.drop all
36netfilter 36netfilter
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41notv 42notv
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index a6b85a8e4..74b3e9a5f 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -20,9 +20,11 @@ netfilter
20no3d 20no3d
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nogroups 26nogroups
27noinput
26nosound 28nosound
27notv 29notv
28nou2f 30nou2f
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 2c6e047d8..debf81659 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -119,6 +119,7 @@ netfilter
119no3d 119no3d
120nodvd 120nodvd
121nogroups 121nogroups
122noinput
122nonewprivs 123nonewprivs
123noroot 124noroot
124nosound 125nosound
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index c592e8477..d8d487fe7 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -30,6 +30,7 @@ net none
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 2a4625896..4698c2287 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -30,6 +30,7 @@ net none
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
@@ -46,8 +47,12 @@ x11 none
46private-bin nano,rnano 47private-bin nano,rnano
47private-cache 48private-cache
48private-dev 49private-dev
49# Comment the next line if you want to edit files in /etc directly 50# Add the next lines to your nano.local if you want to edit files in /etc directly.
51#ignore private-etc
52#writable-etc
50private-etc alternatives,nanorc 53private-etc alternatives,nanorc
54# Add the next line to your nano.local if you want to edit files in /var directly.
55#writable-var
51 56
52dbus-user none 57dbus-user none
53dbus-system none 58dbus-system none
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 651804bf1..063e30366 100644
--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -16,6 +16,7 @@ net none
16no3d 16no3d
17nodvd 17nodvd
18nogroups 18nogroups
19noinput
19nonewprivs 20nonewprivs
20noroot 21noroot
21nosound 22nosound
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
new file mode 100644
index 000000000..9f00448c8
--- /dev/null
+++ b/etc/profile-m-z/neochat.profile
@@ -0,0 +1,66 @@
1# Firejail profile for neochat
2# Description: Matrix Client
3# This file is overwritten after every install/update
4# Persistent local customizations
5include neochat.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.cache/KDE/neochat
10noblacklist ${HOME}/.config/KDE
11noblacklist ${HOME}/.config/KDE/neochat
12noblacklist ${HOME}/.config/neochatrc
13noblacklist ${HOME}/.config/neochat.notifyrc
14noblacklist ${HOME}/.local/share/KDE/neochat
15
16include disable-common.inc
17include disable-devel.inc
18include disable-exec.inc
19include disable-interpreters.inc
20include disable-passwdmgr.inc
21include disable-programs.inc
22include disable-shell.inc
23include disable-xdg.inc
24
25mkdir ${HOME}/.cache/KDE/neochat
26mkdir ${HOME}/.local/share/KDE/neochat
27whitelist ${HOME}/.cache/KDE/neochat
28whitelist ${HOME}/.local/share/KDE/neochat
29whitelist ${DOWNLOADS}
30include whitelist-1793-workaround.inc
31include whitelist-common.inc
32include whitelist-runuser-common.inc
33include whitelist-usr-share-common.inc
34include whitelist-var-common.inc
35
36apparmor
37caps.drop all
38machine-id
39netfilter
40nodvd
41nogroups
42noinput
43nonewprivs
44noroot
45nosound
46notv
47nou2f
48novideo
49protocol unix,inet,inet6
50seccomp
51seccomp.block-secondary
52shell none
53tracelog
54
55disable-mnt
56private-bin neochat
57private-dev
58private-etc alternatives,ca-certificates,crypto-policies,dbus-1,fonts,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
59private-tmp
60
61dbus-user filter
62dbus-user.own org.kde.neochat
63dbus-user.talk org.freedesktop.Notifications
64dbus-user.talk org.kde.StatusNotifierWatcher
65dbus-user.talk org.kde.kwalletd5
66dbus-system none
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 26865b90a..fafa129e4 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -122,6 +122,7 @@ netfilter
122no3d 122no3d
123nodvd 123nodvd
124nogroups 124nogroups
125noinput
125nonewprivs 126nonewprivs
126noroot 127noroot
127nosound 128nosound
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index fd73cea89..5d45dd7bc 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -32,6 +32,7 @@ netfilter
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile
index 4daa8054b..c9a537370 100644
--- a/etc/profile-m-z/nethack-vultures.profile
+++ b/etc/profile-m-z/nethack-vultures.profile
@@ -26,6 +26,7 @@ ipc-namespace
26net none 26net none
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29#nonewprivs 30#nonewprivs
30#noroot 31#noroot
31notv 32notv
diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile
index c8c927db2..b57abe260 100644
--- a/etc/profile-m-z/nethack.profile
+++ b/etc/profile-m-z/nethack.profile
@@ -25,6 +25,7 @@ net none
25no3d 25no3d
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28#nonewprivs 29#nonewprivs
29#noroot 30#noroot
30nosound 31nosound
diff --git a/etc/profile-m-z/neverball-wrapper.profile b/etc/profile-m-z/neverball-wrapper.profile
new file mode 100644
index 000000000..534e41dd1
--- /dev/null
+++ b/etc/profile-m-z/neverball-wrapper.profile
@@ -0,0 +1,14 @@
1# Firejail profile for neverball-wrapper
2# This file is overwritten after every install/update
3# Persistent local customizations
4include neverball-wrapper.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
8
9include allow-opengl-game.inc
10
11private-bin neverball-wrapper
12
13# Redirect
14include neverball.profile
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
index 84c634549..ecfbb14e4 100644
--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -14,26 +14,39 @@ include disable-exec.inc
14include disable-interpreters.inc 14include disable-interpreters.inc
15include disable-passwdmgr.inc 15include disable-passwdmgr.inc
16include disable-programs.inc 16include disable-programs.inc
17include disable-shell.inc
18include disable-xdg.inc
17 19
18mkdir ${HOME}/.neverball 20mkdir ${HOME}/.neverball
19whitelist ${HOME}/.neverball 21whitelist ${HOME}/.neverball
22whitelist /usr/share/neverball
20include whitelist-common.inc 23include whitelist-common.inc
24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc
26include whitelist-var-common.inc
21 27
22caps.drop all 28caps.drop all
23netfilter 29net none
24nodvd 30nodvd
25nogroups 31nogroups
32noinput
26nonewprivs 33nonewprivs
27noroot 34noroot
28notv 35notv
29nou2f 36nou2f
30novideo 37novideo
31protocol unix,netlink 38protocol unix
32seccomp 39seccomp
40seccomp.block-secondary
33shell none 41shell none
42tracelog
34 43
35disable-mnt 44disable-mnt
36private-bin neverball 45private-bin neverball
46private-cache
37private-dev 47private-dev
48private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id
38private-tmp 49private-tmp
39 50
51dbus-user none
52dbus-system none
diff --git a/etc/profile-m-z/neverputt-wrapper.profile b/etc/profile-m-z/neverputt-wrapper.profile
new file mode 100644
index 000000000..dacd113cc
--- /dev/null
+++ b/etc/profile-m-z/neverputt-wrapper.profile
@@ -0,0 +1,14 @@
1# Firejail profile for neverputt-wrapper
2# This file is overwritten after every install/update
3# Persistent local customizations
4include neverputt-wrapper.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
8
9include allow-opengl-game.inc
10
11private-bin neverputt-wrapper
12
13# Redirect
14include neverputt.profile
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index 23c2de43c..13bc3a615 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -40,6 +40,7 @@ netfilter
40no3d 40no3d
41nodvd 41nodvd
42nogroups 42nogroups
43noinput
43nonewprivs 44nonewprivs
44noroot 45noroot
45notv 46notv
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
index d0ac83baf..18d8c6ed4 100644
--- a/etc/profile-m-z/newsflash.profile
+++ b/etc/profile-m-z/newsflash.profile
@@ -36,6 +36,7 @@ machine-id
36netfilter 36netfilter
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index 53dd3a05a..9fd76fbe7 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -47,6 +47,7 @@ netfilter
47no3d 47no3d
48nodvd 48nodvd
49nogroups 49nogroups
50noinput
50nonewprivs 51nonewprivs
51noroot 52noroot
52nosound 53nosound
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 1b5da8d27..f8062891c 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -36,6 +36,7 @@ caps.drop all
36netfilter 36netfilter
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41notv 42notv
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index 3bf32a3db..1c7dbc009 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -36,6 +36,7 @@ netfilter
36no3d 36no3d
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index 1743a771e..8dba84f02 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -28,6 +28,7 @@ netfilter
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-m-z/node.profile b/etc/profile-m-z/node.profile
new file mode 100644
index 000000000..cd48ed3c7
--- /dev/null
+++ b/etc/profile-m-z/node.profile
@@ -0,0 +1,11 @@
1# Firejail profile for node
2# Description: Evented I/O for V8 javascript
3quiet
4# This file is overwritten after every install/update
5# Persistent local customizations
6include node.local
7# Persistent global definitions
8include globals.local
9
10# Redirect
11include nodejs-common.profile
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 202905631..fa69f9214 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -10,6 +10,20 @@ include nodejs-common.local
10blacklist /tmp/.X11-unix 10blacklist /tmp/.X11-unix
11blacklist ${RUNUSER} 11blacklist ${RUNUSER}
12 12
13ignore read-only ${HOME}/.npm-packages
14ignore read-only ${HOME}/.npmrc
15ignore read-only ${HOME}/.nvm
16ignore read-only ${HOME}/.yarnrc
17
18noblacklist ${HOME}/.node-gyp
19noblacklist ${HOME}/.npm
20noblacklist ${HOME}/.npmrc
21noblacklist ${HOME}/.nvm
22noblacklist ${HOME}/.yarn
23noblacklist ${HOME}/.yarn-config
24noblacklist ${HOME}/.yarncache
25noblacklist ${HOME}/.yarnrc
26
13ignore noexec ${HOME} 27ignore noexec ${HOME}
14 28
15include allow-bin-sh.inc 29include allow-bin-sh.inc
@@ -21,6 +35,32 @@ include disable-programs.inc
21include disable-shell.inc 35include disable-shell.inc
22include disable-xdg.inc 36include disable-xdg.inc
23 37
38# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
39# and add the next lines to your nodejs-common.local.
40#mkdir ${HOME}/.node-gyp
41#mkdir ${HOME}/.npm
42#mkdir ${HOME}/.npm-packages
43#mkfile ${HOME}/.npmrc
44#mkdir ${HOME}/.nvm
45#mkdir ${HOME}/.yarn
46#mkdir ${HOME}/.yarn-config
47#mkdir ${HOME}/.yarncache
48#mkfile ${HOME}/.yarnrc
49#whitelist ${HOME}/.node-gyp
50#whitelist ${HOME}/.npm
51#whitelist ${HOME}/.npm-packages
52#whitelist ${HOME}/.npmrc
53#whitelist ${HOME}/.nvm
54#whitelist ${HOME}/.yarn
55#whitelist ${HOME}/.yarn-config
56#whitelist ${HOME}/.yarncache
57#whitelist ${HOME}/.yarnrc
58#whitelist ${HOME}/Projects
59#include whitelist-common.inc
60
61whitelist /usr/share/doc/node
62whitelist /usr/share/nvm
63whitelist /usr/share/systemtap/tapset/node.stp
24include whitelist-runuser-common.inc 64include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc 65include whitelist-usr-share-common.inc
26include whitelist-var-common.inc 66include whitelist-var-common.inc
@@ -32,6 +72,7 @@ netfilter
32no3d 72no3d
33nodvd 73nodvd
34nogroups 74nogroups
75noinput
35nonewprivs 76nonewprivs
36noroot 77noroot
37nosound 78nosound
@@ -45,10 +86,11 @@ shell none
45 86
46disable-mnt 87disable-mnt
47private-dev 88private-dev
48# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs 89private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg
49private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg 90#private-tmp
50# May need to be commented out in order to enable debugging with some IDEs
51private-tmp
52 91
53dbus-user none 92dbus-user none
54dbus-system none 93dbus-system none
94
95# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
96#env GATSBY_TELEMETRY_DISABLED=1
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index d081c9cb7..a36dee874 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -27,6 +27,7 @@ machine-id
27netfilter 27netfilter
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index ff292f409..650118c98 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -32,6 +32,7 @@ net none
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
index f51d58782..4d8beea5a 100644
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
@@ -7,23 +7,5 @@ include npm.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10ignore read-only ${HOME}/.npm-packages
11ignore read-only ${HOME}/.npmrc
12
13noblacklist ${HOME}/.node-gyp
14noblacklist ${HOME}/.npm
15noblacklist ${HOME}/.npmrc
16
17# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
18# and add the next lines to your npm.local.
19#mkdir ${HOME}/.node-gyp
20#mkdir ${HOME}/.npm
21#mkfile ${HOME}/.npmrc
22#whitelist ${HOME}/.node-gyp
23#whitelist ${HOME}/.npm
24#whitelist ${HOME}/.npmrc
25#whitelist ${HOME}/Projects
26#include whitelist-common.inc
27
28# Redirect 10# Redirect
29include nodejs-common.profile 11include nodejs-common.profile
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
index 17798a6fb..c7a131a2c 100644
--- a/etc/profile-m-z/nslookup.profile
+++ b/etc/profile-m-z/nslookup.profile
@@ -33,6 +33,7 @@ netfilter
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/nvm.profile
new file mode 100644
index 000000000..80da22834
--- /dev/null
+++ b/etc/profile-m-z/nvm.profile
@@ -0,0 +1,13 @@
1# Firejail profile for nvm
2# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
3quiet
4# This file is overwritten after every install/update
5# Persistent local customizations
6include nvm.local
7# Persistent global definitions
8include globals.local
9
10ignore noroot
11
12# Redirect
13include nodejs-common.profile
diff --git a/etc/profile-m-z/nylas.profile b/etc/profile-m-z/nylas.profile
index c959eb991..fe0c2116b 100644
--- a/etc/profile-m-z/nylas.profile
+++ b/etc/profile-m-z/nylas.profile
@@ -25,6 +25,7 @@ caps.drop all
25netfilter 25netfilter
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index 9e27dafab..d040d42af 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -31,6 +31,7 @@ netfilter
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile
index 4277bdab3..9345cee4f 100644
--- a/etc/profile-m-z/obs.profile
+++ b/etc/profile-m-z/obs.profile
@@ -27,6 +27,7 @@ include whitelist-var-common.inc
27caps.drop all 27caps.drop all
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index be3618e31..7be68a201 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -32,6 +32,7 @@ netfilter
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37notv 38notv
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 6201b6fba..6163d2e22 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -23,6 +23,7 @@ net none
23no3d 23no3d
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28nosound 29nosound
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index e21ac997a..ab8ccf623 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -28,10 +28,16 @@ include disable-programs.inc
28include disable-shell.inc 28include disable-shell.inc
29include disable-xdg.inc 29include disable-xdg.inc
30 30
31whitelist /usr/share/config.kcfg 31whitelist /usr/share/config.kcfg/gssettings.kcfg
32whitelist /usr/share/config.kcfg/pdfsettings.kcfg
33whitelist /usr/share/config.kcfg/okular.kcfg
34whitelist /usr/share/config.kcfg/okular_core.kcfg
35whitelist /usr/share/ghostscript
36whitelist /usr/share/kconf_update/okular.upd
32whitelist /usr/share/kxmlgui5/okular 37whitelist /usr/share/kxmlgui5/okular
33whitelist /usr/share/okular 38whitelist /usr/share/okular
34whitelist /usr/share/poppler 39whitelist /usr/share/poppler
40include whitelist-runuser-common.inc
35include whitelist-usr-share-common.inc 41include whitelist-usr-share-common.inc
36include whitelist-var-common.inc 42include whitelist-var-common.inc
37 43
@@ -42,6 +48,7 @@ machine-id
42netfilter 48netfilter
43nodvd 49nodvd
44nogroups 50nogroups
51noinput
45nonewprivs 52nonewprivs
46noroot 53noroot
47nosound 54nosound
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index 152bd7ac5..5b367b639 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -36,6 +36,7 @@ net none
36nodvd 36nodvd
37no3d 37no3d
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41notv 42notv
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 5bfcd0527..960df9034 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -25,6 +25,7 @@ netfilter
25no3d 25no3d
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index e18599d1d..7a840d4a9 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -26,6 +26,7 @@ caps.drop all
26net none 26net none
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 88d5d0e1e..36ce0316f 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -29,6 +29,7 @@ caps.drop all
29netfilter 29netfilter
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-m-z/opencity.profile b/etc/profile-m-z/opencity.profile
index cb8a511ad..a3d371e15 100644
--- a/etc/profile-m-z/opencity.profile
+++ b/etc/profile-m-z/opencity.profile
@@ -28,6 +28,7 @@ ipc-namespace
28net none 28net none
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index a6760617c..32b40df42 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -29,6 +29,7 @@ ipc-namespace
29netfilter 29netfilter
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile
index 89b146619..d1fe67aed 100644
--- a/etc/profile-m-z/openmw.profile
+++ b/etc/profile-m-z/openmw.profile
@@ -39,6 +39,7 @@ netfilter
39# Add 'ignore nodvd' to your openmw.local when installing from disc. 39# Add 'ignore nodvd' to your openmw.local when installing from disc.
40nodvd 40nodvd
41nogroups 41nogroups
42noinput
42nonewprivs 43nonewprivs
43noroot 44noroot
44notv 45notv
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile
index ac960345a..6118630c4 100644
--- a/etc/profile-m-z/openshot.profile
+++ b/etc/profile-m-z/openshot.profile
@@ -30,6 +30,7 @@ caps.drop all
30net none 30net none
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
diff --git a/etc/profile-m-z/openttd.profile b/etc/profile-m-z/openttd.profile
index b71883d68..546958bb7 100644
--- a/etc/profile-m-z/openttd.profile
+++ b/etc/profile-m-z/openttd.profile
@@ -28,6 +28,7 @@ ipc-namespace
28net none 28net none
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
index 4e12892d6..4e4d8bea5 100644
--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -22,6 +22,7 @@ netfilter
22no3d 22no3d
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27# nosound - calendar application, It must be able to play sound to wake you up. 28# nosound - calendar application, It must be able to play sound to wake you up.
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
index 3bfda7946..310b90919 100644
--- a/etc/profile-m-z/ostrichriders.profile
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -29,6 +29,8 @@ ipc-namespace
29net none 29net none
30nodvd 30nodvd
31nogroups 31nogroups
32# Add 'ignore noinput' to your ostrichriders.local if you need controller support.
33noinput
32nonewprivs 34nonewprivs
33noroot 35noroot
34notv 36notv
@@ -42,7 +44,6 @@ tracelog
42disable-mnt 44disable-mnt
43private-bin ostrichriders 45private-bin ostrichriders
44private-cache 46private-cache
45# comment the following line if you need controller support
46private-dev 47private-dev
47private-tmp 48private-tmp
48 49
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index aa26ddd4e..20a4e25ed 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -41,6 +41,7 @@ caps.drop all
41netfilter 41netfilter
42nodvd 42nodvd
43nogroups 43nogroups
44noinput
44nonewprivs 45nonewprivs
45noroot 46noroot
46notv 47notv
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index d2dcef0d0..513b4119e 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -31,6 +31,7 @@ net none
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index b034efde9..0de968185 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -28,6 +28,7 @@ net none
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index f7d3576da..b46fb3026 100644
--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -31,6 +31,7 @@ netfilter
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index 4b6da4d6f..d72417914 100644
--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -22,6 +22,7 @@ ipc-namespace
22net none 22net none
23no3d 23no3d
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27nosound 28nosound
diff --git a/etc/profile-m-z/pdfmod.profile b/etc/profile-m-z/pdfmod.profile
index fb3c42526..a19826555 100644
--- a/etc/profile-m-z/pdfmod.profile
+++ b/etc/profile-m-z/pdfmod.profile
@@ -27,6 +27,7 @@ net none
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-m-z/pdfsam.profile b/etc/profile-m-z/pdfsam.profile
index 2f4227159..e2808d4d2 100644
--- a/etc/profile-m-z/pdfsam.profile
+++ b/etc/profile-m-z/pdfsam.profile
@@ -25,6 +25,7 @@ net none
25no3d 25no3d
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index 6bbd30b22..d3902a51c 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -32,6 +32,7 @@ net none
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index 710a533a9..c33953687 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -33,6 +33,7 @@ net none
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile
index db0d84496..f5ad0321d 100644
--- a/etc/profile-m-z/penguin-command.profile
+++ b/etc/profile-m-z/penguin-command.profile
@@ -25,6 +25,7 @@ caps.drop all
25net none 25net none
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index 9e6b4a87d..40068ff78 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -28,6 +28,7 @@ net none
28nodvd 28nodvd
29no3d 29no3d
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-m-z/picard.profile b/etc/profile-m-z/picard.profile
index 15fc7a454..a5ea47088 100644
--- a/etc/profile-m-z/picard.profile
+++ b/etc/profile-m-z/picard.profile
@@ -28,6 +28,7 @@ caps.drop all
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index e81e78ca7..26872e9a1 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -32,6 +32,7 @@ caps.drop all
32netfilter 32netfilter
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37notv 38notv
diff --git a/etc/profile-m-z/pinball-wrapper.profile b/etc/profile-m-z/pinball-wrapper.profile
new file mode 100644
index 000000000..2b5ed6e27
--- /dev/null
+++ b/etc/profile-m-z/pinball-wrapper.profile
@@ -0,0 +1,14 @@
1# Firejail profile for pinball-wrapper
2# This file is overwritten after every install/update
3# Persistent local customizations
4include pinball-wrapper.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
8
9include allow-opengl-game.inc
10
11private-bin pinball-wrapper
12
13# Redirect
14include pinball.profile
diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile
new file mode 100644
index 000000000..ab433e729
--- /dev/null
+++ b/etc/profile-m-z/pinball.profile
@@ -0,0 +1,53 @@
1# Firejail profile for pinball
2# Description: Emilia 3D Pinball Game
3# This file is overwritten after every install/update
4# Persistent local customizations
5include pinball.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.config/emilia
10
11include disable-common.inc
12include disable-devel.inc
13include disable-exec.inc
14include disable-interpreters.inc
15include disable-passwdmgr.inc
16include disable-programs.inc
17include disable-shell.inc
18include disable-xdg.inc
19
20mkdir ${HOME}/.config/emilia
21whitelist ${HOME}/.config/emilia
22whitelist /usr/share/pinball
23include whitelist-common.inc
24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc
26include whitelist-var-common.inc
27
28apparmor
29caps.drop all
30net none
31nodvd
32nogroups
33noinput
34nonewprivs
35noroot
36notv
37nou2f
38novideo
39protocol unix
40seccomp
41seccomp.block-secondary
42shell none
43tracelog
44
45disable-mnt
46private-bin pinball
47private-cache
48private-dev
49private-etc alsa,alternatives,asound.conf,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id,pulse
50private-tmp
51
52dbus-user none
53dbus-system none
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index 03b548ffa..e914007c0 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -31,6 +31,7 @@ netfilter
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34# ping needs to rise privileges, noroot and nonewprivs will kill it 35# ping needs to rise privileges, noroot and nonewprivs will kill it
35#nonewprivs 36#nonewprivs
36#noroot 37#noroot
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index ebfd236aa..3889d87d2 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -8,12 +8,16 @@ include globals.local
8 8
9noblacklist ${HOME}/.pingus 9noblacklist ${HOME}/.pingus
10 10
11# Allow /bin/sh (blacklisted by disable-shell.inc)
12include allow-bin-sh.inc
13
11include disable-common.inc 14include disable-common.inc
12include disable-devel.inc 15include disable-devel.inc
13include disable-exec.inc 16include disable-exec.inc
14include disable-interpreters.inc 17include disable-interpreters.inc
15include disable-passwdmgr.inc 18include disable-passwdmgr.inc
16include disable-programs.inc 19include disable-programs.inc
20include disable-shell.inc
17include disable-xdg.inc 21include disable-xdg.inc
18 22
19mkdir ${HOME}/.pingus 23mkdir ${HOME}/.pingus
@@ -29,6 +33,7 @@ caps.drop all
29net none 33net none
30nodvd 34nodvd
31nogroups 35nogroups
36noinput
32nonewprivs 37nonewprivs
33noroot 38noroot
34notv 39notv
@@ -36,6 +41,7 @@ nou2f
36novideo 41novideo
37protocol unix,netlink 42protocol unix,netlink
38seccomp 43seccomp
44seccomp.block-secondary
39shell none 45shell none
40tracelog 46tracelog
41 47
diff --git a/etc/profile-m-z/pinta.profile b/etc/profile-m-z/pinta.profile
index 7d94972c4..19406c399 100644
--- a/etc/profile-m-z/pinta.profile
+++ b/etc/profile-m-z/pinta.profile
@@ -23,6 +23,7 @@ ipc-namespace
23net none 23net none
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28nosound 29nosound
diff --git a/etc/profile-m-z/pioneer.profile b/etc/profile-m-z/pioneer.profile
index 5f329195b..721b3944a 100644
--- a/etc/profile-m-z/pioneer.profile
+++ b/etc/profile-m-z/pioneer.profile
@@ -27,6 +27,7 @@ ipc-namespace
27net none 27net none
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-m-z/pithos.profile b/etc/profile-m-z/pithos.profile
index 0864dd0bc..18990f0b2 100644
--- a/etc/profile-m-z/pithos.profile
+++ b/etc/profile-m-z/pithos.profile
@@ -27,6 +27,7 @@ netfilter
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-m-z/pitivi.profile b/etc/profile-m-z/pitivi.profile
index c722e29b4..a2dd809c4 100644
--- a/etc/profile-m-z/pitivi.profile
+++ b/etc/profile-m-z/pitivi.profile
@@ -28,6 +28,7 @@ ipc-namespace
28net none 28net none
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-m-z/pix.profile b/etc/profile-m-z/pix.profile
index a2c35beb5..81d3e9370 100644
--- a/etc/profile-m-z/pix.profile
+++ b/etc/profile-m-z/pix.profile
@@ -20,6 +20,7 @@ include disable-shell.inc
20caps.drop all 20caps.drop all
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
index cc4f016c5..4eb41b3bd 100644
--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -29,6 +29,7 @@ net none
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
index 5303eae8a..10e12e5b1 100644
--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -29,6 +29,7 @@ machine-id
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
@@ -49,6 +50,4 @@ private-tmp
49# dbus-user none 50# dbus-user none
50# dbus-system none 51# dbus-system none
51 52
52memory-deny-write-execute
53
54join-or-start pluma 53join-or-start pluma
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 7f7ae4204..5201fd853 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -32,6 +32,7 @@ net none
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 3513e91cc..8a181d5a8 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -32,6 +32,7 @@ net none
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-m-z/polari.profile b/etc/profile-m-z/polari.profile
index 87a53775f..a3d4f9851 100644
--- a/etc/profile-m-z/polari.profile
+++ b/etc/profile-m-z/polari.profile
@@ -35,6 +35,7 @@ netfilter
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40nosound 41nosound
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
index 019c1a547..f138d785e 100644
--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -23,6 +23,7 @@ caps.drop all
23netfilter 23netfilter
24no3d 24no3d
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28notv 29notv
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
index a02bcd826..743458725 100644
--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -31,6 +31,7 @@ netfilter
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index 16fffe517..5ac58b0ac 100644
--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -30,6 +30,7 @@ netfilter
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index 376743b8d..7e0ef99fc 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -55,6 +55,7 @@ caps.drop all
55netfilter 55netfilter
56nodvd 56nodvd
57nogroups 57nogroups
58noinput
58nonewprivs 59nonewprivs
59noroot 60noroot
60notv 61notv
diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile
index 034c144c7..60ae37930 100644
--- a/etc/profile-m-z/pybitmessage.profile
+++ b/etc/profile-m-z/pybitmessage.profile
@@ -28,6 +28,7 @@ netfilter
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index 9ee426a95..00d7239ae 100644
--- a/etc/profile-m-z/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -22,6 +22,7 @@ caps.drop all
22machine-id 22machine-id
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nosound 26nosound
26notv 27notv
27nou2f 28nou2f
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index 2fb02aefc..506b738cc 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -41,6 +41,7 @@ machine-id
41netfilter 41netfilter
42nodvd 42nodvd
43nogroups 43nogroups
44noinput
44nonewprivs 45nonewprivs
45noroot 46noroot
46nosound 47nosound
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
index eee538383..2e97daea2 100644
--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -37,6 +37,7 @@ netfilter
37machine-id 37machine-id
38nodvd 38nodvd
39nogroups 39nogroups
40noinput
40nonewprivs 41nonewprivs
41noroot 42noroot
42nosound 43nosound
diff --git a/etc/profile-m-z/qlipper.profile b/etc/profile-m-z/qlipper.profile
index fb9dca48f..6e94d5845 100644
--- a/etc/profile-m-z/qlipper.profile
+++ b/etc/profile-m-z/qlipper.profile
@@ -21,6 +21,7 @@ netfilter
21no3d 21no3d
22nodvd 22nodvd
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26nosound 27nosound
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
index e1f679417..c3d982c17 100644
--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -21,6 +21,7 @@ caps.drop all
21netfilter 21netfilter
22# no3d 22# no3d
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26notv 27notv
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
index 0d1f9c3de..ca11df5be 100644
--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -33,6 +33,7 @@ ipc-namespace
33netfilter 33netfilter
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index 80e34334a..be690ffa4 100644
--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -26,6 +26,7 @@ caps.drop all
26machine-id 26machine-id
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index 6480651b2..6cbf8519f 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -31,6 +31,7 @@ net none
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index eb8e3e314..8ffe24d11 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -30,6 +30,7 @@ ipc-namespace
30netfilter 30netfilter
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
index 3041860b3..1d146aa39 100644
--- a/etc/profile-m-z/quaternion.profile
+++ b/etc/profile-m-z/quaternion.profile
@@ -34,6 +34,7 @@ caps.drop all
34netfilter 34netfilter
35nodvd 35nodvd
36nogroups 36nogroups
37noinput
37nonewprivs 38nonewprivs
38noroot 39noroot
39notv 40notv
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
index 366cff4ed..9490089b2 100644
--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -37,6 +37,7 @@ caps.drop all
37netfilter 37netfilter
38nodvd 38nodvd
39nogroups 39nogroups
40noinput
40nonewprivs 41nonewprivs
41noroot 42noroot
42nosound 43nosound
diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile
index e3680dcf1..92b02b2bf 100644
--- a/etc/profile-m-z/quodlibet.profile
+++ b/etc/profile-m-z/quodlibet.profile
@@ -46,6 +46,7 @@ netfilter
46no3d 46no3d
47nodvd 47nodvd
48nogroups 48nogroups
49noinput
49nonewprivs 50nonewprivs
50noroot 51noroot
51notv 52notv
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
index a29205e14..9bc196a16 100644
--- a/etc/profile-m-z/redeclipse.profile
+++ b/etc/profile-m-z/redeclipse.profile
@@ -28,6 +28,7 @@ caps.drop all
28netfilter 28netfilter
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile
index 298ab1902..f87c5f67c 100644
--- a/etc/profile-m-z/redshift.profile
+++ b/etc/profile-m-z/redshift.profile
@@ -31,6 +31,7 @@ netfilter
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 6fb0d4b5f..f5131c5d0 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -16,9 +16,8 @@ include disable-shell.inc
16include disable-xdg.inc 16include disable-xdg.inc
17 17
18whitelist /usr/share/com.github.artemanufrij.regextester 18whitelist /usr/share/com.github.artemanufrij.regextester
19include whitelist-usr-share-common.inc
20
21include whitelist-common.inc 19include whitelist-common.inc
20include whitelist-usr-share-common.inc
22include whitelist-var-common.inc 21include whitelist-var-common.inc
23 22
24apparmor 23apparmor
@@ -29,6 +28,7 @@ net none
29no3d 28no3d
30nodvd 29nodvd
31nogroups 30nogroups
31noinput
32nonewprivs 32nonewprivs
33noroot 33noroot
34nosound 34nosound
@@ -48,11 +48,9 @@ private-etc alternatives,fonts
48private-lib libgranite.so.* 48private-lib libgranite.so.*
49private-tmp 49private-tmp
50 50
51# makes settings immutable 51dbus-user filter
52# dbus-user none 52dbus-user.talk ca.desrt.dconf
53# dbus-system none 53dbus-system none
54
55memory-deny-write-execute
56 54
57# never write anything 55# never write anything
58read-only ${HOME} 56read-only ${HOME}
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index d4c7bdf31..aca22f187 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -27,6 +27,7 @@ include whitelist-var-common.inc
27caps.drop all 27caps.drop all
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index 9fb7dc713..970e8ffba 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -38,6 +38,7 @@ apparmor
38caps.drop all 38caps.drop all
39netfilter 39netfilter
40nogroups 40nogroups
41noinput
41nonewprivs 42nonewprivs
42noroot 43noroot
43notv 44notv
diff --git a/etc/profile-m-z/ricochet.profile b/etc/profile-m-z/ricochet.profile
index 86e3fbfb5..b664a2be3 100644
--- a/etc/profile-m-z/ricochet.profile
+++ b/etc/profile-m-z/ricochet.profile
@@ -26,6 +26,7 @@ netfilter
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile
index cf6daada5..be815e714 100644
--- a/etc/profile-m-z/ripperx.profile
+++ b/etc/profile-m-z/ripperx.profile
@@ -25,6 +25,7 @@ caps.drop all
25netfilter 25netfilter
26no3d 26no3d
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nou2f 31nou2f
diff --git a/etc/profile-m-z/ristretto.profile b/etc/profile-m-z/ristretto.profile
index a1cbdf16c..5572cab5a 100644
--- a/etc/profile-m-z/ristretto.profile
+++ b/etc/profile-m-z/ristretto.profile
@@ -26,6 +26,7 @@ netfilter
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 4bce35d16..690b44bb1 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -34,6 +34,7 @@ netfilter
34no3d 34no3d
35nodvd 35nodvd
36nogroups 36nogroups
37noinput
37nonewprivs 38nonewprivs
38noroot 39noroot
39nosound 40nosound
diff --git a/etc/profile-m-z/rtorrent.profile b/etc/profile-m-z/rtorrent.profile
index 308c1c802..6ef51b7f1 100644
--- a/etc/profile-m-z/rtorrent.profile
+++ b/etc/profile-m-z/rtorrent.profile
@@ -18,6 +18,7 @@ caps.drop all
18machine-id 18machine-id
19netfilter 19netfilter
20nodvd 20nodvd
21noinput
21nonewprivs 22nonewprivs
22noroot 23noroot
23nosound 24nosound
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
index 970545ff6..f0b8d31e9 100644
--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -41,6 +41,7 @@ netfilter
41no3d 41no3d
42nodvd 42nodvd
43nogroups 43nogroups
44noinput
44nonewprivs 45nonewprivs
45noroot 46noroot
46nosound 47nosound
diff --git a/etc/profile-m-z/sayonara.profile b/etc/profile-m-z/sayonara.profile
index 6557c0c42..de79913cc 100644
--- a/etc/profile-m-z/sayonara.profile
+++ b/etc/profile-m-z/sayonara.profile
@@ -20,6 +20,7 @@ caps.drop all
20netfilter 20netfilter
21no3d 21no3d
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25notv 26notv
diff --git a/etc/profile-m-z/scallion.profile b/etc/profile-m-z/scallion.profile
index 0f67d4d09..eb8468c3b 100644
--- a/etc/profile-m-z/scallion.profile
+++ b/etc/profile-m-z/scallion.profile
@@ -25,6 +25,7 @@ ipc-namespace
25net none 25net none
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-m-z/scorched3d-wrapper.profile b/etc/profile-m-z/scorched3d-wrapper.profile
index 507d0827e..e76caec1d 100644
--- a/etc/profile-m-z/scorched3d-wrapper.profile
+++ b/etc/profile-m-z/scorched3d-wrapper.profile
@@ -1,10 +1,11 @@
1# Firejail profile for scorched3d 1# Firejail profile for scorched3d-wrapper
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations 3# Persistent local customizations
4include scorched3d-wrapper.local 4include scorched3d-wrapper.local
5 5
6whitelist /usr/share/opengl-games-utils 6include allow-opengl-game.inc
7private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity 7
8private-bin scorched3d-wrapper
8 9
9# Redirect 10# Redirect
10include scorched3d.profile 11include scorched3d.profile
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index 6a1003c33..aac3e721f 100644
--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -29,6 +29,7 @@ ipc-namespace
29netfilter 29netfilter
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
@@ -40,7 +41,7 @@ shell none
40tracelog 41tracelog
41 42
42disable-mnt 43disable-mnt
43private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds 44private-bin scorched3d,scorched3dc,scorched3ds
44private-cache 45private-cache
45private-dev 46private-dev
46private-tmp 47private-tmp
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
index 484ebc38e..2cb1df6b5 100644
--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -29,6 +29,7 @@ caps.drop all
29net none 29net none
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
index 22cd10737..1fdeaa145 100644
--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -45,6 +45,7 @@ caps.drop all
45net none 45net none
46nodvd 46nodvd
47nogroups 47nogroups
48noinput
48nonewprivs 49nonewprivs
49noroot 50noroot
50nosound 51nosound
diff --git a/etc/profile-m-z/sdat2img.profile b/etc/profile-m-z/sdat2img.profile
index 8d16cd07f..aa2fa9b1b 100644
--- a/etc/profile-m-z/sdat2img.profile
+++ b/etc/profile-m-z/sdat2img.profile
@@ -26,6 +26,7 @@ net none
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index cb2e5ef91..131dcbb68 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -29,6 +29,7 @@ caps.drop all
29net none 29net none
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 2b82e5d06..d3d8e453f 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -46,6 +46,7 @@ netfilter
46no3d 46no3d
47nodvd 47nodvd
48nogroups 48nogroups
49noinput
49nonewprivs 50nonewprivs
50noroot 51noroot
51nosound 52nosound
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index d47f1289a..7d56684db 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -60,6 +60,7 @@ machine-id
60no3d 60no3d
61nodvd 61nodvd
62# nogroups 62# nogroups
63noinput
63# nonewprivs 64# nonewprivs
64# noroot 65# noroot
65nosound 66nosound
diff --git a/etc/profile-m-z/servo.profile b/etc/profile-m-z/servo.profile
index dc3fdaf34..df8fbc3e3 100644
--- a/etc/profile-m-z/servo.profile
+++ b/etc/profile-m-z/servo.profile
@@ -29,6 +29,7 @@ caps.drop all
29netfilter 29netfilter
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index 2ae298142..b7f398f45 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -31,6 +31,7 @@ net none
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile
index ee2314833..d629240ec 100644
--- a/etc/profile-m-z/shortwave.profile
+++ b/etc/profile-m-z/shortwave.profile
@@ -32,6 +32,7 @@ caps.drop all
32netfilter 32netfilter
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37notv 38notv
diff --git a/etc/profile-m-z/shotcut.profile b/etc/profile-m-z/shotcut.profile
index bec0bfbb0..63af4d367 100644
--- a/etc/profile-m-z/shotcut.profile
+++ b/etc/profile-m-z/shotcut.profile
@@ -21,6 +21,7 @@ caps.drop all
21net none 21net none
22nodvd 22nodvd
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26notv 27notv
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
index 749029530..ddc8a7743 100644
--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -35,6 +35,7 @@ machine-id
35netfilter 35netfilter
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40nosound 41nosound
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
index 6a2f5c434..478377344 100644
--- a/etc/profile-m-z/signal-cli.profile
+++ b/etc/profile-m-z/signal-cli.profile
@@ -31,6 +31,7 @@ netfilter
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
index 220035ee7..3f3e2a75d 100644
--- a/etc/profile-m-z/silentarmy.profile
+++ b/etc/profile-m-z/silentarmy.profile
@@ -21,6 +21,7 @@ caps.drop all
21netfilter 21netfilter
22nodvd 22nodvd
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26nosound 27nosound
diff --git a/etc/profile-m-z/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile
index edcc2a0f4..d664f8bf5 100644
--- a/etc/profile-m-z/simplescreenrecorder.profile
+++ b/etc/profile-m-z/simplescreenrecorder.profile
@@ -25,6 +25,7 @@ apparmor
25caps.drop all 25caps.drop all
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index 1b81f2ea1..afaa0f6d8 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -25,6 +25,7 @@ caps.drop all
25net none 25net none
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile
index ca0516e65..c5a31c237 100644
--- a/etc/profile-m-z/slashem.profile
+++ b/etc/profile-m-z/slashem.profile
@@ -25,6 +25,7 @@ net none
25no3d 25no3d
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28#nonewprivs 29#nonewprivs
29#noroot 30#noroot
30nosound 31nosound
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 9d6db4cdb..01547e5c1 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -39,6 +39,7 @@ apparmor
39caps.drop all 39caps.drop all
40netfilter 40netfilter
41# nogroups 41# nogroups
42noinput
42nonewprivs 43nonewprivs
43noroot 44noroot
44nou2f 45nou2f
diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile
index 79bc02979..196950eaf 100644
--- a/etc/profile-m-z/smtube.profile
+++ b/etc/profile-m-z/smtube.profile
@@ -36,6 +36,7 @@ notv
36nou2f 36nou2f
37novideo 37novideo
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41protocol unix,inet,inet6,netlink 42protocol unix,inet,inet6,netlink
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
index 541e5a1c4..c3a9bb858 100644
--- a/etc/profile-m-z/smuxi-frontend-gnome.profile
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -35,6 +35,7 @@ caps.drop all
35netfilter 35netfilter
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40notv 41notv
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index a8ec5848c..83315231f 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -30,6 +30,7 @@ ipc-namespace
30netfilter 30netfilter
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile
index 44fb8cfe2..6b8a17813 100644
--- a/etc/profile-m-z/sol.profile
+++ b/etc/profile-m-z/sol.profile
@@ -25,6 +25,7 @@ net none
25# no3d 25# no3d
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30# nosound 31# nosound
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
index b9f3768be..ef00fdfff 100644
--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -24,6 +24,7 @@ caps.drop all
24netfilter 24netfilter
25no3d 25no3d
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-m-z/soundconverter.profile b/etc/profile-m-z/soundconverter.profile
index bdd6eb7f5..4dbf34100 100644
--- a/etc/profile-m-z/soundconverter.profile
+++ b/etc/profile-m-z/soundconverter.profile
@@ -34,6 +34,7 @@ machine-id
34no3d 34no3d
35nodvd 35nodvd
36nogroups 36nogroups
37noinput
37nonewprivs 38nonewprivs
38noroot 39noroot
39nosound 40nosound
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index cedff0b83..4468f21e7 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -26,6 +26,8 @@ include disable-xdg.inc
26mkfile ${HOME}/.config/spectaclerc 26mkfile ${HOME}/.config/spectaclerc
27whitelist ${HOME}/.config/spectaclerc 27whitelist ${HOME}/.config/spectaclerc
28whitelist ${PICTURES} 28whitelist ${PICTURES}
29whitelist /usr/share/kconf_update/spectacle_newConfig.upd
30whitelist /usr/share/kconf_update/spectacle_shortcuts.upd
29include whitelist-common.inc 31include whitelist-common.inc
30include whitelist-runuser-common.inc 32include whitelist-runuser-common.inc
31include whitelist-usr-share-common.inc 33include whitelist-usr-share-common.inc
@@ -38,6 +40,7 @@ net none
38no3d 40no3d
39nodvd 41nodvd
40nogroups 42nogroups
43noinput
41nonewprivs 44nonewprivs
42noroot 45noroot
43nosound 46nosound
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index bf0f9f3a1..283674517 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -33,6 +33,7 @@ caps.drop all
33netfilter 33netfilter
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38notv 39notv
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index 1a34cb86d..01bc2bc05 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -31,6 +31,7 @@ caps.drop all
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
@@ -43,7 +44,7 @@ tracelog
43disable-mnt 44disable-mnt
44private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity 45private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
45private-dev 46private-dev
46# Comment the next line or put 'ignore private-etc' in your spotify.local if want to see the albums covers or if you want to use the radio 47# If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
47private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl 48private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
48private-opt spotify 49private-opt spotify
49private-srv none 50private-srv none
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index 110434736..4dd2c7262 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -28,6 +28,7 @@ ipc-namespace
28netfilter 28netfilter
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 7bc731333..a58642192 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -31,6 +31,7 @@ netfilter
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35# noroot - see issue #1543 36# noroot - see issue #1543
36nosound 37nosound
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 1292b806b..48a532876 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -27,6 +27,7 @@ machine-id
27netfilter 27netfilter
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32nosound 33nosound
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 0bcbe6da2..06d08f3a2 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Epic
10noblacklist ${HOME}/.config/Loop_Hero 10noblacklist ${HOME}/.config/Loop_Hero
11noblacklist ${HOME}/.config/ModTheSpire 11noblacklist ${HOME}/.config/ModTheSpire
12noblacklist ${HOME}/.config/RogueLegacy 12noblacklist ${HOME}/.config/RogueLegacy
13noblacklist ${HOME}/.config/RogueLegacyStorageContainer
13noblacklist ${HOME}/.killingfloor 14noblacklist ${HOME}/.killingfloor
14noblacklist ${HOME}/.klei 15noblacklist ${HOME}/.klei
15noblacklist ${HOME}/.local/share/3909/PapersPlease 16noblacklist ${HOME}/.local/share/3909/PapersPlease
@@ -22,7 +23,8 @@ noblacklist ${HOME}/.local/share/feral-interactive
22noblacklist ${HOME}/.local/share/IntoTheBreach 23noblacklist ${HOME}/.local/share/IntoTheBreach
23noblacklist ${HOME}/.local/share/Paradox Interactive 24noblacklist ${HOME}/.local/share/Paradox Interactive
24noblacklist ${HOME}/.local/share/PillarsOfEternity 25noblacklist ${HOME}/.local/share/PillarsOfEternity
25noblacklist ${HOME}/.local/share/RogueLegacy* 26noblacklist ${HOME}/.local/share/RogueLegacy
27noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer
26noblacklist ${HOME}/.local/share/Steam 28noblacklist ${HOME}/.local/share/Steam
27noblacklist ${HOME}/.local/share/SteamWorldDig 29noblacklist ${HOME}/.local/share/SteamWorldDig
28noblacklist ${HOME}/.local/share/SteamWorld Dig 2 30noblacklist ${HOME}/.local/share/SteamWorld Dig 2
@@ -69,7 +71,7 @@ mkdir ${HOME}/.local/share/feral-interactive
69mkdir ${HOME}/.local/share/IntoTheBreach 71mkdir ${HOME}/.local/share/IntoTheBreach
70mkdir ${HOME}/.local/share/Paradox Interactive 72mkdir ${HOME}/.local/share/Paradox Interactive
71mkdir ${HOME}/.local/share/PillarsOfEternity 73mkdir ${HOME}/.local/share/PillarsOfEternity
72mkdir ${HOME}/.local/share/RogueLegacy* 74mkdir ${HOME}/.local/share/RogueLegacy
73mkdir ${HOME}/.local/share/Steam 75mkdir ${HOME}/.local/share/Steam
74mkdir ${HOME}/.local/share/SteamWorldDig 76mkdir ${HOME}/.local/share/SteamWorldDig
75mkdir ${HOME}/.local/share/SteamWorld Dig 2 77mkdir ${HOME}/.local/share/SteamWorld Dig 2
@@ -86,6 +88,7 @@ whitelist ${HOME}/.config/Epic
86whitelist ${HOME}/.config/Loop_Hero 88whitelist ${HOME}/.config/Loop_Hero
87whitelist ${HOME}/.config/ModTheSpire 89whitelist ${HOME}/.config/ModTheSpire
88whitelist ${HOME}/.config/RogueLegacy 90whitelist ${HOME}/.config/RogueLegacy
91whitelist ${HOME}/.config/RogueLegacyStorageContainer
89whitelist ${HOME}/.config/unity3d 92whitelist ${HOME}/.config/unity3d
90whitelist ${HOME}/.killingfloor 93whitelist ${HOME}/.killingfloor
91whitelist ${HOME}/.klei 94whitelist ${HOME}/.klei
@@ -99,7 +102,8 @@ whitelist ${HOME}/.local/share/feral-interactive
99whitelist ${HOME}/.local/share/IntoTheBreach 102whitelist ${HOME}/.local/share/IntoTheBreach
100whitelist ${HOME}/.local/share/Paradox Interactive 103whitelist ${HOME}/.local/share/Paradox Interactive
101whitelist ${HOME}/.local/share/PillarsOfEternity 104whitelist ${HOME}/.local/share/PillarsOfEternity
102whitelist ${HOME}/.local/share/RogueLegacy* 105whitelist ${HOME}/.local/share/RogueLegacy
106whitelist ${HOME}/.local/share/RogueLegacyStorageContainer
103whitelist ${HOME}/.local/share/Steam 107whitelist ${HOME}/.local/share/Steam
104whitelist ${HOME}/.local/share/SteamWorldDig 108whitelist ${HOME}/.local/share/SteamWorldDig
105whitelist ${HOME}/.local/share/SteamWorld Dig 2 109whitelist ${HOME}/.local/share/SteamWorld Dig 2
@@ -115,39 +119,48 @@ whitelist ${HOME}/.steampid
115include whitelist-common.inc 119include whitelist-common.inc
116include whitelist-var-common.inc 120include whitelist-var-common.inc
117 121
122# NOTE: The following were intentionally left out as they are alternative
123# (i.e.: unnecessary and/or legacy) paths whose existence may potentially
124# clobber other paths (see #4225). If you use any, either add the entry to
125# steam.local or move the contents to a path listed above (or open an issue if
126# it's missing above).
127#mkdir ${HOME}/.config/RogueLegacyStorageContainer
128#mkdir ${HOME}/.local/share/RogueLegacyStorageContainer
129
118caps.drop all 130caps.drop all
119#ipc-namespace 131#ipc-namespace
120netfilter 132netfilter
121nodvd 133nodvd
122# nVidia users may need to comment / ignore nogroups and noroot
123nogroups 134nogroups
124nonewprivs 135nonewprivs
136# If you use nVidia you might need to add 'ignore noroot' to your steam.local.
125noroot 137noroot
126notv 138notv
127nou2f 139nou2f
128# novideo should be commented for VR 140# For VR support add 'ignore novideo' to your steam.local.
129novideo 141novideo
130protocol unix,inet,inet6,netlink 142protocol unix,inet,inet6,netlink
131# seccomp sometimes causes issues (see #2951, #3267), 143# seccomp sometimes causes issues (see #2951, #3267).
132# comment it or add 'ignore seccomp' to steam.local if so. 144# Add 'ignore seccomp' to your steam.local if you experience this.
133seccomp !ptrace 145seccomp !ptrace
134shell none 146shell none
135# tracelog breaks integrated browser 147# tracelog breaks integrated browser
136#tracelog 148#tracelog
137 149
138# private-bin is disabled while in testing, but has been tested working with multiple games 150# private-bin is disabled while in testing, but is known to work with multiple games.
151# Add the next line to your steam.local to enable private-bin.
139#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity 152#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
140# extra programs are available which might be needed for select games 153# Extra programs are available which might be needed for select games.
154# Add the next line to your steam.local to enable support for these programs.
141#private-bin java,java-config,mono 155#private-bin java,java-config,mono
142# picture viewers are needed for viewing screenshots 156# To view screenshots add the next line to your steam.local.
143#private-bin eog,eom,gthumb,pix,viewnior,xviewer 157#private-bin eog,eom,gthumb,pix,viewnior,xviewer
144 158
145# comment the following line if you need controller support
146private-dev 159private-dev
147# private-etc breaks a small selection of games on some systems, comment to support those 160# private-etc breaks a small selection of games on some systems. Add 'ignore private-etc'
161# to your steam.local to support those.
148private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl 162private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
149private-tmp 163private-tmp
150 164
151# breaks appindicator support
152# dbus-user none 165# dbus-user none
153# dbus-system none 166# dbus-system none
diff --git a/etc/profile-m-z/stellarium.profile b/etc/profile-m-z/stellarium.profile
index 3f93fe591..a752ab53c 100644
--- a/etc/profile-m-z/stellarium.profile
+++ b/etc/profile-m-z/stellarium.profile
@@ -29,6 +29,7 @@ machine-id
29netfilter 29netfilter
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index 2ae35d211..f8108c9d6 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -42,6 +42,7 @@ caps.drop all
42netfilter 42netfilter
43nodvd 43nodvd
44nogroups 44nogroups
45noinput
45nonewprivs 46nonewprivs
46noroot 47noroot
47notv 48notv
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index 0801add28..b87906f55 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -28,6 +28,7 @@ caps.drop all
28netfilter 28netfilter
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 6a582532d..1ebcded7f 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -29,6 +29,7 @@ net none
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33#noroot 34#noroot
34nosound 35nosound
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 428af3737..bbe92fd38 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -32,6 +32,7 @@ netfilter
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 9cc023765..dd456f085 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
14include disable-interpreters.inc 14include disable-interpreters.inc
15include disable-passwdmgr.inc 15include disable-passwdmgr.inc
16include disable-programs.inc 16include disable-programs.inc
17include disable-shell.inc
17include disable-xdg.inc 18include disable-xdg.inc
18 19
19mkdir ${HOME}/.local/share/supertux2 20mkdir ${HOME}/.local/share/supertux2
@@ -29,6 +30,7 @@ caps.drop all
29net none 30net none
30nodvd 31nodvd
31nogroups 32nogroups
33noinput
32nonewprivs 34nonewprivs
33noroot 35noroot
34notv 36notv
@@ -42,6 +44,8 @@ tracelog
42 44
43disable-mnt 45disable-mnt
44# private-bin supertux2 46# private-bin supertux2
47private-cache
48private-etc machine-id
45private-dev 49private-dev
46private-tmp 50private-tmp
47 51
diff --git a/etc/profile-m-z/supertuxkart-wrapper.profile b/etc/profile-m-z/supertuxkart-wrapper.profile
new file mode 100644
index 000000000..af8d73deb
--- /dev/null
+++ b/etc/profile-m-z/supertuxkart-wrapper.profile
@@ -0,0 +1,14 @@
1# Firejail profile for supertuxkart-wrapper
2# This file is overwritten after every install/update
3# Persistent local customizations
4include supertuxkart-wrapper.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
8
9include allow-opengl-game.inc
10
11private-bin supertuxkart-wrapper
12
13# Redirect
14include supertuxkart.profile
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
index 5ad82601d..8db7d2433 100644
--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -22,6 +22,7 @@ include whitelist-common.inc
22caps.drop all 22caps.drop all
23netfilter 23netfilter
24nodvd 24nodvd
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27notv 28notv
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile
index 68abd8c94..2a15a5d09 100644
--- a/etc/profile-m-z/sushi.profile
+++ b/etc/profile-m-z/sushi.profile
@@ -24,6 +24,7 @@ caps.drop all
24net none 24net none
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29notv 30notv
diff --git a/etc/profile-m-z/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile
index a83080cc3..c60186c42 100644
--- a/etc/profile-m-z/synfigstudio.profile
+++ b/etc/profile-m-z/synfigstudio.profile
@@ -20,6 +20,7 @@ caps.drop all
20net none 20net none
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index 9e9d2a448..b52b25b96 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -15,8 +15,15 @@ include disable-passwdmgr.inc
15include disable-programs.inc 15include disable-programs.inc
16include disable-xdg.inc 16include disable-xdg.inc
17 17
18# help menu functionality (yelp) - comment or add this block prepended with 'ignore' 18# Add the next lines to your sysprof.local if you don't need (yelp) help menu functionality.
19# to your sysprof.local if you don't need the help functionality 19#ignore noblacklist ${HOME}/.config/yelp
20#ignore mkdir ${HOME}/.config/yelp
21#nowhitelist ${HOME}/.config/yelp
22#nowhitelist /usr/share/help/C/sysprof
23#nowhitelist /usr/share/yelp
24#nowhitelist /usr/share/yelp-tools
25#nowhitelist /usr/share/yelp-xsl
26
20noblacklist ${HOME}/.config/yelp 27noblacklist ${HOME}/.config/yelp
21mkdir ${HOME}/.config/yelp 28mkdir ${HOME}/.config/yelp
22whitelist ${HOME}/.config/yelp 29whitelist ${HOME}/.config/yelp
@@ -39,8 +46,10 @@ net none
39no3d 46no3d
40nodvd 47nodvd
41nogroups 48nogroups
49noinput
42nonewprivs 50nonewprivs
43# Ubuntu 16.04 version needs root privileges - comment or put 'ignore noroot' in sysprof.local if you run Xenial 51# Some older Debian/Ubuntu sysprof versions need root privileges.
52# Add 'ignore noroot' to your sysprof.local if you run one of these.
44noroot 53noroot
45nosound 54nosound
46notv 55notv
@@ -56,7 +65,7 @@ disable-mnt
56private-cache 65private-cache
57private-dev 66private-dev
58private-etc alternatives,fonts,ld.so.cache,machine-id,ssl 67private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
59# private-lib breaks help menu 68# private-lib - breaks help menu
60#private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so 69#private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
61private-tmp 70private-tmp
62 71
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index 6f863d7a1..e2ba5893c 100644
--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -28,6 +28,7 @@ netfilter
28no3d 28no3d
29nodvd 29nodvd
30#nogroups 30#nogroups
31noinput
31nonewprivs 32nonewprivs
32#noroot 33#noroot
33nosound 34nosound
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index c1c666f58..02a2c8ae4 100644
--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -27,6 +27,7 @@ netfilter
27no3d 27no3d
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index c0d62bec2..be01aee12 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -27,6 +27,7 @@ ipc-namespace
27netfilter 27netfilter
28nodvd 28nodvd
29nogroups 29nogroups
30noinput
30nonewprivs 31nonewprivs
31noroot 32noroot
32notv 33notv
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 38d291324..05c621fb2 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -31,6 +31,7 @@ apparmor
31caps.drop all 31caps.drop all
32netfilter 32netfilter
33nodvd 33nodvd
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile
index 36ce6d469..ce2ca1d17 100644
--- a/etc/profile-m-z/terasology.profile
+++ b/etc/profile-m-z/terasology.profile
@@ -30,6 +30,7 @@ ipc-namespace
30net none 30net none
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index 706f39f24..0139d7515 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -25,6 +25,7 @@ netfilter
25no3d 25no3d
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile
index 13d071635..73ef290f4 100644
--- a/etc/profile-m-z/tor.profile
+++ b/etc/profile-m-z/tor.profile
@@ -32,6 +32,7 @@ netfilter
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36nosound 37nosound
37notv 38notv
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 3cbfe8d8b..7659ed1e9 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -45,6 +45,7 @@ caps.drop all
45netfilter 45netfilter
46nodvd 46nodvd
47nogroups 47nogroups
48noinput
48nonewprivs 49nonewprivs
49noroot 50noroot
50notv 51notv
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index 1ed78934e..0f98a8f64 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -29,6 +29,7 @@ ipc-namespace
29net none 29net none
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index 90c45c7d0..70d9e0aee 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -40,6 +40,7 @@ include whitelist-var-common.inc
40caps.drop all 40caps.drop all
41netfilter 41netfilter
42nogroups 42nogroups
43noinput
43nonewprivs 44nonewprivs
44noroot 45noroot
45nou2f 46nou2f
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index c31055cdc..ea118a9f0 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -31,6 +31,7 @@ machine-id
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index d601f0f15..82671b709 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -31,6 +31,7 @@ caps.drop all
31machine-id 31machine-id
32netfilter 32netfilter
33nodvd 33nodvd
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index 67463a999..aba563fac 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -30,6 +30,7 @@ ipc-namespace
30netfilter 30netfilter
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index b82aadd13..2d95081f6 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -38,6 +38,7 @@ netfilter
38no3d 38no3d
39nodvd 39nodvd
40nogroups 40nogroups
41noinput
41nonewprivs 42nonewprivs
42noroot 43noroot
43nosound 44nosound
diff --git a/etc/profile-m-z/truecraft.profile b/etc/profile-m-z/truecraft.profile
index e76d52219..749626475 100644
--- a/etc/profile-m-z/truecraft.profile
+++ b/etc/profile-m-z/truecraft.profile
@@ -24,6 +24,7 @@ include whitelist-common.inc
24caps.drop all 24caps.drop all
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29notv 30notv
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
index d2b13d9ee..d0bcbe79f 100644
--- a/etc/profile-m-z/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index d3dcbfe53..dae7d86da 100644
--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -34,6 +34,7 @@ netfilter
34no3d 34no3d
35nodvd 35nodvd
36nogroups 36nogroups
37noinput
37nonewprivs 38nonewprivs
38noroot 39noroot
39notv 40notv
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile
index 265f6429d..601b818c2 100644
--- a/etc/profile-m-z/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
@@ -24,6 +24,7 @@ machine-id
24net none 24net none
25no3d 25no3d
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-m-z/uefitool.profile b/etc/profile-m-z/uefitool.profile
index 8807b0b2c..3e4fdbb03 100644
--- a/etc/profile-m-z/uefitool.profile
+++ b/etc/profile-m-z/uefitool.profile
@@ -21,6 +21,7 @@ net none
21no3d 21no3d
22nodvd 22nodvd
23nogroups 23nogroups
24noinput
24nonewprivs 25nonewprivs
25noroot 26noroot
26nosound 27nosound
diff --git a/etc/profile-m-z/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile
index c8f28444f..4420099ff 100644
--- a/etc/profile-m-z/uget-gtk.profile
+++ b/etc/profile-m-z/uget-gtk.profile
@@ -23,6 +23,7 @@ include whitelist-var-common.inc
23caps.drop all 23caps.drop all
24netfilter 24netfilter
25nodvd 25nodvd
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28nosound 29nosound
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
index 714a3f2f4..0c077babf 100644
--- a/etc/profile-m-z/unbound.profile
+++ b/etc/profile-m-z/unbound.profile
@@ -31,6 +31,7 @@ machine-id
31netfilter 31netfilter
32no3d 32no3d
33nodvd 33nodvd
34noinput
34nonewprivs 35nonewprivs
35nosound 36nosound
36notv 37notv
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index bcd256ba3..6db7ba362 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -32,6 +32,7 @@ net none
32no3d 32no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 7dc13e284..956492f52 100644
--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -25,6 +25,7 @@ apparmor
25caps.drop all 25caps.drop all
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30notv 31notv
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
index cd4374004..dd881f091 100644
--- a/etc/profile-m-z/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -30,6 +30,7 @@ ipc-namespace
30netfilter 30netfilter
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index f60c134e0..2adc044e5 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -26,6 +26,7 @@ machine-id
26net none 26net none
27nodvd 27nodvd
28#nogroups 28#nogroups
29noinput
29nonewprivs 30nonewprivs
30#noroot 31#noroot
31nosound 32nosound
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index 83727d42b..a9ba344dd 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -29,6 +29,7 @@ net none
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-m-z/viking.profile b/etc/profile-m-z/viking.profile
index 5b6228a94..8f8ef5939 100644
--- a/etc/profile-m-z/viking.profile
+++ b/etc/profile-m-z/viking.profile
@@ -23,6 +23,7 @@ netfilter
23no3d 23no3d
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28nosound 29nosound
diff --git a/etc/profile-m-z/vim.profile b/etc/profile-m-z/vim.profile
index e9a474239..c3cfe5980 100644
--- a/etc/profile-m-z/vim.profile
+++ b/etc/profile-m-z/vim.profile
@@ -23,6 +23,7 @@ caps.drop all
23netfilter 23netfilter
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28notv 29notv
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 64d787bfb..c22fb0ff9 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -44,7 +44,7 @@ shell none
44tracelog 44tracelog
45 45
46#disable-mnt 46#disable-mnt
47#private-bin basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami 47#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
48private-cache 48private-cache
49private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl 49private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
50private-tmp 50private-tmp
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index 9a12686cd..cd7dccd8a 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -34,6 +34,7 @@ include whitelist-var-common.inc
34caps.drop all 34caps.drop all
35netfilter 35netfilter
36nogroups 36nogroups
37noinput
37nonewprivs 38nonewprivs
38noroot 39noroot
39nou2f 40nou2f
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
index 0cb6d34d2..f07c31b68 100644
--- a/etc/profile-m-z/vmware-view.profile
+++ b/etc/profile-m-z/vmware-view.profile
@@ -33,6 +33,7 @@ caps.drop all
33netfilter 33netfilter
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38notv 39notv
diff --git a/etc/profile-m-z/vym.profile b/etc/profile-m-z/vym.profile
index fbb53943c..5421c4e4b 100644
--- a/etc/profile-m-z/vym.profile
+++ b/etc/profile-m-z/vym.profile
@@ -20,6 +20,7 @@ netfilter
20no3d 20no3d
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index a43835944..131213ed2 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -33,6 +33,7 @@ netfilter
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index aaef652fd..1227a202c 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -35,6 +35,7 @@ caps.drop all
35netfilter 35netfilter
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40notv 41notv
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index 178e0c7b1..e0cd3daad 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -35,6 +35,7 @@ ipc-namespace
35netfilter 35netfilter
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40notv 41notv
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 06a7c3412..420e8927e 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -31,6 +31,7 @@ caps.drop all
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index e9053f598..69e96d0cd 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -31,6 +31,7 @@ caps.drop all
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index 8928f8116..d5a998f35 100644
--- a/etc/profile-m-z/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -20,6 +20,7 @@ caps.drop all
20netfilter 20netfilter
21nodvd 21nodvd
22nogroups 22nogroups
23noinput
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
index 934edfce9..199b3c6f0 100644
--- a/etc/profile-m-z/wesnoth.profile
+++ b/etc/profile-m-z/wesnoth.profile
@@ -26,6 +26,7 @@ include whitelist-common.inc
26 26
27caps.drop all 27caps.drop all
28nodvd 28nodvd
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 8a7042f59..53c4711bd 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -35,6 +35,7 @@ netfilter
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
38noinput
38nonewprivs 39nonewprivs
39noroot 40noroot
40nosound 41nosound
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index fa7a16093..93871a5a4 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -30,6 +30,7 @@ netfilter
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35nosound 36nosound
diff --git a/etc/profile-m-z/widelands.profile b/etc/profile-m-z/widelands.profile
index f18878554..0dc26b11d 100644
--- a/etc/profile-m-z/widelands.profile
+++ b/etc/profile-m-z/widelands.profile
@@ -28,6 +28,7 @@ ipc-namespace
28netfilter 28netfilter
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33notv 34notv
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 67427209f..0ea24aafd 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -31,6 +31,7 @@ caps.drop all
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36# nosound 37# nosound
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index 6a84246e1..1824026a8 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -31,6 +31,7 @@ caps.keep dac_override,net_admin,net_raw
31netfilter 31netfilter
32no3d 32no3d
33# nogroups - breaks network traffic capture for unprivileged users 33# nogroups - breaks network traffic capture for unprivileged users
34noinput
34# nonewprivs - breaks network traffic capture for unprivileged users 35# nonewprivs - breaks network traffic capture for unprivileged users
35# noroot 36# noroot
36nodvd 37nodvd
@@ -39,11 +40,15 @@ notv
39nou2f 40nou2f
40novideo 41novideo
41# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols 42# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
42seccomp 43#seccomp
43shell none 44shell none
44tracelog 45tracelog
45 46
46# private-bin wireshark 47# private-bin wireshark
48private-cache
47private-dev 49private-dev
48# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl 50# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
49private-tmp 51private-tmp
52
53dbus-user none
54dbus-system none
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index da1210bb8..9c724a5d2 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -30,6 +30,7 @@ net none
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput
33nonewprivs 34nonewprivs
34noroot 35noroot
35notv 36notv
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile
index 2b97d5b0a..a44b6490e 100644
--- a/etc/profile-m-z/wps.profile
+++ b/etc/profile-m-z/wps.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34nosound 35nosound
diff --git a/etc/profile-m-z/x-terminal-emulator.profile b/etc/profile-m-z/x-terminal-emulator.profile
index fe0781336..141d167a8 100644
--- a/etc/profile-m-z/x-terminal-emulator.profile
+++ b/etc/profile-m-z/x-terminal-emulator.profile
@@ -9,6 +9,7 @@ caps.drop all
9ipc-namespace 9ipc-namespace
10net none 10net none
11nogroups 11nogroups
12noinput
12noroot 13noroot
13nou2f 14nou2f
14protocol unix 15protocol unix
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
index 6146016b2..557f07cd9 100644
--- a/etc/profile-m-z/x2goclient.profile
+++ b/etc/profile-m-z/x2goclient.profile
@@ -26,6 +26,7 @@ netfilter
26#no3d 26#no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31notv 32notv
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index cdfebfb29..384f76acc 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -28,6 +28,7 @@ net none
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-m-z/xcalc.profile b/etc/profile-m-z/xcalc.profile
index 56ce01498..7fb483289 100644
--- a/etc/profile-m-z/xcalc.profile
+++ b/etc/profile-m-z/xcalc.profile
@@ -22,6 +22,7 @@ net none
22no3d 22no3d
23nodvd 23nodvd
24nogroups 24nogroups
25noinput
25nonewprivs 26nonewprivs
26noroot 27noroot
27nosound 28nosound
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
index b114f9ab5..4a3022e83 100644
--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -31,6 +31,7 @@ machine-id
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile
index a3e0c4633..ecd321c7e 100644
--- a/etc/profile-m-z/xfce4-dict.profile
+++ b/etc/profile-m-z/xfce4-dict.profile
@@ -23,6 +23,7 @@ netfilter
23no3d 23no3d
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28nosound 29nosound
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 78cb2862c..bb38dbebd 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -19,7 +19,7 @@ include disable-xdg.inc
19 19
20mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml 20mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
21whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml 21whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
22whitelist /usr/share/gstreamer 22whitelist /usr/share/gstreamer-*
23whitelist /usr/share/xfce4 23whitelist /usr/share/xfce4
24whitelist /usr/share/xfce4-mixer 24whitelist /usr/share/xfce4-mixer
25include whitelist-common.inc 25include whitelist-common.inc
@@ -33,6 +33,7 @@ netfilter
33no3d 33no3d
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38notv 39notv
diff --git a/etc/profile-m-z/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile
index c3d0930ff..ebfb4333c 100644
--- a/etc/profile-m-z/xfce4-notes.profile
+++ b/etc/profile-m-z/xfce4-notes.profile
@@ -25,6 +25,7 @@ netfilter
25no3d 25no3d
26nodvd 26nodvd
27nogroups 27nogroups
28noinput
28nonewprivs 29nonewprivs
29noroot 30noroot
30nosound 31nosound
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index c9200304c..b1e5bafbf 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -29,6 +29,7 @@ netfilter
29no3d 29no3d
30nodvd 30nodvd
31nogroups 31nogroups
32noinput
32nonewprivs 33nonewprivs
33noroot 34noroot
34notv 35notv
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 188589df3..81d98db7a 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -32,6 +32,7 @@ machine-id
32netfilter 32netfilter
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-m-z/xmms.profile b/etc/profile-m-z/xmms.profile
index 9391f68de..25261d925 100644
--- a/etc/profile-m-z/xmms.profile
+++ b/etc/profile-m-z/xmms.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
19caps.drop all 19caps.drop all
20netfilter 20netfilter
21no3d 21no3d
22noinput
22nonewprivs 23nonewprivs
23noroot 24noroot
24notv 25notv
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index 3278e295d..e7020f36b 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -24,6 +24,7 @@ ipc-namespace
24netfilter 24netfilter
25nodvd 25nodvd
26nogroups 26nogroups
27noinput
27nonewprivs 28nonewprivs
28noroot 29noroot
29nosound 30nosound
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index aa8cc7d0e..53c9a0a08 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -8,12 +8,16 @@ include globals.local
8 8
9noblacklist ${HOME}/.xonotic 9noblacklist ${HOME}/.xonotic
10 10
11include allow-bin-sh.inc
12include allow-opengl-game.inc
13
11include disable-common.inc 14include disable-common.inc
12include disable-devel.inc 15include disable-devel.inc
13include disable-exec.inc 16include disable-exec.inc
14include disable-interpreters.inc 17include disable-interpreters.inc
15include disable-passwdmgr.inc 18include disable-passwdmgr.inc
16include disable-programs.inc 19include disable-programs.inc
20include disable-shell.inc
17include disable-xdg.inc 21include disable-xdg.inc
18 22
19mkdir ${HOME}/.xonotic 23mkdir ${HOME}/.xonotic
@@ -29,6 +33,7 @@ caps.drop all
29netfilter 33netfilter
30nodvd 34nodvd
31nogroups 35nogroups
36noinput
32nonewprivs 37nonewprivs
33noroot 38noroot
34notv 39notv
@@ -41,7 +46,7 @@ tracelog
41 46
42disable-mnt 47disable-mnt
43private-cache 48private-cache
44private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity 49private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic*
45private-dev 50private-dev
46private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl 51private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
47private-tmp 52private-tmp
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index 0c6969e09..c4f092d50 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -28,6 +28,7 @@ net none
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
31noinput
31nonewprivs 32nonewprivs
32noroot 33noroot
33nosound 34nosound
diff --git a/etc/profile-m-z/xpdf.profile b/etc/profile-m-z/xpdf.profile
index cdffe4eb7..1447ec9a7 100644
--- a/etc/profile-m-z/xpdf.profile
+++ b/etc/profile-m-z/xpdf.profile
@@ -26,6 +26,7 @@ net none
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index f0290f461..c3bb3292c 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -32,6 +32,7 @@ include whitelist-var-common.inc
32caps.drop all 32caps.drop all
33netfilter 33netfilter
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nou2f 38nou2f
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
index 1033a7471..6e409e1aa 100644
--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -33,6 +33,7 @@ caps.drop all
33# xpra needs to be allowed access to the abstract Unix socket namespace. 33# xpra needs to be allowed access to the abstract Unix socket namespace.
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. 38# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
38#noroot 39#noroot
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index 643c5a317..3ab35edfc 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -26,6 +26,7 @@ caps.drop all
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
index 0ac0f665e..4d454f81c 100644
--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -26,6 +26,7 @@ caps.drop all
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
29noinput
29nonewprivs 30nonewprivs
30noroot 31noroot
31nosound 32nosound
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
index 360bd8442..05b55d071 100644
--- a/etc/profile-m-z/yarn.profile
+++ b/etc/profile-m-z/yarn.profile
@@ -6,25 +6,5 @@ include yarn.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9ignore read-only ${HOME}/.yarnrc
10
11noblacklist ${HOME}/.yarn
12noblacklist ${HOME}/.yarn-config
13noblacklist ${HOME}/.yarncache
14noblacklist ${HOME}/.yarnrc
15
16# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and
17# add the next lines to you yarn.local.
18#mkdir ${HOME}/.yarn
19#mkdir ${HOME}/.yarn-config
20#mkdir ${HOME}/.yarncache
21#mkfile ${HOME}/.yarnrc
22#whitelist ${HOME}/.yarn
23#whitelist ${HOME}/.yarn-config
24#whitelist ${HOME}/.yarncache
25#whitelist ${HOME}/.yarnrc
26#whitelist ${HOME}/Projects
27#include whitelist-common.inc
28
29# Redirect 9# Redirect
30include nodejs-common.profile 10include nodejs-common.profile
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index a08a30b52..93054bfed 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -38,6 +38,7 @@ caps.drop all
38net none 38net none
39nodvd 39nodvd
40nogroups 40nogroups
41noinput
41nonewprivs 42nonewprivs
42noroot 43noroot
43# nosound - add the next line to your yelp.local if you don't need sound support. 44# nosound - add the next line to your yelp.local if you don't need sound support.
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
index c072d6267..b52271a2c 100644
--- a/etc/profile-m-z/youtube-dl-gui.profile
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -33,6 +33,7 @@ machine-id
33netfilter 33netfilter
34nodvd 34nodvd
35nogroups 35nogroups
36noinput
36nonewprivs 37nonewprivs
37noroot 38noroot
38nosound 39nosound
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 6ce632682..24c4d6db3 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -43,6 +43,7 @@ netfilter
43no3d 43no3d
44nodvd 44nodvd
45nogroups 45nogroups
46noinput
46nonewprivs 47nonewprivs
47noroot 48noroot
48nosound 49nosound
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index b8f97db1d..7d6e9b0eb 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -38,6 +38,7 @@ caps.drop all
38netfilter 38netfilter
39nodvd 39nodvd
40nogroups 40nogroups
41noinput
41nonewprivs 42nonewprivs
42noroot 43noroot
43notv 44notv
diff --git a/etc/profile-m-z/zaproxy.profile b/etc/profile-m-z/zaproxy.profile
index 6228ff3bd..5a168feb6 100644
--- a/etc/profile-m-z/zaproxy.profile
+++ b/etc/profile-m-z/zaproxy.profile
@@ -31,6 +31,7 @@ netfilter
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36nosound 37nosound
diff --git a/etc/profile-m-z/zart.profile b/etc/profile-m-z/zart.profile
index ca35e3b51..10f83aa30 100644
--- a/etc/profile-m-z/zart.profile
+++ b/etc/profile-m-z/zart.profile
@@ -23,6 +23,7 @@ ipc-namespace
23net none 23net none
24nodvd 24nodvd
25nogroups 25nogroups
26noinput
26nonewprivs 27nonewprivs
27noroot 28noroot
28notv 29notv
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index 86615341f..a39729685 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -32,6 +32,7 @@ machine-id
32net none 32net none
33nodvd 33nodvd
34nogroups 34nogroups
35noinput
35nonewprivs 36nonewprivs
36noroot 37noroot
37nosound 38nosound
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 2d0d944fd..2c6f6910f 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -36,6 +36,7 @@ netfilter
36no3d 36no3d
37nodvd 37nodvd
38nogroups 38nogroups
39noinput
39nonewprivs 40nonewprivs
40noroot 41noroot
41nosound 42nosound
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index 993f2a64b..093da5212 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -31,6 +31,7 @@ netfilter
31no3d 31no3d
32nodvd 32nodvd
33nogroups 33nogroups
34noinput
34nonewprivs 35nonewprivs
35noroot 36noroot
36notv 37notv
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 043e83c58..fcc7fe949 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -64,7 +64,7 @@ include globals.local
64#blacklist /tmp/.X11-unix 64#blacklist /tmp/.X11-unix
65# Disable Wayland 65# Disable Wayland
66#blacklist ${RUNUSER}/wayland-* 66#blacklist ${RUNUSER}/wayland-*
67# Disable RUNUSER (cli only) 67# Disable RUNUSER (cli only; supersedes Disable Wayland)
68#blacklist ${RUNUSER} 68#blacklist ${RUNUSER}
69 69
70# It is common practice to add files/dirs containing program-specific configuration 70# It is common practice to add files/dirs containing program-specific configuration
@@ -81,6 +81,9 @@ include globals.local
81# `ls -aR` 81# `ls -aR`
82#noblacklist PATH 82#noblacklist PATH
83 83
84# Allow /bin/sh (blacklisted by disable-shell.inc)
85#include allow-bin-sh.inc
86
84# Allows files commonly used by IDEs 87# Allows files commonly used by IDEs
85#include allow-common-devel.inc 88#include allow-common-devel.inc
86 89
@@ -103,12 +106,11 @@ include globals.local
103# Allow ruby (blacklisted by disable-interpreters.inc) 106# Allow ruby (blacklisted by disable-interpreters.inc)
104#include allow-ruby.inc 107#include allow-ruby.inc
105 108
106# Allow /bin/sh (blacklisted by disable-shell.inc)
107#include allow-bin-sh.inc
108
109# Allow ssh (blacklisted by disable-common.inc) 109# Allow ssh (blacklisted by disable-common.inc)
110#include allow-ssh.inc 110#include allow-ssh.inc
111 111
112# disable-*.inc includes
113# remove disable-write-mnt.inc if you set disable-mnt
112#include disable-common.inc 114#include disable-common.inc
113#include disable-devel.inc 115#include disable-devel.inc
114#include disable-exec.inc 116#include disable-exec.inc
@@ -148,6 +150,7 @@ include globals.local
148##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below) 150##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
149#nodvd 151#nodvd
150#nogroups 152#nogroups
153#noinput
151#nonewprivs 154#nonewprivs
152#noroot 155#noroot
153#nosound 156#nosound
@@ -219,3 +222,4 @@ include globals.local
219#memory-deny-write-execute 222#memory-deny-write-execute
220##noexec PATH 223##noexec PATH
221##read-only ${HOME} 224##read-only ${HOME}
225##read-write ${HOME}
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 96bd351f3..9577042c4 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -83,11 +83,9 @@ static void process_bin(const char *fname) {
83 continue; 83 continue;
84 *ptr2 = '\0'; 84 *ptr2 = '\0';
85 85
86 // skip strace 86 // skip strace and firejail (in case we hit a symlink in /usr/local/bin)
87 if (strcmp(ptr, "strace") == 0) 87 if (strcmp(ptr, "strace") && strcmp(ptr, "firejail"))
88 continue; 88 bin_out = filedb_add(bin_out, ptr);
89
90 bin_out = filedb_add(bin_out, ptr);
91 } 89 }
92 90
93 fclose(fp); 91 fclose(fp);
@@ -121,6 +119,5 @@ void build_bin(const char *fname, FILE *fp) {
121 ptr = ptr->next; 119 ptr = ptr->next;
122 } 120 }
123 fprintf(fp, "\n"); 121 fprintf(fp, "\n");
124 fprintf(fp, "# private-lib\n");
125 } 122 }
126} 123}
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 495f71ab8..8700e0ba1 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -146,31 +146,49 @@ void build_etc(const char *fname, FILE *fp) {
146//******************************************* 146//*******************************************
147// var directory 147// var directory
148//******************************************* 148//*******************************************
149#if 0
150// todo: load the list from whitelist-var-common.inc
151static char *var_skip[] = {
152 "/var/lib/ca-certificates",
153 "/var/lib/dbus",
154 "/var/lib/menu-xdg",
155 "/var/lib/uim",
156 "/var/cache/fontconfig",
157 "/var/tmp",
158 "/var/run",
159 "/var/lock",
160 NULL
161};
162#endif
149static FileDB *var_out = NULL; 163static FileDB *var_out = NULL;
164static FileDB *var_skip = NULL;
150static void var_callback(char *ptr) { 165static void var_callback(char *ptr) {
151 if (strcmp(ptr, "/var/lib") == 0) 166 // extract the directory:
152 ; 167 assert(strncmp(ptr, "/var", 4) == 0);
153 else if (strcmp(ptr, "/var/cache") == 0) 168 char *p1 = ptr + 4;
154 ; 169 if (*p1 != '/')
155 else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0) 170 return;
156 var_out = filedb_add(var_out, "/var/lib/menu-xdg"); 171 p1++;
157 else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0) 172
158 var_out = filedb_add(var_out, "/var/cache/fontconfig"); 173 if (*p1 == '/') // double '/'
159 else 174 p1++;
160 var_out = filedb_add(var_out, ptr); 175 if (*p1 == '\0')
176 return;
177
178 if (!filedb_find(var_skip, p1))
179 var_out = filedb_add(var_out, p1);
161} 180}
162 181
163void build_var(const char *fname, FILE *fp) { 182void build_var(const char *fname, FILE *fp) {
164 assert(fname); 183 assert(fname);
165 184
185 var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/");
166 process_files(fname, "/var", var_callback); 186 process_files(fname, "/var", var_callback);
167 187
168 if (var_out == NULL) { 188 // always whitelist /var
169 fprintf(fp, "blacklist /var\n"); 189 if (var_out)
170 } else { 190 filedb_print(var_out, "whitelist /var/", fp);
171 filedb_print(var_out, "whitelist ", fp); 191 fprintf(fp, "include whitelist-var-common.inc\n");
172 fprintf(fp, "include whitelist-var-common.inc\n");
173 }
174} 192}
175 193
176 194
@@ -178,6 +196,7 @@ void build_var(const char *fname, FILE *fp) {
178// usr/share directory 196// usr/share directory
179//******************************************* 197//*******************************************
180static FileDB *share_out = NULL; 198static FileDB *share_out = NULL;
199static FileDB *share_skip = NULL;
181static void share_callback(char *ptr) { 200static void share_callback(char *ptr) {
182 // extract the directory: 201 // extract the directory:
183 assert(strncmp(ptr, "/usr/share", 10) == 0); 202 assert(strncmp(ptr, "/usr/share", 10) == 0);
@@ -195,21 +214,21 @@ static void share_callback(char *ptr) {
195 if (p2) 214 if (p2)
196 *p2 = '\0'; 215 *p2 = '\0';
197 216
198 // store the file 217
199 share_out = filedb_add(share_out, ptr); 218 if (!filedb_find(share_skip, p1))
219 share_out = filedb_add(share_out, p1);
200} 220}
201 221
202void build_share(const char *fname, FILE *fp) { 222void build_share(const char *fname, FILE *fp) {
203 assert(fname); 223 assert(fname);
204 224
225 share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/");
205 process_files(fname, "/usr/share", share_callback); 226 process_files(fname, "/usr/share", share_callback);
206 227
207 if (share_out == NULL) { 228 // always whitelist /usr/share
208 fprintf(fp, "blacklist /usr/share\n"); 229 if (share_out)
209 } else { 230 filedb_print(share_out, "whitelist /usr/share/", fp);
210 filedb_print(share_out, "whitelist ", fp); 231 fprintf(fp, "include whitelist-usr-share-common.inc\n");
211 fprintf(fp, "include whitelist-usr-share-common.inc\n");
212 }
213} 232}
214 233
215//******************************************* 234//*******************************************
@@ -220,6 +239,10 @@ static void tmp_callback(char *ptr) {
220 // skip strace file 239 // skip strace file
221 if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) 240 if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
222 return; 241 return;
242 if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
243 return;
244 if (strcmp(ptr, "/tmp") == 0)
245 return;
223 246
224 tmp_out = filedb_add(tmp_out, ptr); 247 tmp_out = filedb_add(tmp_out, ptr);
225} 248}
@@ -232,8 +255,7 @@ void build_tmp(const char *fname, FILE *fp) {
232 if (tmp_out == NULL) 255 if (tmp_out == NULL)
233 fprintf(fp, "private-tmp\n"); 256 fprintf(fp, "private-tmp\n");
234 else { 257 else {
235 fprintf(fp, "\n"); 258 fprintf(fp, "#private-tmp\n");
236 fprintf(fp, "# private-tmp\n");
237 fprintf(fp, "# File accessed in /tmp directory:\n"); 259 fprintf(fp, "# File accessed in /tmp directory:\n");
238 fprintf(fp, "# "); 260 fprintf(fp, "# ");
239 FileDB *ptr = tmp_out; 261 FileDB *ptr = tmp_out;
@@ -249,40 +271,37 @@ void build_tmp(const char *fname, FILE *fp) {
249// dev directory 271// dev directory
250//******************************************* 272//*******************************************
251static char *dev_skip[] = { 273static char *dev_skip[] = {
274 "/dev/stdin",
275 "/dev/stdout",
276 "/dev/stderr",
252 "/dev/zero", 277 "/dev/zero",
253 "/dev/null", 278 "/dev/null",
254 "/dev/full", 279 "/dev/full",
255 "/dev/random", 280 "/dev/random",
281 "/dev/srandom",
256 "/dev/urandom", 282 "/dev/urandom",
283 "/dev/sr0",
284 "/dev/cdrom",
285 "/dev/cdrw",
286 "/dev/dvd",
287 "/dev/dvdrw",
288 "/dev/fd",
289 "/dev/pts",
290 "/dev/ptmx",
291 "/dev/log",
292
293 "/dev/aload", // old ALSA devices, not covered in private-dev
294 "/dev/dsp", // old OSS device, deprecated
295
257 "/dev/tty", 296 "/dev/tty",
258 "/dev/snd", 297 "/dev/snd",
259 "/dev/dri", 298 "/dev/dri",
260 "/dev/pts", 299 "/dev/nvidia",
261 "/dev/nvidia0", 300 "/dev/video",
262 "/dev/nvidia1",
263 "/dev/nvidia2",
264 "/dev/nvidia3",
265 "/dev/nvidia4",
266 "/dev/nvidia5",
267 "/dev/nvidia6",
268 "/dev/nvidia7",
269 "/dev/nvidia8",
270 "/dev/nvidia9",
271 "/dev/nvidiactl",
272 "/dev/nvidia-modeset",
273 "/dev/nvidia-uvm",
274 "/dev/video0",
275 "/dev/video1",
276 "/dev/video2",
277 "/dev/video3",
278 "/dev/video4",
279 "/dev/video5",
280 "/dev/video6",
281 "/dev/video7",
282 "/dev/video8",
283 "/dev/video9",
284 "/dev/dvb", 301 "/dev/dvb",
285 "/dev/sr0", 302 "/dev/hidraw",
303 "/dev/usb",
304 "/dev/input",
286 NULL 305 NULL
287}; 306};
288 307
@@ -292,7 +311,7 @@ static void dev_callback(char *ptr) {
292 int i = 0; 311 int i = 0;
293 int found = 0; 312 int found = 0;
294 while (dev_skip[i]) { 313 while (dev_skip[i]) {
295 if (strcmp(ptr, dev_skip[i]) == 0) { 314 if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) {
296 found = 1; 315 found = 1;
297 break; 316 break;
298 } 317 }
@@ -310,9 +329,8 @@ void build_dev(const char *fname, FILE *fp) {
310 if (dev_out == NULL) 329 if (dev_out == NULL)
311 fprintf(fp, "private-dev\n"); 330 fprintf(fp, "private-dev\n");
312 else { 331 else {
313 fprintf(fp, "\n"); 332 fprintf(fp, "#private-dev\n");
314 fprintf(fp, "# private-dev\n"); 333 fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n");
315 fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
316 fprintf(fp, "# "); 334 fprintf(fp, "# ");
317 FileDB *ptr = dev_out; 335 FileDB *ptr = dev_out;
318 while (ptr) { 336 while (ptr) {
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index 683009b71..b3ec6cffd 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -23,30 +23,6 @@
23static FileDB *db_skip = NULL; 23static FileDB *db_skip = NULL;
24static FileDB *db_out = NULL; 24static FileDB *db_out = NULL;
25 25
26static void load_whitelist_common(void) {
27 FILE *fp = fopen(SYSCONFDIR "/whitelist-common.inc", "r");
28 if (!fp) {
29 fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
30 exit(1);
31 }
32
33 char buf[MAX_BUF];
34 while (fgets(buf, MAX_BUF, fp)) {
35 if (strncmp(buf, "whitelist ${HOME}/", 18) != 0)
36 continue;
37 char *fn = buf + 18;
38 char *ptr = strchr(buf, '\n');
39 if (!ptr)
40 continue;
41 *ptr = '\0';
42
43 // add the file to skip list
44 db_skip = filedb_add(db_skip, fn);
45 }
46
47 fclose(fp);
48}
49
50void process_home(const char *fname, char *home, int home_len) { 26void process_home(const char *fname, char *home, int home_len) {
51 assert(fname); 27 assert(fname);
52 assert(home); 28 assert(home);
@@ -141,7 +117,7 @@ void process_home(const char *fname, char *home, int home_len) {
141 } 117 }
142 118
143 // skip files and directories in whitelist-common.inc 119 // skip files and directories in whitelist-common.inc
144 if (filedb_find(db_skip, toadd)) { 120 if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) {
145 if (dir) 121 if (dir)
146 free(dir); 122 free(dir);
147 continue; 123 continue;
@@ -162,7 +138,7 @@ void build_home(const char *fname, FILE *fp) {
162 assert(fname); 138 assert(fname);
163 139
164 // load whitelist common 140 // load whitelist common
165 load_whitelist_common(); 141 db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/");
166 142
167 // find user home directory 143 // find user home directory
168 struct passwd *pw = getpwuid(getuid()); 144 struct passwd *pw = getpwuid(getuid());
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 96a83954d..1726b4dbb 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -141,6 +141,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
141 if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { 141 if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
142 if (fp == stdout) 142 if (fp == stdout)
143 printf("--- Built profile beings after this line ---\n"); 143 printf("--- Built profile beings after this line ---\n");
144 fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
145 fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
146 fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
147 fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n");
148 fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n");
149
144 fprintf(fp, "# Firejail profile for %s\n", argv[index]); 150 fprintf(fp, "# Firejail profile for %s\n", argv[index]);
145 fprintf(fp, "# Persistent local customizations\n"); 151 fprintf(fp, "# Persistent local customizations\n");
146 fprintf(fp, "#include %s.local\n", argv[index]); 152 fprintf(fp, "#include %s.local\n", argv[index]);
@@ -148,56 +154,69 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
148 fprintf(fp, "#include globals.local\n"); 154 fprintf(fp, "#include globals.local\n");
149 fprintf(fp, "\n"); 155 fprintf(fp, "\n");
150 156
151 fprintf(fp, "### basic blacklisting\n"); 157 fprintf(fp, "### Basic Blacklisting ###\n");
158 fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
159 fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
160 fprintf(fp, "### and /tmp directories non-executable.\n");
152 fprintf(fp, "include disable-common.inc\n"); 161 fprintf(fp, "include disable-common.inc\n");
153 fprintf(fp, "# include disable-devel.inc\n"); 162 fprintf(fp, "#include disable-devel.inc\n");
154 fprintf(fp, "# include disable-exec.inc\n"); 163 fprintf(fp, "#include disable-exec.inc\n");
155 fprintf(fp, "# include disable-interpreters.inc\n"); 164 fprintf(fp, "#include disable-interpreters.inc\n");
156 fprintf(fp, "include disable-passwdmgr.inc\n"); 165 fprintf(fp, "include disable-passwdmgr.inc\n");
157 fprintf(fp, "# include disable-programs.inc\n"); 166 fprintf(fp, "include disable-programs.inc\n");
158 fprintf(fp, "# include disable-xdg.inc\n"); 167 fprintf(fp, "#include disable-shell.inc\n");
168 fprintf(fp, "#include disable-xdg.inc\n");
159 fprintf(fp, "\n"); 169 fprintf(fp, "\n");
160 170
161 fprintf(fp, "### home directory whitelisting\n"); 171 fprintf(fp, "### Home Directory Whitelisting ###\n");
172 fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n");
173 fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n");
162 build_home(trace_output, fp); 174 build_home(trace_output, fp);
163 fprintf(fp, "\n"); 175 fprintf(fp, "\n");
164 176
165 fprintf(fp, "### filesystem\n"); 177 fprintf(fp, "### Filesystem Whitelisting ###\n");
166 fprintf(fp, "# /usr/share:\n");
167 build_share(trace_output, fp); 178 build_share(trace_output, fp);
168 fprintf(fp, "# /var:\n"); 179 //todo: include whitelist-runuser-common.inc
169 build_var(trace_output, fp); 180 build_var(trace_output, fp);
170 fprintf(fp, "\n"); 181 fprintf(fp, "\n");
171 fprintf(fp, "# $PATH:\n");
172 build_bin(trace_output, fp);
173 fprintf(fp, "# /dev:\n");
174 build_dev(trace_output, fp);
175 fprintf(fp, "# /etc:\n");
176 build_etc(trace_output, fp);
177 fprintf(fp, "# /tmp:\n");
178 build_tmp(trace_output, fp);
179 fprintf(fp, "\n");
180 182
181 fprintf(fp, "### security filters\n"); 183 fprintf(fp, "#apparmor\n");
182 fprintf(fp, "caps.drop all\n"); 184 fprintf(fp, "caps.drop all\n");
185 fprintf(fp, "ipc-namespace\n");
186 fprintf(fp, "netfilter\n");
187 fprintf(fp, "#nodvd\n");
188 fprintf(fp, "#nogroups\n");
189 fprintf(fp, "#noinput\n");
183 fprintf(fp, "nonewprivs\n"); 190 fprintf(fp, "nonewprivs\n");
191 fprintf(fp, "noroot\n");
192 fprintf(fp, "#notv\n");
193 fprintf(fp, "#nou2f\n");
194 fprintf(fp, "#novideo\n");
195 build_protocol(trace_output, fp);
184 fprintf(fp, "seccomp\n"); 196 fprintf(fp, "seccomp\n");
185 if (!have_strace) { 197 if (!have_strace) {
186 fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); 198 fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
187 fprintf(fp, "# whitelisted seccomp filter.\n"); 199 fprintf(fp, "### whitelisted seccomp filter.\n");
188 } 200 }
189 else if (!have_yama_permission) 201 else if (!have_yama_permission)
190 fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n"); 202 fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
191 else 203 else
192 build_seccomp(strace_output, fp); 204 build_seccomp(strace_output, fp);
205 fprintf(fp, "shell none\n");
206 fprintf(fp, "#tracelog\n");
193 fprintf(fp, "\n"); 207 fprintf(fp, "\n");
194 208
195 fprintf(fp, "### network\n"); 209 fprintf(fp, "#disable-mnt\n");
196 build_protocol(trace_output, fp); 210 build_bin(trace_output, fp);
211 fprintf(fp, "#private-lib\n");
212 build_dev(trace_output, fp);
213 build_etc(trace_output, fp);
214 build_tmp(trace_output, fp);
197 fprintf(fp, "\n"); 215 fprintf(fp, "\n");
198 216
199 fprintf(fp, "### environment\n"); 217 fprintf(fp, "#dbus-user none\n");
200 fprintf(fp, "shell none\n"); 218 fprintf(fp, "#dbus-system none\n");
219 fprintf(fp, "#memory-deny-write-execute\n");
201 220
202 if (!arg_debug) { 221 if (!arg_debug) {
203 unlink(trace_output); 222 unlink(trace_output);
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index 8d3621c02..08dd35e10 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -66,5 +66,6 @@ typedef struct filedb_t {
66FileDB *filedb_add(FileDB *head, const char *fname); 66FileDB *filedb_add(FileDB *head, const char *fname);
67FileDB *filedb_find(FileDB *head, const char *fname); 67FileDB *filedb_find(FileDB *head, const char *fname);
68void filedb_print(FileDB *head, const char *prefix, FILE *fp); 68void filedb_print(FileDB *head, const char *prefix, FILE *fp);
69FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix);
69 70
70#endif 71#endif
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c
index 6e302a606..94a226cb7 100644
--- a/src/fbuilder/filedb.c
+++ b/src/fbuilder/filedb.c
@@ -20,7 +20,9 @@
20 20
21#include "fbuilder.h" 21#include "fbuilder.h"
22 22
23// find exact name or an exact name in a parent directory
23FileDB *filedb_find(FileDB *head, const char *fname) { 24FileDB *filedb_find(FileDB *head, const char *fname) {
25 assert(fname);
24 FileDB *ptr = head; 26 FileDB *ptr = head;
25 int found = 0; 27 int found = 0;
26 int len = strlen(fname); 28 int len = strlen(fname);
@@ -52,6 +54,8 @@ FileDB *filedb_find(FileDB *head, const char *fname) {
52FileDB *filedb_add(FileDB *head, const char *fname) { 54FileDB *filedb_add(FileDB *head, const char *fname) {
53 assert(fname); 55 assert(fname);
54 56
57 // todo: support fnames such as ${RUNUSER}/.mutter-Xwaylandauth.*
58
55 // don't add it if it is already there or if the parent directory is already in the list 59 // don't add it if it is already there or if the parent directory is already in the list
56 if (filedb_find(head, fname)) 60 if (filedb_find(head, fname))
57 return head; 61 return head;
@@ -70,9 +74,52 @@ FileDB *filedb_add(FileDB *head, const char *fname) {
70}; 74};
71 75
72void filedb_print(FileDB *head, const char *prefix, FILE *fp) { 76void filedb_print(FileDB *head, const char *prefix, FILE *fp) {
77 assert(head);
78 assert(prefix);
79
73 FileDB *ptr = head; 80 FileDB *ptr = head;
74 while (ptr) { 81 while (ptr) {
75 fprintf(fp, "%s%s\n", prefix, ptr->fname); 82 if (fp)
83 fprintf(fp, "%s%s\n", prefix, ptr->fname);
84 else
85 printf("%s%s\n", prefix, ptr->fname);
76 ptr = ptr->next; 86 ptr = ptr->next;
77 } 87 }
78} 88}
89
90FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix) {
91 assert(fname);
92 assert(prefix);
93 int len = strlen(prefix);
94 char *f;
95 if (asprintf(&f, "%s/%s", SYSCONFDIR, fname) == -1)
96 errExit("asprintf");
97 FILE *fp = fopen(f, "r");
98 if (!fp) {
99 fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
100 free(f);
101 exit(1);
102 }
103
104 char buf[MAX_BUF];
105 while (fgets(buf, MAX_BUF, fp)) {
106 if (strncmp(buf, prefix, len) != 0)
107 continue;
108
109 char *fn = buf + len;
110 char *ptr = strchr(buf, '\n');
111 if (!ptr)
112 continue;
113 *ptr = '\0';
114
115 // add the file to skip list
116 head = filedb_add(head, fn);
117 }
118
119 fclose(fp);
120 free(f);
121//printf("***************************************************\n");
122//filedb_print(head, prefix, NULL);
123//printf("***************************************************\n");
124 return head;
125}
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
index f4917aefc..35ec49519 100644
--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -58,10 +58,16 @@ printf("\n");
58 exit(1); 58 exit(1);
59 } 59 }
60 60
61 // don't run if the file exists
62 if (access(argv[i] + 8, F_OK) == 0) {
63 fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n");
64 exit(1);
65 }
66
61 // check file access 67 // check file access
62 fp = fopen(argv[i] + 8, "w"); 68 fp = fopen(argv[i] + 8, "w");
63 if (!fp) { 69 if (!fp) {
64 fprintf(stderr, "Error fbuild: cannot open profile file.\n"); 70 fprintf(stderr, "Error: cannot open profile file.\n");
65 exit(1); 71 exit(1);
66 } 72 }
67 prof_file = 1; 73 prof_file = 1;
@@ -69,7 +75,7 @@ printf("\n");
69 } 75 }
70 else { 76 else {
71 if (*argv[i] == '-') { 77 if (*argv[i] == '-') {
72 fprintf(stderr, "Error fbuilder: invalid program\n"); 78 fprintf(stderr, "Error: invalid program\n");
73 usage(); 79 usage();
74 exit(1); 80 exit(1);
75 } 81 }
@@ -79,7 +85,7 @@ printf("\n");
79 } 85 }
80 86
81 if (prog_index == 0) { 87 if (prog_index == 0) {
82 fprintf(stderr, "Error fbuilder: program and arguments required\n"); 88 fprintf(stderr, "Error : program and arguments required\n");
83 usage(); 89 usage();
84 if (prof_file) 90 if (prof_file)
85 fclose(fp); 91 fclose(fp);
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index be50d5f44..474904ebf 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -74,6 +74,7 @@ autokey-run
74autokey-shell 74autokey-shell
75avidemux3_qt5 75avidemux3_qt5
76aweather 76aweather
77ballbuster
77baloo_file 78baloo_file
78baloo_filemetadata_temp_extractor 79baloo_filemetadata_temp_extractor
79balsa 80balsa
@@ -147,6 +148,7 @@ cmus
147code 148code
148code-oss 149code-oss
149cola 150cola
151colorful
150com.github.bleakgrey.tootle 152com.github.bleakgrey.tootle
151com.github.dahenson.agenda 153com.github.dahenson.agenda
152com.github.johnfactotum.Foliate 154com.github.johnfactotum.Foliate
@@ -236,6 +238,7 @@ ffplay
236ffprobe 238ffprobe
237file-roller 239file-roller
238filezilla 240filezilla
241firedragon
239firefox 242firefox
240firefox-beta 243firefox-beta
241firefox-developer-edition 244firefox-developer-edition
@@ -293,6 +296,8 @@ git-cola
293github-desktop 296github-desktop
294gitter 297gitter
295# gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 298# gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
299gl-117
300glaxium
296globaltime 301globaltime
297gmpc 302gmpc
298gnome-2048 303gnome-2048
@@ -550,6 +555,7 @@ mypaint
550mypaint-ora-thumbnailer 555mypaint-ora-thumbnailer
551natron 556natron
552ncdu 557ncdu
558neochat
553neomutt 559neomutt
554netactview 560netactview
555nethack 561nethack
@@ -615,6 +621,7 @@ penguin-command
615photoflare 621photoflare
616picard 622picard
617pidgin 623pidgin
624pinball
618#ping - disabled until we fix #1912 625#ping - disabled until we fix #1912
619pingus 626pingus
620pinta 627pinta
@@ -673,7 +680,6 @@ runenpass.sh
673sayonara 680sayonara
674scallion 681scallion
675scorched3d 682scorched3d
676scorched3d-wrapper
677scorchwentbonkers 683scorchwentbonkers
678scribus 684scribus
679sdat2img 685sdat2img
@@ -867,7 +873,6 @@ xmr-stak
867xonotic 873xonotic
868xonotic-glx 874xonotic-glx
869xonotic-sdl 875xonotic-sdl
870xonotic-sdl-wrapper
871xournal 876xournal
872xournalpp 877xournalpp
873xpdf 878xpdf
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 59758bf2d..6b9fed765 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -67,7 +67,7 @@ void appimage_set(const char *appimage) {
67 67
68 // find or allocate a free loop device to use 68 // find or allocate a free loop device to use
69 EUID_ROOT(); 69 EUID_ROOT();
70 int cfd = open("/dev/loop-control", O_RDWR); 70 int cfd = open("/dev/loop-control", O_RDWR|O_CLOEXEC);
71 if (cfd == -1) 71 if (cfd == -1)
72 err_loop(); 72 err_loop();
73 int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); 73 int devnr = ioctl(cfd, LOOP_CTL_GET_FREE);
@@ -78,7 +78,7 @@ void appimage_set(const char *appimage) {
78 errExit("asprintf"); 78 errExit("asprintf");
79 79
80 // associate loop device with appimage 80 // associate loop device with appimage
81 int lfd = open(devloop, O_RDONLY); 81 int lfd = open(devloop, O_RDONLY|O_CLOEXEC);
82 if (lfd == -1) 82 if (lfd == -1)
83 err_loop(); 83 err_loop();
84 if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) 84 if (ioctl(lfd, LOOP_SET_FD, ffd) == -1)
@@ -146,7 +146,7 @@ void appimage_mount(void) {
146void appimage_clear(void) { 146void appimage_clear(void) {
147 EUID_ROOT(); 147 EUID_ROOT();
148 if (devloop) { 148 if (devloop) {
149 int lfd = open(devloop, O_RDONLY); 149 int lfd = open(devloop, O_RDONLY|O_CLOEXEC);
150 if (lfd != -1) { 150 if (lfd != -1) {
151 if (ioctl(lfd, LOOP_CLR_FD, 0) != -1) 151 if (ioctl(lfd, LOOP_CLR_FD, 0) != -1)
152 fmessage("AppImage detached\n"); 152 fmessage("AppImage detached\n");
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 1c952c0bc..a085f2c27 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -22,6 +22,7 @@
22#include <sys/types.h> 22#include <sys/types.h>
23#include <sys/stat.h> 23#include <sys/stat.h>
24#include <unistd.h> 24#include <unistd.h>
25#include <errno.h>
25#include <net/if.h> 26#include <net/if.h>
26#include "firejail.h" 27#include "firejail.h"
27 28
@@ -119,26 +120,19 @@ static void bandwidth_create_run_file(pid_t pid) {
119 if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) 120 if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
120 errExit("asprintf"); 121 errExit("asprintf");
121 122
122 // if the file already exists, do nothing
123 struct stat s;
124 if (stat(fname, &s) == 0) {
125 free(fname);
126 return;
127 }
128
129 // create an empty file and set mod and ownership 123 // create an empty file and set mod and ownership
130 /* coverity[toctou] */ 124 // if the file already exists, do nothing
131 FILE *fp = fopen(fname, "w"); 125 FILE *fp = fopen(fname, "wxe");
132 if (fp) { 126 free(fname);
133 SET_PERMS_STREAM(fp, 0, 0, 0644); 127 if (!fp) {
134 fclose(fp); 128 if (errno == EEXIST)
135 } 129 return;
136 else {
137 fprintf(stderr, "Error: cannot create bandwidth file\n"); 130 fprintf(stderr, "Error: cannot create bandwidth file\n");
138 exit(1); 131 exit(1);
139 } 132 }
140 133
141 free(fname); 134 SET_PERMS_STREAM(fp, 0, 0, 0644);
135 fclose(fp);
142} 136}
143 137
144 138
@@ -148,7 +142,7 @@ void network_set_run_file(pid_t pid) {
148 errExit("asprintf"); 142 errExit("asprintf");
149 143
150 // create an empty file and set mod and ownership 144 // create an empty file and set mod and ownership
151 FILE *fp = fopen(fname, "w"); 145 FILE *fp = fopen(fname, "we");
152 if (fp) { 146 if (fp) {
153 if (cfg.bridge0.configured) 147 if (cfg.bridge0.configured)
154 fprintf(fp, "%s:%s\n", cfg.bridge0.dev, cfg.bridge0.devsandbox); 148 fprintf(fp, "%s:%s\n", cfg.bridge0.dev, cfg.bridge0.devsandbox);
@@ -178,7 +172,7 @@ static void read_bandwidth_file(pid_t pid) {
178 if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) 172 if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
179 errExit("asprintf"); 173 errExit("asprintf");
180 174
181 FILE *fp = fopen(fname, "r"); 175 FILE *fp = fopen(fname, "re");
182 if (fp) { 176 if (fp) {
183 char buf[1024]; 177 char buf[1024];
184 while (fgets(buf, 1024,fp)) { 178 while (fgets(buf, 1024,fp)) {
@@ -214,7 +208,7 @@ static void write_bandwidth_file(pid_t pid) {
214 if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) 208 if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
215 errExit("asprintf"); 209 errExit("asprintf");
216 210
217 FILE *fp = fopen(fname, "w"); 211 FILE *fp = fopen(fname, "we");
218 if (fp) { 212 if (fp) {
219 IFBW *ptr = ifbw; 213 IFBW *ptr = ifbw;
220 while (ptr) { 214 while (ptr) {
@@ -307,7 +301,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
307 char *fname; 301 char *fname;
308 if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1) 302 if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1)
309 errExit("asprintf"); 303 errExit("asprintf");
310 FILE *fp = fopen(fname, "r"); 304 FILE *fp = fopen(fname, "re");
311 if (!fp) { 305 if (!fp) {
312 fprintf(stderr, "Error: cannot read network map file %s\n", fname); 306 fprintf(stderr, "Error: cannot read network map file %s\n", fname);
313 exit(1); 307 exit(1);
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 597f9915b..5e02b99c2 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -389,7 +389,7 @@ static uint64_t extract_caps(int pid) {
389 errExit("asprintf"); 389 errExit("asprintf");
390 390
391 EUID_ROOT(); // grsecurity 391 EUID_ROOT(); // grsecurity
392 FILE *fp = fopen(file, "r"); 392 FILE *fp = fopen(file, "re");
393 EUID_USER(); // grsecurity 393 EUID_USER(); // grsecurity
394 if (!fp) 394 if (!fp)
395 goto errexit; 395 goto errexit;
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index 986b1157d..e7ffbca36 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -26,7 +26,7 @@ void save_cgroup(void) {
26 if (cfg.cgroup == NULL) 26 if (cfg.cgroup == NULL)
27 return; 27 return;
28 28
29 FILE *fp = fopen(RUN_CGROUP_CFG, "w"); 29 FILE *fp = fopen(RUN_CGROUP_CFG, "wxe");
30 if (fp) { 30 if (fp) {
31 fprintf(fp, "%s", cfg.cgroup); 31 fprintf(fp, "%s", cfg.cgroup);
32 fflush(0); 32 fflush(0);
@@ -48,7 +48,7 @@ void load_cgroup(const char *fname) {
48 if (!fname) 48 if (!fname)
49 return; 49 return;
50 50
51 FILE *fp = fopen(fname, "r"); 51 FILE *fp = fopen(fname, "re");
52 if (fp) { 52 if (fp) {
53 char buf[MAXBUF]; 53 char buf[MAXBUF];
54 if (fgets(buf, MAXBUF, fp)) { 54 if (fgets(buf, MAXBUF, fp)) {
@@ -91,19 +91,19 @@ void set_cgroup(const char *path) {
91 goto errout; 91 goto errout;
92 92
93 // tasks file exists 93 // tasks file exists
94 struct stat s; 94 FILE *fp = fopen(path, "ae");
95 if (stat(path, &s) == -1) 95 if (!fp)
96 goto errout; 96 goto errout;
97
98 // task file belongs to the user running the sandbox 97 // task file belongs to the user running the sandbox
98 int fd = fileno(fp);
99 if (fd == -1)
100 errExit("fileno");
101 struct stat s;
102 if (fstat(fd, &s) == -1)
103 errExit("fstat");
99 if (s.st_uid != getuid() && s.st_gid != getgid()) 104 if (s.st_uid != getuid() && s.st_gid != getgid())
100 goto errout2; 105 goto errout2;
101
102 // add the task to cgroup 106 // add the task to cgroup
103 /* coverity[toctou] */
104 FILE *fp = fopen(path, "a");
105 if (!fp)
106 goto errout;
107 pid_t pid = getpid(); 107 pid_t pid = getpid();
108 int rv = fprintf(fp, "%d\n", pid); 108 int rv = fprintf(fp, "%d\n", pid);
109 (void) rv; 109 (void) rv;
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 8a6e47e17..614b144e5 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -60,7 +60,7 @@ int checkcfg(int val) {
60 60
61 // open configuration file 61 // open configuration file
62 const char *fname = SYSCONFDIR "/firejail.config"; 62 const char *fname = SYSCONFDIR "/firejail.config";
63 fp = fopen(fname, "r"); 63 fp = fopen(fname, "re");
64 if (!fp) { 64 if (!fp) {
65#ifdef HAVE_GLOBALCFG 65#ifdef HAVE_GLOBALCFG
66 fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); 66 fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname);
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 3427e8ade..fe7258fb0 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -75,7 +75,7 @@ void save_cpu(void) {
75 if (cfg.cpus == 0) 75 if (cfg.cpus == 0)
76 return; 76 return;
77 77
78 FILE *fp = fopen(RUN_CPU_CFG, "w"); 78 FILE *fp = fopen(RUN_CPU_CFG, "wxe");
79 if (fp) { 79 if (fp) {
80 fprintf(fp, "%x\n", cfg.cpus); 80 fprintf(fp, "%x\n", cfg.cpus);
81 SET_PERMS_STREAM(fp, 0, 0, 0600); 81 SET_PERMS_STREAM(fp, 0, 0, 0600);
@@ -91,7 +91,7 @@ void load_cpu(const char *fname) {
91 if (!fname) 91 if (!fname)
92 return; 92 return;
93 93
94 FILE *fp = fopen(fname, "r"); 94 FILE *fp = fopen(fname, "re");
95 if (fp) { 95 if (fp) {
96 unsigned tmp; 96 unsigned tmp;
97 int rv = fscanf(fp, "%x", &tmp); 97 int rv = fscanf(fp, "%x", &tmp);
@@ -139,7 +139,7 @@ static void print_cpu(int pid) {
139 } 139 }
140 140
141 EUID_ROOT(); // grsecurity 141 EUID_ROOT(); // grsecurity
142 FILE *fp = fopen(file, "r"); 142 FILE *fp = fopen(file, "re");
143 EUID_USER(); // grsecurity 143 EUID_USER(); // grsecurity
144 if (!fp) { 144 if (!fp) {
145 printf(" Error: cannot open %s\n", file); 145 printf(" Error: cannot open %s\n", file);
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index bdbb338d5..5bcdcad37 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -93,7 +93,7 @@ static pid_t dhcp_read_pidfile(const Dhclient *client) {
93 while (found == 0 && tries < 10) { 93 while (found == 0 && tries < 10) {
94 if (tries >= 1) 94 if (tries >= 1)
95 usleep(100000); 95 usleep(100000);
96 FILE *pidfile = fopen(client->pid_file, "r"); 96 FILE *pidfile = fopen(client->pid_file, "re");
97 if (pidfile) { 97 if (pidfile) {
98 long pid; 98 long pid;
99 if (fscanf(pidfile, "%ld", &pid) == 1) 99 if (fscanf(pidfile, "%ld", &pid) == 1)
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 03818df0b..f5e9dd980 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -59,12 +59,7 @@ void env_ibus_load(void) {
59 if (asprintf(&dirname, "%s/.config/ibus/bus", cfg.homedir) == -1) 59 if (asprintf(&dirname, "%s/.config/ibus/bus", cfg.homedir) == -1)
60 errExit("asprintf"); 60 errExit("asprintf");
61 61
62 struct stat s;
63 if (stat(dirname, &s) == -1)
64 return;
65
66 // find the file 62 // find the file
67 /* coverity[toctou] */
68 DIR *dir = opendir(dirname); 63 DIR *dir = opendir(dirname);
69 if (!dir) { 64 if (!dir) {
70 free(dirname); 65 free(dirname);
@@ -84,7 +79,7 @@ void env_ibus_load(void) {
84 char *fname; 79 char *fname;
85 if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) 80 if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1)
86 errExit("asprintf"); 81 errExit("asprintf");
87 FILE *fp = fopen(fname, "r"); 82 FILE *fp = fopen(fname, "re");
88 free(fname); 83 free(fname);
89 if (!fp) 84 if (!fp)
90 continue; 85 continue;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 20de229df..1c1ad4e97 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -310,7 +310,6 @@ extern int arg_private_cwd; // private working directory
310extern int arg_scan; // arp-scan all interfaces 310extern int arg_scan; // arp-scan all interfaces
311extern int arg_whitelist; // whitelist command 311extern int arg_whitelist; // whitelist command
312extern int arg_nosound; // disable sound 312extern int arg_nosound; // disable sound
313extern int arg_noautopulse; // disable automatic ~/.config/pulse init
314extern int arg_novideo; //disable video devices in /dev 313extern int arg_novideo; //disable video devices in /dev
315extern int arg_no3d; // disable 3d hardware acceleration 314extern int arg_no3d; // disable 3d hardware acceleration
316extern int arg_quiet; // no output for scripting 315extern int arg_quiet; // no output for scripting
@@ -319,6 +318,7 @@ extern int arg_join_filesystem; // join only the mount namespace
319extern int arg_nice; // nice value configured 318extern int arg_nice; // nice value configured
320extern int arg_ipc; // enable ipc namespace 319extern int arg_ipc; // enable ipc namespace
321extern int arg_writable_etc; // writable etc 320extern int arg_writable_etc; // writable etc
321extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init
322extern int arg_writable_var; // writable var 322extern int arg_writable_var; // writable var
323extern int arg_keep_var_tmp; // don't overwrite /var/tmp 323extern int arg_keep_var_tmp; // don't overwrite /var/tmp
324extern int arg_writable_run_user; // writable /run/user 324extern int arg_writable_run_user; // writable /run/user
@@ -335,7 +335,8 @@ extern int arg_noprofile; // use default.profile if none other found/specified
335extern int arg_memory_deny_write_execute; // block writable and executable memory 335extern int arg_memory_deny_write_execute; // block writable and executable memory
336extern int arg_notv; // --notv 336extern int arg_notv; // --notv
337extern int arg_nodvd; // --nodvd 337extern int arg_nodvd; // --nodvd
338extern int arg_nou2f; // --nou2f 338extern int arg_nou2f; // --nou2f
339extern int arg_noinput; // --noinput
339extern int arg_deterministic_exit_code; // always exit with first child's exit status 340extern int arg_deterministic_exit_code; // always exit with first child's exit status
340 341
341typedef enum { 342typedef enum {
@@ -565,6 +566,7 @@ void fs_dev_disable_video(void);
565void fs_dev_disable_tv(void); 566void fs_dev_disable_tv(void);
566void fs_dev_disable_dvd(void); 567void fs_dev_disable_dvd(void);
567void fs_dev_disable_u2f(void); 568void fs_dev_disable_u2f(void);
569void fs_dev_disable_input(void);
568 570
569// fs_home.c 571// fs_home.c
570// private mode (--private) 572// private mode (--private)
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index b2fa60f63..8c2870a4d 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -41,6 +41,7 @@ typedef enum {
41 DEV_TV, 41 DEV_TV,
42 DEV_DVD, 42 DEV_DVD,
43 DEV_U2F, 43 DEV_U2F,
44 DEV_INPUT
44} DEV_TYPE; 45} DEV_TYPE;
45 46
46 47
@@ -89,6 +90,7 @@ static DevEntry dev[] = {
89 {"/dev/hidraw8", RUN_DEV_DIR "/hidraw8", DEV_U2F}, 90 {"/dev/hidraw8", RUN_DEV_DIR "/hidraw8", DEV_U2F},
90 {"/dev/hidraw9", RUN_DEV_DIR "/hidraw9", DEV_U2F}, 91 {"/dev/hidraw9", RUN_DEV_DIR "/hidraw9", DEV_U2F},
91 {"/dev/usb", RUN_DEV_DIR "/usb", DEV_U2F}, // USB devices such as Yubikey, U2F 92 {"/dev/usb", RUN_DEV_DIR "/usb", DEV_U2F}, // USB devices such as Yubikey, U2F
93 {"/dev/input", RUN_DEV_DIR "/input", DEV_INPUT},
92 {NULL, NULL, DEV_NONE} 94 {NULL, NULL, DEV_NONE}
93}; 95};
94 96
@@ -103,7 +105,8 @@ static void deventry_mount(void) {
103 (dev[i].type == DEV_VIDEO && arg_novideo == 0) || 105 (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
104 (dev[i].type == DEV_TV && arg_notv == 0) || 106 (dev[i].type == DEV_TV && arg_notv == 0) ||
105 (dev[i].type == DEV_DVD && arg_nodvd == 0) || 107 (dev[i].type == DEV_DVD && arg_nodvd == 0) ||
106 (dev[i].type == DEV_U2F && arg_nou2f == 0)) { 108 (dev[i].type == DEV_U2F && arg_nou2f == 0) ||
109 (dev[i].type == DEV_INPUT && arg_noinput == 0)) {
107 110
108 int dir = is_dir(dev[i].run_fname); 111 int dir = is_dir(dev[i].run_fname);
109 if (arg_debug) 112 if (arg_debug)
@@ -119,7 +122,7 @@ static void deventry_mount(void) {
119 i++; 122 i++;
120 continue; 123 continue;
121 } 124 }
122 FILE *fp = fopen(dev[i].dev_fname, "w"); 125 FILE *fp = fopen(dev[i].dev_fname, "we");
123 if (fp) { 126 if (fp) {
124 fprintf(fp, "\n"); 127 fprintf(fp, "\n");
125 SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); 128 SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
@@ -215,7 +218,7 @@ void fs_private_dev(void){
215 struct stat s; 218 struct stat s;
216 if (stat("/dev/log", &s) == 0) { 219 if (stat("/dev/log", &s) == 0) {
217 have_devlog = 1; 220 have_devlog = 1;
218 FILE *fp = fopen(RUN_DEVLOG_FILE, "w"); 221 FILE *fp = fopen(RUN_DEVLOG_FILE, "we");
219 if (!fp) 222 if (!fp)
220 have_devlog = 0; 223 have_devlog = 0;
221 else { 224 else {
@@ -236,7 +239,7 @@ void fs_private_dev(void){
236 239
237 // bring back /dev/log 240 // bring back /dev/log
238 if (have_devlog) { 241 if (have_devlog) {
239 FILE *fp = fopen("/dev/log", "w"); 242 FILE *fp = fopen("/dev/log", "we");
240 if (fp) { 243 if (fp) {
241 fprintf(fp, "\n"); 244 fprintf(fp, "\n");
242 fclose(fp); 245 fclose(fp);
@@ -386,3 +389,12 @@ void fs_dev_disable_u2f(void) {
386 i++; 389 i++;
387 } 390 }
388} 391}
392
393void fs_dev_disable_input(void) {
394 int i = 0;
395 while (dev[i].dev_fname != NULL) {
396 if (dev[i].type == DEV_INPUT)
397 disable_file_or_dir(dev[i].dev_fname);
398 i++;
399 }
400}
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index abec25d45..b0e1e1bf1 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -52,7 +52,7 @@ void fs_machineid(void) {
52 mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80; 52 mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80;
53 53
54 // write it in a file 54 // write it in a file
55 FILE *fp = fopen(RUN_MACHINEID, "w"); 55 FILE *fp = fopen(RUN_MACHINEID, "we");
56 if (!fp) 56 if (!fp)
57 errExit("fopen"); 57 errExit("fopen");
58 fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]); 58 fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]);
@@ -76,6 +76,44 @@ void fs_machineid(void) {
76 } 76 }
77} 77}
78 78
79// Duplicate directory structure from src to dst by creating empty directories.
80// The paths _must_ be identical after their respective prefixes.
81// When finished, dst will point to the target directory. That is, if
82// it starts out pointing to a file, it will instead be truncated so
83// that it contains the parent directory instead.
84static void build_dirs(char *src, char *dst, size_t src_prefix_len, size_t dst_prefix_len) {
85 char *p = src + src_prefix_len + 1;
86 char *q = dst + dst_prefix_len + 1;
87 char *r = dst + dst_prefix_len;
88 struct stat s;
89 bool last = false;
90 *r = '\0';
91 for (; !last; p++, q++) {
92 if (*p == '\0') {
93 last = true;
94 }
95 if (*p == '\0' || (*p == '/' && *(p - 1) != '/')) {
96 // We found a new component of our src path.
97 // Null-terminate it temporarily here so that we can work
98 // with it.
99 *p = '\0';
100 if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
101 // Null-terminate the dst path and undo its previous
102 // termination.
103 *q = '\0';
104 *r = '/';
105 r = q;
106 create_empty_dir_as_root(dst, s.st_mode);
107 }
108 if (!last) {
109 // If we're not at the final terminating null, restore
110 // the slash so that we can continue our traversal.
111 *p = '/';
112 }
113 }
114 }
115}
116
79// return 0 if file not found, 1 if found 117// return 0 if file not found, 1 if found
80static int check_dir_or_file(const char *fname) { 118static int check_dir_or_file(const char *fname) {
81 assert(fname); 119 assert(fname);
@@ -103,7 +141,7 @@ errexit:
103static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { 141static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
104 assert(fname); 142 assert(fname);
105 143
106 if (*fname == '~' || strchr(fname, '/') || strcmp(fname, "..") == 0) { 144 if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
107 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); 145 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
108 exit(1); 146 exit(1);
109 } 147 }
@@ -119,21 +157,16 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
119 } 157 }
120 158
121 if (arg_debug) 159 if (arg_debug)
122 printf("copying %s to private %s\n", src, private_dir); 160 printf("Copying %s to private %s\n", src, private_dir);
123 161
124 struct stat s; 162 char *dst;
125 if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { 163 if (asprintf(&dst, "%s/%s", private_run_dir, fname) == -1)
126 // create the directory in RUN_ETC_DIR 164 errExit("asprintf");
127 char *dirname; 165
128 if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1) 166 build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
129 errExit("asprintf"); 167 sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
130 create_empty_dir_as_root(dirname, s.st_mode);
131 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname);
132 free(dirname);
133 }
134 else
135 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir);
136 168
169 free(dst);
137 fs_logger2("clone", src); 170 fs_logger2("clone", src);
138 free(src); 171 free(src);
139} 172}
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index e3b044a3b..4bcefa443 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -130,7 +130,7 @@ static int store_xauthority(void) {
130 } 130 }
131 131
132 // create an empty file as root, and change ownership to user 132 // create an empty file as root, and change ownership to user
133 FILE *fp = fopen(dest, "w"); 133 FILE *fp = fopen(dest, "we");
134 if (fp) { 134 if (fp) {
135 fprintf(fp, "\n"); 135 fprintf(fp, "\n");
136 SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); 136 SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
@@ -178,7 +178,7 @@ static int store_asoundrc(void) {
178 } 178 }
179 179
180 // create an empty file as root, and change ownership to user 180 // create an empty file as root, and change ownership to user
181 FILE *fp = fopen(dest, "w"); 181 FILE *fp = fopen(dest, "we");
182 if (fp) { 182 if (fp) {
183 fprintf(fp, "\n"); 183 fprintf(fp, "\n");
184 SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); 184 SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 8a3bb71ea..80046f7ae 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -47,11 +47,11 @@ void fs_hostname(const char *hostname) {
47 printf("Creating a new /etc/hosts file\n"); 47 printf("Creating a new /etc/hosts file\n");
48 // copy /etc/host into our new file, and modify it on the fly 48 // copy /etc/host into our new file, and modify it on the fly
49 /* coverity[toctou] */ 49 /* coverity[toctou] */
50 FILE *fp1 = fopen("/etc/hosts", "r"); 50 FILE *fp1 = fopen("/etc/hosts", "re");
51 if (!fp1) 51 if (!fp1)
52 goto errexit; 52 goto errexit;
53 53
54 FILE *fp2 = fopen(RUN_HOSTS_FILE, "w"); 54 FILE *fp2 = fopen(RUN_HOSTS_FILE, "we");
55 if (!fp2) { 55 if (!fp2) {
56 fclose(fp1); 56 fclose(fp1);
57 goto errexit; 57 goto errexit;
@@ -165,7 +165,7 @@ void fs_resolvconf(void) {
165 165
166 if (arg_debug) 166 if (arg_debug)
167 printf("Creating a new /etc/resolv.conf file\n"); 167 printf("Creating a new /etc/resolv.conf file\n");
168 FILE *fp = fopen("/etc/resolv.conf", "w"); 168 FILE *fp = fopen("/etc/resolv.conf", "wxe");
169 if (!fp) { 169 if (!fp) {
170 fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n"); 170 fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
171 exit(1); 171 exit(1);
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 85fb70854..5df356d04 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -221,7 +221,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
221 sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); 221 sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE);
222 222
223 // open the list of libraries and install them on by one 223 // open the list of libraries and install them on by one
224 FILE *fp = fopen(RUN_LIB_FILE, "r"); 224 FILE *fp = fopen(RUN_LIB_FILE, "re");
225 if (!fp) 225 if (!fp)
226 errExit("fopen"); 226 errExit("fopen");
227 227
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index 67ad4b52e..604e297b1 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -92,7 +92,7 @@ void fs_logger_print(void) {
92 if (!head) 92 if (!head)
93 return; 93 return;
94 94
95 FILE *fp = fopen(RUN_FSLOGGER_FILE, "a"); 95 FILE *fp = fopen(RUN_FSLOGGER_FILE, "ae");
96 if (!fp) { 96 if (!fp) {
97 perror("fopen"); 97 perror("fopen");
98 return; 98 return;
@@ -123,15 +123,8 @@ void fs_logger_print_log(pid_t pid) {
123 // in case the pid is that of a firejail process, use the pid of the first child process 123 // in case the pid is that of a firejail process, use the pid of the first child process
124 pid = switch_to_child(pid); 124 pid = switch_to_child(pid);
125 125
126 // check privileges for non-root users 126 // exit if no permission to join the sandbox
127 uid_t uid = getuid(); 127 check_join_permission(pid);
128 if (uid != 0) {
129 uid_t sandbox_uid = pid_get_uid(pid);
130 if (uid != sandbox_uid) {
131 fprintf(stderr, "Error: permission denied\n");
132 exit(1);
133 }
134 }
135 128
136 // print RUN_FSLOGGER_FILE 129 // print RUN_FSLOGGER_FILE
137 char *fname; 130 char *fname;
@@ -139,24 +132,16 @@ void fs_logger_print_log(pid_t pid) {
139 errExit("asprintf"); 132 errExit("asprintf");
140 133
141 EUID_ROOT(); 134 EUID_ROOT();
142 struct stat s; 135 FILE *fp = fopen(fname, "re");
143 if (stat(fname, &s) == -1 || s.st_uid != 0) { 136 free(fname);
144 fprintf(stderr, "Error: Cannot access filesystem log\n");
145 exit(1);
146 }
147
148 /* coverity[toctou] */
149 FILE *fp = fopen(fname, "r");
150 if (!fp) { 137 if (!fp) {
151 fprintf(stderr, "Error: Cannot open filesystem log\n"); 138 fprintf(stderr, "Error: Cannot open filesystem log\n");
152 exit(1); 139 exit(1);
153 } 140 }
154
155 char buf[MAXBUF]; 141 char buf[MAXBUF];
156 while (fgets(buf, MAXBUF, fp)) 142 while (fgets(buf, MAXBUF, fp))
157 printf("%s", buf); 143 printf("%s", buf);
158 fclose(fp); 144 fclose(fp);
159 free(fname);
160 145
161 exit(0); 146 exit(0);
162} 147}
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 8f939b5f5..1fc38361e 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -33,8 +33,7 @@ void fs_trace_preload(void) {
33 if (stat("/etc/ld.so.preload", &s)) { 33 if (stat("/etc/ld.so.preload", &s)) {
34 if (arg_debug) 34 if (arg_debug)
35 printf("Creating an empty /etc/ld.so.preload file\n"); 35 printf("Creating an empty /etc/ld.so.preload file\n");
36 /* coverity[toctou] */ 36 FILE *fp = fopen("/etc/ld.so.preload", "wxe");
37 FILE *fp = fopen("/etc/ld.so.preload", "w");
38 if (!fp) 37 if (!fp)
39 errExit("fopen"); 38 errExit("fopen");
40 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); 39 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
@@ -64,11 +63,11 @@ void fs_tracefile(void) {
64 if (ftruncate(fd, 0) == -1) 63 if (ftruncate(fd, 0) == -1)
65 errExit("ftruncate"); 64 errExit("ftruncate");
66 EUID_ROOT(); 65 EUID_ROOT();
67 FILE *fp = fopen(RUN_TRACE_FILE, "w"); 66 FILE *fp = fopen(RUN_TRACE_FILE, "we");
68 if (!fp) 67 if (!fp)
69 errExit("fopen " RUN_TRACE_FILE); 68 errExit("fopen " RUN_TRACE_FILE);
70 fclose(fp); 69 fclose(fp);
71 fs_logger2("touch ", arg_tracefile); 70 fs_logger2("touch", arg_tracefile);
72 // mount using the symbolic link in /proc/self/fd 71 // mount using the symbolic link in /proc/self/fd
73 if (arg_debug) 72 if (arg_debug)
74 printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE); 73 printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
@@ -88,7 +87,7 @@ void fs_trace(void) {
88 if (arg_debug) 87 if (arg_debug)
89 printf("Create the new ld.so.preload file\n"); 88 printf("Create the new ld.so.preload file\n");
90 89
91 FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w"); 90 FILE *fp = fopen(RUN_LDPRELOAD_FILE, "we");
92 if (!fp) 91 if (!fp)
93 errExit("fopen"); 92 errExit("fopen");
94 const char *prefix = RUN_FIREJAIL_LIB_DIR; 93 const char *prefix = RUN_FIREJAIL_LIB_DIR;
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index f07581cd8..bae3d6df0 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -127,7 +127,7 @@ void fs_var_log(void) {
127 127
128 // create an empty /var/log/wtmp file 128 // create an empty /var/log/wtmp file
129 /* coverity[toctou] */ 129 /* coverity[toctou] */
130 FILE *fp = fopen("/var/log/wtmp", "w"); 130 FILE *fp = fopen("/var/log/wtmp", "wxe");
131 if (fp) { 131 if (fp) {
132 SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); 132 SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
133 fclose(fp); 133 fclose(fp);
@@ -135,7 +135,7 @@ void fs_var_log(void) {
135 fs_logger("touch /var/log/wtmp"); 135 fs_logger("touch /var/log/wtmp");
136 136
137 // create an empty /var/log/btmp file 137 // create an empty /var/log/btmp file
138 fp = fopen("/var/log/btmp", "w"); 138 fp = fopen("/var/log/btmp", "wxe");
139 if (fp) { 139 if (fp) {
140 SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); 140 SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
141 fclose(fp); 141 fclose(fp);
@@ -158,8 +158,7 @@ void fs_var_lib(void) {
158 fs_logger("tmpfs /var/lib/dhcp"); 158 fs_logger("tmpfs /var/lib/dhcp");
159 159
160 // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file 160 // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file
161 FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); 161 FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "wxe");
162
163 if (fp) { 162 if (fp) {
164 fprintf(fp, "\n"); 163 fprintf(fp, "\n");
165 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); 164 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
@@ -287,7 +286,7 @@ void fs_var_utmp(void) {
287 if (stat(UTMP_FILE, &s) == 0) 286 if (stat(UTMP_FILE, &s) == 0)
288 utmp_group = s.st_gid; 287 utmp_group = s.st_gid;
289 else { 288 else {
290 fwarning("cannot find /var/run/utmp\n"); 289 fwarning("cannot find %s\n", UTMP_FILE);
291 return; 290 return;
292 } 291 }
293 292
@@ -296,7 +295,7 @@ void fs_var_utmp(void) {
296 printf("Create the new utmp file\n"); 295 printf("Create the new utmp file\n");
297 296
298 /* coverity[toctou] */ 297 /* coverity[toctou] */
299 FILE *fp = fopen(RUN_UTMP_FILE, "w"); 298 FILE *fp = fopen(RUN_UTMP_FILE, "we");
300 if (!fp) 299 if (!fp)
301 errExit("fopen"); 300 errExit("fopen");
302 301
@@ -323,5 +322,5 @@ void fs_var_utmp(void) {
323 printf("Mount the new utmp file\n"); 322 printf("Mount the new utmp file\n");
324 if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) 323 if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
325 errExit("mount bind utmp"); 324 errExit("mount bind utmp");
326 fs_logger("create /var/run/utmp"); 325 fs_logger2("create", UTMP_FILE);
327} 326}
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 1575a7469..bab4b830f 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -103,7 +103,7 @@ static void extract_x11_display(pid_t pid) {
103 if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) 103 if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
104 errExit("asprintf"); 104 errExit("asprintf");
105 105
106 FILE *fp = fopen(fname, "r"); 106 FILE *fp = fopen(fname, "re");
107 free(fname); 107 free(fname);
108 if (!fp) 108 if (!fp)
109 return; 109 return;
@@ -219,7 +219,7 @@ static void extract_caps(pid_t pid) {
219 perror("asprintf"); 219 perror("asprintf");
220 exit(1); 220 exit(1);
221 } 221 }
222 FILE *fp = fopen(file, "r"); 222 FILE *fp = fopen(file, "re");
223 if (!fp) 223 if (!fp)
224 goto errexit; 224 goto errexit;
225 225
@@ -266,7 +266,7 @@ static void extract_user_namespace(pid_t pid) {
266 char *uidmap; 266 char *uidmap;
267 if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1) 267 if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1)
268 errExit("asprintf"); 268 errExit("asprintf");
269 FILE *fp = fopen(uidmap, "r"); 269 FILE *fp = fopen(uidmap, "re");
270 if (!fp) { 270 if (!fp) {
271 free(uidmap); 271 free(uidmap);
272 return; 272 return;
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 63ef2309b..796c42290 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -221,7 +221,7 @@ void cat(const char *path) {
221 221
222 if (arg_debug) 222 if (arg_debug)
223 printf("cat %s\n", path); 223 printf("cat %s\n", path);
224 FILE *fp = fopen(path, "r"); 224 FILE *fp = fopen(path, "re");
225 if (!fp) { 225 if (!fp) {
226 fprintf(stderr, "Error: cannot read %s\n", path); 226 fprintf(stderr, "Error: cannot read %s\n", path);
227 exit(1); 227 exit(1);
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
index 7f2f6dbf3..bcac1feb4 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -99,7 +99,7 @@ static char *resolve_xdg(const char *var) {
99 99
100 if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1) 100 if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1)
101 errExit("asprintf"); 101 errExit("asprintf");
102 FILE *fp = fopen(fname, "r"); 102 FILE *fp = fopen(fname, "re");
103 if (!fp) { 103 if (!fp) {
104 free(fname); 104 free(fname);
105 return NULL; 105 return NULL;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b3524fcf5..593835843 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -116,7 +116,6 @@ int arg_private_cwd = 0; // private working directory
116int arg_scan = 0; // arp-scan all interfaces 116int arg_scan = 0; // arp-scan all interfaces
117int arg_whitelist = 0; // whitelist command 117int arg_whitelist = 0; // whitelist command
118int arg_nosound = 0; // disable sound 118int arg_nosound = 0; // disable sound
119int arg_noautopulse = 0; // disable automatic ~/.config/pulse init
120int arg_novideo = 0; //disable video devices in /dev 119int arg_novideo = 0; //disable video devices in /dev
121int arg_no3d; // disable 3d hardware acceleration 120int arg_no3d; // disable 3d hardware acceleration
122int arg_quiet = 0; // no output for scripting 121int arg_quiet = 0; // no output for scripting
@@ -125,6 +124,7 @@ int arg_join_filesystem = 0; // join only the mount namespace
125int arg_nice = 0; // nice value configured 124int arg_nice = 0; // nice value configured
126int arg_ipc = 0; // enable ipc namespace 125int arg_ipc = 0; // enable ipc namespace
127int arg_writable_etc = 0; // writable etc 126int arg_writable_etc = 0; // writable etc
127int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init
128int arg_writable_var = 0; // writable var 128int arg_writable_var = 0; // writable var
129int arg_keep_var_tmp = 0; // don't overwrite /var/tmp 129int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
130int arg_writable_run_user = 0; // writable /run/user 130int arg_writable_run_user = 0; // writable /run/user
@@ -143,6 +143,7 @@ int arg_memory_deny_write_execute = 0; // block writable and executable memory
143int arg_notv = 0; // --notv 143int arg_notv = 0; // --notv
144int arg_nodvd = 0; // --nodvd 144int arg_nodvd = 0; // --nodvd
145int arg_nou2f = 0; // --nou2f 145int arg_nou2f = 0; // --nou2f
146int arg_noinput = 0; // --noinput
146int arg_deterministic_exit_code = 0; // always exit with first child's exit status 147int arg_deterministic_exit_code = 0; // always exit with first child's exit status
147DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user 148DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user
148DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system 149DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
@@ -534,7 +535,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
534 char *fname; 535 char *fname;
535 if (asprintf(&fname, RUN_FIREJAIL_PROFILE_DIR "/%d", pid) == -1) 536 if (asprintf(&fname, RUN_FIREJAIL_PROFILE_DIR "/%d", pid) == -1)
536 errExit("asprintf"); 537 errExit("asprintf");
537 FILE *fp = fopen(fname, "r"); 538 FILE *fp = fopen(fname, "re");
538 if (!fp) { 539 if (!fp) {
539 fprintf(stderr, "Error: sandbox %s not found\n", argv[i] + 16); 540 fprintf(stderr, "Error: sandbox %s not found\n", argv[i] + 16);
540 exit(1); 541 exit(1);
@@ -1042,7 +1043,7 @@ int main(int argc, char **argv, char **envp) {
1042 preproc_build_firejail_dir(); 1043 preproc_build_firejail_dir();
1043 const char *container_name = env_get("container"); 1044 const char *container_name = env_get("container");
1044 if (!container_name || strcmp(container_name, "firejail")) { 1045 if (!container_name || strcmp(container_name, "firejail")) {
1045 lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); 1046 lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
1046 if (lockfd_directory != -1) { 1047 if (lockfd_directory != -1) {
1047 int rv = fchown(lockfd_directory, 0, 0); 1048 int rv = fchown(lockfd_directory, 0, 0);
1048 (void) rv; 1049 (void) rv;
@@ -1144,7 +1145,7 @@ int main(int argc, char **argv, char **envp) {
1144 1145
1145#ifdef DEBUG_RESTRICTED_SHELL 1146#ifdef DEBUG_RESTRICTED_SHELL
1146 {EUID_ROOT(); 1147 {EUID_ROOT();
1147 FILE *fp = fopen("/firelog", "w"); 1148 FILE *fp = fopen("/firelog", "we");
1148 if (fp) { 1149 if (fp) {
1149 int i; 1150 int i;
1150 fprintf(fp, "argc %d: ", argc); 1151 fprintf(fp, "argc %d: ", argc);
@@ -1163,7 +1164,7 @@ int main(int argc, char **argv, char **envp) {
1163 strncmp(argv[2], "scp ", 4) == 0) { 1164 strncmp(argv[2], "scp ", 4) == 0) {
1164#ifdef DEBUG_RESTRICTED_SHELL 1165#ifdef DEBUG_RESTRICTED_SHELL
1165 {EUID_ROOT(); 1166 {EUID_ROOT();
1166 FILE *fp = fopen("/firelog", "a"); 1167 FILE *fp = fopen("/firelog", "ae");
1167 if (fp) { 1168 if (fp) {
1168 fprintf(fp, "run without a sandbox\n"); 1169 fprintf(fp, "run without a sandbox\n");
1169 fclose(fp); 1170 fclose(fp);
@@ -1196,7 +1197,7 @@ int main(int argc, char **argv, char **envp) {
1196 1197
1197#ifdef DEBUG_RESTRICTED_SHELL 1198#ifdef DEBUG_RESTRICTED_SHELL
1198 {EUID_ROOT(); 1199 {EUID_ROOT();
1199 FILE *fp = fopen("/firelog", "a"); 1200 FILE *fp = fopen("/firelog", "ae");
1200 if (fp) { 1201 if (fp) {
1201 fprintf(fp, "fullargc %d: ", fullargc); 1202 fprintf(fp, "fullargc %d: ", fullargc);
1202 int i; 1203 int i;
@@ -1218,7 +1219,7 @@ int main(int argc, char **argv, char **envp) {
1218 1219
1219#ifdef DEBUG_RESTRICTED_SHELL 1220#ifdef DEBUG_RESTRICTED_SHELL
1220 {EUID_ROOT(); 1221 {EUID_ROOT();
1221 FILE *fp = fopen("/firelog", "a"); 1222 FILE *fp = fopen("/firelog", "ae");
1222 if (fp) { 1223 if (fp) {
1223 fprintf(fp, "argc %d: ", argc); 1224 fprintf(fp, "argc %d: ", argc);
1224 int i; 1225 int i;
@@ -1823,6 +1824,8 @@ int main(int argc, char **argv, char **envp) {
1823 exit(1); 1824 exit(1);
1824 } 1825 }
1825 arg_noprofile = 1; 1826 arg_noprofile = 1;
1827 // force keep-config-pulse in order to keep ~/.config/pulse as is
1828 arg_keep_config_pulse = 1;
1826 } 1829 }
1827 else if (strncmp(argv[i], "--ignore=", 9) == 0) { 1830 else if (strncmp(argv[i], "--ignore=", 9) == 0) {
1828 if (custom_profile) { 1831 if (custom_profile) {
@@ -1873,6 +1876,9 @@ int main(int argc, char **argv, char **envp) {
1873 } 1876 }
1874 arg_writable_etc = 1; 1877 arg_writable_etc = 1;
1875 } 1878 }
1879 else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
1880 arg_keep_config_pulse = 1;
1881 }
1876 else if (strcmp(argv[i], "--writable-var") == 0) { 1882 else if (strcmp(argv[i], "--writable-var") == 0) {
1877 arg_writable_var = 1; 1883 arg_writable_var = 1;
1878 } 1884 }
@@ -2075,7 +2081,7 @@ int main(int argc, char **argv, char **envp) {
2075 else if (strcmp(argv[i], "--nosound") == 0) 2081 else if (strcmp(argv[i], "--nosound") == 0)
2076 arg_nosound = 1; 2082 arg_nosound = 1;
2077 else if (strcmp(argv[i], "--noautopulse") == 0) 2083 else if (strcmp(argv[i], "--noautopulse") == 0)
2078 arg_noautopulse = 1; 2084 arg_keep_config_pulse = 1;
2079 else if (strcmp(argv[i], "--novideo") == 0) 2085 else if (strcmp(argv[i], "--novideo") == 0)
2080 arg_novideo = 1; 2086 arg_novideo = 1;
2081 else if (strcmp(argv[i], "--no3d") == 0) 2087 else if (strcmp(argv[i], "--no3d") == 0)
@@ -2086,6 +2092,8 @@ int main(int argc, char **argv, char **envp) {
2086 arg_nodvd = 1; 2092 arg_nodvd = 1;
2087 else if (strcmp(argv[i], "--nou2f") == 0) 2093 else if (strcmp(argv[i], "--nou2f") == 0)
2088 arg_nou2f = 1; 2094 arg_nou2f = 1;
2095 else if (strcmp(argv[i], "--noinput") == 0)
2096 arg_noinput = 1;
2089 else if (strcmp(argv[i], "--nodbus") == 0) { 2097 else if (strcmp(argv[i], "--nodbus") == 0) {
2090 arg_dbus_user = DBUS_POLICY_BLOCK; 2098 arg_dbus_user = DBUS_POLICY_BLOCK;
2091 arg_dbus_system = DBUS_POLICY_BLOCK; 2099 arg_dbus_system = DBUS_POLICY_BLOCK;
@@ -2847,7 +2855,7 @@ int main(int argc, char **argv, char **envp) {
2847 // check and assign an IP address - for macvlan it will be done again in the sandbox! 2855 // check and assign an IP address - for macvlan it will be done again in the sandbox!
2848 if (any_bridge_configured()) { 2856 if (any_bridge_configured()) {
2849 EUID_ROOT(); 2857 EUID_ROOT();
2850 lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); 2858 lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
2851 if (lockfd_network != -1) { 2859 if (lockfd_network != -1) {
2852 int rv = fchown(lockfd_network, 0, 0); 2860 int rv = fchown(lockfd_network, 0, 0);
2853 (void) rv; 2861 (void) rv;
@@ -2869,12 +2877,6 @@ int main(int argc, char **argv, char **envp) {
2869 } 2877 }
2870 EUID_ASSERT(); 2878 EUID_ASSERT();
2871 2879
2872 // create the parent-child communication pipe
2873 if (pipe(parent_to_child_fds) < 0)
2874 errExit("pipe");
2875 if (pipe(child_to_parent_fds) < 0)
2876 errExit("pipe");
2877
2878 if (arg_noroot && arg_overlay) { 2880 if (arg_noroot && arg_overlay) {
2879 fwarning("--overlay and --noroot are mutually exclusive, noroot disabled\n"); 2881 fwarning("--overlay and --noroot are mutually exclusive, noroot disabled\n");
2880 arg_noroot = 0; 2882 arg_noroot = 0;
@@ -2887,7 +2889,7 @@ int main(int argc, char **argv, char **envp) {
2887 2889
2888 // set name and x11 run files 2890 // set name and x11 run files
2889 EUID_ROOT(); 2891 EUID_ROOT();
2890 lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); 2892 lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
2891 if (lockfd_directory != -1) { 2893 if (lockfd_directory != -1) {
2892 int rv = fchown(lockfd_directory, 0, 0); 2894 int rv = fchown(lockfd_directory, 0, 0);
2893 (void) rv; 2895 (void) rv;
@@ -2916,6 +2918,12 @@ int main(int argc, char **argv, char **envp) {
2916 } 2918 }
2917#endif 2919#endif
2918 2920
2921 // create the parent-child communication pipe
2922 if (pipe2(parent_to_child_fds, O_CLOEXEC) < 0)
2923 errExit("pipe");
2924 if (pipe2(child_to_parent_fds, O_CLOEXEC) < 0)
2925 errExit("pipe");
2926
2919 // clone environment 2927 // clone environment
2920 int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD; 2928 int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
2921 2929
diff --git a/src/firejail/network.c b/src/firejail/network.c
index f7142cefd..289e164c6 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -217,7 +217,7 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
217 217
218#define BUFSIZE 1024 218#define BUFSIZE 1024
219uint32_t network_get_defaultgw(void) { 219uint32_t network_get_defaultgw(void) {
220 FILE *fp = fopen("/proc/self/net/route", "r"); 220 FILE *fp = fopen("/proc/self/net/route", "re");
221 if (!fp) 221 if (!fp)
222 errExit("fopen"); 222 errExit("fopen");
223 223
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index ee3c00872..d3e75bbed 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -292,7 +292,7 @@ void net_dns_print(pid_t pid) {
292 errExit("chdir"); 292 errExit("chdir");
293 293
294 // access /etc/resolv.conf 294 // access /etc/resolv.conf
295 FILE *fp = fopen("/etc/resolv.conf", "r"); 295 FILE *fp = fopen("/etc/resolv.conf", "re");
296 if (!fp) { 296 if (!fp) {
297 fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); 297 fprintf(stderr, "Error: cannot access /etc/resolv.conf\n");
298 exit(1); 298 exit(1);
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 60a82821e..0e153c47b 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -20,6 +20,7 @@
20#include "firejail.h" 20#include "firejail.h"
21#include <sys/types.h> 21#include <sys/types.h>
22#include <sys/stat.h> 22#include <sys/stat.h>
23#include <errno.h>
23#include <unistd.h> 24#include <unistd.h>
24#include <grp.h> 25#include <grp.h>
25 26
@@ -47,7 +48,7 @@ int check_namespace_virt(void) {
47 48
48 // check PID 1 container environment variable 49 // check PID 1 container environment variable
49 EUID_ROOT(); 50 EUID_ROOT();
50 FILE *fp = fopen("/proc/1/environ", "r"); 51 FILE *fp = fopen("/proc/1/environ", "re");
51 if (fp) { 52 if (fp) {
52 int c = 0; 53 int c = 0;
53 while (c != EOF) { 54 while (c != EOF) {
@@ -105,20 +106,15 @@ int check_kernel_procs(void) {
105 // look at the first 10 processes 106 // look at the first 10 processes
106 // if a kernel process is found, return 1 107 // if a kernel process is found, return 1
107 for (i = 1; i <= 10; i++) { 108 for (i = 1; i <= 10; i++) {
108 struct stat s;
109 char *fname; 109 char *fname;
110 if (asprintf(&fname, "/proc/%d/comm", i) == -1) 110 if (asprintf(&fname, "/proc/%d/comm", i) == -1)
111 errExit("asprintf"); 111 errExit("asprintf");
112 if (stat(fname, &s) == -1) {
113 free(fname);
114 continue;
115 }
116 112
117 // open file 113 // open file
118 /* coverity[toctou] */ 114 FILE *fp = fopen(fname, "re");
119 FILE *fp = fopen(fname, "r");
120 if (!fp) { 115 if (!fp) {
121 fwarning("cannot open %s\n", fname); 116 if (errno != ENOENT)
117 fwarning("cannot open %s\n", fname);
122 free(fname); 118 free(fname);
123 continue; 119 continue;
124 } 120 }
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 7f602545d..1aafd1ca2 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -164,7 +164,7 @@ void preproc_clean_run(void) {
164 int max_pids=32769; 164 int max_pids=32769;
165 int start_pid = 100; 165 int start_pid = 100;
166 // extract real max_pids 166 // extract real max_pids
167 FILE *fp = fopen("/proc/sys/kernel/pid_max", "r"); 167 FILE *fp = fopen("/proc/sys/kernel/pid_max", "re");
168 if (fp) { 168 if (fp) {
169 int val; 169 int val;
170 if (fscanf(fp, "%d", &val) == 1) { 170 if (fscanf(fp, "%d", &val) == 1) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 351b760df..dd4506ac1 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -423,7 +423,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
423 return 0; 423 return 0;
424 } 424 }
425 else if (strcmp(ptr, "noautopulse") == 0) { 425 else if (strcmp(ptr, "noautopulse") == 0) {
426 arg_noautopulse = 1; 426 arg_keep_config_pulse = 1;
427 return 0; 427 return 0;
428 } 428 }
429 else if (strcmp(ptr, "notv") == 0) { 429 else if (strcmp(ptr, "notv") == 0) {
@@ -442,6 +442,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
442 arg_no3d = 1; 442 arg_no3d = 1;
443 return 0; 443 return 0;
444 } 444 }
445 else if (strcmp(ptr, "noinput") == 0) {
446 arg_noinput = 1;
447 return 0;
448 }
445 else if (strcmp(ptr, "nodbus") == 0) { 449 else if (strcmp(ptr, "nodbus") == 0) {
446#ifdef HAVE_DBUSPROXY 450#ifdef HAVE_DBUSPROXY
447 arg_dbus_user = DBUS_POLICY_BLOCK; 451 arg_dbus_user = DBUS_POLICY_BLOCK;
@@ -1139,6 +1143,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1139 arg_machineid = 1; 1143 arg_machineid = 1;
1140 return 0; 1144 return 0;
1141 } 1145 }
1146
1147 if (strcmp(ptr, "keep-config-pulse") == 0) {
1148 arg_keep_config_pulse = 1;
1149 return 0;
1150 }
1151
1142 // writable-var 1152 // writable-var
1143 if (strcmp(ptr, "writable-var") == 0) { 1153 if (strcmp(ptr, "writable-var") == 0) {
1144 arg_writable_var = 1; 1154 arg_writable_var = 1;
@@ -1687,7 +1697,7 @@ void profile_read(const char *fname) {
1687 } 1697 }
1688 1698
1689 // open profile file: 1699 // open profile file:
1690 FILE *fp = fopen(fname, "r"); 1700 FILE *fp = fopen(fname, "re");
1691 if (fp == NULL) { 1701 if (fp == NULL) {
1692 fprintf(stderr, "Error: cannot open profile file %s\n", fname); 1702 fprintf(stderr, "Error: cannot open profile file %s\n", fname);
1693 exit(1); 1703 exit(1);
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 926af7967..f21f8c96e 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -23,7 +23,7 @@
23 23
24void protocol_filter_save(void) { 24void protocol_filter_save(void) {
25 // save protocol filter configuration in PROTOCOL_CFG 25 // save protocol filter configuration in PROTOCOL_CFG
26 FILE *fp = fopen(RUN_PROTOCOL_CFG, "w"); 26 FILE *fp = fopen(RUN_PROTOCOL_CFG, "wxe");
27 if (!fp) 27 if (!fp)
28 errExit("fopen"); 28 errExit("fopen");
29 fprintf(fp, "%s\n", cfg.protocol); 29 fprintf(fp, "%s\n", cfg.protocol);
@@ -35,7 +35,7 @@ void protocol_filter_load(const char *fname) {
35 assert(fname); 35 assert(fname);
36 36
37 // read protocol filter configuration from PROTOCOL_CFG 37 // read protocol filter configuration from PROTOCOL_CFG
38 FILE *fp = fopen(fname, "r"); 38 FILE *fp = fopen(fname, "re");
39 if (!fp) 39 if (!fp)
40 return; 40 return;
41 41
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index a50134893..1b01a71c6 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -106,7 +106,7 @@ void pulseaudio_init(void) {
106 errExit("asprintf"); 106 errExit("asprintf");
107 if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed 107 if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed
108 errExit("copy_file"); 108 errExit("copy_file");
109 FILE *fp = fopen(pulsecfg, "a"); 109 FILE *fp = fopen(pulsecfg, "ae");
110 if (!fp) 110 if (!fp)
111 errExit("fopen"); 111 errExit("fopen");
112 fprintf(fp, "%s", "\nenable-shm = no\n"); 112 fprintf(fp, "%s", "\nenable-shm = no\n");
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 8368d84a1..53e395b89 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -183,10 +183,10 @@ static void sanitize_passwd(void) {
183 183
184 // open files 184 // open files
185 /* coverity[toctou] */ 185 /* coverity[toctou] */
186 fpin = fopen("/etc/passwd", "r"); 186 fpin = fopen("/etc/passwd", "re");
187 if (!fpin) 187 if (!fpin)
188 goto errout; 188 goto errout;
189 fpout = fopen(RUN_PASSWD_FILE, "w"); 189 fpout = fopen(RUN_PASSWD_FILE, "we");
190 if (!fpout) 190 if (!fpout)
191 goto errout; 191 goto errout;
192 192
@@ -318,10 +318,10 @@ static void sanitize_group(void) {
318 318
319 // open files 319 // open files
320 /* coverity[toctou] */ 320 /* coverity[toctou] */
321 fpin = fopen("/etc/group", "r"); 321 fpin = fopen("/etc/group", "re");
322 if (!fpin) 322 if (!fpin)
323 goto errout; 323 goto errout;
324 fpout = fopen(RUN_GROUP_FILE, "w"); 324 fpout = fopen(RUN_GROUP_FILE, "we");
325 if (!fpout) 325 if (!fpout)
326 goto errout; 326 goto errout;
327 327
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index ae453f4f1..ed66903b5 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -32,7 +32,7 @@ int restricted_shell(const char *user) {
32 char *fname; 32 char *fname;
33 if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1) 33 if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1)
34 errExit("asprintf"); 34 errExit("asprintf");
35 FILE *fp = fopen(fname, "r"); 35 FILE *fp = fopen(fname, "re");
36 free(fname); 36 free(fname);
37 if (fp == NULL) 37 if (fp == NULL)
38 return 0; 38 return 0;
@@ -96,7 +96,7 @@ int restricted_shell(const char *user) {
96 fullargv[i] = ptr; 96 fullargv[i] = ptr;
97#ifdef DEBUG_RESTRICTED_SHELL 97#ifdef DEBUG_RESTRICTED_SHELL
98 {EUID_ROOT(); 98 {EUID_ROOT();
99 FILE *fp = fopen("/firelog", "a"); 99 FILE *fp = fopen("/firelog", "ae");
100 if (fp) { 100 if (fp) {
101 fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]); 101 fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]);
102 fclose(fp); 102 fclose(fp);
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index cd44f745f..c28c3e01b 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -101,7 +101,7 @@ void set_name_run_file(pid_t pid) {
101 errExit("asprintf"); 101 errExit("asprintf");
102 102
103 // the file is deleted first 103 // the file is deleted first
104 FILE *fp = fopen(fname, "w"); 104 FILE *fp = fopen(fname, "we");
105 if (!fp) { 105 if (!fp) {
106 fprintf(stderr, "Error: cannot create %s\n", fname); 106 fprintf(stderr, "Error: cannot create %s\n", fname);
107 exit(1); 107 exit(1);
@@ -120,7 +120,7 @@ void set_x11_run_file(pid_t pid, int display) {
120 errExit("asprintf"); 120 errExit("asprintf");
121 121
122 // the file is deleted first 122 // the file is deleted first
123 FILE *fp = fopen(fname, "w"); 123 FILE *fp = fopen(fname, "we");
124 if (!fp) { 124 if (!fp) {
125 fprintf(stderr, "Error: cannot create %s\n", fname); 125 fprintf(stderr, "Error: cannot create %s\n", fname);
126 exit(1); 126 exit(1);
@@ -139,7 +139,7 @@ void set_profile_run_file(pid_t pid, const char *fname) {
139 139
140 EUID_ROOT(); 140 EUID_ROOT();
141 // the file is deleted first 141 // the file is deleted first
142 FILE *fp = fopen(runfile, "w"); 142 FILE *fp = fopen(runfile, "we");
143 if (!fp) { 143 if (!fp) {
144 fprintf(stderr, "Error: cannot create %s\n", runfile); 144 fprintf(stderr, "Error: cannot create %s\n", runfile);
145 exit(1); 145 exit(1);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 743d84b43..08f0f32c9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -67,7 +67,7 @@ static void sandbox_handler(int sig){
67 if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1) 67 if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1)
68 errExit("asprintf"); 68 errExit("asprintf");
69 while (monsec) { 69 while (monsec) {
70 FILE *fp = fopen(monfile, "r"); 70 FILE *fp = fopen(monfile, "re");
71 if (!fp) 71 if (!fp)
72 break; 72 break;
73 73
@@ -162,7 +162,7 @@ static void save_nogroups(void) {
162 if (arg_nogroups == 0) 162 if (arg_nogroups == 0)
163 return; 163 return;
164 164
165 FILE *fp = fopen(RUN_GROUPS_CFG, "w"); 165 FILE *fp = fopen(RUN_GROUPS_CFG, "wxe");
166 if (fp) { 166 if (fp) {
167 fprintf(fp, "\n"); 167 fprintf(fp, "\n");
168 SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644 168 SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
@@ -1015,7 +1015,7 @@ int sandbox(void* sandbox_arg) {
1015 // disable /dev/snd 1015 // disable /dev/snd
1016 fs_dev_disable_sound(); 1016 fs_dev_disable_sound();
1017 } 1017 }
1018 else if (!arg_noautopulse) 1018 else if (!arg_keep_config_pulse)
1019 pulseaudio_init(); 1019 pulseaudio_init();
1020 1020
1021 if (arg_no3d) 1021 if (arg_no3d)
@@ -1033,6 +1033,9 @@ int sandbox(void* sandbox_arg) {
1033 if (arg_novideo) 1033 if (arg_novideo)
1034 fs_dev_disable_video(); 1034 fs_dev_disable_video();
1035 1035
1036 if (arg_noinput)
1037 fs_dev_disable_input();
1038
1036 //**************************** 1039 //****************************
1037 // set dns 1040 // set dns
1038 //**************************** 1041 //****************************
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index f9c41f661..4a8dd1bf7 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -248,7 +248,9 @@ int sbox_run(unsigned filtermask, int num, ...) {
248 va_start(valist, num); 248 va_start(valist, num);
249 249
250 // build argument list 250 // build argument list
251 char **arg = malloc((num + 1) * sizeof(char *)); 251 char **arg = calloc(num + 1, sizeof(char *));
252 if (!arg)
253 errExit("calloc");
252 int i; 254 int i;
253 for (i = 0; i < num; i++) 255 for (i = 0; i < num; i++)
254 arg[i] = va_arg(valist, char *); 256 arg[i] = va_arg(valist, char *);
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 785c29517..9670fe816 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -86,7 +86,7 @@ int seccomp_install_filters(void) {
86static void seccomp_save_file_list(const char *fname) { 86static void seccomp_save_file_list(const char *fname) {
87 assert(fname); 87 assert(fname);
88 88
89 FILE *fp = fopen(RUN_SECCOMP_LIST, "a+"); 89 FILE *fp = fopen(RUN_SECCOMP_LIST, "ae");
90 if (!fp) 90 if (!fp)
91 errExit("fopen"); 91 errExit("fopen");
92 92
@@ -99,7 +99,7 @@ static void seccomp_save_file_list(const char *fname) {
99#define MAXBUF 4096 99#define MAXBUF 4096
100static int load_file_list_flag = 0; 100static int load_file_list_flag = 0;
101void seccomp_load_file_list(void) { 101void seccomp_load_file_list(void) {
102 FILE *fp = fopen(RUN_SECCOMP_LIST, "r"); 102 FILE *fp = fopen(RUN_SECCOMP_LIST, "re");
103 if (!fp) 103 if (!fp)
104 return; // no seccomp configuration whatsoever 104 return; // no seccomp configuration whatsoever
105 105
@@ -122,7 +122,7 @@ int seccomp_load(const char *fname) {
122 assert(fname); 122 assert(fname);
123 123
124 // open filter file 124 // open filter file
125 int fd = open(fname, O_RDONLY); 125 int fd = open(fname, O_RDONLY|O_CLOEXEC);
126 if (fd == -1) 126 if (fd == -1)
127 goto errexit; 127 goto errexit;
128 128
@@ -438,7 +438,7 @@ void seccomp_print_filter(pid_t pid) {
438 if (stat(fname, &s) == -1) 438 if (stat(fname, &s) == -1)
439 goto errexit; 439 goto errexit;
440 440
441 FILE *fp = fopen(fname, "r"); 441 FILE *fp = fopen(fname, "re");
442 if (!fp) 442 if (!fp)
443 goto errexit; 443 goto errexit;
444 free(fname); 444 free(fname);
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 8fb03d0a6..fbfe1765b 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -64,7 +64,7 @@ void shut(pid_t pid) {
64 monsec--; 64 monsec--;
65 65
66 EUID_ROOT(); 66 EUID_ROOT();
67 FILE *fp = fopen(monfile, "r"); 67 FILE *fp = fopen(monfile, "re");
68 EUID_USER(); 68 EUID_USER();
69 if (!fp) { 69 if (!fp) {
70 killdone = 1; 70 killdone = 1;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 397150158..888a6ffed 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -114,7 +114,8 @@ static char *usage_str =
114 " --join-network=name|pid - join the network namespace.\n" 114 " --join-network=name|pid - join the network namespace.\n"
115#endif 115#endif
116 " --join-or-start=name|pid - join the sandbox or start a new one.\n" 116 " --join-or-start=name|pid - join the sandbox or start a new one.\n"
117 " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" 117 " --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
118 " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
118 " --keep-var-tmp - /var/tmp directory is untouched.\n" 119 " --keep-var-tmp - /var/tmp directory is untouched.\n"
119 " --list - list all sandboxes.\n" 120 " --list - list all sandboxes.\n"
120#ifdef HAVE_FILE_TRANSFER 121#ifdef HAVE_FILE_TRANSFER
@@ -154,6 +155,7 @@ static char *usage_str =
154 " --nodvd - disable DVD and audio CD devices.\n" 155 " --nodvd - disable DVD and audio CD devices.\n"
155 " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" 156 " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
156 " --nogroups - disable supplementary groups.\n" 157 " --nogroups - disable supplementary groups.\n"
158 " --noinput - disable input devices.\n"
157 " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n" 159 " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
158 " --noprofile - do not use a security profile.\n" 160 " --noprofile - do not use a security profile.\n"
159#ifdef HAVE_USERNS 161#ifdef HAVE_USERNS
diff --git a/src/firejail/util.c b/src/firejail/util.c
index def635ea7..2731f61dc 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -298,14 +298,14 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
298 assert(destname); 298 assert(destname);
299 299
300 // open source 300 // open source
301 int src = open(srcname, O_RDONLY); 301 int src = open(srcname, O_RDONLY|O_CLOEXEC);
302 if (src < 0) { 302 if (src < 0) {
303 fwarning("cannot open source file %s, file not copied\n", srcname); 303 fwarning("cannot open source file %s, file not copied\n", srcname);
304 return -1; 304 return -1;
305 } 305 }
306 306
307 // open destination 307 // open destination
308 int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 308 int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
309 if (dst < 0) { 309 if (dst < 0) {
310 fwarning("cannot open destination file %s, file not copied\n", destname); 310 fwarning("cannot open destination file %s, file not copied\n", destname);
311 close(src); 311 close(src);
@@ -348,7 +348,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
348 348
349void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { 349void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
350 // open destination 350 // open destination
351 int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 351 int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
352 if (dst < 0) { 352 if (dst < 0) {
353 fwarning("cannot open destination file %s, file not copied\n", destname); 353 fwarning("cannot open destination file %s, file not copied\n", destname);
354 return; 354 return;
@@ -361,7 +361,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
361 // drop privileges 361 // drop privileges
362 drop_privs(0); 362 drop_privs(0);
363 363
364 int src = open(srcname, O_RDONLY); 364 int src = open(srcname, O_RDONLY|O_CLOEXEC);
365 if (src < 0) { 365 if (src < 0) {
366 fwarning("cannot open source file %s, file not copied\n", srcname); 366 fwarning("cannot open source file %s, file not copied\n", srcname);
367 } else { 367 } else {
@@ -626,7 +626,7 @@ int find_child(pid_t parent, pid_t *child) {
626 perror("asprintf"); 626 perror("asprintf");
627 exit(1); 627 exit(1);
628 } 628 }
629 FILE *fp = fopen(file, "r"); 629 FILE *fp = fopen(file, "re");
630 if (!fp) { 630 if (!fp) {
631 free(file); 631 free(file);
632 continue; 632 continue;
@@ -732,7 +732,7 @@ void update_map(char *mapping, char *map_file) {
732 if (mapping[j] == ',') 732 if (mapping[j] == ',')
733 mapping[j] = '\n'; 733 mapping[j] = '\n';
734 734
735 fd = open(map_file, O_RDWR); 735 fd = open(map_file, O_RDWR|O_CLOEXEC);
736 if (fd == -1) { 736 if (fd == -1) {
737 fprintf(stderr, "Error: cannot open %s: %s\n", map_file, strerror(errno)); 737 fprintf(stderr, "Error: cannot open %s: %s\n", map_file, strerror(errno));
738 exit(EXIT_FAILURE); 738 exit(EXIT_FAILURE);
@@ -752,9 +752,9 @@ void wait_for_other(int fd) {
752 // wait for the parent to be initialized 752 // wait for the parent to be initialized
753 //**************************** 753 //****************************
754 char childstr[BUFLEN + 1]; 754 char childstr[BUFLEN + 1];
755 int newfd = dup(fd); 755 int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0);
756 if (newfd == -1) 756 if (newfd == -1)
757 errExit("dup"); 757 errExit("fcntl");
758 FILE* stream; 758 FILE* stream;
759 stream = fdopen(newfd, "r"); 759 stream = fdopen(newfd, "r");
760 *childstr = '\0'; 760 *childstr = '\0';
@@ -801,9 +801,9 @@ void wait_for_other(int fd) {
801 801
802void notify_other(int fd) { 802void notify_other(int fd) {
803 FILE* stream; 803 FILE* stream;
804 int newfd = dup(fd); 804 int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0);
805 if (newfd == -1) 805 if (newfd == -1)
806 errExit("dup"); 806 errExit("fcntl");
807 stream = fdopen(newfd, "w"); 807 stream = fdopen(newfd, "w");
808 fprintf(stream, "arg_noroot=%d\n", arg_noroot); 808 fprintf(stream, "arg_noroot=%d\n", arg_noroot);
809 fflush(stream); 809 fflush(stream);
@@ -821,7 +821,7 @@ uid_t pid_get_uid(pid_t pid) {
821 exit(1); 821 exit(1);
822 } 822 }
823 EUID_ROOT(); // grsecurity fix 823 EUID_ROOT(); // grsecurity fix
824 FILE *fp = fopen(file, "r"); 824 FILE *fp = fopen(file, "re");
825 if (!fp) { 825 if (!fp) {
826 free(file); 826 free(file);
827 fprintf(stderr, "Error: cannot open /proc file\n"); 827 fprintf(stderr, "Error: cannot open /proc file\n");
@@ -1031,8 +1031,7 @@ void create_empty_file_as_root(const char *fname, mode_t mode) {
1031 if (arg_debug) 1031 if (arg_debug)
1032 printf("Creating empty %s file\n", fname); 1032 printf("Creating empty %s file\n", fname);
1033 1033
1034 /* coverity[toctou] */ 1034 FILE *fp = fopen(fname, "wxe");
1035 FILE *fp = fopen(fname, "w");
1036 if (!fp) 1035 if (!fp)
1037 errExit("fopen"); 1036 errExit("fopen");
1038 SET_PERMS_STREAM(fp, 0, 0, mode); 1037 SET_PERMS_STREAM(fp, 0, 0, mode);
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index da0acc69c..257d376a1 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -84,7 +84,7 @@ int x11_display(void) {
84static int x11_abstract_sockets_present(void) { 84static int x11_abstract_sockets_present(void) {
85 85
86 EUID_ROOT(); // grsecurity fix 86 EUID_ROOT(); // grsecurity fix
87 FILE *fp = fopen("/proc/net/unix", "r"); 87 FILE *fp = fopen("/proc/net/unix", "re");
88 if (!fp) 88 if (!fp)
89 errExit("fopen"); 89 errExit("fopen");
90 EUID_USER(); 90 EUID_USER();
@@ -1363,7 +1363,7 @@ void fs_x11(void) {
1363 fs_logger("tmpfs /tmp/.X11-unix"); 1363 fs_logger("tmpfs /tmp/.X11-unix");
1364 1364
1365 // create an empty root-owned file which will have the desired socket bind-mounted over it 1365 // create an empty root-owned file which will have the desired socket bind-mounted over it
1366 int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL, S_IRUSR | S_IWUSR); 1366 int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
1367 if (fd < 0) 1367 if (fd < 0)
1368 errExit(x11file); 1368 errExit(x11file);
1369 close(fd); 1369 close(fd);
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 37870747d..6c34cd411 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -52,7 +52,7 @@ static void my_handler(int s){
52 52
53 if (terminal_set) 53 if (terminal_set)
54 tcsetattr(0, TCSANOW, &tlocal); 54 tcsetattr(0, TCSANOW, &tlocal);
55 exit(0); 55 _exit(0);
56} 56}
57 57
58// find the second child process for the specified pid 58// find the second child process for the specified pid
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index ee685da73..49be8d0b0 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -1,12 +1,78 @@
1.TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page" 1.TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
2.SH NAME 2.SH NAME
3profile \- Security profile file syntax for Firejail 3profile \- Security profile file syntax, and information about building new application profiles.
4 4
5.SH USAGE 5.SH SYNOPSIS
6
7Using a specific profile:
8.PP
9.RS
10.TP
11\fBfirejail \-\-profile=filename.profile
12.br
13
14.br
15Example:
16.br
17$ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage
18.br
19
20.br
21.TP
22\fBfirejail \-\-profile=profile_name
23.br
24
25.br
26Example:
27.br
28$ firejail --profile=kdenlive --appimage kdenlive.appimage
29.br
30
31.br
32.RE
33.PP
34
35
36
37Building a profile manually:
38.PP
39.RS
40Start with the template in /usr/share/doc/firejail/profile.template and modify it in a text editor.
41To integrate the program in your desktop environment copy the profile file in ~/.config/firejail
42directory and run "sudo firecfg".
43.RE
44.PP
45
46Aliases and redirections:
47.PP
48.RS
49In some cases the same profile can be used for several applications.
50One such example is LibreOffice.
51Build a regular profile for the main application, and for the rest use
52/usr/share/doc/firejail/redirect_alias-profile.template.
53.RE
54.PP
55
56Running the profile builder:
57.PP
58.RS
6.TP 59.TP
7firejail \-\-profile=filename.profile 60\fBfirejail \-\-build=appname.profile appname
61.br
62
63.br
64Example:
65.br
66$ firejail --build=blobby.profile blobby
67.br
68
69.br
70Run the program in "firejail \-\-build" and try to exercise as many program features as possible.
71The profile is extracted and saved in the current directory. Open it in a text editor and add or remove
72sandboxing options as necessary. Test again after modifying the profile. To integrate the program
73in your desktop environment copy the profile file in ~/.config/firejail directory and run "sudo firecfg".
8.RE 74.RE
9firejail \-\-profile=profile_name 75.PP
10 76
11.SH DESCRIPTION 77.SH DESCRIPTION
12Several command line options can be passed to the program using 78Several command line options can be passed to the program using
@@ -205,6 +271,10 @@ Mount-bind file1 on top of file2. This option is only available when running as
205\fBdisable-mnt 271\fBdisable-mnt
206Disable /mnt, /media, /run/mount and /run/media access. 272Disable /mnt, /media, /run/mount and /run/media access.
207.TP 273.TP
274\fBkeep-config-pulse
275Disable automatic ~/.config/pulse init, for complex setups such as remote
276pulse servers or non-standard socket paths.
277.TP
208\fBkeep-dev-shm 278\fBkeep-dev-shm
209/dev/shm directory is untouched (even with private-dev). 279/dev/shm directory is untouched (even with private-dev).
210.TP 280.TP
@@ -295,7 +365,9 @@ Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional res
295Build a new /etc in a temporary 365Build a new /etc in a temporary
296filesystem, and copy the files and directories in the list. 366filesystem, and copy the files and directories in the list.
297The files and directories in the list must be expressed as relative to 367The files and directories in the list must be expressed as relative to
298the /etc directory. 368the /etc directory, and must not contain the / character
369(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
370expressed as foo/bar -- is disallowed).
299All modifications are discarded when the sandbox is closed. 371All modifications are discarded when the sandbox is closed.
300#ifdef HAVE_PRIVATE_HOME 372#ifdef HAVE_PRIVATE_HOME
301.TP 373.TP
@@ -319,14 +391,18 @@ This feature is still under development, see \fBman 1 firejail\fR for some examp
319Build a new /opt in a temporary 391Build a new /opt in a temporary
320filesystem, and copy the files and directories in the list. 392filesystem, and copy the files and directories in the list.
321The files and directories in the list must be expressed as relative to 393The files and directories in the list must be expressed as relative to
322the /opt directory. 394the /opt directory, and must not contain the / character
395(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar --
396expressed as foo/bar -- is disallowed).
323All modifications are discarded when the sandbox is closed. 397All modifications are discarded when the sandbox is closed.
324.TP 398.TP
325\fBprivate-srv file,directory 399\fBprivate-srv file,directory
326Build a new /srv in a temporary 400Build a new /srv in a temporary
327filesystem, and copy the files and directories in the list. 401filesystem, and copy the files and directories in the list.
328The files and directories in the list must be expressed as relative to 402The files and directories in the list must be expressed as relative to
329the /srv directory. 403the /srv directory, and must not contain the / character
404(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar --
405expressed as foo/bar -- is disallowed).
330All modifications are discarded when the sandbox is closed. 406All modifications are discarded when the sandbox is closed.
331.TP 407.TP
332\fBprivate-tmp 408\fBprivate-tmp
@@ -646,9 +722,8 @@ name browser
646\fBno3d 722\fBno3d
647Disable 3D hardware acceleration. 723Disable 3D hardware acceleration.
648.TP 724.TP
649\fBnoautopulse 725\fBnoautopulse \fR(deprecated)
650Disable automatic ~/.config/pulse init, for complex setups such as remote 726See keep-config-pulse.
651pulse servers or non-standard socket paths.
652.TP 727.TP
653\fBnodvd 728\fBnodvd
654Disable DVD and audio CD devices. 729Disable DVD and audio CD devices.
@@ -668,6 +743,9 @@ Disable U2F devices.
668\fBnovideo 743\fBnovideo
669Disable video capture devices. 744Disable video capture devices.
670.TP 745.TP
746\fBnoinput
747Disable input devices.
748.TP
671\fBshell none 749\fBshell none
672Run the program directly, without a shell. 750Run the program directly, without a shell.
673 751
@@ -882,7 +960,21 @@ Join the sandbox identified by name or start a new one.
882Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". 960Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
883 961
884.SH FILES 962.SH FILES
885/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile 963.TP
964\fB/etc/firejail/appname.profile
965Global Firejail configuration consisting mainly of profiles for each application supported by default.
966
967.TP
968\fB$HOME/.config/firejail/appname.profile
969User application profiles, will take precedence over the global profiles.
970
971.TP
972\fB/usr/share/doc/firejail/profile.template
973Template for building new profiles.
974
975.TP
976\fB/usr/share/doc/firejail/redirect_alias-profile.template
977Template for aliasing/redirecting profiles.
886 978
887.SH LICENSE 979.SH LICENSE
888Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 980Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f27379a2d..68aea5857 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1052,6 +1052,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise
1052Note that in contrary to other join options there is respective profile option. 1052Note that in contrary to other join options there is respective profile option.
1053 1053
1054.TP 1054.TP
1055\fB\-\-keep-config-pulse
1056Disable automatic ~/.config/pulse init, for complex setups such as remote
1057pulse servers or non-standard socket paths.
1058.br
1059
1060.br
1061Example:
1062.br
1063$ firejail \-\-keep-config-pulse firefox
1064
1065.TP
1055\fB\-\-keep-dev-shm 1066\fB\-\-keep-dev-shm
1056/dev/shm directory is untouched (even with --private-dev) 1067/dev/shm directory is untouched (even with --private-dev)
1057.br 1068.br
@@ -1460,15 +1471,8 @@ Example:
1460$ firejail --no3d firefox 1471$ firejail --no3d firefox
1461 1472
1462.TP 1473.TP
1463\fB\-\-noautopulse 1474\fB\-\-noautopulse \fR(deprecated)
1464Disable automatic ~/.config/pulse init, for complex setups such as remote 1475See --keep-config-pulse.
1465pulse servers or non-standard socket paths.
1466.br
1467
1468.br
1469Example:
1470.br
1471$ firejail \-\-noautopulse firefox
1472 1476
1473.TP 1477.TP
1474\fB\-\-noblacklist=dirname_or_filename 1478\fB\-\-noblacklist=dirname_or_filename
@@ -1515,6 +1519,15 @@ Example:
1515.br 1519.br
1516$ firejail \-\-nodvd 1520$ firejail \-\-nodvd
1517.TP 1521.TP
1522\fB\-\-noinput
1523Disable input devices.
1524.br
1525
1526.br
1527Example:
1528.br
1529$ firejail \-\-noinput
1530.TP
1518\fB\-\-noexec=dirname_or_filename 1531\fB\-\-noexec=dirname_or_filename
1519Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. 1532Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
1520.br 1533.br
@@ -1883,7 +1896,7 @@ $
1883Build a new /etc in a temporary 1896Build a new /etc in a temporary
1884filesystem, and copy the files and directories in the list. 1897filesystem, and copy the files and directories in the list.
1885The files and directories in the list must be expressed as relative to 1898The files and directories in the list must be expressed as relative to
1886the /etc directory. 1899the /etc directory (e.g., /etc/foo must be expressed as foo).
1887If no listed file is found, /etc directory will be empty. 1900If no listed file is found, /etc directory will be empty.
1888All modifications are discarded when the sandbox is closed. 1901All modifications are discarded when the sandbox is closed.
1889.br 1902.br
@@ -1893,7 +1906,7 @@ Example:
1893.br 1906.br
1894$ firejail --private-etc=group,hostname,localtime, \\ 1907$ firejail --private-etc=group,hostname,localtime, \\
1895.br 1908.br
1896nsswitch.conf,passwd,resolv.conf,default/motd-news 1909nsswitch.conf,passwd,resolv.conf
1897#ifdef HAVE_PRIVATE_HOME 1910#ifdef HAVE_PRIVATE_HOME
1898.TP 1911.TP
1899\fB\-\-private-home=file,directory 1912\fB\-\-private-home=file,directory
@@ -1968,7 +1981,9 @@ $
1968Build a new /opt in a temporary 1981Build a new /opt in a temporary
1969filesystem, and copy the files and directories in the list. 1982filesystem, and copy the files and directories in the list.
1970The files and directories in the list must be expressed as relative to 1983The files and directories in the list must be expressed as relative to
1971the /opt directory. 1984the /opt directory, and must not contain the / character
1985(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar --
1986expressed as foo/bar -- is disallowed).
1972If no listed file is found, /opt directory will be empty. 1987If no listed file is found, /opt directory will be empty.
1973All modifications are discarded when the sandbox is closed. 1988All modifications are discarded when the sandbox is closed.
1974.br 1989.br
@@ -1983,7 +1998,9 @@ $ firejail --private-opt=firefox /opt/firefox/firefox
1983Build a new /srv in a temporary 1998Build a new /srv in a temporary
1984filesystem, and copy the files and directories in the list. 1999filesystem, and copy the files and directories in the list.
1985The files and directories in the list must be expressed as relative to 2000The files and directories in the list must be expressed as relative to
1986the /srv directory. 2001the /srv directory, and must not contain the / character
2002(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar --
2003expressed as srv/bar -- is disallowed).
1987If no listed file is found, /srv directory will be empty. 2004If no listed file is found, /srv directory will be empty.
1988All modifications are discarded when the sandbox is closed. 2005All modifications are discarded when the sandbox is closed.
1989.br 2006.br
diff --git a/src/profstats/main.c b/src/profstats/main.c
index 5035280b1..10e44bd65 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -46,6 +46,7 @@ static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc
46static int cnt_ssh = 0; 46static int cnt_ssh = 0;
47static int cnt_mdwx = 0; 47static int cnt_mdwx = 0;
48static int cnt_whitelisthome = 0; 48static int cnt_whitelisthome = 0;
49static int cnt_noroot = 0;
49 50
50static int level = 0; 51static int level = 0;
51static int arg_debug = 0; 52static int arg_debug = 0;
@@ -65,6 +66,7 @@ static int arg_mdwx = 0;
65static int arg_dbus_system_none = 0; 66static int arg_dbus_system_none = 0;
66static int arg_dbus_user_none = 0; 67static int arg_dbus_user_none = 0;
67static int arg_whitelisthome = 0; 68static int arg_whitelisthome = 0;
69static int arg_noroot = 0;
68 70
69 71
70static char *profile = NULL; 72static char *profile = NULL;
@@ -80,6 +82,7 @@ static void usage(void) {
80 printf(" --dbus-user-none - profiles without \"dbus-user none\"\n"); 82 printf(" --dbus-user-none - profiles without \"dbus-user none\"\n");
81 printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); 83 printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
82 printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); 84 printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
85 printf(" --noroot - print profiles without \"noroot\"\n");
83 printf(" --private-bin - print profiles without private-bin\n"); 86 printf(" --private-bin - print profiles without private-bin\n");
84 printf(" --private-dev - print profiles without private-dev\n"); 87 printf(" --private-dev - print profiles without private-dev\n");
85 printf(" --private-etc - print profiles without private-etc\n"); 88 printf(" --private-etc - print profiles without private-etc\n");
@@ -128,6 +131,8 @@ void process_file(const char *fname) {
128 cnt_caps++; 131 cnt_caps++;
129 else if (strncmp(ptr, "include disable-exec.inc", 24) == 0) 132 else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
130 cnt_noexec++; 133 cnt_noexec++;
134 else if (strncmp(ptr, "noroot", 6) == 0)
135 cnt_noroot++;
131 else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) 136 else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
132 cnt_whitelistvar++; 137 cnt_whitelistvar++;
133 else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || 138 else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 ||
@@ -212,6 +217,8 @@ int main(int argc, char **argv) {
212 arg_mdwx = 1; 217 arg_mdwx = 1;
213 else if (strcmp(argv[i], "--noexec") == 0) 218 else if (strcmp(argv[i], "--noexec") == 0)
214 arg_noexec = 1; 219 arg_noexec = 1;
220 else if (strcmp(argv[i], "--noroot") == 0)
221 arg_noroot = 1;
215 else if (strcmp(argv[i], "--private-bin") == 0) 222 else if (strcmp(argv[i], "--private-bin") == 0)
216 arg_privatebin = 1; 223 arg_privatebin = 1;
217 else if (strcmp(argv[i], "--private-dev") == 0) 224 else if (strcmp(argv[i], "--private-dev") == 0)
@@ -256,6 +263,7 @@ int main(int argc, char **argv) {
256 int caps = cnt_caps; 263 int caps = cnt_caps;
257 int apparmor = cnt_apparmor; 264 int apparmor = cnt_apparmor;
258 int noexec = cnt_noexec; 265 int noexec = cnt_noexec;
266 int noroot = cnt_noroot;
259 int privatebin = cnt_privatebin; 267 int privatebin = cnt_privatebin;
260 int privatetmp = cnt_privatetmp; 268 int privatetmp = cnt_privatetmp;
261 int privatedev = cnt_privatedev; 269 int privatedev = cnt_privatedev;
@@ -313,6 +321,8 @@ int main(int argc, char **argv) {
313 printf("No seccomp found in %s\n", argv[i]); 321 printf("No seccomp found in %s\n", argv[i]);
314 if (arg_noexec && noexec == cnt_noexec) 322 if (arg_noexec && noexec == cnt_noexec)
315 printf("No include disable-exec.inc found in %s\n", argv[i]); 323 printf("No include disable-exec.inc found in %s\n", argv[i]);
324 if (arg_noroot && noroot == cnt_noroot)
325 printf("No noroot found in %s\n", argv[i]);
316 if (arg_privatedev && privatedev == cnt_privatedev) 326 if (arg_privatedev && privatedev == cnt_privatedev)
317 printf("No private-dev found in %s\n", argv[i]); 327 printf("No private-dev found in %s\n", argv[i]);
318 if (arg_privatebin && privatebin == cnt_privatebin) 328 if (arg_privatebin && privatebin == cnt_privatebin)
@@ -346,6 +356,7 @@ int main(int argc, char **argv) {
346 printf(" seccomp\t\t\t%d\n", cnt_seccomp); 356 printf(" seccomp\t\t\t%d\n", cnt_seccomp);
347 printf(" capabilities\t\t%d\n", cnt_caps); 357 printf(" capabilities\t\t%d\n", cnt_caps);
348 printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); 358 printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec);
359 printf(" noroot\t\t\t%d\n", cnt_noroot);
349 printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); 360 printf(" memory-deny-write-execute\t%d\n", cnt_mdwx);
350 printf(" apparmor\t\t\t%d\n", cnt_apparmor); 361 printf(" apparmor\t\t\t%d\n", cnt_apparmor);
351 printf(" private-bin\t\t\t%d\n", cnt_privatebin); 362 printf(" private-bin\t\t\t%d\n", cnt_privatebin);
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index fd27bb35f..f1a19b86d 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -98,6 +98,7 @@ _firejail_args=(
98 '*--ignore=-[ignore command in profile files]: :' 98 '*--ignore=-[ignore command in profile files]: :'
99 '--ipc-namespace[enable a new IPC namespace]' 99 '--ipc-namespace[enable a new IPC namespace]'
100 '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' 100 '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
101 '--keep-config-pulse[disable automatic ~/.config/pulse init]'
101 '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' 102 '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
102 '--keep-var-tmp[/var/tmp directory is untouched]' 103 '--keep-var-tmp[/var/tmp directory is untouched]'
103 '--machine-id[preserve /etc/machine-id]' 104 '--machine-id[preserve /etc/machine-id]'
@@ -116,6 +117,7 @@ _firejail_args=(
116 '--nodvd[disable DVD and audio CD devices]' 117 '--nodvd[disable DVD and audio CD devices]'
117 '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' 118 '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
118 '--nogroups[disable supplementary groups]' 119 '--nogroups[disable supplementary groups]'
120 '--noinput[disable input devices]'
119 '--nonewprivs[sets the NO_NEW_PRIVS prctl]' 121 '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
120 '--nosound[disable sound system]' 122 '--nosound[disable sound system]'
121 '--nou2f[disable U2F devices]' 123 '--nou2f[disable U2F devices]'
diff --git a/test/utils/build.exp b/test/utils/build.exp
index cdc2f3b7b..7fbe969a4 100755
--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -21,35 +21,35 @@ expect {
21} 21}
22expect { 22expect {
23 timeout {puts "TESTING ERROR 2\n";exit} 23 timeout {puts "TESTING ERROR 2\n";exit}
24 "blacklist /usr/share" 24 "include whitelist-usr-share-common.inc"
25} 25}
26expect { 26expect {
27 timeout {puts "TESTING ERROR 3\n";exit} 27 timeout {puts "TESTING ERROR 3\n";exit}
28 "blacklist /var" 28 "include whitelist-var-common.inc"
29} 29}
30expect { 30expect {
31 timeout {puts "TESTING ERROR 4\n";exit} 31 timeout {puts "TESTING ERROR 4\n";exit}
32 "private-bin cat," 32 "caps.drop all"
33} 33}
34expect { 34expect {
35 timeout {puts "TESTING ERROR 5\n";exit} 35 timeout {puts "TESTING ERROR 5\n";exit}
36 "private-dev" 36 "ipc-namespace"
37} 37}
38expect { 38expect {
39 timeout {puts "TESTING ERROR 6\n";exit} 39 timeout {puts "TESTING ERROR 6\n";exit}
40 "private-etc" 40 "netfilter"
41} 41}
42expect { 42expect {
43 timeout {puts "TESTING ERROR 7\n";exit} 43 timeout {puts "TESTING ERROR 7\n";exit}
44 "private-tmp" 44 "nonewprivs"
45} 45}
46expect { 46expect {
47 timeout {puts "TESTING ERROR 8\n";exit} 47 timeout {puts "TESTING ERROR 8\n";exit}
48 "caps.drop all" 48 "noroot"
49} 49}
50expect { 50expect {
51 timeout {puts "TESTING ERROR 9\n";exit} 51 timeout {puts "TESTING ERROR 9\n";exit}
52 "nonewprivs" 52 "net none"
53} 53}
54expect { 54expect {
55 timeout {puts "TESTING ERROR 10\n";exit} 55 timeout {puts "TESTING ERROR 10\n";exit}
@@ -57,11 +57,23 @@ expect {
57} 57}
58expect { 58expect {
59 timeout {puts "TESTING ERROR 11\n";exit} 59 timeout {puts "TESTING ERROR 11\n";exit}
60 "net none" 60 "shell none"
61}
62expect {
63 timeout {puts "TESTING ERROR 11\n";exit}
64 "private-bin cat,"
61} 65}
62expect { 66expect {
63 timeout {puts "TESTING ERROR 12\n";exit} 67 timeout {puts "TESTING ERROR 12\n";exit}
64 "shell none" 68 "private-dev"
69}
70expect {
71 timeout {puts "TESTING ERROR 13\n";exit}
72 "private-etc none"
73}
74expect {
75 timeout {puts "TESTING ERROR 14\n";exit}
76 "private-tmp"
65} 77}
66after 100 78after 100
67 79
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-01 01:21:26 +0000