6 files changed, 110 insertions, 2 deletions
diff --git a/etc/clamtk.profile b/etc/clamtk.profile
index c3b5f3ce5..a93523acc 100644
--- a/etc/clamtk.profile
+++ b/etc/clamtk.profile
@@ -24,6 +24,5 @@ shell none
 private-dev
-memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 6bac74bd6..2df014cf3 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -207,6 +207,7 @@ blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/mypaint
+blacklist ${HOME}/.config/nano
 blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/netsurf
@@ -504,6 +505,7 @@ blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.multimc5
+blacklist ${HOME}/.nanorc
 blacklist ${HOME}/.neverball
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
@@ -652,3 +654,5 @@ blacklist ${HOME}/.cache/xmms2
 blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/yandex-browser
 blacklist ${HOME}/.cache/yandex-browser-beta
+blacklist /var/games/nethack
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 8c1682291..79c878833 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -41,7 +41,7 @@ disable-mnt
 private-bin gnome-calculator
 private-cache
 private-dev
-private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
+#private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
 memory-deny-write-execute
diff --git a/etc/nano.profile b/etc/nano.profile
new file mode 100644
index 000000000..ed172b37c
--- /dev/null
+++ b/etc/nano.profile
@@ -0,0 +1,47 @@
+# Firejail profile for nano
+# Description: nano is an easy text editor for the terminal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nano.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.nanorc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# disable-mnt
+private-bin nano,rnano
+private-cache
+private-dev
+# Comment the next line if you want to edit files in /etc directly
+private-etc alternatives,nanorc
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/nethack.profile b/etc/nethack.profile
new file mode 100644
index 000000000..8f63a133a
--- /dev/null
+++ b/etc/nethack.profile
@@ -0,0 +1,47 @@
+# Firejail profile for nethack
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nethack.local
+# Persistent global definitions
+include globals.local
+noblacklist /var/games/nethack
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /var/games/nethack
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+#nonewprivs
+#noroot
+nosound
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+#memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/rnano.profile b/etc/rnano.profile
new file mode 100644
index 000000000..89c1663c4
--- /dev/null
+++ b/etc/rnano.profile
@@ -0,0 +1,11 @@
+# Firejail profile for rnano
+# Description: A restricted nano
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rnano.local
+# Persistent global definitions
+#include globals.local
+# Redirect
+include nano.profile

diff --git a/etc/clamtk.profile b/etc/clamtk.profile index c3b5f3ce5..a93523acc 100644 --- a/etc/clamtk.profile +++ b/etc/clamtk.profile
@@ -24,6 +24,5 @@ shell none
24		24
25	private-dev	25	private-dev
26		26
27	memory-deny-write-execute
28	noexec ${HOME}	27	noexec ${HOME}
29	noexec /tmp	28	noexec /tmp


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 6bac74bd6..2df014cf3 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -207,6 +207,7 @@ blacklist ${HOME}/.config/mpDris2
207	blacklist ${HOME}/.config/mpv	207	blacklist ${HOME}/.config/mpv
208	blacklist ${HOME}/.config/mupen64plus	208	blacklist ${HOME}/.config/mupen64plus
209	blacklist ${HOME}/.config/mypaint	209	blacklist ${HOME}/.config/mypaint
		210	blacklist ${HOME}/.config/nano
210	blacklist ${HOME}/.config/nautilus	211	blacklist ${HOME}/.config/nautilus
211	blacklist ${HOME}/.config/nemo	212	blacklist ${HOME}/.config/nemo
212	blacklist ${HOME}/.config/netsurf	213	blacklist ${HOME}/.config/netsurf
@@ -504,6 +505,7 @@ blacklist ${HOME}/.mpdconf
504	blacklist ${HOME}/.mplayer	505	blacklist ${HOME}/.mplayer
505	blacklist ${HOME}/.msmtprc	506	blacklist ${HOME}/.msmtprc
506	blacklist ${HOME}/.multimc5	507	blacklist ${HOME}/.multimc5
		508	blacklist ${HOME}/.nanorc
507	blacklist ${HOME}/.neverball	509	blacklist ${HOME}/.neverball
508	blacklist ${HOME}/.nv	510	blacklist ${HOME}/.nv
509	blacklist ${HOME}/.nylas-mail	511	blacklist ${HOME}/.nylas-mail
@@ -652,3 +654,5 @@ blacklist ${HOME}/.cache/xmms2
652	blacklist ${HOME}/.cache/xreader	654	blacklist ${HOME}/.cache/xreader
653	blacklist ${HOME}/.cache/yandex-browser	655	blacklist ${HOME}/.cache/yandex-browser
654	blacklist ${HOME}/.cache/yandex-browser-beta	656	blacklist ${HOME}/.cache/yandex-browser-beta
		657
		658	blacklist /var/games/nethack


diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 8c1682291..79c878833 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile
@@ -41,7 +41,7 @@ disable-mnt
41	private-bin gnome-calculator	41	private-bin gnome-calculator
42	private-cache	42	private-cache
43	private-dev	43	private-dev
44	private-lib gdk-pixbuf-2.,gio,girepository-1.,gvfs,libgconf-2.so.,libgnutls.so.,libproxy.so.,librsvg-2.so.,libxml2.so.*	44	#private-lib gdk-pixbuf-2.,gio,girepository-1.,gvfs,libgconf-2.so.,libgnutls.so.,libproxy.so.,librsvg-2.so.,libxml2.so.*
45	private-tmp	45	private-tmp
46		46
47	memory-deny-write-execute	47	memory-deny-write-execute


diff --git a/etc/nano.profile b/etc/nano.profile new file mode 100644 index 000000000..ed172b37c --- /dev/null +++ b/etc/nano.profile
@@ -0,0 +1,47 @@
		1	# Firejail profile for nano
		2	# Description: nano is an easy text editor for the terminal
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include nano.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/nano
		10	noblacklist ${HOME}/.nanorc
		11
		12	include disable-common.inc
		13	include disable-devel.inc
		14	include disable-interpreters.inc
		15	include disable-passwdmgr.inc
		16	include disable-programs.inc
		17
		18	apparmor
		19	caps.drop all
		20	ipc-namespace
		21	machine-id
		22	net none
		23	no3d
		24	nodbus
		25	nodvd
		26	nogroups
		27	nonewprivs
		28	noroot
		29	nosound
		30	notv
		31	nou2f
		32	novideo
		33	protocol unix
		34	seccomp
		35	shell none
		36	tracelog
		37
		38	# disable-mnt
		39	private-bin nano,rnano
		40	private-cache
		41	private-dev
		42	# Comment the next line if you want to edit files in /etc directly
		43	private-etc alternatives,nanorc
		44
		45	memory-deny-write-execute
		46	noexec ${HOME}
		47	noexec /tmp


diff --git a/etc/nethack.profile b/etc/nethack.profile new file mode 100644 index 000000000..8f63a133a --- /dev/null +++ b/etc/nethack.profile
@@ -0,0 +1,47 @@
		1	# Firejail profile for nethack
		2	# Description: A rogue-like single player dungeon exploration game
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include nethack.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9
		10	noblacklist /var/games/nethack
		11
		12	include disable-common.inc
		13	include disable-devel.inc
		14	include disable-interpreters.inc
		15	include disable-passwdmgr.inc
		16	include disable-programs.inc
		17
		18	whitelist /var/games/nethack
		19	include whitelist-common.inc
		20	include whitelist-var-common.inc
		21
		22	caps.drop all
		23	ipc-namespace
		24	net none
		25	no3d
		26	nodbus
		27	nodvd
		28	nogroups
		29	#nonewprivs
		30	#noroot
		31	nosound
		32	notv
		33	novideo
		34	#protocol unix,netlink
		35	#seccomp
		36	shell none
		37
		38	disable-mnt
		39	#private
		40	private-cache
		41	private-dev
		42	private-tmp
		43	writable-var
		44
		45	#memory-deny-write-execute
		46	noexec ${HOME}
		47	noexec /tmp


diff --git a/etc/rnano.profile b/etc/rnano.profile new file mode 100644 index 000000000..89c1663c4 --- /dev/null +++ b/etc/rnano.profile
@@ -0,0 +1,11 @@
		1	# Firejail profile for rnano
		2	# Description: A restricted nano
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include rnano.local
		6	# Persistent global definitions
		7	#include globals.local
		8
		9
		10	# Redirect
		11	include nano.profile