18 files changed, 100 insertions, 96 deletions
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile
index 8b70756ba..6217af780 100644
--- a/etc/profile-a-l/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/abrowser
 whitelist ${HOME}/.mozilla
 whitelist /usr/share/abrowser
-# private-etc must first be enabled in firefox-common.profile
+private-etc abrowser
-#private-etc abrowser
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
index 7d2fe143c..f5595274e 100644
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -19,8 +19,7 @@ seccomp
 ignore seccomp
 #private-bin basilisk
-# private-etc must first be enabled in firefox-common.profile
+private-etc basilisk
-#private-etc basilisk
 #private-opt basilisk
 restrict-namespaces
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index e596ec9d2..7afccf5cd 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -59,5 +59,8 @@ dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.Tracker1
 dbus-system none
-env WEBKIT_FORCE_SANDBOX=0
+# Warning: Disabling the webkit sandbox may be needed to make firejail work
+# with webkit2gtk, but this is not recommended (see #2995).
+# Add the following line to bijiben.local at your own risk:
+#env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1
 restrict-namespaces
diff --git a/etc/profile-a-l/bitwarden-desktop.profile b/etc/profile-a-l/bitwarden-desktop.profile
new file mode 100644
index 000000000..4c1994c50
--- /dev/null
+++ b/etc/profile-a-l/bitwarden-desktop.profile
@@ -0,0 +1,11 @@
+# Firejail profile for bitwarden-desktop
+# Description: A secure and free password manager for all of your devices
+# This file is overwritten after every install/update.
+# Persistent local customisations
+include bitwarden-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include bitwarden.profile
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index 1572ca572..9ed48b02d 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -6,13 +6,13 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
-# Disabled until someone reported positive feedback
-ignore include whitelist-usr-share-common.inc
 ignore noexec /tmp
 noblacklist ${HOME}/.config/Bitwarden
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 include disable-shell.inc
 mkdir ${HOME}/.config/Bitwarden
diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile
index 05e1a69f1..6218dbbe8 100644
--- a/etc/profile-a-l/cachy-browser.profile
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -26,9 +26,7 @@ whitelist /usr/share/cachy-browser
 # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,cachy-browser,sh
-# Add the next line to your cachy-browser.local to enable private-etc.
+private-etc cachy-browser
-# Note: private-etc must first be enabled in firefox-common.local.
-#private-etc cachy-browser
 dbus-user filter
 dbus-user.own org.mozilla.cachybrowser.*
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile
index d0bf9797e..bded735a9 100644
--- a/etc/profile-a-l/cliqz.profile
+++ b/etc/profile-a-l/cliqz.profile
@@ -17,8 +17,7 @@ whitelist ${HOME}/.cliqz
 whitelist ${HOME}/.config/cliqz
 whitelist /usr/share/cliqz
-# private-etc must first be enabled in firefox-common.profile
+private-etc cliqz
-#private-etc cliqz
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index c7a42e0eb..173c5b4a5 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -16,8 +16,7 @@ whitelist /usr/share/8pecxstudios
 whitelist /usr/share/cyberfox
 #private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
-# private-etc must first be enabled in firefox-common.profile
+private-etc cyberfox
-#private-etc cyberfox
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 75338eb6d..e11134616 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -12,45 +12,16 @@ noblacklist ${HOME}/.config/d-feet
 include allow-python2.inc
 include allow-python3.inc
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
 mkdir ${HOME}/.config/d-feet
 whitelist ${HOME}/.config/d-feet
 whitelist /usr/share/d-feet
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
+# breaks on Ubuntu
-caps.drop all
+ignore net none
-ipc-namespace
-#net none # breaks on Ubuntu
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-disable-mnt
 private-bin d-feet,python*
-private-cache
-private-dev
-private-etc dbus-1
-private-tmp
 #memory-deny-write-execute # breaks on Arch (see issue #1803)
-restrict-namespaces
+# Redirect
+include dbus-debug-common.profile
diff --git a/etc/profile-a-l/d-spy.profile b/etc/profile-a-l/d-spy.profile
index 9ff429ecb..2c9ef52cb 100644
--- a/etc/profile-a-l/d-spy.profile
+++ b/etc/profile-a-l/d-spy.profile
@@ -6,43 +6,7 @@ include d-spy.local
 # Persistent global definitions
 include globals.local
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-proc.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-disable-mnt
 private-bin d-spy
-private-cache
-private-dev
-private-etc dbus-1
-private-tmp
-read-only ${HOME}
+# Redirect
-restrict-namespaces
+include dbus-debug-common.profile
diff --git a/etc/profile-a-l/dbus-debug-common.profile b/etc/profile-a-l/dbus-debug-common.profile
new file mode 100644
index 000000000..0ef060f3a
--- /dev/null
+++ b/etc/profile-a-l/dbus-debug-common.profile
@@ -0,0 +1,49 @@
+# Firejail profile for dbus-debug-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dbus-debug-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc dbus-1
+private-tmp
+read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index b0ae2d49f..659d9755e 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -37,6 +37,7 @@ noinput
 nonewprivs
 noroot
 #nosound
+#notpm
 notv
 #nou2f
 novideo
diff --git a/etc/profile-a-l/dtui.profile b/etc/profile-a-l/dtui.profile
new file mode 100644
index 000000000..b85ae451b
--- /dev/null
+++ b/etc/profile-a-l/dtui.profile
@@ -0,0 +1,15 @@
+# Firejail profile for dtui
+# Description: TUI D-Bus debugger
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dtui.local
+# Persistent global definitions
+include globals.local
+private-bin dtui
+memory-deny-write-execute
+# Redirect
+include dbus-debug-common.profile
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 1af2884b6..52a439c48 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/Element
 mkdir ${HOME}/.config/Element
 whitelist ${HOME}/.config/Element
 whitelist /opt/Element
+whitelist /usr/share/element
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index ccc2dc7f6..5e3d0983d 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -92,8 +92,7 @@ include allow-python3.inc
 #private-bin keepassxc-proxy
 # Flash plugin
-# private-etc must first be enabled in firefox-common.profile and in profiles including it.
+private-etc adobe
-#private-etc adobe
 # ff2mpv
 #ignore noexec ${HOME}
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile
index b0a42fb77..19bda5454 100644
--- a/etc/profile-a-l/icecat.profile
+++ b/etc/profile-a-l/icecat.profile
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/icecat
 whitelist ${HOME}/.mozilla
 whitelist /usr/share/icecat
-# private-etc must first be enabled in firefox-common.profile
+private-etc icecat
-#private-etc icecat
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/iceweasel.profile b/etc/profile-a-l/iceweasel.profile
index badd2648a..d6a925a77 100644
--- a/etc/profile-a-l/iceweasel.profile
+++ b/etc/profile-a-l/iceweasel.profile
@@ -6,8 +6,7 @@ include iceweasel.local
 # added by included profile
 #include globals.local
-# private-etc must first be enabled in firefox-common.profile
+private-etc iceweasel
-#private-etc iceweasel
 # Redirect
 include firefox.profile
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 65a4a3787..8db82d364 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -27,9 +27,7 @@ whitelist /usr/share/librewolf
 # Add the next line to your librewolf.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,librewolf,sh
-# Add the next line to your librewolf.local to enable private-etc.
+private-etc librewolf
-# Note: private-etc must first be enabled in firefox-common.local.
-#private-etc librewolf
 dbus-user filter
 dbus-user.own io.gitlab.librewolf.*

diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile index 8b70756ba..6217af780 100644 --- a/etc/profile-a-l/abrowser.profile +++ b/etc/profile-a-l/abrowser.profile
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/abrowser
14	whitelist ${HOME}/.mozilla	14	whitelist ${HOME}/.mozilla
15	whitelist /usr/share/abrowser	15	whitelist /usr/share/abrowser
16		16
17	# private-etc must first be enabled in firefox-common.profile	17	private-etc abrowser
18	#private-etc abrowser
19		18
20	# Redirect	19	# Redirect
21	include firefox-common.profile	20	include firefox-common.profile


diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile index 7d2fe143c..f5595274e 100644 --- a/etc/profile-a-l/basilisk.profile +++ b/etc/profile-a-l/basilisk.profile
@@ -19,8 +19,7 @@ seccomp
19	ignore seccomp	19	ignore seccomp
20		20
21	#private-bin basilisk	21	#private-bin basilisk
22	# private-etc must first be enabled in firefox-common.profile	22	private-etc basilisk
23	#private-etc basilisk
24	#private-opt basilisk	23	#private-opt basilisk
25		24
26	restrict-namespaces	25	restrict-namespaces


diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile index e596ec9d2..7afccf5cd 100644 --- a/etc/profile-a-l/bijiben.profile +++ b/etc/profile-a-l/bijiben.profile
@@ -59,5 +59,8 @@ dbus-user.talk ca.desrt.dconf
59	dbus-user.talk org.freedesktop.Tracker1	59	dbus-user.talk org.freedesktop.Tracker1
60	dbus-system none	60	dbus-system none
61		61
62	env WEBKIT_FORCE_SANDBOX=0	62	# Warning: Disabling the webkit sandbox may be needed to make firejail work
		63	# with webkit2gtk, but this is not recommended (see #2995).
		64	# Add the following line to bijiben.local at your own risk:
		65	#env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1
63	restrict-namespaces	66	restrict-namespaces


diff --git a/etc/profile-a-l/bitwarden-desktop.profile b/etc/profile-a-l/bitwarden-desktop.profile new file mode 100644 index 000000000..4c1994c50 --- /dev/null +++ b/etc/profile-a-l/bitwarden-desktop.profile
@@ -0,0 +1,11 @@
		1	# Firejail profile for bitwarden-desktop
		2	# Description: A secure and free password manager for all of your devices
		3	# This file is overwritten after every install/update.
		4	# Persistent local customisations
		5	include bitwarden-desktop.local
		6	# Persistent global definitions
		7	# added by included profile
		8	#include globals.local
		9
		10	# Redirect
		11	include bitwarden.profile


diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile index 1572ca572..9ed48b02d 100644 --- a/etc/profile-a-l/bitwarden.profile +++ b/etc/profile-a-l/bitwarden.profile
@@ -6,13 +6,13 @@ include bitwarden.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	# Disabled until someone reported positive feedback
10	ignore include whitelist-usr-share-common.inc
11
12	ignore noexec /tmp	9	ignore noexec /tmp
13		10
14	noblacklist ${HOME}/.config/Bitwarden	11	noblacklist ${HOME}/.config/Bitwarden
15		12
		13	# Allow /bin/sh (blacklisted by disable-shell.inc)
		14	include allow-bin-sh.inc
		15
16	include disable-shell.inc	16	include disable-shell.inc
17		17
18	mkdir ${HOME}/.config/Bitwarden	18	mkdir ${HOME}/.config/Bitwarden


diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile index 05e1a69f1..6218dbbe8 100644 --- a/etc/profile-a-l/cachy-browser.profile +++ b/etc/profile-a-l/cachy-browser.profile
@@ -26,9 +26,7 @@ whitelist /usr/share/cachy-browser
26		26
27	# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).	27	# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
28	#private-bin dbus-launch,dbus-send,cachy-browser,sh	28	#private-bin dbus-launch,dbus-send,cachy-browser,sh
29	# Add the next line to your cachy-browser.local to enable private-etc.	29	private-etc cachy-browser
30	# Note: private-etc must first be enabled in firefox-common.local.
31	#private-etc cachy-browser
32		30
33	dbus-user filter	31	dbus-user filter
34	dbus-user.own org.mozilla.cachybrowser.*	32	dbus-user.own org.mozilla.cachybrowser.*


diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile index d0bf9797e..bded735a9 100644 --- a/etc/profile-a-l/cliqz.profile +++ b/etc/profile-a-l/cliqz.profile
@@ -17,8 +17,7 @@ whitelist ${HOME}/.cliqz
17	whitelist ${HOME}/.config/cliqz	17	whitelist ${HOME}/.config/cliqz
18	whitelist /usr/share/cliqz	18	whitelist /usr/share/cliqz
19		19
20	# private-etc must first be enabled in firefox-common.profile	20	private-etc cliqz
21	#private-etc cliqz
22		21
23	# Redirect	22	# Redirect
24	include firefox-common.profile	23	include firefox-common.profile


diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile index c7a42e0eb..173c5b4a5 100644 --- a/etc/profile-a-l/cyberfox.profile +++ b/etc/profile-a-l/cyberfox.profile
@@ -16,8 +16,7 @@ whitelist /usr/share/8pecxstudios
16	whitelist /usr/share/cyberfox	16	whitelist /usr/share/cyberfox
17		17
18	#private-bin cyberfox,dbus-launch,dbus-send,env,sh,which	18	#private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
19	# private-etc must first be enabled in firefox-common.profile	19	private-etc cyberfox
20	#private-etc cyberfox
21		20
22	# Redirect	21	# Redirect
23	include firefox-common.profile	22	include firefox-common.profile


diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile index 75338eb6d..e11134616 100644 --- a/etc/profile-a-l/d-feet.profile +++ b/etc/profile-a-l/d-feet.profile
@@ -12,45 +12,16 @@ noblacklist ${HOME}/.config/d-feet
12	include allow-python2.inc	12	include allow-python2.inc
13	include allow-python3.inc	13	include allow-python3.inc
14		14
15	include disable-common.inc
16	include disable-devel.inc
17	include disable-exec.inc
18	include disable-interpreters.inc
19	include disable-programs.inc
20	include disable-shell.inc
21	include disable-xdg.inc
22
23	mkdir ${HOME}/.config/d-feet	15	mkdir ${HOME}/.config/d-feet
24	whitelist ${HOME}/.config/d-feet	16	whitelist ${HOME}/.config/d-feet
25	whitelist /usr/share/d-feet	17	whitelist /usr/share/d-feet
26	include whitelist-common.inc
27	include whitelist-runuser-common.inc
28	include whitelist-usr-share-common.inc
29	include whitelist-var-common.inc
30		18
31	apparmor	19	# breaks on Ubuntu
32	caps.drop all	20	ignore net none
33	ipc-namespace
34	#net none # breaks on Ubuntu
35	no3d
36	nodvd
37	nogroups
38	noinput
39	nonewprivs
40	noroot
41	nosound
42	notv
43	nou2f
44	novideo
45	protocol unix
46	seccomp
47		21
48	disable-mnt
49	private-bin d-feet,python*	22	private-bin d-feet,python*
50	private-cache
51	private-dev
52	private-etc dbus-1
53	private-tmp
54		23
55	#memory-deny-write-execute # breaks on Arch (see issue #1803)	24	#memory-deny-write-execute # breaks on Arch (see issue #1803)
56	restrict-namespaces	25
		26	# Redirect
		27	include dbus-debug-common.profile


diff --git a/etc/profile-a-l/d-spy.profile b/etc/profile-a-l/d-spy.profile index 9ff429ecb..2c9ef52cb 100644 --- a/etc/profile-a-l/d-spy.profile +++ b/etc/profile-a-l/d-spy.profile
@@ -6,43 +6,7 @@ include d-spy.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	include disable-common.inc
10	include disable-devel.inc
11	include disable-exec.inc
12	include disable-interpreters.inc
13	include disable-proc.inc
14	include disable-programs.inc
15	include disable-shell.inc
16	include disable-xdg.inc
17
18	include whitelist-common.inc
19	include whitelist-runuser-common.inc
20	include whitelist-usr-share-common.inc
21	include whitelist-var-common.inc
22
23	apparmor
24	caps.drop all
25	ipc-namespace
26	net none
27	no3d
28	nodvd
29	nogroups
30	noinput
31	nonewprivs
32	noroot
33	nosound
34	notv
35	nou2f
36	novideo
37	protocol unix
38	seccomp
39
40	disable-mnt
41	private-bin d-spy	9	private-bin d-spy
42	private-cache
43	private-dev
44	private-etc dbus-1
45	private-tmp
46		10
47	read-only ${HOME}	11	# Redirect
48	restrict-namespaces	12	include dbus-debug-common.profile


diff --git a/etc/profile-a-l/dbus-debug-common.profile b/etc/profile-a-l/dbus-debug-common.profile new file mode 100644 index 000000000..0ef060f3a --- /dev/null +++ b/etc/profile-a-l/dbus-debug-common.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for dbus-debug-common
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include dbus-debug-common.local
		5	# Persistent global definitions
		6	# added by caller profile
		7	#include globals.local
		8
		9	include disable-common.inc
		10	include disable-devel.inc
		11	include disable-exec.inc
		12	include disable-interpreters.inc
		13	include disable-proc.inc
		14	include disable-programs.inc
		15	include disable-shell.inc
		16	include disable-xdg.inc
		17
		18	include whitelist-common.inc
		19	include whitelist-runuser-common.inc
		20	include whitelist-usr-share-common.inc
		21	include whitelist-var-common.inc
		22
		23	apparmor
		24	caps.drop all
		25	ipc-namespace
		26	net none
		27	no3d
		28	nodvd
		29	nogroups
		30	noinput
		31	nonewprivs
		32	noroot
		33	nosound
		34	notv
		35	nou2f
		36	novideo
		37	protocol unix
		38	seccomp
		39	seccomp.block-secondary
		40	tracelog
		41
		42	disable-mnt
		43	private-cache
		44	private-dev
		45	private-etc dbus-1
		46	private-tmp
		47
		48	read-only ${HOME}
		49	restrict-namespaces


diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index b0ae2d49f..659d9755e 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile
@@ -37,6 +37,7 @@ noinput
37	nonewprivs	37	nonewprivs
38	noroot	38	noroot
39	#nosound	39	#nosound
		40	#notpm
40	notv	41	notv
41	#nou2f	42	#nou2f
42	novideo	43	novideo


diff --git a/etc/profile-a-l/dtui.profile b/etc/profile-a-l/dtui.profile new file mode 100644 index 000000000..b85ae451b --- /dev/null +++ b/etc/profile-a-l/dtui.profile
@@ -0,0 +1,15 @@
		1	# Firejail profile for dtui
		2	# Description: TUI D-Bus debugger
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include dtui.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	private-bin dtui
		11
		12	memory-deny-write-execute
		13
		14	# Redirect
		15	include dbus-debug-common.profile


diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile index 1af2884b6..52a439c48 100644 --- a/etc/profile-a-l/element-desktop.profile +++ b/etc/profile-a-l/element-desktop.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/Element
14	mkdir ${HOME}/.config/Element	14	mkdir ${HOME}/.config/Element
15	whitelist ${HOME}/.config/Element	15	whitelist ${HOME}/.config/Element
16	whitelist /opt/Element	16	whitelist /opt/Element
		17	whitelist /usr/share/element
17		18
18	dbus-user filter	19	dbus-user filter
19	dbus-user.talk org.freedesktop.Notifications	20	dbus-user.talk org.freedesktop.Notifications


diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index ccc2dc7f6..5e3d0983d 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -92,8 +92,7 @@ include allow-python3.inc
92	#private-bin keepassxc-proxy	92	#private-bin keepassxc-proxy
93		93
94	# Flash plugin	94	# Flash plugin
95	# private-etc must first be enabled in firefox-common.profile and in profiles including it.	95	private-etc adobe
96	#private-etc adobe
97		96
98	# ff2mpv	97	# ff2mpv
99	#ignore noexec ${HOME}	98	#ignore noexec ${HOME}


diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile index b0a42fb77..19bda5454 100644 --- a/etc/profile-a-l/icecat.profile +++ b/etc/profile-a-l/icecat.profile
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/icecat
14	whitelist ${HOME}/.mozilla	14	whitelist ${HOME}/.mozilla
15	whitelist /usr/share/icecat	15	whitelist /usr/share/icecat
16		16
17	# private-etc must first be enabled in firefox-common.profile	17	private-etc icecat
18	#private-etc icecat
19		18
20	# Redirect	19	# Redirect
21	include firefox-common.profile	20	include firefox-common.profile


diff --git a/etc/profile-a-l/iceweasel.profile b/etc/profile-a-l/iceweasel.profile index badd2648a..d6a925a77 100644 --- a/etc/profile-a-l/iceweasel.profile +++ b/etc/profile-a-l/iceweasel.profile
@@ -6,8 +6,7 @@ include iceweasel.local
6	# added by included profile	6	# added by included profile
7	#include globals.local	7	#include globals.local
8		8
9	# private-etc must first be enabled in firefox-common.profile	9	private-etc iceweasel
10	#private-etc iceweasel
11		10
12	# Redirect	11	# Redirect
13	include firefox.profile	12	include firefox.profile


diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 65a4a3787..8db82d364 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile
@@ -27,9 +27,7 @@ whitelist /usr/share/librewolf
27		27
28	# Add the next line to your librewolf.local to enable private-bin (Arch Linux).	28	# Add the next line to your librewolf.local to enable private-bin (Arch Linux).
29	#private-bin dbus-launch,dbus-send,librewolf,sh	29	#private-bin dbus-launch,dbus-send,librewolf,sh
30	# Add the next line to your librewolf.local to enable private-etc.	30	private-etc librewolf
31	# Note: private-etc must first be enabled in firefox-common.local.
32	#private-etc librewolf
33		31
34	dbus-user filter	32	dbus-user filter
35	dbus-user.own io.gitlab.librewolf.*	33	dbus-user.own io.gitlab.librewolf.*