12 files changed, 111 insertions, 62 deletions
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 4986ac63a..f265c8406 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -6,15 +6,22 @@ include apostrophe.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.texlive20*
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -25,7 +32,10 @@ include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/apostrophe
+whitelist /usr/share/texlive
+whitelist /usr/share/texmf
 whitelist /usr/share/pandoc-*
+whitelist /usr/share/perl5
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -49,10 +59,10 @@ shell none
 tracelog
 disable-mnt
-private-bin apostrophe,pandoc,python3*
+private-bin apostrophe,fmtutil,kpsewhich,mktexfmt,pandoc,pdftex,perl,python3*,sh,xdvipdfmx,xelatex,xetex
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,texlive,X11
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 5a5e9eacd..09548c761 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -8,7 +8,10 @@ include globals.local
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
-# TOR is installed in ${HOME}
+# TOR is installed in ${HOME}.
+# NOTE: chromium-common.profile enables apparmor. To keep that intact
+# you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
+# Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/BraveSoftware
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 76a14d99b..0000de441 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -52,7 +52,7 @@ private-bin dbus-send
 private-cache
 private-dev
 private-etc alternatives,dbus-1
-private-lib libpcre2-8.so.0
+private-lib libpcre*
 private-tmp
 memory-deny-write-execute
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index 3e9dacd1e..43db95b8a 100644
--- a/etc/profile-a-l/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
@@ -10,7 +10,7 @@ noblacklist ${HOME}/.config/discordcanary
 mkdir ${HOME}/.config/discordcanary
 whitelist ${HOME}/.config/discordcanary
-private-bin discord-canary
+private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9]
 private-opt discord-canary
 # Redirect
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 1c34335d2..f55d23778 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin etr
 private-cache
 private-dev
-# private-etc alternatives,drirc,machine-id,openal
+# private-etc alternatives,drirc,machine-id,openal,passwd
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/exfalso.profile b/etc/profile-a-l/exfalso.profile
index 192858304..92e4395c5 100644
--- a/etc/profile-a-l/exfalso.profile
+++ b/etc/profile-a-l/exfalso.profile
@@ -4,58 +4,12 @@
 # Persistent local customizations
 include exfalso.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
-noblacklist ${HOME}/.quodlibet
-noblacklist ${MUSIC}
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-mkdir ${HOME}/.quodlibet
-whitelist ${HOME}/.quodlibet
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-private-bin exfalso,python*
-private-cache
-private-dev
-private-etc alternatives,fonts,group,passwd
 private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
-private-tmp
 dbus-user none
-dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+# Redirect
+include quodlibet.profile
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 2a1eb2001..50d2b923b 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -20,9 +20,9 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-#ipc-namespace - causing issues launching on archlinux
 machine-id
 # net none - breaks on older Ubuntu versions
+netfilter
 no3d
 nodvd
 nogroups
@@ -38,7 +38,7 @@ seccomp.block-secondary
 shell none
 tracelog
-private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
+private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,xdg
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile
new file mode 100644
index 000000000..77487161e
--- /dev/null
+++ b/etc/profile-a-l/firedragon.profile
@@ -0,0 +1,26 @@
+# Firejail profile for FireDragon
+# Description: Librewolf fork with enhanced KDE integration
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firedragon.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/firedragon
+noblacklist ${HOME}/.firedragon
+mkdir ${HOME}/.cache/firedragon
+mkdir ${HOME}/.firedragon
+whitelist ${HOME}/.cache/firedragon
+whitelist ${HOME}/.firedragon
+# Add the next lines to your firedragon.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+# FireDragon requires a shell to launch on Arch. We can possibly remove sh though.
+# Add the next line to your firedragon.local to enable private-bin.
+#private-bin bash,dbus-launch,dbus-send,env,firedragon,python*,sh,which
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 851a7c747..d1c18e690 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -54,9 +54,15 @@ private-bin flameshot
 private-cache
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
 private-dev
-private-tmp
+#private-tmp
 dbus-user filter
 dbus-user.own org.dharkael.Flameshot
 dbus-user.own org.flameshot.Flameshot
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.portal.Desktop
+dbus-user.talk org.gnome.Shell
+dbus-user.talk org.kde.KWin
+dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.own org.kde.*
 dbus-system none
diff --git a/etc/profile-a-l/librewolf-nightly.profile b/etc/profile-a-l/librewolf-nightly.profile
index e6c3da608..72df5a52a 100644
--- a/etc/profile-a-l/librewolf-nightly.profile
+++ b/etc/profile-a-l/librewolf-nightly.profile
@@ -6,5 +6,8 @@ include librewolf-nightly.local
 # added by included profile
 #include globals.local
+# Add the next line to your librewolf-nightly.local to enable private-bin.
+#private-bin librewolf-nightly
 # Redirect
 include librewolf.profile
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 8e891a930..0934e1271 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -18,12 +18,40 @@ whitelist ${HOME}/.librewolf
 #noblacklist ${HOME}/.mozilla
 #whitelist ${HOME}/.mozilla
-# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
+# Uncomment or put in your librewolf.local one of the following whitelist to enable KeePassXC Plugin
-# Add the next line to your librewolf.local to enable private-bin.
+# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them
-#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+# Add the next line to your librewolf.local to enable private-bin (Arch Linux).
+#private-bin dbus-launch,dbus-send,librewolf,sh
 # Add the next line to your librewolf.local to enable private-etc. Note
 # that private-etc must first be enabled in firefox-common.local.
 #private-etc librewolf
+dbus-user filter
+# Uncomment or put in your librewolf.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Uncomment or put in your librewolf.local to allow to inhibit screensavers
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Uncomment or put in your librewolf.local for plasma browser integration
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Uncomment or put in your librewolf.local to allow screen sharing under wayland.
+#whitelist ${RUNUSER}/pipewire-0
+#dbus-user.talk org.freedesktop.portal.*
+# Also uncomment or put in your librewolf.local if screen sharing sharing still
+# does not work with the above lines (might depend on the portal
+# implementation)
+#ignore noroot
+ignore dbus-user none
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/sway.profile b/etc/profile-a-l/sway.profile
new file mode 100644
index 000000000..4637419bf
--- /dev/null
+++ b/etc/profile-a-l/sway.profile
@@ -0,0 +1,19 @@
+# Firejail profile for Sway
+# Description: i3-compatible Wayland compositor 
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sway.local
+# Persistent global definitions
+include globals.local
+# all applications started in sway will run in this profile
+noblacklist ${HOME}/.config/sway
+# sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
+noblacklist ${HOME}/.config/i3
+include disable-common.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp