4 files changed, 106 insertions, 2 deletions

diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
new file mode 100644
index 000000000..4dfd85740
--- /dev/null
+++ b/etc/profile-a-l/chatterino.profile
@@ -0,0 +1,92 @@
+# Firejail profile for Chatterino
+# Description: Chat client for https://twitch.tv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chatterino.local
+# Persistent global definitions
+include globals.local
+
+# To upload images, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${PICTURES}
+# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${MUSIC}
+
+# Also allow access to mpv/vlc, they're usable via streamlink.
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/pulse
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/chatterino
+noblacklist ${HOME}/.local/share/vlc
+
+# Allow Lua for mpv (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Also allow read-only access to mpv/VLC, they're usable via streamlink.
+mkdir ${HOME}/.local/share/chatterino
+# VLC preferences will fail to save with read-only set.
+whitelist ${HOME}/.local/share/chatterino
+whitelist-ro ${HOME}/.config/mpv
+whitelist-ro ${HOME}/.config/pulse
+whitelist-ro ${HOME}/.config/vlc
+whitelist-ro ${HOME}/.local/share/vlc
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Streamlink+VLC doesn't seem to close properly with apparmor enabled.
+#apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+# Netlink is required for streamlink integration.
+protocol unix,inet,inet6,netlink
+# Seccomp may break browser integration.
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+# Add more private-bin lines for browsers or video players to chatterino.local if wanted.
+private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamlink,svlc,vlc
+# private-cache may cause issues with mpv (see #2838)
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11
+private-srv none
+private-tmp
+
+dbus-user filter
+dbus-user.own com.chatterino.*
+# Allow notifications.
+dbus-user.talk org.freedesktop.Notifications
+# For media player integration.
+dbus-user.talk org.freedesktop.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.own org.mpris.MediaPlayer2.chatterino
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
+
+# Prevents browsers/players from lingering after Chatterino is closed.
+#deterministic-shutdown
+# memory-deny-write-execute may break streamlink and browser integration.
+#memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/electron-hardened.inc.profile b/etc/profile-a-l/electron-hardened.inc.profile
new file mode 100644
index 000000000..eacf5cebe
--- /dev/null
+++ b/etc/profile-a-l/electron-hardened.inc.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for chrome-common-hardened.inc
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron-hardened.inc.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# Redirect
+include chrome-common-hardened.inc.profile
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index c1d337abd..c15e43399 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -22,8 +22,8 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
-#include chromium-common-hardened.inc.profile
+# Add the next line to your electron.local if your kernel allows unprivileged userns clone.
+#include electron-hardened.inc.profile
 
 apparmor
 caps.keep sys_admin,sys_chroot
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 13313cb67..60d64736e 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -35,6 +35,8 @@ include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
+# Fixme!
+apparmor-replace
 caps.drop all
 # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
 #machine-id