7 files changed, 118 insertions, 18 deletions

diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index adca38cb5..2b032e977 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -40,7 +40,7 @@ seccomp
 shell none
 tracelog
 
-private-bin atril,atril-previewer,atril-thumbnailer
+private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
 private-dev
 private-etc alternatives,fonts,ld.so.cache
 # atril uses webkit gtk to display epub files
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile
new file mode 100644
index 000000000..8be06a4b3
--- /dev/null
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -0,0 +1,61 @@
+# Firejail profile for com.github.phase1geo.minder
+# Description: Mind-mapping application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.phase1geo.minder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/minder
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/minder
+whitelist ${HOME}/.local/share/minder
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.phase1geo.minder
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,passwd,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.phase1geo.minder
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 13d830b55..fc920a065 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/dolphin-emu
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 6c0892c56..54fe6a0f9 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -17,7 +17,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-net none
 no3d
 nodvd
 nogroups
@@ -36,7 +35,4 @@ tracelog
 private-dev
 # private-tmp
 
-dbus-user none
 dbus-system none
-
-memory-deny-write-execute
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index ca7731442..4da087f7f 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -3,11 +3,15 @@
 include firefox-common-addons.local
 
 ignore include whitelist-runuser-common.inc
+ignore private-cache
 
+noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
 noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.kde/share/apps/kget
 noblacklist ${HOME}/.kde/share/apps/okular
 noblacklist ${HOME}/.kde/share/config/kgetrc
@@ -22,15 +26,19 @@ noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/kxmlgui5/okular
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.netrc
 
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
 whitelist ${HOME}/.config/gnome-mplayer
 whitelist ${HOME}/.config/kgetrc
+whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/okularpartrc
 whitelist ${HOME}/.config/okularrc
 whitelist ${HOME}/.config/pipelight-silverlight5.1
 whitelist ${HOME}/.config/pipelight-widevine
 whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.kde/share/apps/kget
 whitelist ${HOME}/.kde/share/apps/okular
 whitelist ${HOME}/.kde/share/config/kgetrc
@@ -48,6 +56,7 @@ whitelist ${HOME}/.local/share/kxmlgui5/okular
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.local/share/tridactyl
+whitelist ${HOME}/.netrc
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc
 whitelist ${HOME}/.tridactylrc
@@ -57,6 +66,9 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
+whitelist /usr/share/lua
+whitelist /usr/share/lua*
+whitelist /usr/share/vulkan
 
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python
 noblacklist ${HOME}/.local/share/gnome-shell
@@ -75,17 +87,5 @@ include allow-python3.inc
 
 # ff2mpv
 #ignore noexec ${HOME}
-#noblacklist ${HOME}/.config/mpv
-#noblacklist ${HOME}/.config/youtube-dl
-#noblacklist ${HOME}/.netrc
 #include allow-lua.inc
-#include allow-python3.inc
-#mkdir ${HOME}/.config/mpv
-#mkdir ${HOME}/.config/youtube-dl
-#whitelist ${HOME}/.config/mpv
-#whitelist ${HOME}/.config/youtube-dl
-#whitelist ${HOME}/.netrc
-#whitelist /usr/share/lua
-#whitelist /usr/share/lua*
-#whitelist /usr/share/vulkan
 #private-bin env,mpv,python3*,waf,youtube-dl
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index d56d6714e..820d5e694 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -55,5 +55,5 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
 private-tmp
 
-dbus-user none
+dbus-user filter
 dbus-system none
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile
new file mode 100644
index 000000000..226bb0008
--- /dev/null
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -0,0 +1,42 @@
+# Firejail profile for jami-gnome
+# Description: An encrypted peer-to-peer messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jami-gnome.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/jami
+noblacklist ${HOME}/.local/share/jami
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+#include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/jami
+mkdir ${HOME}/.local/share/jami
+whitelist ${HOME}/.config/jami
+whitelist ${HOME}/.local/share/jami
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+env QT_QPA_PLATFORM=xcb