8 files changed, 151 insertions, 8 deletions
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
new file mode 100644
index 000000000..3d29c3817
--- /dev/null
+++ b/etc/profile-a-l/cawbird.profile
@@ -0,0 +1,46 @@
+# Firejail profile for cawbird
+# Description: Open-source Twitter client for Linux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cawbird.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/cawbird
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin cawbird
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-tmp
+# dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile
new file mode 100644
index 000000000..0628d3d01
--- /dev/null
+++ b/etc/profile-a-l/com.gitlab.newsflash.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for newsflash
+# This file is overwritten after every install/update
+# Redirect
+include newsflash.profile
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index cbeef798f..35bea4aaa 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -32,7 +32,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
+private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
new file mode 100644
index 000000000..91f0caf87
--- /dev/null
+++ b/etc/profile-a-l/freetube.profile
@@ -0,0 +1,31 @@
+# Firejail profile for freetube
+# Description: Youtube client with local subscription feature
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freetube.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/FreeTube
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc 
+include disable-xdg.inc
+mkdir ${HOME}/.config/FreeTube
+whitelist ${HOME}/.config/FreeTube
+seccomp !chroot
+shell none
+disable-mnt
+private-bin freetube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index b25b138ad..152396553 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -30,7 +30,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 # Note: On debian-based distributions the binary might be located in
 # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index bc6626598..ceb01f2a0 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -25,7 +25,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none -- breaks currency conversion
 netfilter
 no3d
 nodvd
@@ -39,6 +39,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
 private-bin gnome-calculator
@@ -47,8 +48,7 @@ private-dev
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
-# makes settings immutable
+dbus-user filter
-# dbus-user none
+dbus-user.own org.gnome.Calculator
-# dbus-system none
+dbus-user.talk ca.desrt.dconf
+dbus-system none
-# memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index 2a5d2a231..a46e47759 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -50,7 +50,9 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.Pomodoro
 dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.gnome.Shell
+dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 read-only ${HOME}
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
new file mode 100644
index 000000000..8e600a2d7
--- /dev/null
+++ b/etc/profile-a-l/homebank.profile
@@ -0,0 +1,59 @@
+# Firejail profile for homebank
+# Description: Personal finance manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include homebank.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/homebank
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/homebank
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/homebank
+whitelist /usr/share/homebank
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+nodvd
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin homebank
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11
+private-tmp
+dbus-user none
+dbus-system none
+# memory-deny-write-execute

diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile new file mode 100644 index 000000000..3d29c3817 --- /dev/null +++ b/etc/profile-a-l/cawbird.profile
@@ -0,0 +1,46 @@
		1	# Firejail profile for cawbird
		2	# Description: Open-source Twitter client for Linux
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include cawbird.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/cawbird
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-passwdmgr.inc
		16	include disable-programs.inc
		17	include disable-shell.inc
		18	include disable-xdg.inc
		19
		20	apparmor
		21	caps.drop all
		22	machine-id
		23	netfilter
		24	no3d
		25	nodvd
		26	nogroups
		27	nonewprivs
		28	noroot
		29	nosound
		30	notv
		31	nou2f
		32	novideo
		33	protocol unix,inet,inet6
		34	seccomp
		35	shell none
		36	tracelog
		37
		38	disable-mnt
		39	private-bin cawbird
		40	private-cache
		41	private-dev
		42	private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
		43	private-tmp
		44
		45	# dbus-user none
		46	dbus-system none


diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile new file mode 100644 index 000000000..0628d3d01 --- /dev/null +++ b/etc/profile-a-l/com.gitlab.newsflash.profile
@@ -0,0 +1,5 @@
		1	# Firejail profile alias for newsflash
		2	# This file is overwritten after every install/update
		3
		4	# Redirect
		5	include newsflash.profile


diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index cbeef798f..35bea4aaa 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile
@@ -32,7 +32,7 @@ novideo
32	protocol unix,inet,inet6,netlink	32	protocol unix,inet,inet6,netlink
33	seccomp !chroot	33	seccomp !chroot
34		34
35	private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh	35	private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
36	private-dev	36	private-dev
37	private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl	37	private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
38	private-tmp	38	private-tmp


diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile new file mode 100644 index 000000000..91f0caf87 --- /dev/null +++ b/etc/profile-a-l/freetube.profile
@@ -0,0 +1,31 @@
		1	# Firejail profile for freetube
		2	# Description: Youtube client with local subscription feature
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include freetube.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/FreeTube
		10
		11	include disable-devel.inc
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14	include disable-shell.inc
		15	include disable-xdg.inc
		16
		17	mkdir ${HOME}/.config/FreeTube
		18	whitelist ${HOME}/.config/FreeTube
		19
		20	seccomp !chroot
		21	shell none
		22
		23	disable-mnt
		24	private-bin freetube
		25	private-cache
		26	private-dev
		27	private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
		28	private-tmp
		29
		30	# Redirect
		31	include electron.profile


diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile index b25b138ad..152396553 100644 --- a/etc/profile-a-l/github-desktop.profile +++ b/etc/profile-a-l/github-desktop.profile
@@ -30,7 +30,7 @@ notv
30	nou2f	30	nou2f
31	novideo	31	novideo
32	protocol unix,inet,inet6,netlink	32	protocol unix,inet,inet6,netlink
33	seccomp	33	seccomp !chroot
34		34
35	# Note: On debian-based distributions the binary might be located in	35	# Note: On debian-based distributions the binary might be located in
36	# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.	36	# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.


diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile index bc6626598..ceb01f2a0 100644 --- a/etc/profile-a-l/gnome-calculator.profile +++ b/etc/profile-a-l/gnome-calculator.profile
@@ -25,7 +25,7 @@ apparmor
25	caps.drop all	25	caps.drop all
26	ipc-namespace	26	ipc-namespace
27	machine-id	27	machine-id
28	# net none	28	#net none -- breaks currency conversion
29	netfilter	29	netfilter
30	no3d	30	no3d
31	nodvd	31	nodvd
@@ -39,6 +39,7 @@ novideo
39	protocol unix,inet,inet6	39	protocol unix,inet,inet6
40	seccomp	40	seccomp
41	shell none	41	shell none
		42	tracelog
42		43
43	disable-mnt	44	disable-mnt
44	private-bin gnome-calculator	45	private-bin gnome-calculator
@@ -47,8 +48,7 @@ private-dev
47	#private-lib gdk-pixbuf-2.,gio,girepository-1.,gvfs,libgconf-2.so.,libgnutls.so.,libproxy.so.,librsvg-2.so.,libxml2.so.*	48	#private-lib gdk-pixbuf-2.,gio,girepository-1.,gvfs,libgconf-2.so.,libgnutls.so.,libproxy.so.,librsvg-2.so.,libxml2.so.*
48	private-tmp	49	private-tmp
49		50
50	# makes settings immutable	51	dbus-user filter
51	# dbus-user none	52	dbus-user.own org.gnome.Calculator
52	# dbus-system none	53	dbus-user.talk ca.desrt.dconf
53		54	dbus-system none
54	# memory-deny-write-execute


diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile index 2a5d2a231..a46e47759 100644 --- a/etc/profile-a-l/gnome-pomodoro.profile +++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -50,7 +50,9 @@ private-tmp
50	dbus-user filter	50	dbus-user filter
51	dbus-user.own org.gnome.Pomodoro	51	dbus-user.own org.gnome.Pomodoro
52	dbus-user.talk ca.desrt.dconf	52	dbus-user.talk ca.desrt.dconf
		53	dbus-user.talk org.gnome.Mutter.IdleMonitor
53	dbus-user.talk org.gnome.Shell	54	dbus-user.talk org.gnome.Shell
		55	dbus-user.talk org.freedesktop.Notifications
54	dbus-system none	56	dbus-system none
55		57
56	read-only ${HOME}	58	read-only ${HOME}


diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile new file mode 100644 index 000000000..8e600a2d7 --- /dev/null +++ b/etc/profile-a-l/homebank.profile
@@ -0,0 +1,59 @@
		1	# Firejail profile for homebank
		2	# Description: Personal finance manager
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include homebank.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/homebank
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-programs.inc
		16	include disable-passwdmgr.inc
		17	include disable-shell.inc
		18	include disable-xdg.inc
		19
		20	mkdir ${HOME}/.config/homebank
		21	whitelist ${DOWNLOADS}
		22	whitelist ${HOME}/.config/homebank
		23	whitelist /usr/share/homebank
		24	include whitelist-common.inc
		25	include whitelist-runuser-common.inc
		26	include whitelist-usr-share-common.inc
		27	include whitelist-var-common.inc
		28
		29	apparmor
		30	caps.drop all
		31	machine-id
		32	# net none
		33	netfilter
		34	nodvd
		35	no3d
		36	nodvd
		37	nogroups
		38	nonewprivs
		39	noroot
		40	nosound
		41	notv
		42	nou2f
		43	novideo
		44	protocol unix,inet,inet6
		45	seccomp
		46	shell none
		47	tracelog
		48
		49	disable-mnt
		50	private-bin homebank
		51	private-cache
		52	private-dev
		53	private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11
		54	private-tmp
		55
		56	dbus-user none
		57	dbus-system none
		58
		59	# memory-deny-write-execute