17 files changed, 167 insertions, 39 deletions
diff --git a/etc/profile-a-l/Discord.profile b/etc/profile-a-l/Discord.profile
index 3f274b21c..68fcf157f 100644
--- a/etc/profile-a-l/Discord.profile
+++ b/etc/profile-a-l/Discord.profile
@@ -3,15 +3,8 @@
 # Persistent local customizations
 include Discord.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
-noblacklist ${HOME}/.config/discord
-mkdir ${HOME}/.config/discord
-whitelist ${HOME}/.config/discord
-private-bin Discord
-private-opt Discord
 # Redirect
-include discord-common.profile
+include discord.profile
diff --git a/etc/profile-a-l/DiscordCanary.profile b/etc/profile-a-l/DiscordCanary.profile
index d24e73ed8..ee6576955 100644
--- a/etc/profile-a-l/DiscordCanary.profile
+++ b/etc/profile-a-l/DiscordCanary.profile
@@ -3,15 +3,8 @@
 # Persistent local customizations
 include DiscordCanary.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
-noblacklist ${HOME}/.config/discordcanary
-mkdir ${HOME}/.config/discordcanary
-whitelist ${HOME}/.config/discordcanary
-private-bin DiscordCanary
-private-opt DiscordCanary
 # Redirect
-include discord-common.profile
+include discord-canary.profile
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
index 0daab7dcd..bb0bc3513 100644
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -10,13 +10,10 @@ noblacklist ${HOME}/.arduino15
 noblacklist ${HOME}/Arduino
 noblacklist ${DOCUMENTS}
-# Allow java (blacklisted by disable-devel.inc)
+# Allows files commonly used by IDEs
-include allow-java.inc
+include allow-common-devel.inc
 include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index b517620db..2831fec72 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -20,7 +20,8 @@ include disable-xdg.inc
 include whitelist-var-common.inc
-apparmor
+## Enabling App Armor appears to break some Fedora / Arch installs
+#apparmor
 caps.drop all
 net none
 no3d
diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile
new file mode 100644
index 000000000..b042ac189
--- /dev/null
+++ b/etc/profile-a-l/chafa.profile
@@ -0,0 +1,55 @@
+# Firejail profile for chafa
+# Description: A terminal-based image viewer and image-to-text converter.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chafa.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+# Add the following to your chafa.local if you do not need to view images in
+# /usr/share.
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp socket
+seccomp.block-secondary
+tracelog
+x11 none
+private-bin chafa
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
+read-only ${HOME}
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile
index 4ee61b66d..20d5657eb 100644
--- a/etc/profile-a-l/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
@@ -10,8 +10,12 @@ noblacklist ${HOME}/.cache/darktable
 noblacklist ${HOME}/.config/darktable
 noblacklist ${PICTURES}
+# Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -33,7 +37,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
-#private-bin darktable
+#private-bin darktable,exiftool,perl
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index f1056482c..c1f0e3a14 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.kde4/share/apps/digikam
 noblacklist ${HOME}/.local/share/kxmlgui5/digikam
 noblacklist ${PICTURES}
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index 43db95b8a..245b07b8d 100644
--- a/etc/profile-a-l/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
@@ -10,8 +10,8 @@ noblacklist ${HOME}/.config/discordcanary
 mkdir ${HOME}/.config/discordcanary
 whitelist ${HOME}/.config/discordcanary
-private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9]
+private-bin discord-canary,DiscordCanary
-private-opt discord-canary
+private-opt discord-canary,DiscordCanary
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index c04e38899..bf49c8d48 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -23,7 +23,7 @@ ignore novideo
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
-private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
+private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
 join-or-start discord
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
index 8ef02a30f..02d1c65cd 100644
--- a/etc/profile-a-l/discord.profile
+++ b/etc/profile-a-l/discord.profile
@@ -10,8 +10,8 @@ noblacklist ${HOME}/.config/discord
 mkdir ${HOME}/.config/discord
 whitelist ${HOME}/.config/discord
-private-bin discord
+private-bin discord,Discord
-private-opt discord
+private-opt discord,Discord
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/firefox-developer-edition.profile b/etc/profile-a-l/firefox-developer-edition.profile
index 3a9b8cf92..8c7ca3887 100644
--- a/etc/profile-a-l/firefox-developer-edition.profile
+++ b/etc/profile-a-l/firefox-developer-edition.profile
@@ -7,9 +7,5 @@ include firefox-developer-edition.local
 # added by included profile
 #include globals.local
-# Edition-specific DBus filters
-dbus-user.own org.mozilla.FirefoxDeveloperEdition.*
-dbus-user.own org.mozilla.firefoxdeveloperedition.*
 # Redirect
 include firefox.profile
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 9138fed90..0e1d30958 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -17,6 +17,7 @@ include globals.local
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${RUNUSER}/*firefox*
+noblacklist ${RUNUSER}/psd/*firefox*
 blacklist /usr/libexec
@@ -37,6 +38,7 @@ whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 whitelist ${RUNUSER}/*firefox*
+whitelist ${RUNUSER}/psd/*firefox*
 include whitelist-usr-share-common.inc
 # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
@@ -47,8 +49,7 @@ include whitelist-usr-share-common.inc
 #private-etc firefox
 dbus-user filter
-dbus-user.own org.mozilla.Firefox.*
+dbus-user.own org.mozilla.*
-dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
 # Add the next line to your firefox.local to enable native notifications.
 #dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile
new file mode 100644
index 000000000..783183bea
--- /dev/null
+++ b/etc/profile-a-l/gdu.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gdu
+# Description: Fast disk usage analyzer with console interface
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gdu.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+include disable-exec.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+seccomp.block-secondary
+x11 none
+private-dev
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+# gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features.
+# Depending on workflow and use case the sandbox can be hardened by adding the
+# lines below to your gdu.local if you don't need/want these functionalities.
+#include disable-shell.inc
+#private-bin gdu
+#read-only ${HOME}
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index 81574517d..268c3b334 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/geeqie
 noblacklist ${HOME}/.config/geeqie
 noblacklist ${HOME}/.local/share/geeqie
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/profile-a-l/gtk-lbry-viewer.profile b/etc/profile-a-l/gtk-lbry-viewer.profile
new file mode 100644
index 000000000..e1fb53b16
--- /dev/null
+++ b/etc/profile-a-l/gtk-lbry-viewer.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gtk-lbry-viewer
+# Description: Gtk front-end to lbry-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-lbry-viewer.local
+# added by included profile
+#include globals.local
+ignore quiet
+# Redirect
+include lbry-viewer.profile
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
index fc142e2dc..d4587a303 100644
--- a/etc/profile-a-l/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -13,6 +13,9 @@ noblacklist ${PICTURES}
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -35,7 +38,7 @@ novideo
 protocol unix
 seccomp
-private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize
+private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/lbry-viewer.profile b/etc/profile-a-l/lbry-viewer.profile
new file mode 100644
index 000000000..f6a02ac83
--- /dev/null
+++ b/etc/profile-a-l/lbry-viewer.profile
@@ -0,0 +1,21 @@
+# Firejail profile for lbry-viewer
+# Description:CLI for searching and playing videos from LBRY, with the Librarian frontend
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lbry-viewer.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/lbry-viewer
+noblacklist ${HOME}/.config/lbry-viewer
+mkdir ${HOME}/.config/lbry-viewer
+mkdir ${HOME}/.cache/lbry-viewer
+whitelist ${HOME}/.cache/lbry-viewer
+whitelist ${HOME}/.config/lbry-viewer
+private-bin gtk-lbry-viewer,lbry-viewer
+# Redirect
+include youtube-viewers-common.profile

diff --git a/etc/profile-a-l/Discord.profile b/etc/profile-a-l/Discord.profile index 3f274b21c..68fcf157f 100644 --- a/etc/profile-a-l/Discord.profile +++ b/etc/profile-a-l/Discord.profile
@@ -3,15 +3,8 @@
3	# Persistent local customizations	3	# Persistent local customizations
4	include Discord.local	4	include Discord.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include globals.local	6	# added by included profile
7		7	#include globals.local
8	noblacklist ${HOME}/.config/discord
9
10	mkdir ${HOME}/.config/discord
11	whitelist ${HOME}/.config/discord
12
13	private-bin Discord
14	private-opt Discord
15		8
16	# Redirect	9	# Redirect
17	include discord-common.profile	10	include discord.profile


diff --git a/etc/profile-a-l/DiscordCanary.profile b/etc/profile-a-l/DiscordCanary.profile index d24e73ed8..ee6576955 100644 --- a/etc/profile-a-l/DiscordCanary.profile +++ b/etc/profile-a-l/DiscordCanary.profile
@@ -3,15 +3,8 @@
3	# Persistent local customizations	3	# Persistent local customizations
4	include DiscordCanary.local	4	include DiscordCanary.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include globals.local	6	# added by included profile
7		7	#include globals.local
8	noblacklist ${HOME}/.config/discordcanary
9
10	mkdir ${HOME}/.config/discordcanary
11	whitelist ${HOME}/.config/discordcanary
12
13	private-bin DiscordCanary
14	private-opt DiscordCanary
15		8
16	# Redirect	9	# Redirect
17	include discord-common.profile	10	include discord-canary.profile


diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile index 0daab7dcd..bb0bc3513 100644 --- a/etc/profile-a-l/arduino.profile +++ b/etc/profile-a-l/arduino.profile
@@ -10,13 +10,10 @@ noblacklist ${HOME}/.arduino15
10	noblacklist ${HOME}/Arduino	10	noblacklist ${HOME}/Arduino
11	noblacklist ${DOCUMENTS}	11	noblacklist ${DOCUMENTS}
12		12
13	# Allow java (blacklisted by disable-devel.inc)	13	# Allows files commonly used by IDEs
14	include allow-java.inc	14	include allow-common-devel.inc
15		15
16	include disable-common.inc	16	include disable-common.inc
17	include disable-devel.inc
18	include disable-exec.inc
19	include disable-interpreters.inc
20	include disable-programs.inc	17	include disable-programs.inc
21	include disable-xdg.inc	18	include disable-xdg.inc
22		19


diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index b517620db..2831fec72 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile
@@ -20,7 +20,8 @@ include disable-xdg.inc
20		20
21	include whitelist-var-common.inc	21	include whitelist-var-common.inc
22		22
23	apparmor	23	## Enabling App Armor appears to break some Fedora / Arch installs
		24	#apparmor
24	caps.drop all	25	caps.drop all
25	net none	26	net none
26	no3d	27	no3d


diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile new file mode 100644 index 000000000..b042ac189 --- /dev/null +++ b/etc/profile-a-l/chafa.profile
@@ -0,0 +1,55 @@
		1	# Firejail profile for chafa
		2	# Description: A terminal-based image viewer and image-to-text converter.
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include chafa.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	blacklist ${RUNUSER}
		10	blacklist /usr/libexec
		11
		12	include disable-common.inc
		13	include disable-devel.inc
		14	include disable-exec.inc
		15	include disable-interpreters.inc
		16	include disable-proc.inc
		17	include disable-programs.inc
		18	include disable-shell.inc
		19	include disable-write-mnt.inc
		20
		21	include whitelist-run-common.inc
		22	include whitelist-runuser-common.inc
		23	# Add the following to your chafa.local if you do not need to view images in
		24	# /usr/share.
		25	#include whitelist-usr-share-common.inc
		26	include whitelist-var-common.inc
		27
		28	apparmor
		29	caps.drop all
		30	machine-id
		31	net none
		32	no3d
		33	nodvd
		34	nogroups
		35	noinput
		36	nonewprivs
		37	noroot
		38	nosound
		39	notv
		40	nou2f
		41	novideo
		42	seccomp socket
		43	seccomp.block-secondary
		44	tracelog
		45	x11 none
		46
		47	private-bin chafa
		48	private-cache
		49	private-dev
		50	private-tmp
		51
		52	dbus-user none
		53	dbus-system none
		54
		55	read-only ${HOME}


diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile index 4ee61b66d..20d5657eb 100644 --- a/etc/profile-a-l/darktable.profile +++ b/etc/profile-a-l/darktable.profile
@@ -10,8 +10,12 @@ noblacklist ${HOME}/.cache/darktable
10	noblacklist ${HOME}/.config/darktable	10	noblacklist ${HOME}/.config/darktable
11	noblacklist ${PICTURES}	11	noblacklist ${PICTURES}
12		12
		13	# Allow lua (blacklisted by disable-interpreters.inc)
13	include allow-lua.inc	14	include allow-lua.inc
14		15
		16	# Allow perl (blacklisted by disable-interpreters.inc)
		17	include allow-perl.inc
		18
15	include disable-common.inc	19	include disable-common.inc
16	include disable-devel.inc	20	include disable-devel.inc
17	include disable-exec.inc	21	include disable-exec.inc
@@ -33,7 +37,7 @@ novideo
33	protocol unix,inet,inet6	37	protocol unix,inet,inet6
34	seccomp	38	seccomp
35		39
36	#private-bin darktable	40	#private-bin darktable,exiftool,perl
37	private-dev	41	private-dev
38	private-tmp	42	private-tmp
39		43


diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile index f1056482c..c1f0e3a14 100644 --- a/etc/profile-a-l/digikam.profile +++ b/etc/profile-a-l/digikam.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.kde4/share/apps/digikam
13	noblacklist ${HOME}/.local/share/kxmlgui5/digikam	13	noblacklist ${HOME}/.local/share/kxmlgui5/digikam
14	noblacklist ${PICTURES}	14	noblacklist ${PICTURES}
15		15
		16	# Allow perl (blacklisted by disable-interpreters.inc)
		17	include allow-perl.inc
		18
16	include disable-common.inc	19	include disable-common.inc
17	include disable-devel.inc	20	include disable-devel.inc
18	include disable-exec.inc	21	include disable-exec.inc


diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile index 43db95b8a..245b07b8d 100644 --- a/etc/profile-a-l/discord-canary.profile +++ b/etc/profile-a-l/discord-canary.profile
@@ -10,8 +10,8 @@ noblacklist ${HOME}/.config/discordcanary
10	mkdir ${HOME}/.config/discordcanary	10	mkdir ${HOME}/.config/discordcanary
11	whitelist ${HOME}/.config/discordcanary	11	whitelist ${HOME}/.config/discordcanary
12		12
13	private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9]	13	private-bin discord-canary,DiscordCanary
14	private-opt discord-canary	14	private-opt discord-canary,DiscordCanary
15		15
16	# Redirect	16	# Redirect
17	include discord-common.profile	17	include discord-common.profile


diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index c04e38899..bf49c8d48 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile
@@ -23,7 +23,7 @@ ignore novideo
23	whitelist ${HOME}/.config/BetterDiscord	23	whitelist ${HOME}/.config/BetterDiscord
24	whitelist ${HOME}/.local/share/betterdiscordctl	24	whitelist ${HOME}/.local/share/betterdiscordctl
25		25
26	private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh	26	private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh
27	private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl	27	private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
28		28
29	join-or-start discord	29	join-or-start discord


diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile index 8ef02a30f..02d1c65cd 100644 --- a/etc/profile-a-l/discord.profile +++ b/etc/profile-a-l/discord.profile
@@ -10,8 +10,8 @@ noblacklist ${HOME}/.config/discord
10	mkdir ${HOME}/.config/discord	10	mkdir ${HOME}/.config/discord
11	whitelist ${HOME}/.config/discord	11	whitelist ${HOME}/.config/discord
12		12
13	private-bin discord	13	private-bin discord,Discord
14	private-opt discord	14	private-opt discord,Discord
15		15
16	# Redirect	16	# Redirect
17	include discord-common.profile	17	include discord-common.profile


diff --git a/etc/profile-a-l/firefox-developer-edition.profile b/etc/profile-a-l/firefox-developer-edition.profile index 3a9b8cf92..8c7ca3887 100644 --- a/etc/profile-a-l/firefox-developer-edition.profile +++ b/etc/profile-a-l/firefox-developer-edition.profile
@@ -7,9 +7,5 @@ include firefox-developer-edition.local
7	# added by included profile	7	# added by included profile
8	#include globals.local	8	#include globals.local
9		9
10	# Edition-specific DBus filters
11	dbus-user.own org.mozilla.FirefoxDeveloperEdition.*
12	dbus-user.own org.mozilla.firefoxdeveloperedition.*
13
14	# Redirect	10	# Redirect
15	include firefox.profile	11	include firefox.profile


diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 9138fed90..0e1d30958 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile
@@ -17,6 +17,7 @@ include globals.local
17	noblacklist ${HOME}/.cache/mozilla	17	noblacklist ${HOME}/.cache/mozilla
18	noblacklist ${HOME}/.mozilla	18	noblacklist ${HOME}/.mozilla
19	noblacklist ${RUNUSER}/firefox	19	noblacklist ${RUNUSER}/firefox
		20	noblacklist ${RUNUSER}/psd/firefox
20		21
21	blacklist /usr/libexec	22	blacklist /usr/libexec
22		23
@@ -37,6 +38,7 @@ whitelist /usr/share/gtk-doc/html
37	whitelist /usr/share/mozilla	38	whitelist /usr/share/mozilla
38	whitelist /usr/share/webext	39	whitelist /usr/share/webext
39	whitelist ${RUNUSER}/firefox	40	whitelist ${RUNUSER}/firefox
		41	whitelist ${RUNUSER}/psd/firefox
40	include whitelist-usr-share-common.inc	42	include whitelist-usr-share-common.inc
41		43
42	# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.	44	# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
@@ -47,8 +49,7 @@ include whitelist-usr-share-common.inc
47	#private-etc firefox	49	#private-etc firefox
48		50
49	dbus-user filter	51	dbus-user filter
50	dbus-user.own org.mozilla.Firefox.*	52	dbus-user.own org.mozilla.*
51	dbus-user.own org.mozilla.firefox.*
52	dbus-user.own org.mpris.MediaPlayer2.firefox.*	53	dbus-user.own org.mpris.MediaPlayer2.firefox.*
53	# Add the next line to your firefox.local to enable native notifications.	54	# Add the next line to your firefox.local to enable native notifications.
54	#dbus-user.talk org.freedesktop.Notifications	55	#dbus-user.talk org.freedesktop.Notifications


diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile new file mode 100644 index 000000000..783183bea --- /dev/null +++ b/etc/profile-a-l/gdu.profile
@@ -0,0 +1,46 @@
		1	# Firejail profile for gdu
		2	# Description: Fast disk usage analyzer with console interface
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include gdu.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	blacklist ${RUNUSER}/wayland-*
		11
		12	include disable-exec.inc
		13
		14	apparmor
		15	caps.drop all
		16	ipc-namespace
		17	machine-id
		18	net none
		19	no3d
		20	nodvd
		21	nogroups
		22	noinput
		23	nonewprivs
		24	noroot
		25	nosound
		26	notv
		27	nou2f
		28	novideo
		29	# block the socket syscall to simulate an be empty protocol line, see #639
		30	seccomp socket
		31	seccomp.block-secondary
		32	x11 none
		33
		34	private-dev
		35
		36	dbus-user none
		37	dbus-system none
		38
		39	memory-deny-write-execute
		40
		41	# gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features.
		42	# Depending on workflow and use case the sandbox can be hardened by adding the
		43	# lines below to your gdu.local if you don't need/want these functionalities.
		44	#include disable-shell.inc
		45	#private-bin gdu
		46	#read-only ${HOME}


diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile index 81574517d..268c3b334 100644 --- a/etc/profile-a-l/geeqie.profile +++ b/etc/profile-a-l/geeqie.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/geeqie
10	noblacklist ${HOME}/.config/geeqie	10	noblacklist ${HOME}/.config/geeqie
11	noblacklist ${HOME}/.local/share/geeqie	11	noblacklist ${HOME}/.local/share/geeqie
12		12
		13	# Allow perl (blacklisted by disable-interpreters.inc)
		14	include allow-perl.inc
		15
13	include disable-common.inc	16	include disable-common.inc
14	include disable-devel.inc	17	include disable-devel.inc
15	include disable-interpreters.inc	18	include disable-interpreters.inc


diff --git a/etc/profile-a-l/gtk-lbry-viewer.profile b/etc/profile-a-l/gtk-lbry-viewer.profile new file mode 100644 index 000000000..e1fb53b16 --- /dev/null +++ b/etc/profile-a-l/gtk-lbry-viewer.profile
@@ -0,0 +1,12 @@
		1	# Firejail profile for gtk-lbry-viewer
		2	# Description: Gtk front-end to lbry-viewer
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gtk-lbry-viewer.local
		6	# added by included profile
		7	#include globals.local
		8
		9	ignore quiet
		10
		11	# Redirect
		12	include lbry-viewer.profile


diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile index fc142e2dc..d4587a303 100644 --- a/etc/profile-a-l/hugin.profile +++ b/etc/profile-a-l/hugin.profile
@@ -13,6 +13,9 @@ noblacklist ${PICTURES}
13	# Allow /bin/sh (blacklisted by disable-shell.inc)	13	# Allow /bin/sh (blacklisted by disable-shell.inc)
14	include allow-bin-sh.inc	14	include allow-bin-sh.inc
15		15
		16	# Allow perl (blacklisted by disable-interpreters.inc)
		17	include allow-perl.inc
		18
16	include disable-common.inc	19	include disable-common.inc
17	include disable-devel.inc	20	include disable-devel.inc
18	include disable-exec.inc	21	include disable-exec.inc
@@ -35,7 +38,7 @@ novideo
35	protocol unix	38	protocol unix
36	seccomp	39	seccomp
37		40
38	private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize	41	private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize
39	private-cache	42	private-cache
40	private-dev	43	private-dev
41	private-tmp	44	private-tmp


diff --git a/etc/profile-a-l/lbry-viewer.profile b/etc/profile-a-l/lbry-viewer.profile new file mode 100644 index 000000000..f6a02ac83 --- /dev/null +++ b/etc/profile-a-l/lbry-viewer.profile
@@ -0,0 +1,21 @@
		1	# Firejail profile for lbry-viewer
		2	# Description:CLI for searching and playing videos from LBRY, with the Librarian frontend
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include lbry-viewer.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	noblacklist ${HOME}/.cache/lbry-viewer
		11	noblacklist ${HOME}/.config/lbry-viewer
		12
		13	mkdir ${HOME}/.config/lbry-viewer
		14	mkdir ${HOME}/.cache/lbry-viewer
		15	whitelist ${HOME}/.cache/lbry-viewer
		16	whitelist ${HOME}/.config/lbry-viewer
		17
		18	private-bin gtk-lbry-viewer,lbry-viewer
		19
		20	# Redirect
		21	include youtube-viewers-common.profile