7 files changed, 132 insertions, 6 deletions
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
new file mode 100644
index 000000000..6fc7a4d67
--- /dev/null
+++ b/etc/profile-m-z/mocp.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mocp
+# Description: A powerful & easy to use console audio player
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mocp.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.moc
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin mocp
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.moc
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
index 6e18aa401..b1ab81c1e 100644
--- a/etc/profile-m-z/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -1,13 +1,13 @@
 # Firejail profile for mpg123
 # Description: MPEG audio player/decoder
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include mpg123.local
 # Persistent global definitions
 include globals.local
 noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -23,19 +23,23 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
+notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+tracelog
 #private-bin mpg123*
 private-dev
 private-tmp
-memory-deny-write-execute
 dbus-user none
 dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
new file mode 100644
index 000000000..7ff59ea77
--- /dev/null
+++ b/etc/profile-m-z/plv.profile
@@ -0,0 +1,59 @@
+# Firejail profile for plv
+# Description: Inspect pacman log files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include plv.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/PacmanLogViewer
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/PacmanLogViewer
+whitelist ${HOME}/.config/PacmanLogViewer
+whitelist /var/log/pacman*
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin plv
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt none
+private-tmp
+writable-var-log
+dbus-user none
+dbus-system none
+#memory-deny-write-execute - breaks opening file-chooser
+read-only ${HOME}
+read-write ${HOME}/.config/PacmanLogViewer
diff --git a/etc/profile-m-z/secret-tool.profile b/etc/profile-m-z/secret-tool.profile
index 70d9a5b1d..99ba11d30 100644
--- a/etc/profile-m-z/secret-tool.profile
+++ b/etc/profile-m-z/secret-tool.profile
@@ -1,6 +1,7 @@
 # Firejail profile for secret-tool
 # Description: Library for storing and retrieving passwords and other secrets
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include secret-tool.local
 # Persistent global definitions
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index a5e9a9932..004664a79 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,12 +10,17 @@ noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
 noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/FasterThanLight
 noblacklist ${HOME}/.local/share/feral-interactive
+noblacklist ${HOME}/.local/share/IntoTheBreach
+noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/SuperHexagon
 noblacklist ${HOME}/.local/share/Terraria
 noblacklist ${HOME}/.local/share/vpltd
 noblacklist ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.mbwarband
+noblacklist ${HOME}/.paradoxinteractive
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -41,7 +46,9 @@ mkdir ${HOME}/.killingfloor
 mkdir ${HOME}/.local/share/3909/PapersPlease
 mkdir ${HOME}/.local/share/aspyr-media
 mkdir ${HOME}/.local/share/cdprojektred
+mkdir ${HOME}/.local/share/FasterThanLight
 mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/IntoTheBreach
 mkdir ${HOME}/.local/share/Paradox Interactive
 mkdir ${HOME}/.local/share/Steam
 mkdir ${HOME}/.local/share/SuperHexagon
@@ -58,7 +65,9 @@ whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.local/share/3909/PapersPlease
 whitelist ${HOME}/.local/share/aspyr-media
 whitelist ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/FasterThanLight
 whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/IntoTheBreach
 whitelist ${HOME}/.local/share/Paradox Interactive
 whitelist ${HOME}/.local/share/Steam
 whitelist ${HOME}/.local/share/SuperHexagon
@@ -70,7 +79,6 @@ whitelist ${HOME}/.paradoxinteractive
 whitelist ${HOME}/.steam
 whitelist ${HOME}/.steampath
 whitelist ${HOME}/.steampid
-whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index c1250b1f0..8f6014dc3 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -9,7 +9,6 @@ include wire-desktop.local
 # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
-ignore caps.drop all
 ignore dbus-user none
 ignore dbus-system none
@@ -22,8 +21,9 @@ mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 include whitelist-common.inc
-caps.keep sys_admin,sys_chroot
 nou2f
+ignore seccomp
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 7053f98e8..08b31f1ff 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.config/yelp
 whitelist /usr/share/doc
 whitelist /usr/share/help
 whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
 include whitelist-runuser-common.inc

diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile new file mode 100644 index 000000000..6fc7a4d67 --- /dev/null +++ b/etc/profile-m-z/mocp.profile
@@ -0,0 +1,53 @@
		1	# Firejail profile for mocp
		2	# Description: A powerful & easy to use console audio player
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include mocp.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	noblacklist ${HOME}/.moc
		11	noblacklist ${MUSIC}
		12
		13	include disable-common.inc
		14	include disable-devel.inc
		15	include disable-exec.inc
		16	include disable-interpreters.inc
		17	include disable-passwdmgr.inc
		18	include disable-programs.inc
		19	include disable-xdg.inc
		20
		21	include whitelist-usr-share-common.inc
		22	include whitelist-runuser-common.inc
		23	include whitelist-var-common.inc
		24
		25	apparmor
		26	caps.drop all
		27	ipc-namespace
		28	netfilter
		29	no3d
		30	nodvd
		31	nogroups
		32	nonewprivs
		33	noroot
		34	notv
		35	nou2f
		36	novideo
		37	protocol unix,inet,inet6,netlink
		38	seccomp
		39	shell none
		40	tracelog
		41
		42	private-bin mocp
		43	private-cache
		44	private-dev
		45	private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
		46	private-tmp
		47
		48	dbus-user none
		49	dbus-system none
		50
		51	memory-deny-write-execute
		52	read-only ${HOME}
		53	read-write ${HOME}/.moc


diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile index 6e18aa401..b1ab81c1e 100644 --- a/etc/profile-m-z/mpg123.profile +++ b/etc/profile-m-z/mpg123.profile
@@ -1,13 +1,13 @@
1	# Firejail profile for mpg123	1	# Firejail profile for mpg123
2	# Description: MPEG audio player/decoder	2	# Description: MPEG audio player/decoder
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
		4	quiet
4	# Persistent local customizations	5	# Persistent local customizations
5	include mpg123.local	6	include mpg123.local
6	# Persistent global definitions	7	# Persistent global definitions
7	include globals.local	8	include globals.local
8		9
9	noblacklist ${MUSIC}	10	noblacklist ${MUSIC}
10	noblacklist ${VIDEOS}
11		11
12	include disable-common.inc	12	include disable-common.inc
13	include disable-devel.inc	13	include disable-devel.inc
@@ -23,19 +23,23 @@ include whitelist-var-common.inc
23	apparmor	23	apparmor
24	caps.drop all	24	caps.drop all
25	netfilter	25	netfilter
		26	no3d
26	nogroups	27	nogroups
27	nonewprivs	28	nonewprivs
28	noroot	29	noroot
		30	notv
29	nou2f	31	nou2f
		32	novideo
30	protocol unix,inet,inet6,netlink	33	protocol unix,inet,inet6,netlink
31	seccomp	34	seccomp
32	shell none	35	shell none
		36	tracelog
33		37
34	#private-bin mpg123*	38	#private-bin mpg123*
35	private-dev	39	private-dev
36	private-tmp	40	private-tmp
37		41
38	memory-deny-write-execute
39
40	dbus-user none	42	dbus-user none
41	dbus-system none	43	dbus-system none
		44
		45	memory-deny-write-execute


diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile new file mode 100644 index 000000000..7ff59ea77 --- /dev/null +++ b/etc/profile-m-z/plv.profile
@@ -0,0 +1,59 @@
		1	# Firejail profile for plv
		2	# Description: Inspect pacman log files
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include plv.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/PacmanLogViewer
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-passwdmgr.inc
		16	include disable-programs.inc
		17	include disable-xdg.inc
		18
		19	mkdir ${HOME}/.config/PacmanLogViewer
		20	whitelist ${HOME}/.config/PacmanLogViewer
		21	whitelist /var/log/pacman*
		22	include whitelist-common.inc
		23	include whitelist-usr-share-common.inc
		24	include whitelist-runuser-common.inc
		25	include whitelist-var-common.inc
		26
		27	apparmor
		28	caps.drop all
		29	ipc-namespace
		30	machine-id
		31	net none
		32	no3d
		33	nodvd
		34	nogroups
		35	nonewprivs
		36	noroot
		37	nosound
		38	notv
		39	nou2f
		40	novideo
		41	seccomp
		42	shell none
		43	tracelog
		44
		45	disable-mnt
		46	private-bin plv
		47	private-cache
		48	private-dev
		49	private-etc alternatives,fonts
		50	private-opt none
		51	private-tmp
		52	writable-var-log
		53
		54	dbus-user none
		55	dbus-system none
		56
		57	#memory-deny-write-execute - breaks opening file-chooser
		58	read-only ${HOME}
		59	read-write ${HOME}/.config/PacmanLogViewer


diff --git a/etc/profile-m-z/secret-tool.profile b/etc/profile-m-z/secret-tool.profile index 70d9a5b1d..99ba11d30 100644 --- a/etc/profile-m-z/secret-tool.profile +++ b/etc/profile-m-z/secret-tool.profile
@@ -1,6 +1,7 @@
1	# Firejail profile for secret-tool	1	# Firejail profile for secret-tool
2	# Description: Library for storing and retrieving passwords and other secrets	2	# Description: Library for storing and retrieving passwords and other secrets
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
		4	quiet
4	# Persistent local customizations	5	# Persistent local customizations
5	include secret-tool.local	6	include secret-tool.local
6	# Persistent global definitions	7	# Persistent global definitions


diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index a5e9a9932..004664a79 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile
@@ -10,12 +10,17 @@ noblacklist ${HOME}/.killingfloor
10	noblacklist ${HOME}/.local/share/3909/PapersPlease	10	noblacklist ${HOME}/.local/share/3909/PapersPlease
11	noblacklist ${HOME}/.local/share/aspyr-media	11	noblacklist ${HOME}/.local/share/aspyr-media
12	noblacklist ${HOME}/.local/share/cdprojektred	12	noblacklist ${HOME}/.local/share/cdprojektred
		13	noblacklist ${HOME}/.local/share/FasterThanLight
13	noblacklist ${HOME}/.local/share/feral-interactive	14	noblacklist ${HOME}/.local/share/feral-interactive
		15	noblacklist ${HOME}/.local/share/IntoTheBreach
		16	noblacklist ${HOME}/.local/share/Paradox Interactive
14	noblacklist ${HOME}/.local/share/Steam	17	noblacklist ${HOME}/.local/share/Steam
15	noblacklist ${HOME}/.local/share/SuperHexagon	18	noblacklist ${HOME}/.local/share/SuperHexagon
16	noblacklist ${HOME}/.local/share/Terraria	19	noblacklist ${HOME}/.local/share/Terraria
17	noblacklist ${HOME}/.local/share/vpltd	20	noblacklist ${HOME}/.local/share/vpltd
18	noblacklist ${HOME}/.local/share/vulkan	21	noblacklist ${HOME}/.local/share/vulkan
		22	noblacklist ${HOME}/.mbwarband
		23	noblacklist ${HOME}/.paradoxinteractive
19	noblacklist ${HOME}/.steam	24	noblacklist ${HOME}/.steam
20	noblacklist ${HOME}/.steampath	25	noblacklist ${HOME}/.steampath
21	noblacklist ${HOME}/.steampid	26	noblacklist ${HOME}/.steampid
@@ -41,7 +46,9 @@ mkdir ${HOME}/.killingfloor
41	mkdir ${HOME}/.local/share/3909/PapersPlease	46	mkdir ${HOME}/.local/share/3909/PapersPlease
42	mkdir ${HOME}/.local/share/aspyr-media	47	mkdir ${HOME}/.local/share/aspyr-media
43	mkdir ${HOME}/.local/share/cdprojektred	48	mkdir ${HOME}/.local/share/cdprojektred
		49	mkdir ${HOME}/.local/share/FasterThanLight
44	mkdir ${HOME}/.local/share/feral-interactive	50	mkdir ${HOME}/.local/share/feral-interactive
		51	mkdir ${HOME}/.local/share/IntoTheBreach
45	mkdir ${HOME}/.local/share/Paradox Interactive	52	mkdir ${HOME}/.local/share/Paradox Interactive
46	mkdir ${HOME}/.local/share/Steam	53	mkdir ${HOME}/.local/share/Steam
47	mkdir ${HOME}/.local/share/SuperHexagon	54	mkdir ${HOME}/.local/share/SuperHexagon
@@ -58,7 +65,9 @@ whitelist ${HOME}/.killingfloor
58	whitelist ${HOME}/.local/share/3909/PapersPlease	65	whitelist ${HOME}/.local/share/3909/PapersPlease
59	whitelist ${HOME}/.local/share/aspyr-media	66	whitelist ${HOME}/.local/share/aspyr-media
60	whitelist ${HOME}/.local/share/cdprojektred	67	whitelist ${HOME}/.local/share/cdprojektred
		68	whitelist ${HOME}/.local/share/FasterThanLight
61	whitelist ${HOME}/.local/share/feral-interactive	69	whitelist ${HOME}/.local/share/feral-interactive
		70	whitelist ${HOME}/.local/share/IntoTheBreach
62	whitelist ${HOME}/.local/share/Paradox Interactive	71	whitelist ${HOME}/.local/share/Paradox Interactive
63	whitelist ${HOME}/.local/share/Steam	72	whitelist ${HOME}/.local/share/Steam
64	whitelist ${HOME}/.local/share/SuperHexagon	73	whitelist ${HOME}/.local/share/SuperHexagon
@@ -70,7 +79,6 @@ whitelist ${HOME}/.paradoxinteractive
70	whitelist ${HOME}/.steam	79	whitelist ${HOME}/.steam
71	whitelist ${HOME}/.steampath	80	whitelist ${HOME}/.steampath
72	whitelist ${HOME}/.steampid	81	whitelist ${HOME}/.steampid
73	whitelist ${HOME}/.steampid
74	include whitelist-common.inc	82	include whitelist-common.inc
75	include whitelist-var-common.inc	83	include whitelist-var-common.inc
76		84


diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile index c1250b1f0..8f6014dc3 100644 --- a/etc/profile-m-z/wire-desktop.profile +++ b/etc/profile-m-z/wire-desktop.profile
@@ -9,7 +9,6 @@ include wire-desktop.local
9		9
10	# Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.	10	# Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
11		11
12	ignore caps.drop all
13	ignore dbus-user none	12	ignore dbus-user none
14	ignore dbus-system none	13	ignore dbus-system none
15		14
@@ -22,8 +21,9 @@ mkdir ${HOME}/.config/Wire
22	whitelist ${HOME}/.config/Wire	21	whitelist ${HOME}/.config/Wire
23	include whitelist-common.inc	22	include whitelist-common.inc
24		23
25	caps.keep sys_admin,sys_chroot
26	nou2f	24	nou2f
		25	ignore seccomp
		26	seccomp !chroot
27	shell none	27	shell none
28		28
29	disable-mnt	29	disable-mnt


diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index 7053f98e8..08b31f1ff 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.config/yelp
21	whitelist /usr/share/doc	21	whitelist /usr/share/doc
22	whitelist /usr/share/help	22	whitelist /usr/share/help
23	whitelist /usr/share/yelp	23	whitelist /usr/share/yelp
		24	whitelist /usr/share/yelp-tools
24	whitelist /usr/share/yelp-xsl	25	whitelist /usr/share/yelp-xsl
25	include whitelist-common.inc	26	include whitelist-common.inc
26	include whitelist-runuser-common.inc	27	include whitelist-runuser-common.inc