7 files changed, 57 insertions, 8 deletions
diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile
new file mode 100644
index 000000000..7e9638fe4
--- /dev/null
+++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
+# Firejail profile for make
+# Description: GNU make utility to maintain groups of programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include make.local
+# Persistent global definitions
+include globals.local
+memory-deny-write-execute
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile
new file mode 100644
index 000000000..b4909a9d8
--- /dev/null
+++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,14 @@
+# Firejail profile for meson
+# Description: A high productivity build system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index dac90cfa5..aab2ac19d 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -29,7 +29,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 disable-mnt
 private-dev
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 035ad086a..2f305dae9 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -51,11 +51,10 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
+dbus-user filter
-# Add the next lines to your nheko.local to enable notification support.
+dbus-user.talk org.freedesktop.secrets
-#ignore dbus-user none
+# Add the next line to your nheko.local to enable notification support.
-#dbus-user filter
 #dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your nheko.local to enable tray icon support.
 #dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index b8e8a750f..460f60beb 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
 noblacklist ${DOCUMENTS}
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+include whitelist-runuser-common.inc
 # breaks pdf output
 #include whitelist-var-common.inc
@@ -39,12 +42,12 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
 disable-mnt
-private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload,texlive,texmf
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
new file mode 100644
index 000000000..a0926371f
--- /dev/null
+++ b/etc/profile-m-z/pip.profile
@@ -0,0 +1,18 @@
+# Firejail profile for pip
+# Description: package manager for Python packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+ignore read-only ${HOME}/.local/lib
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+#whitelist ${HOME}/.local/lib/python*
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index a4a4fb7d8..9c0a887b2 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -1,4 +1,4 @@
-# Firejail profile alias for Visual Studio Code
+# Firejail profile alias for VSCodium
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vscodium.local
@@ -7,6 +7,8 @@ include vscodium.local
 #include globals.local
 noblacklist ${HOME}/.VSCodium
+noblacklist ${HOME}/.config/VSCodium
+noblacklist ${HOME}/.vscode-oss
 # Redirect
 include code.profile

diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile new file mode 100644 index 000000000..7e9638fe4 --- /dev/null +++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
		1	# Firejail profile for make
		2	# Description: GNU make utility to maintain groups of programs
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include make.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	memory-deny-write-execute
		11
		12	# Redirect
		13	include build-systems-common.profile


diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile new file mode 100644 index 000000000..b4909a9d8 --- /dev/null +++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,14 @@
		1	# Firejail profile for meson
		2	# Description: A high productivity build system
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include meson.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	# Allow python3 (blacklisted by disable-interpreters.inc)
		11	include allow-python3.inc
		12
		13	# Redirect
		14	include build-systems-common.profile


diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile index dac90cfa5..aab2ac19d 100644 --- a/etc/profile-m-z/musixmatch.profile +++ b/etc/profile-m-z/musixmatch.profile
@@ -29,7 +29,7 @@ notv
29	nou2f	29	nou2f
30	novideo	30	novideo
31	protocol unix,inet,inet6,netlink	31	protocol unix,inet,inet6,netlink
32	seccomp	32	seccomp !chroot
33		33
34	disable-mnt	34	disable-mnt
35	private-dev	35	private-dev


diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile index 035ad086a..2f305dae9 100644 --- a/etc/profile-m-z/nheko.profile +++ b/etc/profile-m-z/nheko.profile
@@ -51,11 +51,10 @@ private-dev
51	private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg	51	private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
52	private-tmp	52	private-tmp
53		53
54		54	dbus-user filter
55	# Add the next lines to your nheko.local to enable notification support.	55	dbus-user.talk org.freedesktop.secrets
56	#ignore dbus-user none	56	# Add the next line to your nheko.local to enable notification support.
57	#dbus-user filter
58	#dbus-user.talk org.freedesktop.Notifications	57	#dbus-user.talk org.freedesktop.Notifications
		58	# Add the next line to your nheko.local to enable tray icon support.
59	#dbus-user.talk org.kde.StatusNotifierWatcher	59	#dbus-user.talk org.kde.StatusNotifierWatcher
60	dbus-user none
61	dbus-system none	60	dbus-system none


diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile index b8e8a750f..460f60beb 100644 --- a/etc/profile-m-z/pandoc.profile +++ b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
11		11
12	noblacklist ${DOCUMENTS}	12	noblacklist ${DOCUMENTS}
13		13
		14	include allow-bin-sh.inc
		15
14	include disable-common.inc	16	include disable-common.inc
15	include disable-devel.inc	17	include disable-devel.inc
16	include disable-exec.inc	18	include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
19	include disable-shell.inc	21	include disable-shell.inc
20	include disable-xdg.inc	22	include disable-xdg.inc
21		23
		24	include whitelist-runuser-common.inc
22	# breaks pdf output	25	# breaks pdf output
23	#include whitelist-var-common.inc	26	#include whitelist-var-common.inc
24		27
@@ -39,12 +42,12 @@ nou2f
39	novideo	42	novideo
40	protocol unix	43	protocol unix
41	seccomp	44	seccomp
		45	seccomp.block-secondary
42	shell none	46	shell none
43	tracelog	47	tracelog
44	x11 none	48	x11 none
45		49
46	disable-mnt	50	disable-mnt
47	private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
48	private-cache	51	private-cache
49	private-dev	52	private-dev
50	private-etc alternatives,ld.so.preload,texlive,texmf	53	private-etc alternatives,ld.so.preload,texlive,texmf


diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile new file mode 100644 index 000000000..a0926371f --- /dev/null +++ b/etc/profile-m-z/pip.profile
@@ -0,0 +1,18 @@
		1	# Firejail profile for pip
		2	# Description: package manager for Python packages
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include meson.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	ignore read-only ${HOME}/.local/lib
		11
		12	# Allow python3 (blacklisted by disable-interpreters.inc)
		13	include allow-python3.inc
		14
		15	#whitelist ${HOME}/.local/lib/python*
		16
		17	# Redirect
		18	include build-systems-common.profile


diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile index a4a4fb7d8..9c0a887b2 100644 --- a/etc/profile-m-z/vscodium.profile +++ b/etc/profile-m-z/vscodium.profile
@@ -1,4 +1,4 @@
1	# Firejail profile alias for Visual Studio Code	1	# Firejail profile alias for VSCodium
2	# This file is overwritten after every install/update	2	# This file is overwritten after every install/update
3	# Persistent local customizations	3	# Persistent local customizations
4	include vscodium.local	4	include vscodium.local
@@ -7,6 +7,8 @@ include vscodium.local
7	#include globals.local	7	#include globals.local
8		8
9	noblacklist ${HOME}/.VSCodium	9	noblacklist ${HOME}/.VSCodium
		10	noblacklist ${HOME}/.config/VSCodium
		11	noblacklist ${HOME}/.vscode-oss
10		12
11	# Redirect	13	# Redirect
12	include code.profile	14	include code.profile