19 files changed, 102 insertions, 15 deletions

diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index dd5639268..853b6ae52 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -72,7 +72,7 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
+private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
 private-etc @tls-ca
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index eed839041..e7dba9cd5 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -47,7 +47,7 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin gio,QOwnNotes
+private-bin QOwnNotes,gio
 private-dev
 private-etc @tls-ca,host.conf
 private-tmp
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index fe1f9b877..ea7d8bfa7 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -31,7 +31,7 @@ protocol unix,inet,inet6
 seccomp !chroot
 
 disable-mnt
-private-bin awk,bash,dig,sh,Viber
+private-bin Viber,awk,bash,dig,sh
 private-etc @tls-ca,@x11,mailcap,proxychains.conf
 private-tmp
 
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
index 97b9d2898..5b8747825 100644
--- a/etc/profile-m-z/XMind.profile
+++ b/etc/profile-m-z/XMind.profile
@@ -31,7 +31,7 @@ protocol unix,inet,inet6
 seccomp
 
 disable-mnt
-private-bin cp,sh,XMind
+private-bin XMind,cp,sh
 private-tmp
 private-dev
 
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile
index 8007b887a..1efd1e8f9 100644
--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -26,7 +26,7 @@ notv
 disable-mnt
 private-bin ffmpeg,fzf,mov-cli
 #private-cache
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
 private-tmp
 
 # Redirect
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index ab1e0ab02..097ce6e83 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -127,7 +127,7 @@ tracelog
 #disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
+private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,msmtprc,nntpserver,terminfo
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile
index b979e1aee..30dd164b6 100644
--- a/etc/profile-m-z/natron.profile
+++ b/etc/profile-m-z/natron.profile
@@ -30,7 +30,7 @@ nou2f
 protocol unix
 seccomp
 
-private-bin natron,Natron,NatronRenderer
+private-bin Natron,NatronRenderer,natron
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index b15e98424..51e2e43bf 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -119,7 +119,7 @@ tracelog
 #disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
+private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,msmtprc,neomuttrc,neomuttrc.d,nntpserver
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4c463521c..f301196c6 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not
@@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc
 ignore read-only ${HOME}/.nvm
 ignore read-only ${HOME}/.yarnrc
 
+noblacklist ${HOME}/.local/share/pnpm
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
@@ -43,6 +44,7 @@ include disable-xdg.inc
 
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
 # and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.local/share/pnpm
 #mkdir ${HOME}/.node-gyp
 #mkdir ${HOME}/.npm
 #mkdir ${HOME}/.npm-packages
@@ -52,6 +54,7 @@ include disable-xdg.inc
 #mkdir ${HOME}/.yarn-config
 #mkdir ${HOME}/.yarncache
 #mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.local/share/pnpm
 #whitelist ${HOME}/.node-gyp
 #whitelist ${HOME}/.npm
 #whitelist ${HOME}/.npm-packages
diff --git a/etc/profile-m-z/pnpm.profile b/etc/profile-m-z/pnpm.profile
new file mode 100644
index 000000000..08f88be43
--- /dev/null
+++ b/etc/profile-m-z/pnpm.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpm
+# Description: Fast, disk space efficient package manager
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpm.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/pnpx.profile b/etc/profile-m-z/pnpx.profile
new file mode 100644
index 000000000..a99d1232a
--- /dev/null
+++ b/etc/profile-m-z/pnpx.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpx.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/postman.profile b/etc/profile-m-z/postman.profile
index c8f00584d..a74b72695 100644
--- a/etc/profile-m-z/postman.profile
+++ b/etc/profile-m-z/postman.profile
@@ -17,7 +17,7 @@ include whitelist-run-common.inc
 
 protocol unix,inet,inet6,netlink
 
-private-bin electron,electron[0-9],electron[0-9][0-9],locale,node,Postman,postman,sh
+private-bin Postman,electron,electron[0-9],electron[0-9][0-9],locale,node,postman,sh
 private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 # private-opt breaks file-copy-limit, use a whitelist instead of draining RAM
 # https://github.com/netblue30/firejail/discussions/5307
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index da16ae912..5ae6ccf04 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -39,7 +39,7 @@ novideo
 protocol unix,netlink
 seccomp
 
-private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL
+private-bin PPSSPP,PPSSPPQt,PPSSPPSDL,ppsspp
 # Add the next line to your ppsspp.local if you do not need controller support.
 #private-dev
 private-etc @tls-ca,@x11,host.conf
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index 7ce6748d1..3a3a9062e 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
 private-cache
 private-dev
-private-etc @tls-ca,fstab,SoftMaker
+private-etc @tls-ca,SoftMaker,fstab
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 34cb3631a..41de746dd 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -163,7 +163,7 @@ protocol unix,inet,inet6,netlink
 # Add 'ignore seccomp' to your steam.local if you experience this.
 # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
 # (see #4366).
-seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2
+seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2
 # process_vm_readv is used by GE-Proton7-18 (see #5185).
 seccomp.32 !process_vm_readv
 # tracelog breaks integrated browser
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index fa992ad1a..7ed3d98d4 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -46,7 +46,7 @@ seccomp
 seccomp.block-secondary
 
 disable-mnt
-private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open
+private-bin Telegram,bash,sh,telegram,telegram-desktop,xdg-open
 private-cache
 private-dev
 private-etc @tls-ca,@x11,os-release
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 5babfb8d2..c0293406d 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -26,6 +26,7 @@ include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 whitelist /usr/share/tessdata
+whitelist /usr/share/tesseract-ocr
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/tiny-rdm.profile b/etc/profile-m-z/tiny-rdm.profile
new file mode 100644
index 000000000..4134d666c
--- /dev/null
+++ b/etc/profile-m-z/tiny-rdm.profile
@@ -0,0 +1,61 @@
+# Firejail profile for tiny-rdm
+# Description: A Modern Redis GUI Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tiny-rdm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/tiny-rdm
+noblacklist ${HOME}/.config/TinyRDM
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-proc.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/tiny-rdm
+mkdir ${HOME}/.config/TinyRDM
+whitelist ${HOME}/.cache/tiny-rdm
+whitelist ${HOME}/.config/TinyRDM
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+novideo
+nosound
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin tiny-rdm
+private-cache
+private-dev
+private-etc @network,@tls-ca,@x11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 9f1f1c241..bac48805c 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -49,7 +49,7 @@ private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
 private-etc @network,@tls-ca,@x11
-private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
+private-lib libGeoIP.so*,libX11.so.*,libgdk_pixbuf-2.0.so.*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*
 private-tmp
 
 dbus-user none