9 files changed, 145 insertions, 5 deletions
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index b6afbad59..49e84dedb 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -35,8 +35,8 @@ include disable-exec.inc
 include disable-programs.inc
 caps.drop all
-machine-id
 ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-m-z/qt5ct.profile b/etc/profile-m-z/qt5ct.profile
new file mode 100644
index 000000000..83d22c2cd
--- /dev/null
+++ b/etc/profile-m-z/qt5ct.profile
@@ -0,0 +1,65 @@
+# Firejail profile for qt5ct
+# Description: Qt5 Configuration Utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qt5ct.local
+# Persistent global definitions
+include globals.local
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/qt5ct
+mkdir ${HOME}/.local/share/qt5ct
+whitelist ${HOME}/.config/qt5ct
+whitelist ${HOME}/.local/share/qt5ct
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-bin qt5ct
+private-cache
+private-dev
+private-etc dbus-1,machine-id
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.config/qt5ct
+read-write ${HOME}/.local/share/qt5ct
+restrict-namespaces
diff --git a/etc/profile-m-z/qt6ct.profile b/etc/profile-m-z/qt6ct.profile
new file mode 100644
index 000000000..5667c98a3
--- /dev/null
+++ b/etc/profile-m-z/qt6ct.profile
@@ -0,0 +1,65 @@
+# Firejail profile for qt6ct
+# Description: Qt6 Configuration Utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qt6ct.local
+# Persistent global definitions
+include globals.local
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/qt6ct
+mkdir ${HOME}/.local/share/qt6ct
+whitelist ${HOME}/.config/qt6ct
+whitelist ${HOME}/.local/share/qt6ct
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-bin qt6ct
+private-cache
+private-dev
+private-etc dbus-1,machine-id
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.config/qt6ct
+read-write ${HOME}/.local/share/qt6ct
+restrict-namespaces
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index fde85be64..62efa28db 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -18,6 +18,7 @@ include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
+whitelist ${RUNUSER}/gcr/ssh
 whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
 whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index da3b4f782..ca1234db0 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -17,7 +17,6 @@ ignore include disable-shell.inc
 # all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
-private-etc
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/etc/profile-m-z/unlz4.profile b/etc/profile-m-z/unlz4.profile
new file mode 100644
index 000000000..00e7496e4
--- /dev/null
+++ b/etc/profile-m-z/unlz4.profile
@@ -0,0 +1,11 @@
+# Firejail profile for unlz4
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unlz4.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include lz4.profile
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 43d5dae5e..ed2acb12d 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -8,7 +8,6 @@ include unrar.local
 include globals.local
 private-bin unrar
-private-etc
 private-tmp
 # Redirect
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 9fefe6ad3..88341a3ad 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,5 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
-private-etc
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile
index 86fe63ef9..a93d873a8 100644
--- a/etc/profile-m-z/virt-manager.profile
+++ b/etc/profile-m-z/virt-manager.profile
@@ -6,6 +6,8 @@ include virt-manager.local
 # Persistent global definitions
 include globals.local
+blacklist /usr/libexec
 noblacklist ${HOME}/.cache/virt-manager
 noblacklist ${RUNUSER}/libvirt

diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile index b6afbad59..49e84dedb 100644 --- a/etc/profile-m-z/makepkg.profile +++ b/etc/profile-m-z/makepkg.profile
@@ -35,8 +35,8 @@ include disable-exec.inc
35	include disable-programs.inc	35	include disable-programs.inc
36		36
37	caps.drop all	37	caps.drop all
38	machine-id
39	ipc-namespace	38	ipc-namespace
		39	machine-id
40	netfilter	40	netfilter
41	no3d	41	no3d
42	nodvd	42	nodvd


diff --git a/etc/profile-m-z/qt5ct.profile b/etc/profile-m-z/qt5ct.profile new file mode 100644 index 000000000..83d22c2cd --- /dev/null +++ b/etc/profile-m-z/qt5ct.profile
@@ -0,0 +1,65 @@
		1	# Firejail profile for qt5ct
		2	# Description: Qt5 Configuration Utility
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include qt5ct.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	blacklist /usr/libexec
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-proc.inc
		16	include disable-programs.inc
		17	include disable-shell.inc
		18	include disable-xdg.inc
		19
		20	mkdir ${HOME}/.config/qt5ct
		21	mkdir ${HOME}/.local/share/qt5ct
		22	whitelist ${HOME}/.config/qt5ct
		23	whitelist ${HOME}/.local/share/qt5ct
		24
		25	include whitelist-common.inc
		26	include whitelist-run-common.inc
		27	include whitelist-runuser-common.inc
		28	include whitelist-usr-share-common.inc
		29	include whitelist-var-common.inc
		30
		31	apparmor
		32	caps.drop all
		33	machine-id
		34	net none
		35	no3d
		36	nodvd
		37	nogroups
		38	noinput
		39	nonewprivs
		40	noprinters
		41	noroot
		42	nosound
		43	notv
		44	nou2f
		45	novideo
		46	protocol unix
		47	seccomp
		48	seccomp.block-secondary
		49	tracelog
		50
		51	disable-mnt
		52	private-bin qt5ct
		53	private-cache
		54	private-dev
		55	private-etc dbus-1,machine-id
		56	private-tmp
		57
		58	dbus-user none
		59	dbus-system none
		60
		61	memory-deny-write-execute
		62	read-only ${HOME}
		63	read-write ${HOME}/.config/qt5ct
		64	read-write ${HOME}/.local/share/qt5ct
		65	restrict-namespaces


diff --git a/etc/profile-m-z/qt6ct.profile b/etc/profile-m-z/qt6ct.profile new file mode 100644 index 000000000..5667c98a3 --- /dev/null +++ b/etc/profile-m-z/qt6ct.profile
@@ -0,0 +1,65 @@
		1	# Firejail profile for qt6ct
		2	# Description: Qt6 Configuration Utility
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include qt6ct.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	blacklist /usr/libexec
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-proc.inc
		16	include disable-programs.inc
		17	include disable-shell.inc
		18	include disable-xdg.inc
		19
		20	mkdir ${HOME}/.config/qt6ct
		21	mkdir ${HOME}/.local/share/qt6ct
		22	whitelist ${HOME}/.config/qt6ct
		23	whitelist ${HOME}/.local/share/qt6ct
		24
		25	include whitelist-common.inc
		26	include whitelist-run-common.inc
		27	include whitelist-runuser-common.inc
		28	include whitelist-usr-share-common.inc
		29	include whitelist-var-common.inc
		30
		31	apparmor
		32	caps.drop all
		33	machine-id
		34	net none
		35	no3d
		36	nodvd
		37	nogroups
		38	noinput
		39	nonewprivs
		40	noprinters
		41	noroot
		42	nosound
		43	notv
		44	nou2f
		45	novideo
		46	protocol unix
		47	seccomp
		48	seccomp.block-secondary
		49	tracelog
		50
		51	disable-mnt
		52	private-bin qt6ct
		53	private-cache
		54	private-dev
		55	private-etc dbus-1,machine-id
		56	private-tmp
		57
		58	dbus-user none
		59	dbus-system none
		60
		61	memory-deny-write-execute
		62	read-only ${HOME}
		63	read-write ${HOME}/.config/qt6ct
		64	read-write ${HOME}/.local/share/qt6ct
		65	restrict-namespaces


diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index fde85be64..62efa28db 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile
@@ -18,6 +18,7 @@ include disable-common.inc
18	include disable-exec.inc	18	include disable-exec.inc
19	include disable-programs.inc	19	include disable-programs.inc
20		20
		21	whitelist ${RUNUSER}/gcr/ssh
21	whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh	22	whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
22	whitelist ${RUNUSER}/keyring/ssh	23	whitelist ${RUNUSER}/keyring/ssh
23	include whitelist-usr-share-common.inc	24	include whitelist-usr-share-common.inc


diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile index da3b4f782..ca1234db0 100644 --- a/etc/profile-m-z/tar.profile +++ b/etc/profile-m-z/tar.profile
@@ -17,7 +17,6 @@ ignore include disable-shell.inc
17	# all capabilities this is automatically read-only.	17	# all capabilities this is automatically read-only.
18	noblacklist /var/lib/pacman	18	noblacklist /var/lib/pacman
19		19
20	private-etc
21	#private-lib libfakeroot,liblzma.so.,libreadline.so.	20	#private-lib libfakeroot,liblzma.so.,libreadline.so.
22	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)	21	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
23	writable-var	22	writable-var


diff --git a/etc/profile-m-z/unlz4.profile b/etc/profile-m-z/unlz4.profile new file mode 100644 index 000000000..00e7496e4 --- /dev/null +++ b/etc/profile-m-z/unlz4.profile
@@ -0,0 +1,11 @@
		1	# Firejail profile for unlz4
		2	# This file is overwritten after every install/update
		3	quiet
		4	# Persistent local customizations
		5	include unlz4.local
		6	# Persistent global definitions
		7	# added by included profile
		8	#include globals.local
		9
		10	# Redirect
		11	include lz4.profile


diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile index 43d5dae5e..ed2acb12d 100644 --- a/etc/profile-m-z/unrar.profile +++ b/etc/profile-m-z/unrar.profile
@@ -8,7 +8,6 @@ include unrar.local
8	include globals.local	8	include globals.local
9		9
10	private-bin unrar	10	private-bin unrar
11	private-etc
12	private-tmp	11	private-tmp
13		12
14	# Redirect	13	# Redirect


diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile index 9fefe6ad3..88341a3ad 100644 --- a/etc/profile-m-z/unzip.profile +++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,5 @@ include globals.local
10	# GNOME Shell integration (chrome-gnome-shell)	10	# GNOME Shell integration (chrome-gnome-shell)
11	noblacklist ${HOME}/.local/share/gnome-shell	11	noblacklist ${HOME}/.local/share/gnome-shell
12		12
13	private-etc
14
15	# Redirect	13	# Redirect
16	include archiver-common.profile	14	include archiver-common.profile


diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile index 86fe63ef9..a93d873a8 100644 --- a/etc/profile-m-z/virt-manager.profile +++ b/etc/profile-m-z/virt-manager.profile
@@ -6,6 +6,8 @@ include virt-manager.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
		9	blacklist /usr/libexec
		10
9	noblacklist ${HOME}/.cache/virt-manager	11	noblacklist ${HOME}/.cache/virt-manager
10	noblacklist ${RUNUSER}/libvirt	12	noblacklist ${RUNUSER}/libvirt
11		13