11 files changed, 257 insertions, 7 deletions
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
new file mode 100644
index 000000000..e4487c8aa
--- /dev/null
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -0,0 +1,46 @@
+# Firejail profile for mattermost-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mattermost-desktop.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Mattermost
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/Mattermost
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Mattermost
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+notv
+nou2f
+novideo
+shell none
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+# Not tested
+#dbus-user filter
+#dbus-user.own com.mattermost.Desktop
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-system none
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 84db8b785..385700648 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -70,6 +70,7 @@ private-cache
 private-dev
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
+# Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551)
 private-tmp
 read-only ${HOME}/.ssh
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
new file mode 100644
index 000000000..8c7d18c58
--- /dev/null
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -0,0 +1,58 @@
+# Firejail profile for minecraft-launcher
+# Description: Official Minecraft launcher from Mojang
+# This file is overwritten after every install/update
+# Persistent local customizations
+include minecraft-launcher.local
+# Persistent global definitions
+include globals.local
+# On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it.
+ignore noexec ${HOME}
+noblacklist ${HOME}/.minecraft
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.minecraft
+whitelist ${HOME}/.minecraft
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin java,java-config,minecraft-launcher
+private-cache
+private-dev
+# If multiplayer or realms break add your own java folder from /etc or comment the line below.
+private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg
+private-opt minecraft-launcher
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index b0e493c5f..2fc027257 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -30,6 +30,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+whitelist /usr/share/lua
+whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -37,8 +39,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+# nogroups seems to cause issues with Nvidia drivers sometimes
-# Seems to cause issues with Nvidia drivers sometimes
 nogroups
 nonewprivs
 noroot
@@ -49,7 +50,7 @@ shell none
 tracelog
 private-bin env,mpv,python*,youtube-dl
-# Causes slow OSD, see #2838
+# private-cache causes slow OSD, see #2838
 #private-cache
 private-dev
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
new file mode 100644
index 000000000..d0ac83baf
--- /dev/null
+++ b/etc/profile-m-z/newsflash.profile
@@ -0,0 +1,60 @@
+# Firejail profile for newsflash
+# Description: Modern feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsflash.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/NewsFlashGTK
+noblacklist ${HOME}/.config/news-flash
+noblacklist ${HOME}/.local/share/news-flash
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/NewsFlashGTK
+mkdir ${HOME}/.config/news-flash
+mkdir ${HOME}/.local/share/news-flash
+whitelist ${HOME}/.cache/NewsFlashGTK
+whitelist ${HOME}/.config/news-flash
+whitelist ${HOME}/.local/share/news-flash
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin com.gitlab.newsflash,newsflash
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
+private-tmp
+dbus-user none
+#dbus-user.own com.gitlab.newsflash
+#dbus-user.talk org.freedesktop.Notifications
+dbus-system none
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 5d9225705..b51a86e7d 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -34,10 +34,12 @@ nodvd
 nogroups
 notv
 nou2f
+novideo
 shell none
 disable-mnt
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index 326b97e4b..bd7faa80a 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -1,14 +1,14 @@
 # Firejail profile for teams
 # Description: Official Microsoft Teams client for Linux using Electron.
 # This file is overwritten after every install/update
-# Known issues:
-#  * if Teams crashes on startup try using "ignore apparmor" in your local config
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
+# see #3404
+ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index e3af5600a..8e0741458 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -25,5 +25,5 @@ seccomp
 disable-mnt
 private-cache
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index c0dbc9116..12bef5d1f 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -14,9 +14,12 @@ noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.config/VirtualBox
 mkdir ${HOME}/VirtualBox VMs
@@ -24,9 +27,23 @@ whitelist ${HOME}/.config/VirtualBox
 whitelist ${HOME}/VirtualBox VMs
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-caps.keep net_raw,sys_admin,sys_nice
+# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+caps.keep net_raw,sys_nice
 netfilter
 nodvd
+#nogroups
 notv
+shell none
+tracelog
+#disable-mnt
+private-cache
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
new file mode 100644
index 000000000..b760b44dd
--- /dev/null
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -0,0 +1,51 @@
+# Firejail profile for xfce4-screenshooter
+# Description: Xfce screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-screenshooter.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/xfce4
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin xfce4-screenshooter,xfconf-query
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index 6eac10703..b3125ee50 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -10,8 +10,11 @@ noblacklist ${HOME}/.zoom
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoomus.conf
@@ -20,14 +23,25 @@ whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp !chroot
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp

diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile new file mode 100644 index 000000000..e4487c8aa --- /dev/null +++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -0,0 +1,46 @@
		1	# Firejail profile for mattermost-desktop
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include mattermost-desktop.local
		5	# Persistent global definitions
		6	include globals.local
		7
		8	noblacklist ${HOME}/.config/Mattermost
		9
		10	include disable-common.inc
		11	include disable-devel.inc
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14	include disable-programs.inc
		15	include disable-passwdmgr.inc
		16	include disable-shell.inc
		17	include disable-xdg.inc
		18
		19	mkdir ${HOME}/.config/Mattermost
		20	whitelist ${DOWNLOADS}
		21	whitelist ${HOME}/.config/Mattermost
		22	include whitelist-common.inc
		23	include whitelist-runuser-common.inc
		24	include whitelist-usr-share-common.inc
		25	include whitelist-var-common.inc
		26
		27	caps.keep sys_admin,sys_chroot
		28	netfilter
		29	nodvd
		30	nogroups
		31	notv
		32	nou2f
		33	novideo
		34	shell none
		35
		36	disable-mnt
		37	private-cache
		38	private-dev
		39	private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
		40	private-tmp
		41
		42	# Not tested
		43	#dbus-user filter
		44	#dbus-user.own com.mattermost.Desktop
		45	#dbus-user.talk org.freedesktop.Notifications
		46	#dbus-system none


diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile index 84db8b785..385700648 100644 --- a/etc/profile-m-z/meld.profile +++ b/etc/profile-m-z/meld.profile
@@ -70,6 +70,7 @@ private-cache
70	private-dev	70	private-dev
71	# Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.	71	# Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.
72	#private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion	72	#private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
		73	# Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551)
73	private-tmp	74	private-tmp
74		75
75	read-only ${HOME}/.ssh	76	read-only ${HOME}/.ssh


diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile new file mode 100644 index 000000000..8c7d18c58 --- /dev/null +++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -0,0 +1,58 @@
		1	# Firejail profile for minecraft-launcher
		2	# Description: Official Minecraft launcher from Mojang
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include minecraft-launcher.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	# On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it.
		10
		11	ignore noexec ${HOME}
		12
		13	noblacklist ${HOME}/.minecraft
		14
		15	include allow-java.inc
		16
		17	include disable-common.inc
		18	include disable-devel.inc
		19	include disable-exec.inc
		20	include disable-interpreters.inc
		21	include disable-passwdmgr.inc
		22	include disable-programs.inc
		23	include disable-shell.inc
		24	include disable-xdg.inc
		25
		26	mkdir ${HOME}/.minecraft
		27	whitelist ${HOME}/.minecraft
		28	include whitelist-common.inc
		29	include whitelist-runuser-common.inc
		30	include whitelist-usr-share-common.inc
		31	include whitelist-var-common.inc
		32
		33	apparmor
		34	caps.drop all
		35	netfilter
		36	nodvd
		37	nogroups
		38	nonewprivs
		39	noroot
		40	notv
		41	nou2f
		42	novideo
		43	protocol unix,inet,inet6,netlink
		44	seccomp
		45	shell none
		46	tracelog
		47
		48	disable-mnt
		49	private-bin java,java-config,minecraft-launcher
		50	private-cache
		51	private-dev
		52	# If multiplayer or realms break add your own java folder from /etc or comment the line below.
		53	private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg
		54	private-opt minecraft-launcher
		55	private-tmp
		56
		57	dbus-user none
		58	dbus-system none


diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index b0e493c5f..2fc027257 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile
@@ -30,6 +30,8 @@ include disable-programs.inc
30	include disable-shell.inc	30	include disable-shell.inc
31	include disable-xdg.inc	31	include disable-xdg.inc
32		32
		33	whitelist /usr/share/lua
		34	whitelist /usr/share/lua*
33	whitelist /usr/share/vulkan	35	whitelist /usr/share/vulkan
34	include whitelist-usr-share-common.inc	36	include whitelist-usr-share-common.inc
35	include whitelist-var-common.inc	37	include whitelist-var-common.inc
@@ -37,8 +39,7 @@ include whitelist-var-common.inc
37	apparmor	39	apparmor
38	caps.drop all	40	caps.drop all
39	netfilter	41	netfilter
40		42	# nogroups seems to cause issues with Nvidia drivers sometimes
41	# Seems to cause issues with Nvidia drivers sometimes
42	nogroups	43	nogroups
43	nonewprivs	44	nonewprivs
44	noroot	45	noroot
@@ -49,7 +50,7 @@ shell none
49	tracelog	50	tracelog
50		51
51	private-bin env,mpv,python*,youtube-dl	52	private-bin env,mpv,python*,youtube-dl
52	# Causes slow OSD, see #2838	53	# private-cache causes slow OSD, see #2838
53	#private-cache	54	#private-cache
54	private-dev	55	private-dev
55		56


diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile new file mode 100644 index 000000000..d0ac83baf --- /dev/null +++ b/etc/profile-m-z/newsflash.profile
@@ -0,0 +1,60 @@
		1	# Firejail profile for newsflash
		2	# Description: Modern feed reader
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include newsflash.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.cache/NewsFlashGTK
		10	noblacklist ${HOME}/.config/news-flash
		11	noblacklist ${HOME}/.local/share/news-flash
		12
		13	include disable-common.inc
		14	include disable-devel.inc
		15	include disable-exec.inc
		16	include disable-interpreters.inc
		17	include disable-passwdmgr.inc
		18	include disable-programs.inc
		19	include disable-shell.inc
		20	include disable-xdg.inc
		21
		22	mkdir ${HOME}/.cache/NewsFlashGTK
		23	mkdir ${HOME}/.config/news-flash
		24	mkdir ${HOME}/.local/share/news-flash
		25	whitelist ${HOME}/.cache/NewsFlashGTK
		26	whitelist ${HOME}/.config/news-flash
		27	whitelist ${HOME}/.local/share/news-flash
		28	include whitelist-common.inc
		29	include whitelist-runuser-common.inc
		30	include whitelist-usr-share-common.inc
		31	include whitelist-var-common.inc
		32
		33	apparmor
		34	caps.drop all
		35	machine-id
		36	netfilter
		37	nodvd
		38	nogroups
		39	nonewprivs
		40	noroot
		41	nosound
		42	notv
		43	nou2f
		44	novideo
		45	protocol unix,inet,inet6
		46	seccomp
		47	shell none
		48	tracelog
		49
		50	disable-mnt
		51	private-bin com.gitlab.newsflash,newsflash
		52	private-cache
		53	private-dev
		54	private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
		55	private-tmp
		56
		57	dbus-user none
		58	#dbus-user.own com.gitlab.newsflash
		59	#dbus-user.talk org.freedesktop.Notifications
		60	dbus-system none


diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index 5d9225705..b51a86e7d 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile
@@ -34,10 +34,12 @@ nodvd
34	nogroups	34	nogroups
35	notv	35	notv
36	nou2f	36	nou2f
		37	novideo
37	shell none	38	shell none
38		39
39	disable-mnt	40	disable-mnt
40	private-dev	41	private-dev
		42	private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
41	private-tmp	43	private-tmp
42		44
43	dbus-user none	45	dbus-user none


diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile index 326b97e4b..bd7faa80a 100644 --- a/etc/profile-m-z/teams.profile +++ b/etc/profile-m-z/teams.profile
@@ -1,14 +1,14 @@
1	# Firejail profile for teams	1	# Firejail profile for teams
2	# Description: Official Microsoft Teams client for Linux using Electron.	2	# Description: Official Microsoft Teams client for Linux using Electron.
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
4	# Known issues:
5	# * if Teams crashes on startup try using "ignore apparmor" in your local config
6	# Persistent local customizations	4	# Persistent local customizations
7	include teams.local	5	include teams.local
8	# Persistent global definitions	6	# Persistent global definitions
9	# added by included profile	7	# added by included profile
10	#include globals.local	8	#include globals.local
11		9
		10	# see #3404
		11	ignore apparmor
12	ignore dbus-user none	12	ignore dbus-user none
13	ignore dbus-system none	13	ignore dbus-system none
14		14


diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index e3af5600a..8e0741458 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile
@@ -25,5 +25,5 @@ seccomp
25		25
26	disable-mnt	26	disable-mnt
27	private-cache	27	private-cache
		28	private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
28	private-tmp	29	private-tmp
29


diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index c0dbc9116..12bef5d1f 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile
@@ -14,9 +14,12 @@ noblacklist /usr/lib/virtualbox
14	noblacklist /usr/lib64/virtualbox	14	noblacklist /usr/lib64/virtualbox
15		15
16	include disable-common.inc	16	include disable-common.inc
		17	include disable-devel.inc
17	include disable-exec.inc	18	include disable-exec.inc
		19	include disable-interpreters.inc
18	include disable-passwdmgr.inc	20	include disable-passwdmgr.inc
19	include disable-programs.inc	21	include disable-programs.inc
		22	include disable-xdg.inc
20		23
21	mkdir ${HOME}/.config/VirtualBox	24	mkdir ${HOME}/.config/VirtualBox
22	mkdir ${HOME}/VirtualBox VMs	25	mkdir ${HOME}/VirtualBox VMs
@@ -24,9 +27,23 @@ whitelist ${HOME}/.config/VirtualBox
24	whitelist ${HOME}/VirtualBox VMs	27	whitelist ${HOME}/VirtualBox VMs
25	whitelist ${DOWNLOADS}	28	whitelist ${DOWNLOADS}
26	include whitelist-common.inc	29	include whitelist-common.inc
		30	include whitelist-runuser-common.inc
		31	include whitelist-usr-share-common.inc
27	include whitelist-var-common.inc	32	include whitelist-var-common.inc
28		33
29	caps.keep net_raw,sys_admin,sys_nice	34	# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
		35
		36	caps.keep net_raw,sys_nice
30	netfilter	37	netfilter
31	nodvd	38	nodvd
		39	#nogroups
32	notv	40	notv
		41	shell none
		42	tracelog
		43
		44	#disable-mnt
		45	private-cache
		46	private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
		47
		48	dbus-user none
		49	dbus-system none


diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile new file mode 100644 index 000000000..b760b44dd --- /dev/null +++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -0,0 +1,51 @@
		1	# Firejail profile for xfce4-screenshooter
		2	# Description: Xfce screenshot tool
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include xfce4-screenshooter.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${PICTURES}
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-passwdmgr.inc
		16	include disable-programs.inc
		17	include disable-shell.inc
		18	include disable-xdg.inc
		19
		20	whitelist /usr/share/xfce4
		21	include whitelist-runuser-common.inc
		22	include whitelist-usr-share-common.inc
		23	include whitelist-var-common.inc
		24
		25	apparmor
		26	caps.drop all
		27	machine-id
		28	netfilter
		29	no3d
		30	nodvd
		31	nogroups
		32	nonewprivs
		33	noroot
		34	notv
		35	nou2f
		36	novideo
		37	protocol unix,inet,inet6
		38	seccomp
		39	shell none
		40	tracelog
		41
		42	disable-mnt
		43	private-bin xfce4-screenshooter,xfconf-query
		44	private-dev
		45	private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl
		46	private-tmp
		47
		48	dbus-user none
		49	dbus-system none
		50
		51	memory-deny-write-execute


diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile index 6eac10703..b3125ee50 100644 --- a/etc/profile-m-z/zoom.profile +++ b/etc/profile-m-z/zoom.profile
@@ -10,8 +10,11 @@ noblacklist ${HOME}/.zoom
10		10
11	include disable-common.inc	11	include disable-common.inc
12	include disable-devel.inc	12	include disable-devel.inc
		13	include disable-exec.inc
13	include disable-interpreters.inc	14	include disable-interpreters.inc
		15	include disable-passwdmgr.inc
14	include disable-programs.inc	16	include disable-programs.inc
		17	include disable-xdg.inc
15		18
16	mkdir ${HOME}/.cache/zoom	19	mkdir ${HOME}/.cache/zoom
17	mkfile ${HOME}/.config/zoomus.conf	20	mkfile ${HOME}/.config/zoomus.conf
@@ -20,14 +23,25 @@ whitelist ${HOME}/.cache/zoom
20	whitelist ${HOME}/.config/zoomus.conf	23	whitelist ${HOME}/.config/zoomus.conf
21	whitelist ${HOME}/.zoom	24	whitelist ${HOME}/.zoom
22	include whitelist-common.inc	25	include whitelist-common.inc
		26	include whitelist-runuser-common.inc
		27	include whitelist-usr-share-common.inc
		28	include whitelist-var-common.inc
23		29
24	caps.drop all	30	caps.drop all
25	netfilter	31	netfilter
26	nodvd	32	nodvd
		33	nogroups
27	nonewprivs	34	nonewprivs
28	noroot	35	noroot
29	notv	36	notv
		37	nou2f
30	protocol unix,inet,inet6,netlink	38	protocol unix,inet,inet6,netlink
31	seccomp !chroot	39	seccomp !chroot
		40	shell none
		41	tracelog
32		42
		43	disable-mnt
		44	private-cache
		45	private-dev
		46	private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
33	private-tmp	47	private-tmp