30 files changed, 188 insertions, 13 deletions
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index 89543d6cc..6b7db6b44 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -6,8 +6,9 @@ include celluloid.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/gnome-mpv
 noblacklist ${HOME}/.config/celluloid
+noblacklist ${HOME}/.config/gnome-mpv
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
diff --git a/etc/conplay.profile b/etc/conplay.profile
new file mode 100644
index 000000000..101ce2f17
--- /dev/null
+++ b/etc/conplay.profile
@@ -0,0 +1,14 @@
+# Firejail profile for conplay
+# Persistent local customizations
+include conplay.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+## system-wide profile
+#+ overrides
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+# Redirect
+include mpg123.profile
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index ae82d72b5..7ca5a6b89 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -134,6 +134,8 @@ blacklist ${RUNUSER}/kdesud_*
 # gnome
 # contains extensions, last used times of applications, and notifications
 blacklist ${HOME}/.local/share/gnome-shell
+# no direct modification of dconf database
+read-only ${HOME}/.config/dconf
 # systemd
 blacklist ${HOME}/.config/systemd
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 3e6706101..c061e94a2 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -319,6 +319,7 @@ blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
+blacklist ${HOME}/.config/youtube-dl
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
diff --git a/etc/firejail.config b/etc/firejail.config
index dbe4fb1ea..4c0cb2a41 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,6 +2,9 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
+# Allow symbolic links in path of user home directories, default disabled.
+# homedir-symlink no
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
@@ -35,6 +38,11 @@
 # cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
+# Set the limit for file copy in several --private-* options. The size is set
+# in megabytes. By default we allow up to 500MB.
+# Note: the files are copied in RAM.
+# file-copy-limit 500
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 74ab9f8b7..85d9b9bd9 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# Comment the following line if you need to whitelist other folders than ~/Downloads
 include disable-xdg.inc
 mkdir ${HOME}/.cache/gajim
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 3dda48192..f757aed69 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -47,4 +47,4 @@ private-etc alternatives,fonts
 private-lib
 private-tmp
-memory-deny-write-execute
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/less.profile b/etc/less.profile
index e6366ad28..0f31d344b 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -8,13 +8,13 @@ include less.local
 include globals.local
 noblacklist ${HOME}/.lesshst
+read-only ${HOME}
+read-write ${HOME}/.lesshst
-include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
 apparmor
 caps.drop all
diff --git a/etc/mpg123-alsa.profile b/etc/mpg123-alsa.profile
new file mode 100644
index 000000000..378435af1
--- /dev/null
+++ b/etc/mpg123-alsa.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-alsa
+# Persistent local customizations
+include mpg123-alsa.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-id3dump.profile b/etc/mpg123-id3dump.profile
new file mode 100644
index 000000000..370a57b3c
--- /dev/null
+++ b/etc/mpg123-id3dump.profile
@@ -0,0 +1,12 @@
+# Firejail profile for mpg123-id3dump
+# Persistent local customizations
+include mpg123-id3dump.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+machine-id
+nosound
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-jack.profile b/etc/mpg123-jack.profile
new file mode 100644
index 000000000..e36a2e5b3
--- /dev/null
+++ b/etc/mpg123-jack.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-jack
+# Persistent local customizations
+include mpg123-jack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-nas.profile b/etc/mpg123-nas.profile
new file mode 100644
index 000000000..cdbf0b1d2
--- /dev/null
+++ b/etc/mpg123-nas.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-nas
+# Persistent local customizations
+include mpg123-nas.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-openal.profile b/etc/mpg123-openal.profile
new file mode 100644
index 000000000..e5585feaa
--- /dev/null
+++ b/etc/mpg123-openal.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-openal
+# Persistent local customizations
+include mpg123-openal.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-oss.profile b/etc/mpg123-oss.profile
new file mode 100644
index 000000000..dcb92ecd6
--- /dev/null
+++ b/etc/mpg123-oss.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-oss
+# Persistent local customizations
+include mpg123-oss.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-portaudio.profile b/etc/mpg123-portaudio.profile
new file mode 100644
index 000000000..319843504
--- /dev/null
+++ b/etc/mpg123-portaudio.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-portaudio
+# Persistent local customizations
+include mpg123-portaudio.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-pulse.profile b/etc/mpg123-pulse.profile
new file mode 100644
index 000000000..31063a96b
--- /dev/null
+++ b/etc/mpg123-pulse.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-pulse
+# Persistent local customizations
+include mpg123-pulse.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-strip.profile b/etc/mpg123-strip.profile
new file mode 100644
index 000000000..62de57c22
--- /dev/null
+++ b/etc/mpg123-strip.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-strip
+# Persistent local customizations
+include mpg123-strip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123.bin.profile b/etc/mpg123.bin.profile
new file mode 100644
index 000000000..0a01d0829
--- /dev/null
+++ b/etc/mpg123.bin.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123.bin
+# Persistent local customizations
+include mpg123.bin.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123.profile b/etc/mpg123.profile
new file mode 100644
index 000000000..8a8907c39
--- /dev/null
+++ b/etc/mpg123.profile
@@ -0,0 +1,38 @@
+# Firejail profile for mpg123
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpg123.local
+# Persistent global definitions
+include globals.local
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodbus
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+#private-bin mpg123*
+private-dev
+private-tmp
+memory-deny-write-execute
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile
index f0309da9a..878a5f654 100644
--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/mps-youtube
 noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/mps
@@ -29,10 +30,12 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/mps-youtube
 mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/youtube-dl
 mkdir ${HOME}/.mplayer
 mkdir ${HOME}/mps
 whitelist ${HOME}/.config/mps-youtube
 whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.mplayer
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/mps
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 07a6ba42b..d8163d20a 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -8,6 +8,7 @@ include mpv.local
 include globals.local
 noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -42,5 +43,6 @@ shell none
 tracelog
 private-bin env,mpv,python*,youtube-dl
-private-cache
+# Causes slow OSD, see #2838
+#private-cache
 private-dev
diff --git a/etc/mumble.profile b/etc/mumble.profile
index 2d8607e53..94ccbad0c 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -43,4 +43,4 @@ disable-mnt
 private-bin mumble
 private-tmp
-memory-deny-write-execute
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/obs.profile b/etc/obs.profile
index 038242cae..4277bdab3 100644
--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
-private-bin obs,python*
+private-bin bash,obs,obs-ffmpeg-mux,python*,sh
 private-cache
 private-dev
 private-tmp
diff --git a/etc/out123.profile b/etc/out123.profile
new file mode 100644
index 000000000..4754c05ba
--- /dev/null
+++ b/etc/out123.profile
@@ -0,0 +1,9 @@
+# Firejail profile for out123
+# Persistent local customizations
+include out123.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 621fef49f..e74394b22 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -45,4 +45,4 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
 private-lib
 private-tmp
-memory-deny-write-execute
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 6cb3fe4cd..abbd76aff 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -22,6 +22,7 @@ include whitelist-var-common.inc
 caps.drop all
 machine-id
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,5 +39,3 @@ tracelog
 private-bin qpdfview
 private-dev
 private-tmp
-memory-deny-write-execute
diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile
index e91d25196..e6af4c2cb 100644
--- a/etc/riot-desktop.profile
+++ b/etc/riot-desktop.profile
@@ -7,5 +7,8 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
+ignore seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # Redirect
 include riot-web.profile
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index f83caee8a..c7324e6ca 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -7,6 +7,7 @@ include smplayer.local
 include globals.local
 noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.mplayer
 # Allow python (blacklisted by disable-interpreters.inc)
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index f41453bf3..490255fa6 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -34,7 +34,7 @@ shell none
 # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
 disable-mnt
-private-bin bash,electron,env,sh,wire-desktop
+private-bin bash,electron,electron4,env,sh,wire-desktop
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 28b5f2376..6fc519bee 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -7,9 +7,10 @@ include youtube-dl.local
 # Persistent global definitions
 include globals.local
-# breaks when installed via pip
+# breaks when installed under ${HOME} via `pip install --user` (see #2833)
 ignore noexec ${HOME}
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
@@ -48,7 +49,6 @@ seccomp
 shell none
 tracelog
-disable-mnt
 private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev

diff --git a/etc/celluloid.profile b/etc/celluloid.profile index 89543d6cc..6b7db6b44 100644 --- a/etc/celluloid.profile +++ b/etc/celluloid.profile
@@ -6,8 +6,9 @@ include celluloid.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.config/gnome-mpv
10	noblacklist ${HOME}/.config/celluloid	9	noblacklist ${HOME}/.config/celluloid
		10	noblacklist ${HOME}/.config/gnome-mpv
		11	noblacklist ${HOME}/.config/youtube-dl
11	noblacklist ${MUSIC}	12	noblacklist ${MUSIC}
12	noblacklist ${VIDEOS}	13	noblacklist ${VIDEOS}
13		14


diff --git a/etc/conplay.profile b/etc/conplay.profile new file mode 100644 index 000000000..101ce2f17 --- /dev/null +++ b/etc/conplay.profile
@@ -0,0 +1,14 @@
		1	# Firejail profile for conplay
		2	# Persistent local customizations
		3	include conplay.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	## system-wide profile
		9	#+ overrides
		10	# Allow perl (blacklisted by disable-interpreters.inc)
		11	include allow-perl.inc
		12
		13	# Redirect
		14	include mpg123.profile


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index ae82d72b5..7ca5a6b89 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -134,6 +134,8 @@ blacklist ${RUNUSER}/kdesud_*
134	# gnome	134	# gnome
135	# contains extensions, last used times of applications, and notifications	135	# contains extensions, last used times of applications, and notifications
136	blacklist ${HOME}/.local/share/gnome-shell	136	blacklist ${HOME}/.local/share/gnome-shell
		137	# no direct modification of dconf database
		138	read-only ${HOME}/.config/dconf
137		139
138	# systemd	140	# systemd
139	blacklist ${HOME}/.config/systemd	141	blacklist ${HOME}/.config/systemd


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 3e6706101..c061e94a2 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -319,6 +319,7 @@ blacklist ${HOME}/.config/xviewer
319	blacklist ${HOME}/.config/yandex-browser	319	blacklist ${HOME}/.config/yandex-browser
320	blacklist ${HOME}/.config/yandex-browser-beta	320	blacklist ${HOME}/.config/yandex-browser-beta
321	blacklist ${HOME}/.config/yelp	321	blacklist ${HOME}/.config/yelp
		322	blacklist ${HOME}/.config/youtube-dl
322	blacklist ${HOME}/.config/zathura	323	blacklist ${HOME}/.config/zathura
323	blacklist ${HOME}/.config/zoomus.conf	324	blacklist ${HOME}/.config/zoomus.conf
324	blacklist ${HOME}/.conkeror.mozdev.org	325	blacklist ${HOME}/.conkeror.mozdev.org


diff --git a/etc/firejail.config b/etc/firejail.config index dbe4fb1ea..4c0cb2a41 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -2,6 +2,9 @@
2	# keyword-argument pairs, one per line. Most features are enabled by default.	2	# keyword-argument pairs, one per line. Most features are enabled by default.
3	# Use 'yes' or 'no' as configuration values.	3	# Use 'yes' or 'no' as configuration values.
4		4
		5	# Allow symbolic links in path of user home directories, default disabled.
		6	# homedir-symlink no
		7
5	# Enable AppArmor functionality, default enabled.	8	# Enable AppArmor functionality, default enabled.
6	# apparmor yes	9	# apparmor yes
7		10
@@ -35,6 +38,11 @@
35	# cannot be overridden by --noblacklist or --ignore.	38	# cannot be overridden by --noblacklist or --ignore.
36	# disable-mnt no	39	# disable-mnt no
37		40
		41	# Set the limit for file copy in several --private-* options. The size is set
		42	# in megabytes. By default we allow up to 500MB.
		43	# Note: the files are copied in RAM.
		44	# file-copy-limit 500
		45
38	# Enable or disable file transfer support, default enabled.	46	# Enable or disable file transfer support, default enabled.
39	# file-transfer yes	47	# file-transfer yes
40		48


diff --git a/etc/gajim.profile b/etc/gajim.profile index 74ab9f8b7..85d9b9bd9 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile
@@ -20,6 +20,7 @@ include disable-exec.inc
20	include disable-interpreters.inc	20	include disable-interpreters.inc
21	include disable-passwdmgr.inc	21	include disable-passwdmgr.inc
22	include disable-programs.inc	22	include disable-programs.inc
		23	# Comment the following line if you need to whitelist other folders than ~/Downloads
23	include disable-xdg.inc	24	include disable-xdg.inc
24		25
25	mkdir ${HOME}/.cache/gajim	26	mkdir ${HOME}/.cache/gajim


diff --git a/etc/galculator.profile b/etc/galculator.profile index 3dda48192..f757aed69 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile
@@ -47,4 +47,4 @@ private-etc alternatives,fonts
47	private-lib	47	private-lib
48	private-tmp	48	private-tmp
49		49
50	memory-deny-write-execute	50	#memory-deny-write-execute - breaks on Arch (see issue #1803)


diff --git a/etc/less.profile b/etc/less.profile index e6366ad28..0f31d344b 100644 --- a/etc/less.profile +++ b/etc/less.profile
@@ -8,13 +8,13 @@ include less.local
8	include globals.local	8	include globals.local
9		9
10	noblacklist ${HOME}/.lesshst	10	noblacklist ${HOME}/.lesshst
		11	read-only ${HOME}
		12	read-write ${HOME}/.lesshst
11		13
12	include disable-common.inc
13	include disable-devel.inc	14	include disable-devel.inc
14	include disable-exec.inc	15	include disable-exec.inc
15	include disable-interpreters.inc	16	include disable-interpreters.inc
16	include disable-passwdmgr.inc	17	include disable-passwdmgr.inc
17	include disable-programs.inc
18		18
19	apparmor	19	apparmor
20	caps.drop all	20	caps.drop all


diff --git a/etc/mpg123-alsa.profile b/etc/mpg123-alsa.profile new file mode 100644 index 000000000..378435af1 --- /dev/null +++ b/etc/mpg123-alsa.profile
@@ -0,0 +1,9 @@
		1	# Firejail profile for mpg123-alsa
		2	# Persistent local customizations
		3	include mpg123-alsa.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	# Redirect
		9	include mpg123.profile


diff --git a/etc/mpg123-id3dump.profile b/etc/mpg123-id3dump.profile new file mode 100644 index 000000000..370a57b3c --- /dev/null +++ b/etc/mpg123-id3dump.profile
@@ -0,0 +1,12 @@
		1	# Firejail profile for mpg123-id3dump
		2	# Persistent local customizations
		3	include mpg123-id3dump.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	machine-id
		9	nosound
		10
		11	# Redirect
		12	include mpg123.profile


diff --git a/etc/mpg123-jack.profile b/etc/mpg123-jack.profile new file mode 100644 index 000000000..e36a2e5b3 --- /dev/null +++ b/etc/mpg123-jack.profile
@@ -0,0 +1,9 @@
		1	# Firejail profile for mpg123-jack
		2	# Persistent local customizations
		3	include mpg123-jack.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	# Redirect
		9	include mpg123.profile


diff --git a/etc/mpg123-nas.profile b/etc/mpg123-nas.profile new file mode 100644 index 000000000..cdbf0b1d2 --- /dev/null +++ b/etc/mpg123-nas.profile
@@ -0,0 +1,9 @@
		1	# Firejail profile for mpg123-nas
		2	# Persistent local customizations
		3	include mpg123-nas.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	# Redirect
		9	include mpg123.profile


diff --git a/etc/mpg123-openal.profile b/etc/mpg123-openal.profile new file mode 100644 index 000000000..e5585feaa --- /dev/null +++ b/etc/mpg123-openal.profile
@@ -0,0 +1,9 @@
		1	# Firejail profile for mpg123-openal
		2	# Persistent local customizations
		3	include mpg123-openal.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	# Redirect
		9	include mpg123.profile


diff --git a/etc/mpg123-oss.profile b/etc/mpg123-oss.profile new file mode 100644 index 000000000..dcb92ecd6 --- /dev/null +++ b/etc/mpg123-oss.profile
@@ -0,0 +1,9 @@
		1	# Firejail profile for mpg123-oss
		2	# Persistent local customizations
		3	include mpg123-oss.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	# Redirect
		9	include mpg123.profile


diff --git a/etc/mpg123-portaudio.profile b/etc/mpg123-portaudio.profile new file mode 100644 index 000000000..319843504 --- /dev/null +++ b/etc/mpg123-portaudio.profile
@@ -0,0 +1,9 @@
		1	# Firejail profile for mpg123-portaudio
		2	# Persistent local customizations
		3	include mpg123-portaudio.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	# Redirect
		9	include mpg123.profile


diff --git a/etc/mpg123-pulse.profile b/etc/mpg123-pulse.profile new file mode 100644 index 000000000..31063a96b --- /dev/null +++ b/etc/mpg123-pulse.profile
@@ -0,0 +1,9 @@
		1	# Firejail profile for mpg123-pulse
		2	# Persistent local customizations
		3	include mpg123-pulse.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	# Redirect
		9	include mpg123.profile


diff --git a/etc/mpg123-strip.profile b/etc/mpg123-strip.profile new file mode 100644 index 000000000..62de57c22 --- /dev/null +++ b/etc/mpg123-strip.profile
@@ -0,0 +1,9 @@
		1	# Firejail profile for mpg123-strip
		2	# Persistent local customizations
		3	include mpg123-strip.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	# Redirect
		9	include mpg123.profile


diff --git a/etc/mpg123.bin.profile b/etc/mpg123.bin.profile new file mode 100644 index 000000000..0a01d0829 --- /dev/null +++ b/etc/mpg123.bin.profile
@@ -0,0 +1,9 @@
		1	# Firejail profile for mpg123.bin
		2	# Persistent local customizations
		3	include mpg123.bin.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	# Redirect
		9	include mpg123.profile


diff --git a/etc/mpg123.profile b/etc/mpg123.profile new file mode 100644 index 000000000..8a8907c39 --- /dev/null +++ b/etc/mpg123.profile
@@ -0,0 +1,38 @@
		1	# Firejail profile for mpg123
		2	# Description: MPEG audio player/decoder
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include mpg123.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${MUSIC}
		10	noblacklist ${VIDEOS}
		11
		12	include disable-common.inc
		13	include disable-devel.inc
		14	include disable-exec.inc
		15	include disable-interpreters.inc
		16	include disable-passwdmgr.inc
		17	include disable-programs.inc
		18	include disable-xdg.inc
		19
		20	include whitelist-var-common.inc
		21
		22	apparmor
		23	caps.drop all
		24	netfilter
		25	nodbus
		26	nogroups
		27	nonewprivs
		28	noroot
		29	nou2f
		30	protocol unix,inet,inet6,netlink
		31	seccomp
		32	shell none
		33
		34	#private-bin mpg123*
		35	private-dev
		36	private-tmp
		37
		38	memory-deny-write-execute


diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile index f0309da9a..878a5f654 100644 --- a/etc/mpsyt.profile +++ b/etc/mpsyt.profile
@@ -8,6 +8,7 @@ include globals.local
8		8
9	noblacklist ${HOME}/.config/mps-youtube	9	noblacklist ${HOME}/.config/mps-youtube
10	noblacklist ${HOME}/.config/mpv	10	noblacklist ${HOME}/.config/mpv
		11	noblacklist ${HOME}/.config/youtube-dl
11	noblacklist ${HOME}/.mplayer	12	noblacklist ${HOME}/.mplayer
12	noblacklist ${HOME}/.netrc	13	noblacklist ${HOME}/.netrc
13	noblacklist ${HOME}/mps	14	noblacklist ${HOME}/mps
@@ -29,10 +30,12 @@ include disable-xdg.inc
29		30
30	mkdir ${HOME}/.config/mps-youtube	31	mkdir ${HOME}/.config/mps-youtube
31	mkdir ${HOME}/.config/mpv	32	mkdir ${HOME}/.config/mpv
		33	mkdir ${HOME}/.config/youtube-dl
32	mkdir ${HOME}/.mplayer	34	mkdir ${HOME}/.mplayer
33	mkdir ${HOME}/mps	35	mkdir ${HOME}/mps
34	whitelist ${HOME}/.config/mps-youtube	36	whitelist ${HOME}/.config/mps-youtube
35	whitelist ${HOME}/.config/mpv	37	whitelist ${HOME}/.config/mpv
		38	whitelist ${HOME}/.config/youtube-dl
36	whitelist ${HOME}/.mplayer	39	whitelist ${HOME}/.mplayer
37	whitelist ${HOME}/.netrc	40	whitelist ${HOME}/.netrc
38	whitelist ${HOME}/mps	41	whitelist ${HOME}/mps


diff --git a/etc/mpv.profile b/etc/mpv.profile index 07a6ba42b..d8163d20a 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile
@@ -8,6 +8,7 @@ include mpv.local
8	include globals.local	8	include globals.local
9		9
10	noblacklist ${HOME}/.config/mpv	10	noblacklist ${HOME}/.config/mpv
		11	noblacklist ${HOME}/.config/youtube-dl
11	noblacklist ${HOME}/.netrc	12	noblacklist ${HOME}/.netrc
12		13
13	# Allow python (blacklisted by disable-interpreters.inc)	14	# Allow python (blacklisted by disable-interpreters.inc)
@@ -42,5 +43,6 @@ shell none
42	tracelog	43	tracelog
43		44
44	private-bin env,mpv,python*,youtube-dl	45	private-bin env,mpv,python*,youtube-dl
45	private-cache	46	# Causes slow OSD, see #2838
		47	#private-cache
46	private-dev	48	private-dev


diff --git a/etc/mumble.profile b/etc/mumble.profile index 2d8607e53..94ccbad0c 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile
@@ -43,4 +43,4 @@ disable-mnt
43	private-bin mumble	43	private-bin mumble
44	private-tmp	44	private-tmp
45		45
46	memory-deny-write-execute	46	#memory-deny-write-execute - breaks on Arch (see issue #1803)


diff --git a/etc/obs.profile b/etc/obs.profile index 038242cae..4277bdab3 100644 --- a/etc/obs.profile +++ b/etc/obs.profile
@@ -36,7 +36,7 @@ seccomp
36	shell none	36	shell none
37	tracelog	37	tracelog
38		38
39	private-bin obs,python*	39	private-bin bash,obs,obs-ffmpeg-mux,python*,sh
40	private-cache	40	private-cache
41	private-dev	41	private-dev
42	private-tmp	42	private-tmp


diff --git a/etc/out123.profile b/etc/out123.profile new file mode 100644 index 000000000..4754c05ba --- /dev/null +++ b/etc/out123.profile
@@ -0,0 +1,9 @@
		1	# Firejail profile for out123
		2	# Persistent local customizations
		3	include out123.local
		4	# Persistent global definitions
		5	# added by included profile
		6	#include globals.local
		7
		8	# Redirect
		9	include mpg123.profile


diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile index 621fef49f..e74394b22 100644 --- a/etc/pavucontrol.profile +++ b/etc/pavucontrol.profile
@@ -45,4 +45,4 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
45	private-lib	45	private-lib
46	private-tmp	46	private-tmp
47		47
48	memory-deny-write-execute	48	#memory-deny-write-execute - breaks on Arch (see issue #1803)


diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 6cb3fe4cd..abbd76aff 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile
@@ -22,6 +22,7 @@ include whitelist-var-common.inc
22		22
23	caps.drop all	23	caps.drop all
24	machine-id	24	machine-id
		25	nodbus
25	nodvd	26	nodvd
26	nogroups	27	nogroups
27	nonewprivs	28	nonewprivs
@@ -38,5 +39,3 @@ tracelog
38	private-bin qpdfview	39	private-bin qpdfview
39	private-dev	40	private-dev
40	private-tmp	41	private-tmp
41
42	memory-deny-write-execute


diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile index e91d25196..e6af4c2cb 100644 --- a/etc/riot-desktop.profile +++ b/etc/riot-desktop.profile
@@ -7,5 +7,8 @@ include riot-desktop.local
7	# added by included profile	7	# added by included profile
8	#include globals.local	8	#include globals.local
9		9
		10	ignore seccomp
		11	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
		12
10	# Redirect	13	# Redirect
11	include riot-web.profile	14	include riot-web.profile


diff --git a/etc/smplayer.profile b/etc/smplayer.profile index f83caee8a..c7324e6ca 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile
@@ -7,6 +7,7 @@ include smplayer.local
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.config/smplayer	9	noblacklist ${HOME}/.config/smplayer
		10	noblacklist ${HOME}/.config/youtube-dl
10	noblacklist ${HOME}/.mplayer	11	noblacklist ${HOME}/.mplayer
11		12
12	# Allow python (blacklisted by disable-interpreters.inc)	13	# Allow python (blacklisted by disable-interpreters.inc)


diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile index f41453bf3..490255fa6 100644 --- a/etc/wire-desktop.profile +++ b/etc/wire-desktop.profile
@@ -34,7 +34,7 @@ shell none
34	# it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"	34	# it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
35		35
36	disable-mnt	36	disable-mnt
37	private-bin bash,electron,env,sh,wire-desktop	37	private-bin bash,electron,electron4,env,sh,wire-desktop
38	private-dev	38	private-dev
39	private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl	39	private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
40	private-tmp	40	private-tmp


diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index 28b5f2376..6fc519bee 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile
@@ -7,9 +7,10 @@ include youtube-dl.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
10	# breaks when installed via pip	10	# breaks when installed under ${HOME} via `pip install --user` (see #2833)
11	ignore noexec ${HOME}	11	ignore noexec ${HOME}
12		12
		13	noblacklist ${HOME}/.config/youtube-dl
13	noblacklist ${HOME}/.netrc	14	noblacklist ${HOME}/.netrc
14	noblacklist ${MUSIC}	15	noblacklist ${MUSIC}
15	noblacklist ${VIDEOS}	16	noblacklist ${VIDEOS}
@@ -48,7 +49,6 @@ seccomp
48	shell none	49	shell none
49	tracelog	50	tracelog
50		51
51	disable-mnt
52	private-bin env,ffmpeg,python*,youtube-dl	52	private-bin env,ffmpeg,python*,youtube-dl
53	private-cache	53	private-cache
54	private-dev	54	private-dev