6 files changed, 8 insertions, 14 deletions
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 7c324a34b..d16e7c067 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,6 +1,7 @@
 # cherrytree note taking application
 noblacklist /usr/bin/python2*
 noblacklist /usr/lib/python3*
+noblacklist ${HOME}/.config/cherrytree/
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -15,13 +16,4 @@ seccomp
 protocol unix,inet,inet6,netlink
 tracelog
-include /etc/firejail/whitelist-common.inc
-# no private-bin support for various reasons:
-#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree 
-#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree"  
-#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree 
-#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null 
-#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc 
-# it requires acces to browser to show the online help
-# it doesn't play nicely with expect
diff --git a/etc/evince.profile b/etc/evince.profile
index 374fa4aaa..894c7c70d 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,5 +15,4 @@ shell none
 tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
-whitelist /tmp/.X11-unix
 private-dev
diff --git a/etc/firejail-default b/etc/firejail-default
index 0b771f834..1b0eb7658 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -31,6 +31,9 @@ profile firejail-default {
 /{,var/}run/user/**/pulse/ rw,
 /{,var/}run/user/**/pulse/** rw,
 /{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/firejail/appimage r,
+/{,var/}run/firejail/appimage/** r,
+/{,var/}run/firejail/appimage/** ix,
 /{run,dev}/shm/ r,
 /{run,dev}/shm/** rmwk,
diff --git a/etc/keepass.profile b/etc/keepass.profile
index b2085f53d..23f9a7b40 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -13,7 +13,7 @@ nogroups
 nonewprivs
 noroot
 nosound
-protocol unix
+protocol unix,inet,inet6
 seccomp
 netfilter
 shell none
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 75a52e9ff..d6aceb7a8 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -1,5 +1,6 @@
 # Firejail profile for LibreOffice
 noblacklist ~/.config/libreoffice
+noblacklist /usr/local/sbin
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -10,9 +11,9 @@ netfilter
 nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6
 seccomp
 tracelog
 private-dev
-whitelist /tmp/.X11-unix/
+# whitelist /tmp/.X11-unix/
diff --git a/etc/vlc.profile b/etc/vlc.profile
index cdd098dd5..446e47864 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -14,7 +14,6 @@ noroot
 protocol unix,inet,inet6
 seccomp
 shell none
-tracelog
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev

diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 7c324a34b..d16e7c067 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile
@@ -1,6 +1,7 @@
1	# cherrytree note taking application	1	# cherrytree note taking application
2	noblacklist /usr/bin/python2*	2	noblacklist /usr/bin/python2*
3	noblacklist /usr/lib/python3*	3	noblacklist /usr/lib/python3*
		4	noblacklist ${HOME}/.config/cherrytree/
4	include /etc/firejail/disable-common.inc	5	include /etc/firejail/disable-common.inc
5	include /etc/firejail/disable-programs.inc	6	include /etc/firejail/disable-programs.inc
6	include /etc/firejail/disable-devel.inc	7	include /etc/firejail/disable-devel.inc
@@ -15,13 +16,4 @@ seccomp
15	protocol unix,inet,inet6,netlink	16	protocol unix,inet,inet6,netlink
16	tracelog	17	tracelog
17		18
18	include /etc/firejail/whitelist-common.inc
19		19
20	# no private-bin support for various reasons:
21	#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree
22	#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree"
23	#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree
24	#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null
25	#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc
26	# it requires acces to browser to show the online help
27	# it doesn't play nicely with expect


diff --git a/etc/evince.profile b/etc/evince.profile index 374fa4aaa..894c7c70d 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -15,5 +15,4 @@ shell none
15	tracelog	15	tracelog
16		16
17	private-bin evince,evince-previewer,evince-thumbnailer	17	private-bin evince,evince-previewer,evince-thumbnailer
18	whitelist /tmp/.X11-unix
19	private-dev	18	private-dev


diff --git a/etc/firejail-default b/etc/firejail-default index 0b771f834..1b0eb7658 100644 --- a/etc/firejail-default +++ b/etc/firejail-default
@@ -31,6 +31,9 @@ profile firejail-default {
31	/{,var/}run/user/**/pulse/ rw,	31	/{,var/}run/user/**/pulse/ rw,
32	/{,var/}run/user//pulse/ rw,	32	/{,var/}run/user//pulse/ rw,
33	/{,var/}run/firejail/mnt/fslogger r,	33	/{,var/}run/firejail/mnt/fslogger r,
		34	/{,var/}run/firejail/appimage r,
		35	/{,var/}run/firejail/appimage/** r,
		36	/{,var/}run/firejail/appimage/** ix,
34	/{run,dev}/shm/ r,	37	/{run,dev}/shm/ r,
35	/{run,dev}/shm/** rmwk,	38	/{run,dev}/shm/** rmwk,
36		39


diff --git a/etc/keepass.profile b/etc/keepass.profile index b2085f53d..23f9a7b40 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile
@@ -13,7 +13,7 @@ nogroups
13	nonewprivs	13	nonewprivs
14	noroot	14	noroot
15	nosound	15	nosound
16	protocol unix	16	protocol unix,inet,inet6
17	seccomp	17	seccomp
18	netfilter	18	netfilter
19	shell none	19	shell none


diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 75a52e9ff..d6aceb7a8 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile
@@ -1,5 +1,6 @@
1	# Firejail profile for LibreOffice	1	# Firejail profile for LibreOffice
2	noblacklist ~/.config/libreoffice	2	noblacklist ~/.config/libreoffice
		3	noblacklist /usr/local/sbin
3	include /etc/firejail/disable-common.inc	4	include /etc/firejail/disable-common.inc
4	include /etc/firejail/disable-programs.inc	5	include /etc/firejail/disable-programs.inc
5	include /etc/firejail/disable-devel.inc	6	include /etc/firejail/disable-devel.inc
@@ -10,9 +11,9 @@ netfilter
10	nogroups	11	nogroups
11	nonewprivs	12	nonewprivs
12	noroot	13	noroot
13	protocol unix,inet,inet6,netlink	14	protocol unix,inet,inet6
14	seccomp	15	seccomp
15	tracelog	16	tracelog
16		17
17	private-dev	18	private-dev
18	whitelist /tmp/.X11-unix/	19	# whitelist /tmp/.X11-unix/


diff --git a/etc/vlc.profile b/etc/vlc.profile index cdd098dd5..446e47864 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -14,7 +14,6 @@ noroot
14	protocol unix,inet,inet6	14	protocol unix,inet,inet6
15	seccomp	15	seccomp
16	shell none	16	shell none
17	tracelog
18		17
19	private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc	18	private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
20	private-dev	19	private-dev