6 files changed, 74 insertions, 2 deletions
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index ea334c289..c7605d660 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -16,6 +16,7 @@ blacklist ${HOME}/.LuminanceHDR
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Natron
 blacklist ${HOME}/.PyCharm*
+blacklist ${HOME}/.Sayonara
 blacklist ${HOME}/.Skype
 blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
@@ -465,6 +466,7 @@ blacklist ${HOME}/.passwd-s3fs
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.redeclipse
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 9ebcdba6c..b0de1f1a3 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -35,7 +35,8 @@ notv
 protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
-tracelog
+#disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930
+#tracelog
 disable-mnt
 private-dev
diff --git a/etc/picard.profile b/etc/picard.profile
index 9e0d4ab55..484b0e6b2 100644
--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -9,7 +9,9 @@ noblacklist ${HOME}/.cache/MusicBrainz
 noblacklist ${HOME}/.config/MusicBrainz
 # Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
diff --git a/etc/qmmp.profile b/etc/qmmp.profile
new file mode 100644
index 000000000..d785ddbbe
--- /dev/null
+++ b/etc/qmmp.profile
@@ -0,0 +1,34 @@
+# Firejail profile for qmmp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/qmmp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.qmmp
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+# no3d
+nodbus
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin qmmp
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/sayonara.profile b/etc/sayonara.profile
new file mode 100644
index 000000000..756bd99eb
--- /dev/null
+++ b/etc/sayonara.profile
@@ -0,0 +1,33 @@
+# Firejail profile for sayonara player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/sayonara.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.Sayonara
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin sayonara
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index a63798731..a33707ee4 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -41,7 +41,7 @@ shell none
 tracelog
 disable-mnt
-private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher
+private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tclsh,test,tor-browser-en,torbrowser-launcher
 private-dev
 private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index ea334c289..c7605d660 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -16,6 +16,7 @@ blacklist ${HOME}/.LuminanceHDR
16	blacklist ${HOME}/.Mathematica	16	blacklist ${HOME}/.Mathematica
17	blacklist ${HOME}/.Natron	17	blacklist ${HOME}/.Natron
18	blacklist ${HOME}/.PyCharm*	18	blacklist ${HOME}/.PyCharm*
		19	blacklist ${HOME}/.Sayonara
19	blacklist ${HOME}/.Skype	20	blacklist ${HOME}/.Skype
20	blacklist ${HOME}/.Steam	21	blacklist ${HOME}/.Steam
21	blacklist ${HOME}/.Steampath	22	blacklist ${HOME}/.Steampath
@@ -465,6 +466,7 @@ blacklist ${HOME}/.passwd-s3fs
465	blacklist ${HOME}/.pingus	466	blacklist ${HOME}/.pingus
466	blacklist ${HOME}/.purple	467	blacklist ${HOME}/.purple
467	blacklist ${HOME}/.qemu-launcher	468	blacklist ${HOME}/.qemu-launcher
		469	blacklist ${HOME}/.qmmp
468	blacklist ${HOME}/.redeclipse	470	blacklist ${HOME}/.redeclipse
469	blacklist ${HOME}/.remmina	471	blacklist ${HOME}/.remmina
470	blacklist ${HOME}/.repo_.gitconfig.json	472	blacklist ${HOME}/.repo_.gitconfig.json


diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 9ebcdba6c..b0de1f1a3 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile
@@ -35,7 +35,8 @@ notv
35	protocol unix,inet,inet6,netlink	35	protocol unix,inet,inet6,netlink
36	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	36	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
37	shell none	37	shell none
38	tracelog	38	#disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930
		39	#tracelog
39		40
40	disable-mnt	41	disable-mnt
41	private-dev	42	private-dev


diff --git a/etc/picard.profile b/etc/picard.profile index 9e0d4ab55..484b0e6b2 100644 --- a/etc/picard.profile +++ b/etc/picard.profile
@@ -9,7 +9,9 @@ noblacklist ${HOME}/.cache/MusicBrainz
9	noblacklist ${HOME}/.config/MusicBrainz	9	noblacklist ${HOME}/.config/MusicBrainz
10		10
11	# Allow python (blacklisted by disable-interpreters.inc)	11	# Allow python (blacklisted by disable-interpreters.inc)
		12	noblacklist ${PATH}/python2*
12	noblacklist ${PATH}/python3*	13	noblacklist ${PATH}/python3*
		14	noblacklist /usr/lib/python2*
13	noblacklist /usr/lib/python3*	15	noblacklist /usr/lib/python3*
14		16
15	include /etc/firejail/disable-common.inc	17	include /etc/firejail/disable-common.inc


diff --git a/etc/qmmp.profile b/etc/qmmp.profile new file mode 100644 index 000000000..d785ddbbe --- /dev/null +++ b/etc/qmmp.profile
@@ -0,0 +1,34 @@
		1	# Firejail profile for qmmp
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/qmmp.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ${HOME}/.qmmp
		9
		10	include /etc/firejail/disable-common.inc
		11	include /etc/firejail/disable-devel.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-programs.inc
		14
		15	caps.drop all
		16	netfilter
		17	# no3d
		18	nodbus
		19	nogroups
		20	nonewprivs
		21	noroot
		22	notv
		23	novideo
		24	protocol unix,inet,inet6
		25	seccomp
		26	shell none
		27	tracelog
		28
		29	private-bin qmmp
		30	private-dev
		31	private-tmp
		32
		33	noexec ${HOME}
		34	noexec /tmp


diff --git a/etc/sayonara.profile b/etc/sayonara.profile new file mode 100644 index 000000000..756bd99eb --- /dev/null +++ b/etc/sayonara.profile
@@ -0,0 +1,33 @@
		1	# Firejail profile for sayonara player
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/sayonara.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ${HOME}/.Sayonara
		9
		10	include /etc/firejail/disable-common.inc
		11	include /etc/firejail/disable-devel.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-programs.inc
		14
		15	caps.drop all
		16	netfilter
		17	no3d
		18	nogroups
		19	nonewprivs
		20	noroot
		21	notv
		22	novideo
		23	protocol unix,inet,inet6
		24	seccomp
		25	shell none
		26	tracelog
		27
		28	private-bin sayonara
		29	private-dev
		30	private-tmp
		31
		32	noexec ${HOME}
		33	noexec /tmp


diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index a63798731..a33707ee4 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile
@@ -41,7 +41,7 @@ shell none
41	tracelog	41	tracelog
42		42
43	disable-mnt	43	disable-mnt
44	private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher	44	private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tclsh,test,tor-browser-en,torbrowser-launcher
45	private-dev	45	private-dev
46	private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache	46	private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
47	private-tmp	47	private-tmp