6 files changed, 12 insertions, 4 deletions

diff --git a/etc/firejail.config b/etc/firejail.config
index f5b3d5efa..43db49422 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -113,6 +113,10 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
+# Add rules to the default seccomp filter. Same syntax as for --seccomp=
+# None by default; this is an example.
+# seccomp-filter-add !chroot,kcmp,mincore
+
 # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index 043fd6718..7cf04c550 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -34,6 +34,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
 #include whitelist-common.inc
+whitelist /usr/share/pkgconfig
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index f7493aa82..b0e0254d4 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -37,8 +37,9 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
 
-# Add the next line to your chromium-common.local to allow screen sharing under wayland.
+# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 
 apparmor
 caps.keep sys_admin,sys_chroot
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 7874c882f..3ad67734d 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -56,8 +56,9 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next two lines to your firefox.local to allow screen sharing under wayland.
+# Add the next three lines to your firefox.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 8e3e58f19..da047357a 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -44,8 +44,9 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next lines to your librewolf.local to allow screensharing under Wayland.
+# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 0775f60ff..3992c984a 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes