7 files changed, 30 insertions, 12 deletions
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 09548c761..071a279b0 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -13,6 +13,8 @@ ignore noexec /tmp
 # you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
 # Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
+# Causes slow starts (#4604)
+ignore private-cache
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 2b26b3727..89c44bf76 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -65,7 +65,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,localtime,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 # encrypting and signing email
 writable-run-user
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 21bf7eabf..eec9f86db 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -6,9 +6,9 @@ include evince.local
 # Persistent global definitions
 include globals.local
-# WARNING: using bookmarks possibly exposes information, including file history from other programs.
+# WARNING: This exposes information like file history from other programs.
-# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below).
+# You can add a blacklist for it in your evince.local for additional hardening if you can live with some restrictions.
-#noblacklist ${HOME}/.local/share/gvfs-metadata
+noblacklist ${HOME}/.local/share/gvfs-metadata
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
@@ -59,9 +59,8 @@ private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
-# dbus-user filtering might break two-page-view on some systems
 dbus-user filter
-# Add the next two lines to your evince.local if you need bookmarks support.
+dbus-user.talk ca.desrt.dconf
-#dbus-user.talk org.gtk.vfs.Daemon
+dbus-user.talk org.gtk.vfs.Daemon
-#dbus-user.talk org.gtk.vfs.Metadata
+dbus-user.talk org.gtk.vfs.Metadata
 dbus-system none
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 0562cf430..80cecd056 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -69,7 +69,8 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !modify_ldt
+seccomp.32 !modify_ldt
 # Add the next line to your lutris.local if you do not need controller support.
 #private-dev
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index bb2a41457..22c8b1782 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -8,8 +8,12 @@ include globals.local
 noblacklist ${HOME}/.nicotine
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
@@ -37,6 +41,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -47,7 +52,7 @@ seccomp
 tracelog
 disable-mnt
-private-bin nicotine,python2*
+#private-bin nicotine,python2*
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 92ebebdae..8a9614fb0 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -10,6 +10,7 @@ include globals.local
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
+ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
@@ -21,7 +22,7 @@ whitelist ${HOME}/.config/Whalebird
 no3d
 private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 8582e2462..28c219377 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -19,6 +19,13 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -55,5 +62,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
-dbus-user none
+dbus-user filter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none