14 files changed, 111 insertions, 29 deletions
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index b4e7f642a..3cc771ed7 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -33,6 +33,7 @@ owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
 #ptrace,
 # Allow obtaining some process information, but not ptrace(2)
 ptrace (read,readby) peer=@{profile_name},
+ptrace (read,readby) peer=@{profile_name}//&unconfined,
 ##########
 # Allow read access to whole filesystem and control it from firejail.
@@ -123,6 +124,7 @@ network packet,
 ##########
 # There is no equivalent in Firejail for filtering signals.
 ##########
+signal (send) peer=@{profile_name}//&unconfined,
 signal (send) peer=@{profile_name},
 signal (receive),
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 79da8d5f5..7ad491460 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -156,6 +156,7 @@ blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/lutris
 blacklist ${HOME}/.cache/marker
 blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge
 blacklist ${HOME}/.cache/microsoft-edge-beta
 blacklist ${HOME}/.cache/microsoft-edge-dev
 blacklist ${HOME}/.cache/midori
@@ -522,6 +523,7 @@ blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/mfusion
+blacklist ${HOME}/.config/microsoft-edge
 blacklist ${HOME}/.config/microsoft-edge-beta
 blacklist ${HOME}/.config/microsoft-edge-dev
 blacklist ${HOME}/.config/midori
@@ -622,6 +624,7 @@ blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/tuir
 blacklist ${HOME}/.config/tuta_integration
 blacklist ${HOME}/.config/tutanota-desktop
 blacklist ${HOME}/.config/tvbrowser
@@ -995,6 +998,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/tuir
 blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index b517620db..2831fec72 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -20,7 +20,8 @@ include disable-xdg.inc
 include whitelist-var-common.inc
-apparmor
+## Enabling App Armor appears to break some Fedora / Arch installs
+#apparmor
 caps.drop all
 net none
 no3d
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile
new file mode 100644
index 000000000..783183bea
--- /dev/null
+++ b/etc/profile-a-l/gdu.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gdu
+# Description: Fast disk usage analyzer with console interface
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gdu.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+include disable-exec.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+seccomp.block-secondary
+x11 none
+private-dev
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+# gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features.
+# Depending on workflow and use case the sandbox can be hardened by adding the
+# lines below to your gdu.local if you don't need/want these functionalities.
+#include disable-shell.inc
+#private-bin gdu
+#read-only ${HOME}
diff --git a/etc/profile-m-z/makedeb.profile b/etc/profile-m-z/makedeb.profile
new file mode 100644
index 000000000..f45bfca3a
--- /dev/null
+++ b/etc/profile-m-z/makedeb.profile
@@ -0,0 +1,13 @@
+# Firejail profile for makedeb
+# Description: A utility to automate the building of Debian packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include makedeb.local
+# Persistent global definitions
+#include globals.local
+ignore noblacklist /var/lib/pacman
+# Redirect
+include makepkg.profile
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index dd2f0b318..4ec6ef82e 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -1,4 +1,5 @@
 # Firejail profile for makepkg
+# Description: A utility to automate the building of Arch Linux packages
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index bdc6e3451..b8d221dc3 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -56,7 +56,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,group,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,login.defs,man_db.conf,manpath.config,passwd,selinux,sysless,xdg
 #private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 095038f08..63844ad70 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/microsoft-edge-beta
 whitelist ${HOME}/.cache/microsoft-edge-beta
 whitelist ${HOME}/.config/microsoft-edge-beta
-private-opt microsoft
+whitelist /opt/microsoft/msedge-beta
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
index 039cd36a8..b01fd7c25 100644
--- a/etc/profile-m-z/microsoft-edge-dev.profile
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/microsoft-edge-dev
 whitelist ${HOME}/.cache/microsoft-edge-dev
 whitelist ${HOME}/.config/microsoft-edge-dev
-private-opt microsoft
+whitelist /opt/microsoft/msedge-dev
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile
index f427507d1..4cd8c85a5 100644
--- a/etc/profile-m-z/microsoft-edge.profile
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -1,11 +1,20 @@
 # Firejail profile for Microsoft Edge
-# Description: Web browser from Microsoft
+# Description: Web browser from Microsoft,stable channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+noblacklist ${HOME}/.cache/microsoft-edge
+noblacklist ${HOME}/.config/microsoft-edge
+mkdir ${HOME}/.cache/microsoft-edge
+mkdir ${HOME}/.config/microsoft-edge
+whitelist ${HOME}/.cache/microsoft-edge
+whitelist ${HOME}/.config/microsoft-edge
+whitelist /opt/microsoft/msedge
 # Redirect
-include microsoft-edge-dev.profile
+include chromium-common.profile
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 5d482adca..9000b7972 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -50,31 +50,11 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
-mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.config/neomutt
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
-mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mail
-mkdir ${HOME}/.mutt
-mkdir ${HOME}/.neomutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
 mkdir ${HOME}/Mail
 mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
-mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
-mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
-mkfile ${HOME}/.neomuttrc
-mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 30f9aafcb..5e5a8e9bb 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -156,7 +156,10 @@ protocol unix,inet,inet6,netlink
 # seccomp sometimes causes issues (see #2951, #3267).
 # Add 'ignore seccomp' to your steam.local if you experience this.
 # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
+# (see #4366).
 seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2
+# process_vm_readv is used by GE-Proton7-18 (see #5185).
+seccomp.32 !process_vm_readv
 # tracelog breaks integrated browser
 #tracelog
diff --git a/etc/profile-m-z/tuir.profile b/etc/profile-m-z/tuir.profile
new file mode 100644
index 000000000..b441503c6
--- /dev/null
+++ b/etc/profile-m-z/tuir.profile
@@ -0,0 +1,23 @@
+# Firejail profile for tuir
+# Description: Browse Reddit from your terminal (rtv fork)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tuir.local
+# Persistent global definitions
+#include globals.local
+ignore mkdir ${HOME}/.config/rtv
+ignore mkdir ${HOME}/.local/share/rtv
+noblacklist ${HOME}/.config/tuir
+noblacklist ${HOME}/.local/share/tuir
+mkdir ${HOME}/.config/tuir
+mkdir ${HOME}/.local/share/tuir
+whitelist ${HOME}/.config/tuir
+whitelist ${HOME}/.local/share/tuir
+private-bin tuir
+# Redirect
+include rtv.profile
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 627bb57a8..74c951fe6 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none

diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index b4e7f642a..3cc771ed7 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default
@@ -33,6 +33,7 @@ owner /{,var/}run/firejail/dbus/[0-9]/[0-9]-user w,
33	#ptrace,	33	#ptrace,
34	# Allow obtaining some process information, but not ptrace(2)	34	# Allow obtaining some process information, but not ptrace(2)
35	ptrace (read,readby) peer=@{profile_name},	35	ptrace (read,readby) peer=@{profile_name},
		36	ptrace (read,readby) peer=@{profile_name}//&unconfined,
36		37
37	##########	38	##########
38	# Allow read access to whole filesystem and control it from firejail.	39	# Allow read access to whole filesystem and control it from firejail.
@@ -123,6 +124,7 @@ network packet,
123	##########	124	##########
124	# There is no equivalent in Firejail for filtering signals.	125	# There is no equivalent in Firejail for filtering signals.
125	##########	126	##########
		127	signal (send) peer=@{profile_name}//&unconfined,
126	signal (send) peer=@{profile_name},	128	signal (send) peer=@{profile_name},
127	signal (receive),	129	signal (receive),
128		130


diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 79da8d5f5..7ad491460 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -156,6 +156,7 @@ blacklist ${HOME}/.cache/liferea
156	blacklist ${HOME}/.cache/lutris	156	blacklist ${HOME}/.cache/lutris
157	blacklist ${HOME}/.cache/marker	157	blacklist ${HOME}/.cache/marker
158	blacklist ${HOME}/.cache/matrix-mirage	158	blacklist ${HOME}/.cache/matrix-mirage
		159	blacklist ${HOME}/.cache/microsoft-edge
159	blacklist ${HOME}/.cache/microsoft-edge-beta	160	blacklist ${HOME}/.cache/microsoft-edge-beta
160	blacklist ${HOME}/.cache/microsoft-edge-dev	161	blacklist ${HOME}/.cache/microsoft-edge-dev
161	blacklist ${HOME}/.cache/midori	162	blacklist ${HOME}/.cache/midori
@@ -522,6 +523,7 @@ blacklist ${HOME}/.config/meld
522	blacklist ${HOME}/.config/menulibre.cfg	523	blacklist ${HOME}/.config/menulibre.cfg
523	blacklist ${HOME}/.config/meteo-qt	524	blacklist ${HOME}/.config/meteo-qt
524	blacklist ${HOME}/.config/mfusion	525	blacklist ${HOME}/.config/mfusion
		526	blacklist ${HOME}/.config/microsoft-edge
525	blacklist ${HOME}/.config/microsoft-edge-beta	527	blacklist ${HOME}/.config/microsoft-edge-beta
526	blacklist ${HOME}/.config/microsoft-edge-dev	528	blacklist ${HOME}/.config/microsoft-edge-dev
527	blacklist ${HOME}/.config/midori	529	blacklist ${HOME}/.config/midori
@@ -622,6 +624,7 @@ blacklist ${HOME}/.config/tox
622	blacklist ${HOME}/.config/transgui	624	blacklist ${HOME}/.config/transgui
623	blacklist ${HOME}/.config/transmission	625	blacklist ${HOME}/.config/transmission
624	blacklist ${HOME}/.config/truecraft	626	blacklist ${HOME}/.config/truecraft
		627	blacklist ${HOME}/.config/tuir
625	blacklist ${HOME}/.config/tuta_integration	628	blacklist ${HOME}/.config/tuta_integration
626	blacklist ${HOME}/.config/tutanota-desktop	629	blacklist ${HOME}/.config/tutanota-desktop
627	blacklist ${HOME}/.config/tvbrowser	630	blacklist ${HOME}/.config/tvbrowser
@@ -995,6 +998,7 @@ blacklist ${HOME}/.local/share/telepathy
995	blacklist ${HOME}/.local/share/terasology	998	blacklist ${HOME}/.local/share/terasology
996	blacklist ${HOME}/.local/share/torbrowser	999	blacklist ${HOME}/.local/share/torbrowser
997	blacklist ${HOME}/.local/share/totem	1000	blacklist ${HOME}/.local/share/totem
		1001	blacklist ${HOME}/.local/share/tuir
998	blacklist ${HOME}/.local/share/uzbl	1002	blacklist ${HOME}/.local/share/uzbl
999	blacklist ${HOME}/.local/share/vlc	1003	blacklist ${HOME}/.local/share/vlc
1000	blacklist ${HOME}/.local/share/vpltd	1004	blacklist ${HOME}/.local/share/vpltd


diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index b517620db..2831fec72 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile
@@ -20,7 +20,8 @@ include disable-xdg.inc
20		20
21	include whitelist-var-common.inc	21	include whitelist-var-common.inc
22		22
23	apparmor	23	## Enabling App Armor appears to break some Fedora / Arch installs
		24	#apparmor
24	caps.drop all	25	caps.drop all
25	net none	26	net none
26	no3d	27	no3d


diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile new file mode 100644 index 000000000..783183bea --- /dev/null +++ b/etc/profile-a-l/gdu.profile
@@ -0,0 +1,46 @@
		1	# Firejail profile for gdu
		2	# Description: Fast disk usage analyzer with console interface
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include gdu.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	blacklist ${RUNUSER}/wayland-*
		11
		12	include disable-exec.inc
		13
		14	apparmor
		15	caps.drop all
		16	ipc-namespace
		17	machine-id
		18	net none
		19	no3d
		20	nodvd
		21	nogroups
		22	noinput
		23	nonewprivs
		24	noroot
		25	nosound
		26	notv
		27	nou2f
		28	novideo
		29	# block the socket syscall to simulate an be empty protocol line, see #639
		30	seccomp socket
		31	seccomp.block-secondary
		32	x11 none
		33
		34	private-dev
		35
		36	dbus-user none
		37	dbus-system none
		38
		39	memory-deny-write-execute
		40
		41	# gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features.
		42	# Depending on workflow and use case the sandbox can be hardened by adding the
		43	# lines below to your gdu.local if you don't need/want these functionalities.
		44	#include disable-shell.inc
		45	#private-bin gdu
		46	#read-only ${HOME}


diff --git a/etc/profile-m-z/makedeb.profile b/etc/profile-m-z/makedeb.profile new file mode 100644 index 000000000..f45bfca3a --- /dev/null +++ b/etc/profile-m-z/makedeb.profile
@@ -0,0 +1,13 @@
		1	# Firejail profile for makedeb
		2	# Description: A utility to automate the building of Debian packages
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include makedeb.local
		7	# Persistent global definitions
		8	#include globals.local
		9
		10	ignore noblacklist /var/lib/pacman
		11
		12	# Redirect
		13	include makepkg.profile


diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile index dd2f0b318..4ec6ef82e 100644 --- a/etc/profile-m-z/makepkg.profile +++ b/etc/profile-m-z/makepkg.profile
@@ -1,4 +1,5 @@
1	# Firejail profile for makepkg	1	# Firejail profile for makepkg
		2	# Description: A utility to automate the building of Arch Linux packages
2	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
3	quiet	4	quiet
4	# Persistent local customizations	5	# Persistent local customizations


diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile index bdc6e3451..b8d221dc3 100644 --- a/etc/profile-m-z/man.profile +++ b/etc/profile-m-z/man.profile
@@ -56,7 +56,7 @@ disable-mnt
56	#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim	56	#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
57	private-cache	57	private-cache
58	private-dev	58	private-dev
59	private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg	59	private-etc alternatives,fonts,groff,group,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,login.defs,man_db.conf,manpath.config,passwd,selinux,sysless,xdg
60	#private-tmp	60	#private-tmp
61		61
62	dbus-user none	62	dbus-user none


diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile index 095038f08..63844ad70 100644 --- a/etc/profile-m-z/microsoft-edge-beta.profile +++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/microsoft-edge-beta
14	whitelist ${HOME}/.cache/microsoft-edge-beta	14	whitelist ${HOME}/.cache/microsoft-edge-beta
15	whitelist ${HOME}/.config/microsoft-edge-beta	15	whitelist ${HOME}/.config/microsoft-edge-beta
16		16
17	private-opt microsoft	17	whitelist /opt/microsoft/msedge-beta
18		18
19	# Redirect	19	# Redirect
20	include chromium-common.profile	20	include chromium-common.profile


diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile index 039cd36a8..b01fd7c25 100644 --- a/etc/profile-m-z/microsoft-edge-dev.profile +++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/microsoft-edge-dev
14	whitelist ${HOME}/.cache/microsoft-edge-dev	14	whitelist ${HOME}/.cache/microsoft-edge-dev
15	whitelist ${HOME}/.config/microsoft-edge-dev	15	whitelist ${HOME}/.config/microsoft-edge-dev
16		16
17	private-opt microsoft	17	whitelist /opt/microsoft/msedge-dev
18		18
19	# Redirect	19	# Redirect
20	include chromium-common.profile	20	include chromium-common.profile


diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile index f427507d1..4cd8c85a5 100644 --- a/etc/profile-m-z/microsoft-edge.profile +++ b/etc/profile-m-z/microsoft-edge.profile
@@ -1,11 +1,20 @@
1	# Firejail profile for Microsoft Edge	1	# Firejail profile for Microsoft Edge
2	# Description: Web browser from Microsoft	2	# Description: Web browser from Microsoft,stable channel
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
4	# Persistent local customizations	4	# Persistent local customizations
5	include microsoft-edge.local	5	include microsoft-edge.local
6	# Persistent global definitions	6	# Persistent global definitions
7	# added by included profile	7	include globals.local
8	#include globals.local	8
		9	noblacklist ${HOME}/.cache/microsoft-edge
		10	noblacklist ${HOME}/.config/microsoft-edge
		11
		12	mkdir ${HOME}/.cache/microsoft-edge
		13	mkdir ${HOME}/.config/microsoft-edge
		14	whitelist ${HOME}/.cache/microsoft-edge
		15	whitelist ${HOME}/.config/microsoft-edge
		16
		17	whitelist /opt/microsoft/msedge
9		18
10	# Redirect	19	# Redirect
11	include microsoft-edge-dev.profile	20	include chromium-common.profile


diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index 5d482adca..9000b7972 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile
@@ -50,31 +50,11 @@ include disable-programs.inc
50	include disable-xdg.inc	50	include disable-xdg.inc
51		51
52	mkdir ${HOME}/.Mail	52	mkdir ${HOME}/.Mail
53	mkdir ${HOME}/.bogofilter
54	mkdir ${HOME}/.config/mutt
55	mkdir ${HOME}/.config/nano
56	mkdir ${HOME}/.config/neomutt
57	mkdir ${HOME}/.elinks
58	mkdir ${HOME}/.emacs.d
59	mkdir ${HOME}/.gnupg
60	mkdir ${HOME}/.mail	53	mkdir ${HOME}/.mail
61	mkdir ${HOME}/.mutt
62	mkdir ${HOME}/.neomutt
63	mkdir ${HOME}/.vim
64	mkdir ${HOME}/.w3m
65	mkdir ${HOME}/Mail	54	mkdir ${HOME}/Mail
66	mkdir ${HOME}/mail	55	mkdir ${HOME}/mail
67	mkdir ${HOME}/postponed	56	mkdir ${HOME}/postponed
68	mkdir ${HOME}/sent	57	mkdir ${HOME}/sent
69	mkfile ${HOME}/.emacs
70	mkfile ${HOME}/.mailcap
71	mkfile ${HOME}/.msmtprc
72	mkfile ${HOME}/.muttrc
73	mkfile ${HOME}/.nanorc
74	mkfile ${HOME}/.neomuttrc
75	mkfile ${HOME}/.signature
76	mkfile ${HOME}/.viminfo
77	mkfile ${HOME}/.vimrc
78	whitelist ${DOCUMENTS}	58	whitelist ${DOCUMENTS}
79	whitelist ${DOWNLOADS}	59	whitelist ${DOWNLOADS}
80	whitelist ${HOME}/.Mail	60	whitelist ${HOME}/.Mail


diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 30f9aafcb..5e5a8e9bb 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile
@@ -156,7 +156,10 @@ protocol unix,inet,inet6,netlink
156	# seccomp sometimes causes issues (see #2951, #3267).	156	# seccomp sometimes causes issues (see #2951, #3267).
157	# Add 'ignore seccomp' to your steam.local if you experience this.	157	# Add 'ignore seccomp' to your steam.local if you experience this.
158	# mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13	158	# mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
		159	# (see #4366).
159	seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2	160	seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2
		161	# process_vm_readv is used by GE-Proton7-18 (see #5185).
		162	seccomp.32 !process_vm_readv
160	# tracelog breaks integrated browser	163	# tracelog breaks integrated browser
161	#tracelog	164	#tracelog
162		165


diff --git a/etc/profile-m-z/tuir.profile b/etc/profile-m-z/tuir.profile new file mode 100644 index 000000000..b441503c6 --- /dev/null +++ b/etc/profile-m-z/tuir.profile
@@ -0,0 +1,23 @@
		1	# Firejail profile for tuir
		2	# Description: Browse Reddit from your terminal (rtv fork)
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include tuir.local
		6	# Persistent global definitions
		7	#include globals.local
		8
		9	ignore mkdir ${HOME}/.config/rtv
		10	ignore mkdir ${HOME}/.local/share/rtv
		11
		12	noblacklist ${HOME}/.config/tuir
		13	noblacklist ${HOME}/.local/share/tuir
		14
		15	mkdir ${HOME}/.config/tuir
		16	mkdir ${HOME}/.local/share/tuir
		17	whitelist ${HOME}/.config/tuir
		18	whitelist ${HOME}/.local/share/tuir
		19
		20	private-bin tuir
		21
		22	# Redirect
		23	include rtv.profile


diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile index 627bb57a8..74c951fe6 100644 --- a/etc/profile-m-z/vmware.profile +++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
38	#disable-mnt	38	#disable-mnt
39	# Add the next line to your vmware.local to enable private-bin.	39	# Add the next line to your vmware.local to enable private-bin.
40	#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_,vmnet-,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*	40	#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_,vmnet-,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
41	private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix	41	private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
42	dbus-user none	42	dbus-user none
43	dbus-system none	43	dbus-system none