20 files changed, 35 insertions, 27 deletions

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index a9dd4921f..ae84ee38a 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -420,6 +420,7 @@ blacklist ${HOME}/.local/share/keyrings
 blacklist ${HOME}/.local/share/kwalletd
 blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.local/share/plasma-vault
+blacklist ${HOME}/.minisign
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.muttrc
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index a72904b50..4941630a2 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -795,6 +795,7 @@ blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/state/pipewire
 blacklist ${HOME}/.lv2
 blacklist ${HOME}/.lyx
 blacklist ${HOME}/.magicor
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc
index f47d8a7be..224d21064 100644
--- a/etc/inc/whitelist-run-common.inc
+++ b/etc/inc/whitelist-run-common.inc
@@ -6,5 +6,6 @@ whitelist /run/NetworkManager/resolv.conf
 whitelist /run/cups/cups.sock
 whitelist /run/dbus/system_bus_socket
 whitelist /run/media
+whitelist /run/resolvconf/resolv.conf
 whitelist /run/systemd/resolve/resolv.conf
 whitelist /run/systemd/resolve/stub-resolv.conf
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index 48309ffe3..a8cab8d07 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -10,7 +10,7 @@ whitelist ${RUNUSER}/gdm/Xauthority
 whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/wayland-1
+whitelist ${RUNUSER}/pipewire-?
+whitelist ${RUNUSER}/wayland-?
 whitelist ${RUNUSER}/xauth_*
 whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index fe0097934..0049ce804 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -45,6 +45,7 @@ whitelist /usr/share/myspell
 whitelist /usr/share/p11-kit
 whitelist /usr/share/perl
 whitelist /usr/share/perl5
+whitelist /usr/share/pipewire
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index b35b6ae80..c42243e02 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -37,10 +37,6 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
 
-# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 77fb458ca..19ad5799c 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -56,7 +56,7 @@ private-cache
 private-dev
 private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 # private-lib might break two-page-view on some systems
-private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
 
 # dbus-user filtering might break two-page-view on some systems
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index d282f9a60..b2b7c362a 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
 
+ignore whitelist ${RUNUSER}/*firefox*
 ignore include whitelist-runuser-common.inc
 ignore private-cache
 
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 5a123d081..9138fed90 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -58,10 +58,8 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your firefox.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
+# Add the next line to your firefox.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).
 #ignore noroot
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 4c28e2aff..7beb2bcba 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -8,12 +8,14 @@ include globals.local
 
 noblacklist ${HOME}/.config/FreeTube
 
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
-private-bin electron,electron[0-9],electron[0-9][0-9],freetube
+private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 
 # Redirect
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index b2f482835..9c8200dc4 100644
--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -5,7 +5,8 @@ quiet
 # Persistent local customizations
 include gallery-dl.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 noblacklist ${HOME}/.config/gallery-dl
 noblacklist ${HOME}/.gallery-dl.conf
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index 0786da6df..df9c2ac7a 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -13,7 +13,6 @@ include globals.local
 #ignore net
 #protocol unix,inet,inet6
 
-
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
 # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local.
 ignore noexec ${HOME}
@@ -26,6 +25,10 @@ noblacklist ${HOME}/.gimp*
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
+# See issue #4367, gimp 2.10.22-3: gegl:introspect broken
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-exec.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index b419a6231..2d4ce2437 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -21,6 +21,7 @@ mkdir ${HOME}/.config/gnote
 mkdir ${HOME}/.local/share/gnote
 whitelist ${HOME}/.config/gnote
 whitelist ${HOME}/.local/share/gnote
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/gnote
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index a67ea8d67..b915f6202 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -37,16 +37,22 @@ include disable-xdg.inc
 #mkdir ${HOME}/Documents/KeePassXC
 #whitelist ${HOME}/Documents/KeePassXC
 # Needed for KeePassXC-Browser.
+#mkdir ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts
 #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/chromium/NativeMessagingHosts
 #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/google-chrome/NativeMessagingHosts
 #mkfile ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/vivaldi/NativeMessagingHosts
 #mkfile ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts
 #mkfile ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.mozilla/native-messaging-hosts
 #mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
 #mkdir ${HOME}/.cache/keepassxc
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index da047357a..c9f5221f7 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -44,10 +44,8 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
+# Add the next line to your librewolf.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).
 #ignore noroot
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index 06e19670a..cb499ba34 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -43,7 +43,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-no3d
 nodvd
 nogroups
 noinput
@@ -68,4 +67,6 @@ private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
+# Add the next line to your nextcloud.local for tray icon support
+#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 275496496..0b3d2b44c 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -38,9 +38,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol can be empty, but this is not yet supported see #639
-protocol inet
-seccomp
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index 1ef789689..a23ad68df 100644
--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.xournalpp
 
 include allow-lua.inc
 
-whitelist /usr/share/pipewire
 whitelist /usr/share/texlive
 whitelist /usr/share/xournalpp
 whitelist /var/lib/texmf
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index ab90c837e..1c3382a08 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -5,7 +5,8 @@ quiet
 # Persistent local customizations
 include yt-dlp.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 noblacklist ${HOME}/.cache/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 02dcefd35..e580a0c0c 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -102,8 +102,6 @@ include globals.local
 #include allow-ssh.inc
 
 ##blacklist PATH
-# Disable X11 (CLI only), see also 'x11 none' below
-#blacklist /tmp/.X11-unix
 # Disable Wayland
 #blacklist ${RUNUSER}/wayland-*
 # Disable RUNUSER (cli only; supersedes Disable Wayland)
@@ -174,7 +172,7 @@ include globals.local
 ##seccomp-error-action log (only for debugging seccomp issues)
 #shell none
 #tracelog
-# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+# Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set
 ##x11 none
 
 #disable-mnt