35 files changed, 135 insertions, 16 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 03daaa9a6..65159b951 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -168,8 +168,10 @@ blacklist ${HOME}/.local/share/systemd
 blacklist ${PATH}/systemctl
 blacklist ${PATH}/systemd-run
 blacklist ${RUNUSER}/systemd
+blacklist /etc/credstore*
 blacklist /etc/systemd/network
 blacklist /etc/systemd/system
+blacklist /run/credentials
 blacklist /var/lib/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
@@ -450,6 +452,9 @@ blacklist ${HOME}/.vaults
 blacklist /run/timeshift
 blacklist /var/backup
+# dm-crypt / LUKS
+blacklist /crypto_keyfile.bin
 # Remove environment variables with auth tokens.
 # Note however that the sandbox might still have access to the
 # files where these variables are set.
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 2a7e1a898..3eb6c03d5 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -605,6 +605,7 @@ blacklist ${HOME}/.config/rpcs3
 blacklist ${HOME}/.config/rtv
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/scribusrc
+blacklist ${HOME}/.config/sendgmail
 blacklist ${HOME}/.config/sinew.in
 blacklist ${HOME}/.config/sink
 blacklist ${HOME}/.config/skypeforlinux
@@ -1108,6 +1109,7 @@ blacklist ${HOME}/.sbt
 blacklist ${HOME}/.scorched3d
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
+blacklist ${HOME}/.sendgmail.*
 blacklist ${HOME}/.simutrans
 blacklist ${HOME}/.smartgit/*/passwords
 blacklist ${HOME}/.ssr
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index bb0bcd050..dcf941004 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -29,6 +29,7 @@ whitelist /usr/share/gtk-engines
 whitelist /usr/share/gtksourceview-3.0
 whitelist /usr/share/gtksourceview-4
 whitelist /usr/share/hunspell
+whitelist /usr/share/hyphen
 whitelist /usr/share/hwdata
 whitelist /usr/share/icons
 whitelist /usr/share/icu
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 4ad6ac6bc..0655c2e6f 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -35,7 +35,6 @@ whitelist /usr/share/apostrophe
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf
 whitelist /usr/share/pandoc-*
-whitelist /usr/share/perl5
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index b0f83aa32..ef875c5b7 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -44,6 +44,7 @@ x11 none
 private-cache
 private-dev
+private-etc
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index 371054728..c2a482b61 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -50,6 +50,7 @@ tracelog
 private-bin audacity
 private-dev
+private-etc @x11
 private-tmp
 # problems on Fedora 27
diff --git a/etc/profile-a-l/bibtex.profile b/etc/profile-a-l/bibtex.profile
index e868dcbab..5f12d61f1 100644
--- a/etc/profile-a-l/bibtex.profile
+++ b/etc/profile-a-l/bibtex.profile
@@ -9,4 +9,3 @@ private-bin bibtex
 # Redirect
 include latex-common.profile
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index f4533b537..6177b52c0 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -2,7 +2,7 @@
 # Description: Simple and modern GTK eBook reader
 # This file is overwritten after every install/update
 # Persistent local customizations
-include foliate.local
+include com.github.johnfactotum.Foliate.local
 # Persistent global definitions
 include globals.local
@@ -28,7 +28,6 @@ whitelist ${HOME}/.local/share/com.github.johnfactotum.Foliate
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist /usr/share/com.github.johnfactotum.Foliate
-whitelist /usr/share/hyphen
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 1edbb7ca0..882709808 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -37,6 +37,7 @@ tracelog
 private-bin dosbox
 private-dev
+private-etc @games
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/electron-hardened.inc.profile b/etc/profile-a-l/electron-hardened.inc.profile
index eacf5cebe..a9e1756d9 100644
--- a/etc/profile-a-l/electron-hardened.inc.profile
+++ b/etc/profile-a-l/electron-hardened.inc.profile
@@ -7,4 +7,4 @@ include electron-hardened.inc.local
 #include globals.local
 # Redirect
-include chrome-common-hardened.inc.profile
+include chromium-common-hardened.inc.profile
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 7d27f12c9..5b9892af3 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -49,6 +49,7 @@ private-bin etr
 private-cache
 private-dev
 # private-etc alternatives,drirc,machine-id,openal,passwd
+private-etc @games,@x11
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/fix-qdf.profile b/etc/profile-a-l/fix-qdf.profile
new file mode 100644
index 000000000..2dbb44e1d
--- /dev/null
+++ b/etc/profile-a-l/fix-qdf.profile
@@ -0,0 +1,13 @@
+# Firejail profile for fix-qdf
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include fix-qdf.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+private-bin fix-qdf
+# Redirect
+include qpdf.profile
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index 86a8a8fc6..f162a4a31 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -22,6 +22,7 @@ mkdir ${HOME}/.frozen-bubble
 whitelist ${HOME}/.frozen-bubble
 include whitelist-common.inc
 include whitelist-runuser-common.inc
+whitelist /usr/share/games
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -42,6 +43,7 @@ tracelog
 disable-mnt
 # private-bin frozen-bubble
 private-dev
+private-etc @games,@x11
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index 717519112..6f350f8ac 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 private-dev
-private-etc @tls-ca,@x11,python*
+private-etc @x11,python*
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index 3926146ff..e5c6022e8 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -45,6 +45,7 @@ disable-mnt
 private-bin gnome-calculator
 private-cache
 private-dev
+private-etc @x11
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
index fd8246aae..96e69d6cf 100644
--- a/etc/profile-a-l/hasher-common.profile
+++ b/etc/profile-a-l/hasher-common.profile
@@ -48,6 +48,7 @@ x11 none
 # Add the next line to your hasher-common.local if you don't need to hash files in ~/.cache.
 #private-cache
 private-dev
+private-etc
 # Add the next line to your hasher-common.local if you don't need to hash files in /tmp.
 #private-tmp
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index e16f3f1d5..82cba7887 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -13,6 +13,13 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+whitelist ${HOME}/.local/share/glib-2.0/schemas
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/iagno
+whitelist /usr/share/gdm
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -28,11 +35,12 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 disable-mnt
-private
 private-bin iagno
 private-dev
+private-etc @x11,gconf
 private-tmp
 # dbus-user none
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index e0b3eadfd..d9e4480f5 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -52,6 +52,7 @@ disable-mnt
 private-bin kdiff3
 private-cache
 private-dev
+private-etc @x11
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/latex.profile b/etc/profile-a-l/latex.profile
index 2230dd570..f6e625d35 100644
--- a/etc/profile-a-l/latex.profile
+++ b/etc/profile-a-l/latex.profile
@@ -9,4 +9,3 @@ private-bin latex
 # Redirect
 include latex-common.profile
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index 518928876..d7144d8c3 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -50,6 +50,7 @@ tracelog
 #private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
 private-cache
 private-dev
+private-etc @tls-ca,@x11,cups,gnupg,libreoffice,papersize,ssh
 private-tmp
 dbus-system none
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index f6b070ab3..498a4f6c8 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -35,6 +35,7 @@ seccomp
 private-bin open-invaders
 private-dev
+private-etc @x11
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/pdflatex.profile b/etc/profile-m-z/pdflatex.profile
index caf980d4d..ddf6d0990 100644
--- a/etc/profile-m-z/pdflatex.profile
+++ b/etc/profile-m-z/pdflatex.profile
@@ -9,4 +9,3 @@ private-bin pdflatex
 # Redirect
 include latex-common.profile
diff --git a/etc/profile-m-z/presentations18.profile b/etc/profile-m-z/presentations18.profile
index 65d684c40..ac844d1af 100644
--- a/etc/profile-m-z/presentations18.profile
+++ b/etc/profile-m-z/presentations18.profile
@@ -8,4 +8,3 @@ include globals.local
 # Redirect
 include softmaker-common.profile
diff --git a/etc/profile-m-z/qpdf.profile b/etc/profile-m-z/qpdf.profile
new file mode 100644
index 000000000..0c1e09e92
--- /dev/null
+++ b/etc/profile-m-z/qpdf.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qpdf
+# Description: A Content-Preserving PDF Transformation System
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qpdf.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+hostname qpdf
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+tracelog
+x11 none
+private-bin qpdf
+private-cache
+private-dev
+private-etc
+private-lib libqpdf.so.*
+#private-tmp # breaks on Arch Linux
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+restrict-namespaces
+read-only ${HOME}
+read-write ${DOCUMENTS}
+read-write ${DOWNLOADS}
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index e83484ae5..0d35dbbad 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -18,6 +18,8 @@ include allow-bin-sh.inc
 include allow-python2.inc
 include allow-python3.inc
+ignore noexec ${HOME}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -41,7 +43,7 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-apparmor
+#apparmor # breaks userscripts under ${HOME}, see #5639
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index dccd93429..77c032a53 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -51,6 +51,7 @@ tracelog
 private-bin rhythmbox,rhythmbox-client
 private-cache
 private-dev
+private-etc @tls-ca,@x11,python*
 private-tmp
 dbus-user filter
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile
index 186e31b46..405ab818d 100644
--- a/etc/profile-m-z/rpcs3.profile
+++ b/etc/profile-m-z/rpcs3.profile
@@ -2,7 +2,7 @@
 # Description: RPCS3 emulator
 # This file is overwritten after every install/update
 # Persistent local customizations
-include rpcs3.local 
+include rpcs3.local
 # Persistent global definitions
 include globals.local
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index 6ba735556..f88ae65c8 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -35,6 +35,7 @@ seccomp
 # private-bin simutrans
 private-dev
+private-etc @games,@x11
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/tex.profile b/etc/profile-m-z/tex.profile
index f56c3038e..c850cf5c3 100644
--- a/etc/profile-m-z/tex.profile
+++ b/etc/profile-m-z/tex.profile
@@ -9,4 +9,3 @@ private-bin tex
 # Redirect
 include latex-common.profile
diff --git a/etc/profile-m-z/textmaker18.profile b/etc/profile-m-z/textmaker18.profile
index e5a4b6454..8284df791 100644
--- a/etc/profile-m-z/textmaker18.profile
+++ b/etc/profile-m-z/textmaker18.profile
@@ -8,4 +8,3 @@ include globals.local
 # Redirect
 include softmaker-common.profile
diff --git a/etc/profile-m-z/textmaker18free.profile b/etc/profile-m-z/textmaker18free.profile
index 0e918bf0a..ad945ca55 100644
--- a/etc/profile-m-z/textmaker18free.profile
+++ b/etc/profile-m-z/textmaker18free.profile
@@ -8,4 +8,3 @@ include globals.local
 # Redirect
 include softmaker-common.profile
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index e21d37040..a4cb49171 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -51,7 +51,7 @@ private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
 #private-cache
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+private-etc @tls-ca,@x11,python*
 private-tmp
 # makes settings immutable
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
index edb4db8aa..5c0690b1d 100644
--- a/etc/profile-m-z/transmission-cli.profile
+++ b/etc/profile-m-z/transmission-cli.profile
@@ -7,6 +7,8 @@ include transmission-cli.local
 # Persistent global definitions
 include globals.local
+whitelist /usr/share/transmission
 private-bin transmission-cli
 private-etc @tls-ca
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 0a9029c97..d80eb708b 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -44,6 +44,7 @@ tracelog
 private-cache
 private-dev
+private-etc @tls-ca,@x11
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/zlib-flate.profile b/etc/profile-m-z/zlib-flate.profile
new file mode 100644
index 000000000..48a2c9845
--- /dev/null
+++ b/etc/profile-m-z/zlib-flate.profile
@@ -0,0 +1,13 @@
+# Firejail profile for zlib-flate
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zlib-flate.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+private-bin zlib-flate
+# Redirect
+include qpdf.profile