4 files changed, 34 insertions, 3 deletions
diff --git a/etc/clamtk.profile b/etc/clamtk.profile
new file mode 100644
index 000000000..d916381b2
--- /dev/null
+++ b/etc/clamtk.profile
@@ -0,0 +1,28 @@
+# Firejail profile for clamtk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/clamtk.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index 6ef11780e..597fbd1fc 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -10,6 +10,7 @@ blacklist ${HOME}/.config/Sinew Software Systems
 blacklist ${HOME}/.keepass
 blacklist ${HOME}/.keepassx
 blacklist ${HOME}/.keepassxc
+blacklist ${HOME}/.keepassxc-socket
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.local/share/KeePass
 blacklist ${HOME}/.local/share/keepass
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index dcd652e55..2073feabb 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
 noblacklist ${HOME}/.config/keepassxc
 noblacklist ${HOME}/.keepassxc
+noblacklist ${HOME}/.keepassxc-socket
 # 2.2.4 needs this path when compiled with "Native messaging browser extension"
 noblacklist ${HOME}/.mozilla
 noblacklist ${DOCUMENTS}
@@ -34,7 +35,7 @@ nonewprivs
 noroot
 nosound
 notv
-pnovideo
+novideo
 protocol unix
 seccomp
 shell none
@@ -49,6 +50,7 @@ private-tmp
 noexec ${HOME}
 noexec /tmp
+# Mutex is stored in /tmp by default, which is broken by private-tmp
+# Make a new directory and have it stored there. Fixes #2062
 mkdir ${HOME}/.keepassxc-socket
 env TMPDIR=${HOME}/.keepassxc-socket/
diff --git a/etc/steam.profile b/etc/steam.profile
index 4ebd941dd..8dbe613f8 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -67,5 +67,5 @@ shell none
 # private-dev should be commented for controllers
 private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives,bumblebee,nvidia,os-release
 private-tmp

diff --git a/etc/clamtk.profile b/etc/clamtk.profile new file mode 100644 index 000000000..d916381b2 --- /dev/null +++ b/etc/clamtk.profile
@@ -0,0 +1,28 @@
		1	# Firejail profile for clamtk
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/clamtk.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	caps.drop all
		9	ipc-namespace
		10	net none
		11	no3d
		12	nodbus
		13	nodvd
		14	nogroups
		15	nonewprivs
		16	noroot
		17	nosound
		18	notv
		19	novideo
		20	protocol unix
		21	seccomp
		22	shell none
		23
		24	private-dev
		25
		26	memory-deny-write-execute
		27	noexec ${HOME}
		28	noexec /tmp


diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc index 6ef11780e..597fbd1fc 100644 --- a/etc/disable-passwdmgr.inc +++ b/etc/disable-passwdmgr.inc
@@ -10,6 +10,7 @@ blacklist ${HOME}/.config/Sinew Software Systems
10	blacklist ${HOME}/.keepass	10	blacklist ${HOME}/.keepass
11	blacklist ${HOME}/.keepassx	11	blacklist ${HOME}/.keepassx
12	blacklist ${HOME}/.keepassxc	12	blacklist ${HOME}/.keepassxc
		13	blacklist ${HOME}/.keepassxc-socket
13	blacklist ${HOME}/.lastpass	14	blacklist ${HOME}/.lastpass
14	blacklist ${HOME}/.local/share/KeePass	15	blacklist ${HOME}/.local/share/KeePass
15	blacklist ${HOME}/.local/share/keepass	16	blacklist ${HOME}/.local/share/keepass


diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index dcd652e55..2073feabb 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/*.kdb
10	noblacklist ${HOME}/*.kdbx	10	noblacklist ${HOME}/*.kdbx
11	noblacklist ${HOME}/.config/keepassxc	11	noblacklist ${HOME}/.config/keepassxc
12	noblacklist ${HOME}/.keepassxc	12	noblacklist ${HOME}/.keepassxc
		13	noblacklist ${HOME}/.keepassxc-socket
13	# 2.2.4 needs this path when compiled with "Native messaging browser extension"	14	# 2.2.4 needs this path when compiled with "Native messaging browser extension"
14	noblacklist ${HOME}/.mozilla	15	noblacklist ${HOME}/.mozilla
15	noblacklist ${DOCUMENTS}	16	noblacklist ${DOCUMENTS}
@@ -34,7 +35,7 @@ nonewprivs
34	noroot	35	noroot
35	nosound	36	nosound
36	notv	37	notv
37	pnovideo	38	novideo
38	protocol unix	39	protocol unix
39	seccomp	40	seccomp
40	shell none	41	shell none
@@ -49,6 +50,7 @@ private-tmp
49	noexec ${HOME}	50	noexec ${HOME}
50	noexec /tmp	51	noexec /tmp
51		52
		53	# Mutex is stored in /tmp by default, which is broken by private-tmp
		54	# Make a new directory and have it stored there. Fixes #2062
52	mkdir ${HOME}/.keepassxc-socket	55	mkdir ${HOME}/.keepassxc-socket
53
54	env TMPDIR=${HOME}/.keepassxc-socket/	56	env TMPDIR=${HOME}/.keepassxc-socket/


diff --git a/etc/steam.profile b/etc/steam.profile index 4ebd941dd..8dbe613f8 100644 --- a/etc/steam.profile +++ b/etc/steam.profile
@@ -67,5 +67,5 @@ shell none
67	# private-dev should be commented for controllers	67	# private-dev should be commented for controllers
68	private-dev	68	private-dev
69	# private-etc breaks a small selection of games on some systems, comment to support those	69	# private-etc breaks a small selection of games on some systems, comment to support those
70	private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives	70	private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives,bumblebee,nvidia,os-release
71	private-tmp	71	private-tmp