10 files changed, 313 insertions, 1 deletions
diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
new file mode 100644
index 000000000..558f62f0e
--- /dev/null
+++ b/etc/QMediathekView.profile
@@ -0,0 +1,54 @@
+# Firejail profile for QMediathekView
+# Description: Search, download or stream files from mediathek.de
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/QMediathekView.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/QMediathekView
+noblacklist ${HOME}/.local/share/QMediathekView
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mplayer
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+netfilter
+# no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
+private-cache
+private-dev
+# private-etc none
+# private-lib
+private-tmp
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
new file mode 100644
index 000000000..4231c58ff
--- /dev/null
+++ b/etc/aria2c.profile
@@ -0,0 +1,45 @@
+# Firejail profile for aria2c
+# Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/aria2c.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.aria2
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+# private
+private-bin aria2c,gzip
+private-cache
+private-dev
+private-etc ca-certificates,ssl
+private-lib libreadline.so.*
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
new file mode 100644
index 000000000..f10abdda8
--- /dev/null
+++ b/etc/authenticator.profile
@@ -0,0 +1,49 @@
+# Firejail profile for authenticator
+# Description: 2FA code generator for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/authenticator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# blacklisted in 'disable-programs.local'
+noblacklist ${HOME}/.config/Authenticator
+# Allow python 3.x (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# apparmor
+caps.drop all
+net none
+no3d
+# nodbus - makes settings immutable
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+nou2f
+protocol unix
+seccomp
+shell none
+disable-mnt
+# private-bin authenticator
+private-cache
+private-dev
+private-etc fonts,ld.so.cache
+# private-lib
+private-tmp
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
new file mode 100644
index 000000000..c8b8be04e
--- /dev/null
+++ b/etc/checkbashisms.profile
@@ -0,0 +1,49 @@
+# Firejail profile for checkbashisms
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/checkbashisms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${DOCUMENTS}
+# Allow perl (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index cb8ae6a80..0274fd66b 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -16,19 +16,24 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/devilspie.profile b/etc/devilspie.profile
new file mode 100644
index 000000000..dbfb05798
--- /dev/null
+++ b/etc/devilspie.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie
+# Description: Window matching daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.devilspie
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin devilspie
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+# devilspie will never write anything
+read-only ${HOME}
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
new file mode 100644
index 000000000..3a9a9659a
--- /dev/null
+++ b/etc/devilspie2.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie2
+# Description: Window matching daemon (Lua)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie2.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/devilspie2
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin devilspie2
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+# devilspie2 will never write anything
+read-only ${HOME}
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7dd99dba3..0b445301d 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
 blacklist ${HOME}/.arduino15
+blacklist ${HOME}/.aria2
 blacklist ${HOME}/.arm
 blacklist ${HOME}/.asunder_album_genre
 blacklist ${HOME}/.asunder_album_title
@@ -46,6 +47,7 @@ blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
+blacklist ${HOME}/.config/Authenticator
 blacklist ${HOME}/.config/Beaker Browser
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
@@ -70,6 +72,7 @@ blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Rambox
@@ -111,6 +114,7 @@ blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
+blacklist ${HOME}/.config/devilspie2
 blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/discord
@@ -252,6 +256,7 @@ blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
+blacklist ${HOME}/.devilspie
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dooble
@@ -361,6 +366,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
 blacklist ${HOME}/.local/share/Steam
diff --git a/etc/file.profile b/etc/file.profile
index 5d1227520..00e18de20 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -30,10 +30,12 @@ shell none
 tracelog
 x11 none
-private-bin file
+#private-bin file
+private-cache
 private-dev
 private-etc magic.mgc,magic,localtime
 private-lib
+private-tmp
 memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/strings.profile b/etc/strings.profile
index 5bea9525f..ae2fbf18f 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -21,9 +21,13 @@ shell none
 tracelog
 private-bin strings
+private-cache
 private-dev
+private-etc none
 private-lib
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
 include /etc/firejail/default.profile

diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile new file mode 100644 index 000000000..558f62f0e --- /dev/null +++ b/etc/QMediathekView.profile
@@ -0,0 +1,54 @@
		1	# Firejail profile for QMediathekView
		2	# Description: Search, download or stream files from mediathek.de
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/QMediathekView.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	noblacklist ${HOME}/.config/QMediathekView
		10	noblacklist ${HOME}/.local/share/QMediathekView
		11
		12	noblacklist ${HOME}/.config/mpv
		13	noblacklist ${HOME}/.config/smplayer
		14	noblacklist ${HOME}/.config/totem
		15	noblacklist ${HOME}/.config/vlc
		16	noblacklist ${HOME}/.config/xplayer
		17	noblacklist ${HOME}/.local/share/totem
		18	noblacklist ${HOME}/.local/share/xplayer
		19	noblacklist ${HOME}/.mplayer
		20
		21	include /etc/firejail/disable-common.inc
		22	include /etc/firejail/disable-devel.inc
		23	include /etc/firejail/disable-interpreters.inc
		24	include /etc/firejail/disable-passwdmgr.inc
		25	include /etc/firejail/disable-programs.inc
		26
		27	include /etc/firejail/whitelist-var-common.inc
		28
		29	caps.drop all
		30	netfilter
		31	# no3d
		32	# nodbus
		33	nodvd
		34	nogroups
		35	nonewprivs
		36	noroot
		37	notv
		38	nou2f
		39	protocol unix,inet,inet6
		40	seccomp
		41	shell none
		42	tracelog
		43
		44	disable-mnt
		45	private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
		46	private-cache
		47	private-dev
		48	# private-etc none
		49	# private-lib
		50	private-tmp
		51
		52	# memory-deny-write-execute - breaks on Arch
		53	noexec ${HOME}
		54	noexec /tmp


diff --git a/etc/aria2c.profile b/etc/aria2c.profile new file mode 100644 index 000000000..4231c58ff --- /dev/null +++ b/etc/aria2c.profile
@@ -0,0 +1,45 @@
		1	# Firejail profile for aria2c
		2	# Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/aria2c.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	noblacklist ${HOME}/.aria2
		10
		11	include /etc/firejail/disable-common.inc
		12	include /etc/firejail/disable-devel.inc
		13	include /etc/firejail/disable-interpreters.inc
		14	include /etc/firejail/disable-passwdmgr.inc
		15	include /etc/firejail/disable-programs.inc
		16	include /etc/firejail/disable-xdg.inc
		17
		18	caps.drop all
		19	ipc-namespace
		20	netfilter
		21	no3d
		22	nodbus
		23	nodvd
		24	nogroups
		25	nonewprivs
		26	noroot
		27	nosound
		28	notv
		29	novideo
		30	protocol unix,inet,inet6
		31	seccomp
		32	shell none
		33
		34	disable-mnt
		35	# private
		36	private-bin aria2c,gzip
		37	private-cache
		38	private-dev
		39	private-etc ca-certificates,ssl
		40	private-lib libreadline.so.*
		41	private-tmp
		42
		43	memory-deny-write-execute
		44	noexec ${HOME}
		45	noexec /tmp


diff --git a/etc/authenticator.profile b/etc/authenticator.profile new file mode 100644 index 000000000..f10abdda8 --- /dev/null +++ b/etc/authenticator.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for authenticator
		2	# Description: 2FA code generator for GNOME
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/authenticator.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	# blacklisted in 'disable-programs.local'
		10	noblacklist ${HOME}/.config/Authenticator
		11
		12	# Allow python 3.x (blacklisted by disable-interpreters.inc)
		13	noblacklist ${PATH}/python3*
		14	noblacklist /usr/lib/python3*
		15
		16	include /etc/firejail/disable-common.inc
		17	include /etc/firejail/disable-devel.inc
		18	include /etc/firejail/disable-interpreters.inc
		19	include /etc/firejail/disable-passwdmgr.inc
		20	include /etc/firejail/disable-programs.inc
		21
		22	# apparmor
		23	caps.drop all
		24	net none
		25	no3d
		26	# nodbus - makes settings immutable
		27	nodvd
		28	nogroups
		29	nonewprivs
		30	noroot
		31	nosound
		32	notv
		33	# novideo
		34	nou2f
		35	protocol unix
		36	seccomp
		37	shell none
		38
		39	disable-mnt
		40	# private-bin authenticator
		41	private-cache
		42	private-dev
		43	private-etc fonts,ld.so.cache
		44	# private-lib
		45	private-tmp
		46
		47	# memory-deny-write-execute - breaks on Arch
		48	noexec ${HOME}
		49	noexec /tmp


diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile new file mode 100644 index 000000000..c8b8be04e --- /dev/null +++ b/etc/checkbashisms.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for checkbashisms
		2	# Description: Lint tool for shell scripts
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include /etc/firejail/checkbashisms.local
		7	# Persistent global definitions
		8	include /etc/firejail/globals.local
		9
		10	noblacklist ${DOCUMENTS}
		11
		12	# Allow perl (blacklisted by disable-interpreters.inc)
		13	noblacklist ${PATH}/cpan*
		14	noblacklist ${PATH}/core_perl
		15	noblacklist ${PATH}/perl
		16	noblacklist /usr/lib/perl*
		17	noblacklist /usr/share/perl*
		18
		19	include /etc/firejail/disable-common.inc
		20	include /etc/firejail/disable-devel.inc
		21	include /etc/firejail/disable-interpreters.inc
		22	include /etc/firejail/disable-passwdmgr.inc
		23	include /etc/firejail/disable-programs.inc
		24	include /etc/firejail/disable-xdg.inc
		25
		26	include /etc/firejail/whitelist-var-common.inc
		27
		28	caps.drop all
		29	ipc-namespace
		30	net none
		31	no3d
		32	nodbus
		33	nodvd
		34	nogroups
		35	nonewprivs
		36	noroot
		37	nosound
		38	notv
		39	novideo
		40	protocol unix
		41	seccomp
		42	shell none
		43
		44	private-dev
		45	private-tmp
		46
		47	memory-deny-write-execute
		48	noexec ${HOME}
		49	noexec /tmp


diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index cb8ae6a80..0274fd66b 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile
@@ -16,19 +16,24 @@ include /etc/firejail/disable-interpreters.inc
16	include /etc/firejail/disable-passwdmgr.inc	16	include /etc/firejail/disable-passwdmgr.inc
17	include /etc/firejail/disable-programs.inc	17	include /etc/firejail/disable-programs.inc
18		18
		19	include /etc/firejail/whitelist-common.inc
		20
19	caps.drop all	21	caps.drop all
20	netfilter	22	netfilter
		23	no3d
21	nodvd	24	nodvd
22	nogroups	25	nogroups
23	nonewprivs	26	nonewprivs
24	noroot	27	noroot
25	nosound	28	nosound
26	notv	29	notv
		30	nou2f
27	novideo	31	novideo
28	protocol unix,inet,inet6	32	protocol unix,inet,inet6
29	seccomp	33	seccomp
30	shell none	34	shell none
31		35
		36	private-cache
32	private-dev	37	private-dev
33	private-tmp	38	private-tmp
34		39


diff --git a/etc/devilspie.profile b/etc/devilspie.profile new file mode 100644 index 000000000..dbfb05798 --- /dev/null +++ b/etc/devilspie.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for devilspie
		2	# Description: Window matching daemon
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/devilspie.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	noblacklist ${HOME}/.devilspie
		10
		11	include /etc/firejail/disable-common.inc
		12	include /etc/firejail/disable-devel.inc
		13	include /etc/firejail/disable-interpreters.inc
		14	include /etc/firejail/disable-passwdmgr.inc
		15	include /etc/firejail/disable-programs.inc
		16
		17	caps.drop all
		18	ipc-namespace
		19	machine-id
		20	net none
		21	no3d
		22	nodbus
		23	nodvd
		24	nogroups
		25	nonewprivs
		26	noroot
		27	nosound
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix
		32	seccomp
		33	shell none
		34	tracelog
		35
		36	disable-mnt
		37	private-bin devilspie
		38	private-cache
		39	private-dev
		40	private-etc none
		41	private-lib gconv
		42	private-tmp
		43
		44	memory-deny-write-execute
		45	noexec ${HOME}
		46	noexec /tmp
		47
		48	# devilspie will never write anything
		49	read-only ${HOME}


diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile new file mode 100644 index 000000000..3a9a9659a --- /dev/null +++ b/etc/devilspie2.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for devilspie2
		2	# Description: Window matching daemon (Lua)
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/devilspie2.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	noblacklist ${HOME}/.config/devilspie2
		10
		11	include /etc/firejail/disable-common.inc
		12	include /etc/firejail/disable-devel.inc
		13	include /etc/firejail/disable-interpreters.inc
		14	include /etc/firejail/disable-passwdmgr.inc
		15	include /etc/firejail/disable-programs.inc
		16
		17	caps.drop all
		18	ipc-namespace
		19	machine-id
		20	net none
		21	no3d
		22	nodbus
		23	nodvd
		24	nogroups
		25	nonewprivs
		26	noroot
		27	nosound
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix
		32	seccomp
		33	shell none
		34	tracelog
		35
		36	disable-mnt
		37	private-bin devilspie2
		38	private-cache
		39	private-dev
		40	private-etc none
		41	private-lib gconv
		42	private-tmp
		43
		44	memory-deny-write-execute
		45	noexec ${HOME}
		46	noexec /tmp
		47
		48	# devilspie2 will never write anything
		49	read-only ${HOME}


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 7dd99dba3..0b445301d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.aMule
32	blacklist ${HOME}/.android	32	blacklist ${HOME}/.android
33	blacklist ${HOME}/.anydesk	33	blacklist ${HOME}/.anydesk
34	blacklist ${HOME}/.arduino15	34	blacklist ${HOME}/.arduino15
		35	blacklist ${HOME}/.aria2
35	blacklist ${HOME}/.arm	36	blacklist ${HOME}/.arm
36	blacklist ${HOME}/.asunder_album_genre	37	blacklist ${HOME}/.asunder_album_genre
37	blacklist ${HOME}/.asunder_album_title	38	blacklist ${HOME}/.asunder_album_title
@@ -46,6 +47,7 @@ blacklist ${HOME}/.config/0ad
46	blacklist ${HOME}/.config/2048-qt	47	blacklist ${HOME}/.config/2048-qt
47	blacklist ${HOME}/.config/Atom	48	blacklist ${HOME}/.config/Atom
48	blacklist ${HOME}/.config/Audaciousrc	49	blacklist ${HOME}/.config/Audaciousrc
		50	blacklist ${HOME}/.config/Authenticator
49	blacklist ${HOME}/.config/Beaker Browser	51	blacklist ${HOME}/.config/Beaker Browser
50	blacklist ${HOME}/.config/Brackets	52	blacklist ${HOME}/.config/Brackets
51	blacklist ${HOME}/.config/Clementine	53	blacklist ${HOME}/.config/Clementine
@@ -70,6 +72,7 @@ blacklist ${HOME}/.config/MuseScore
70	blacklist ${HOME}/.config/MusicBrainz	72	blacklist ${HOME}/.config/MusicBrainz
71	blacklist ${HOME}/.config/Nylas Mail	73	blacklist ${HOME}/.config/Nylas Mail
72	blacklist ${HOME}/.config/Qlipper	74	blacklist ${HOME}/.config/Qlipper
		75	blacklist ${HOME}/.config/QMediathekView
73	blacklist ${HOME}/.config/QuiteRss	76	blacklist ${HOME}/.config/QuiteRss
74	blacklist ${HOME}/.config/QuiteRssrc	77	blacklist ${HOME}/.config/QuiteRssrc
75	blacklist ${HOME}/.config/Rambox	78	blacklist ${HOME}/.config/Rambox
@@ -111,6 +114,7 @@ blacklist ${HOME}/.config/corebird
111	blacklist ${HOME}/.config/darktable	114	blacklist ${HOME}/.config/darktable
112	blacklist ${HOME}/.config/deadbeef	115	blacklist ${HOME}/.config/deadbeef
113	blacklist ${HOME}/.config/deluge	116	blacklist ${HOME}/.config/deluge
		117	blacklist ${HOME}/.config/devilspie2
114	blacklist ${HOME}/.config/digikam	118	blacklist ${HOME}/.config/digikam
115	blacklist ${HOME}/.config/digikamrc	119	blacklist ${HOME}/.config/digikamrc
116	blacklist ${HOME}/.config/discord	120	blacklist ${HOME}/.config/discord
@@ -252,6 +256,7 @@ blacklist ${HOME}/.config/zoomus.conf
252	blacklist ${HOME}/.conkeror.mozdev.org	256	blacklist ${HOME}/.conkeror.mozdev.org
253	blacklist ${HOME}/.curlrc	257	blacklist ${HOME}/.curlrc
254	blacklist ${HOME}/.dashcore	258	blacklist ${HOME}/.dashcore
		259	blacklist ${HOME}/.devilspie
255	blacklist ${HOME}/.dia	260	blacklist ${HOME}/.dia
256	blacklist ${HOME}/.dillo	261	blacklist ${HOME}/.dillo
257	blacklist ${HOME}/.dooble	262	blacklist ${HOME}/.dooble
@@ -361,6 +366,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease
361	blacklist ${HOME}/.local/share/Empathy	366	blacklist ${HOME}/.local/share/Empathy
362	blacklist ${HOME}/.local/share/JetBrains	367	blacklist ${HOME}/.local/share/JetBrains
363	blacklist ${HOME}/.local/share/Mumble	368	blacklist ${HOME}/.local/share/Mumble
		369	blacklist ${HOME}/.local/share/QMediathekView
364	blacklist ${HOME}/.local/share/QuiteRss	370	blacklist ${HOME}/.local/share/QuiteRss
365	blacklist ${HOME}/.local/share/Ricochet	371	blacklist ${HOME}/.local/share/Ricochet
366	blacklist ${HOME}/.local/share/Steam	372	blacklist ${HOME}/.local/share/Steam


diff --git a/etc/file.profile b/etc/file.profile index 5d1227520..00e18de20 100644 --- a/etc/file.profile +++ b/etc/file.profile
@@ -30,10 +30,12 @@ shell none
30	tracelog	30	tracelog
31	x11 none	31	x11 none
32		32
33	private-bin file	33	#private-bin file
		34	private-cache
34	private-dev	35	private-dev
35	private-etc magic.mgc,magic,localtime	36	private-etc magic.mgc,magic,localtime
36	private-lib	37	private-lib
		38	private-tmp
37		39
38	memory-deny-write-execute	40	memory-deny-write-execute
39	noexec ${HOME}	41	noexec ${HOME}


diff --git a/etc/strings.profile b/etc/strings.profile index 5bea9525f..ae2fbf18f 100644 --- a/etc/strings.profile +++ b/etc/strings.profile
@@ -21,9 +21,13 @@ shell none
21	tracelog	21	tracelog
22		22
23	private-bin strings	23	private-bin strings
		24	private-cache
24	private-dev	25	private-dev
		26	private-etc none
25	private-lib	27	private-lib
26		28
27	memory-deny-write-execute	29	memory-deny-write-execute
		30	noexec ${HOME}
		31	noexec /tmp
28		32
29	include /etc/firejail/default.profile	33	include /etc/firejail/default.profile