Diffstat (limited to 'etc')
-rw-r--r--etc/QMediathekView.profile2
-rw-r--r--etc/Xephyr.profile6
-rw-r--r--etc/Xvfb.profile4
-rw-r--r--etc/allow-java.inc2
-rw-r--r--etc/amarok.profile2
-rw-r--r--etc/aosp.profile1
-rw-r--r--etc/arch-audit.profile1
-rw-r--r--etc/archaudit-report.profile3
-rw-r--r--etc/ardour5.profile4
-rw-r--r--etc/arduino.profile1
-rw-r--r--etc/aria2c.profile2
-rw-r--r--etc/ark.profile2
-rw-r--r--etc/assogiate.profile2
-rw-r--r--etc/asunder.profile1
-rw-r--r--etc/bitcoin-qt.profile2
-rw-r--r--etc/bitlbee.profile4
-rw-r--r--etc/bless.profile2
-rw-r--r--etc/brasero.profile1
-rw-r--r--etc/caja.profile1
-rw-r--r--etc/cantata.profile2
-rw-r--r--etc/catfish.profile4
-rw-r--r--etc/chromium-common.profile7
-rw-r--r--etc/curl.profile2
-rw-r--r--etc/cyberfox.profile2
-rw-r--r--etc/dig.profile3
-rw-r--r--etc/digikam.profile5
-rw-r--r--etc/dino.profile2
-rw-r--r--etc/dnscrypt-proxy.profile2
-rw-r--r--etc/elinks.profile2
-rw-r--r--etc/engrampa.profile1
-rw-r--r--etc/evince.profile2
-rw-r--r--etc/feh-network.inc2
-rw-r--r--etc/fetchmail.profile2
-rw-r--r--etc/ffmpeg.profile1
-rw-r--r--etc/file-roller.profile1
-rw-r--r--etc/firefox-common.profile9
-rw-r--r--etc/firefox.profile2
-rw-r--r--etc/freecol.profile1
-rw-r--r--etc/frozen-bubble.profile1
-rw-r--r--etc/gedit.profile3
-rw-r--r--etc/geeqie.profile1
-rw-r--r--etc/github-desktop.profile1
-rw-r--r--etc/gjs.profile4
-rw-r--r--etc/gnome-books.profile3
-rw-r--r--etc/gnome-maps.profile13
-rw-r--r--etc/gnome-nettool.profile4
-rw-r--r--etc/gnome-photos.profile3
-rw-r--r--etc/gnome-schedule.profile1
-rw-r--r--etc/gnome-weather.profile4
-rw-r--r--etc/goobox.profile2
-rw-r--r--etc/highlight.profile1
-rw-r--r--etc/img2txt.profile1
-rw-r--r--etc/jd-gui.profile1
-rw-r--r--etc/kdenlive.profile2
-rw-r--r--etc/kmail.profile5
-rw-r--r--etc/kopete.profile2
-rw-r--r--etc/less.profile2
-rw-r--r--etc/libreoffice.profile1
-rw-r--r--etc/lynx.profile2
-rw-r--r--etc/mediathekview.profile1
-rw-r--r--etc/minetest.profile5
-rw-r--r--etc/mpd.profile2
-rw-r--r--etc/multimc5.profile3
-rw-r--r--etc/mupdf.profile2
-rw-r--r--etc/mutt.profile2
-rw-r--r--etc/nautilus.profile1
-rw-r--r--etc/open-invaders.profile1
-rw-r--r--etc/openarena.profile10
-rw-r--r--etc/pdfsam.profile1
-rw-r--r--etc/peek.profile2
-rw-r--r--etc/ping.profile4
-rw-r--r--etc/pingus.profile1
-rw-r--r--etc/pluma.profile1
-rw-r--r--etc/pycharm-community.profile1
-rw-r--r--etc/qbittorrent.profile3
-rw-r--r--etc/qgis.profile2
-rw-r--r--etc/quiterss.profile2
-rw-r--r--etc/remmina.profile1
-rw-r--r--etc/rhythmbox-client.profile11
-rw-r--r--etc/rhythmbox.profile4
-rw-r--r--etc/ricochet.profile2
-rw-r--r--etc/scribus.profile2
-rw-r--r--etc/seahorse.profile3
-rw-r--r--etc/seamonkey.profile2
-rw-r--r--etc/shotcut.profile8
-rw-r--r--etc/simple-scan.profile2
-rw-r--r--etc/simplescreenrecorder.profile1
-rw-r--r--etc/simutrans.profile1
-rw-r--r--etc/skanlite.profile3
-rw-r--r--etc/skype.profile2
-rw-r--r--etc/ssh.profile2
-rw-r--r--etc/steam.profile3
-rw-r--r--etc/supertux2.profile1
-rw-r--r--etc/synfigstudio.profile2
-rw-r--r--etc/tar.profile4
-rw-r--r--etc/tcpdump.profile4
-rw-r--r--etc/templates/profile.template8
-rw-r--r--etc/terasology.profile1
-rw-r--r--etc/tor.profile5
-rw-r--r--etc/totem.profile2
-rw-r--r--etc/tracker.profile1
-rw-r--r--etc/tshark.profile5
-rw-r--r--etc/tuxguitar.profile1
-rw-r--r--etc/unbound.profile4
-rw-r--r--etc/unknown-horizons.profile4
-rw-r--r--etc/waterfox.profile2
-rw-r--r--etc/webstorm.profile1
-rw-r--r--etc/wget.profile2
-rw-r--r--etc/wireshark.profile2
-rw-r--r--etc/xed.profile1
-rw-r--r--etc/xfburn.profile1
-rw-r--r--etc/xplayer.profile2
-rw-r--r--etc/xpra.profile4
-rw-r--r--etc/xviewer.profile1
-rw-r--r--etc/zaproxy.profile1
115 files changed, 127 insertions, 175 deletions
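diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
index ae863b73d..ece681c35 100644
--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -48,8 +48,6 @@ disable-mnt
 private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
-# private-etc alternatives
-# private-lib
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)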
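diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index 230a88472..5ef75022b 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -34,8 +34,8 @@ shell none
 disable-mnt
 # using a private home directory
 private
-# private-bin Xephyr,sh,xkbcomp
-# private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
+# private-bin sh,Xephyr,xkbcomp
+# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
 private-dev
-# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 #private-tmp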
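diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 259077d86..3ecda698e 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -37,8 +37,8 @@ shell none
 disable-mnt
 # using a private home directory
 private
-# private-bin Xvfb,sh,xkbcomp
-# private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
+# private-bin sh,xkbcomp,Xvfb
+# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
 private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 private-tmp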
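diff --git a/etc/allow-java.inc b/etc/allow-java.inc
index c6ab3b2eb..5204d2dea 100644
--- a/etc/allow-java.inc
+++ b/etc/allow-java.inc
@@ -1,3 +1,5 @@
+noblacklist ${HOME}/.java
+
 noblacklist ${PATH}/java
 noblacklist /usr/lib/java
 noblacklist /etc/java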
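Review bot: The added `noblacklist ${HOME}/.java` takes effect for every profile that includes allow-java.inc, not only for arduino.profile and freecol.profile, where this commit removes the per-profile copy of the line. Those two removals are only neutral if both profiles include allow-java.inc, which none of their hunks on this page shows, so that should be confirmed. A short header comment here, such as `# Un-blacklists the per-user and system Java directories; include only from profiles that run a JVM`, would make the wider scope visible to anyone adding the include to a new profile.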
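diff --git a/etc/amarok.profile b/etc/amarok.profile
index 6cec3befc..0b974e9ac 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -31,5 +31,5 @@ shell none
 
 # private-bin amarok
 private-dev
-# private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
 private-tmp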
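diff --git a/etc/aosp.profile b/etc/aosp.profile
index bdfefa923..701bf4733 100644
--- a/etc/aosp.profile
+++ b/etc/aosp.profile
@@ -5,7 +5,6 @@ include aosp.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.bash_history
 noblacklist ${HOME}/.config/git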
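diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile
index e353326df..2f08fa169 100644
--- a/etc/arch-audit.profile
+++ b/etc/arch-audit.profile
@@ -7,7 +7,6 @@ include arch-audit.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist /var/lib/pacman
 
 include disable-common.inc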
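diff --git a/etc/archaudit-report.profile b/etc/archaudit-report.profile
index bfd110bf2..19c37f90e 100644
--- a/etc/archaudit-report.profile
+++ b/etc/archaudit-report.profile
@@ -6,7 +6,6 @@ include archaudit-report.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist /var/lib/pacman
 
 include disable-common.inc
@@ -17,8 +16,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
-
 caps.drop all
 ipc-namespace
 netfilter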
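Review bot: The second hunk drops `include whitelist-common.inc` without leaving a reason behind, whereas the same change in gnome-nettool.profile on this page is kept as `#include whitelist-common.inc -- see #903`. If the motivation is the same, keep the same commented line here so the two profiles read alike. If no other home-directory whitelist or `private` applies in this profile (the rest of the file is outside both hunks), the removal presumably also widens what the sandboxed process can see under ${HOME}, and that deserves a sentence in the profile.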
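diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 211a32e22..5ebeafa76 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -34,9 +34,9 @@ protocol unix
 seccomp
 shell none
 
-#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+#private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh
 private-cache
 private-dev
-#private-etc alternatives,pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf
+#private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11
 private-tmp
 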
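diff --git a/etc/arduino.profile b/etc/arduino.profile
index 26bd3d0a7..fd1ca9a09 100644
--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -7,7 +7,6 @@ include arduino.local
 include globals.local
 
 noblacklist ${HOME}/.arduino15
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/Arduino
 noblacklist ${DOCUMENTS}
 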
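diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index b952ac8a6..3b9dfc365 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -38,7 +38,7 @@ private-bin aria2c,gzip
 # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
 #private-cache
 private-dev
-private-etc alternatives,ca-certificates,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
 private-lib libreadline.so.*
 private-tmp
 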
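diff --git a/etc/ark.profile b/etc/ark.profile
index ee0899b1d..7f74a4d49 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -35,7 +35,7 @@ seccomp
 shell none
 
 private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo
-#private-etc alternatives,smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
+#private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg
 
 private-dev
 private-tmp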
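diff --git a/etc/assogiate.profile b/etc/assogiate.profile
index 02a4798f4..074d82955 100644
--- a/etc/assogiate.profile
+++ b/etc/assogiate.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin assogiate,gtk-update-icon-cache,update-mime-database
 private-cache
 private-dev
-private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.*
+private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.*
 private-tmp
 
 memory-deny-write-execute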
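diff --git a/etc/asunder.profile b/etc/asunder.profile
index fa2479051..fc10739aa 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -34,7 +34,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-#private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 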
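diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile
index 8aae5d668..ac1e21ba7 100644
--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin bitcoin-qt
 private-dev
 # Causes problem with loading of libGL.so
-#private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
 memory-deny-write-execute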
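diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 287e5f52e..62eeb88f3 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -6,12 +6,15 @@ include bitlbee.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -34,5 +37,4 @@ private-cache
 private-dev
 private-tmp
 
-noexec /tmp
 read-write /var/lib/bitlbee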
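Review bot: The new `ignore noexec ${HOME}` at line 9 exempts the home directory from the noexec rule that the newly included disable-exec.inc presumably sets, and the profile gives no reason for the exemption. Add a comment naming what bitlbee has to execute from ${HOME}, for example `# <component> is started from ${HOME}, so noexec cannot apply there` with the real component filled in, or drop the ignore if nothing needs it. The second hunk removes `noexec /tmp`; that is only equivalent if disable-exec.inc covers /tmp, which is not visible on this page and should be confirmed.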
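diff --git a/etc/bless.profile b/etc/bless.profile
index d4ac80db1..35235962e 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -33,7 +33,7 @@ protocol unix
 seccomp
 shell none
 
-# private-bin bless,sh,bash,mono
+# private-bin bash,bless,mono,sh
 private-cache
 private-dev
 private-etc alternatives,fonts,mono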
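diff --git a/etc/brasero.profile b/etc/brasero.profile
index aa838380a..058253308 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -31,7 +31,6 @@ tracelog
 # private-bin brasero
 private-cache
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute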
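diff --git a/etc/caja.profile b/etc/caja.profile
index 2a95649af..c5cef7b27 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -39,5 +39,4 @@ tracelog
 # caja needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin caja
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp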
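diff --git a/etc/cantata.profile b/etc/cantata.profile
index 19abbfea2..c44d56b90 100644
--- a/etc/cantata.profile
+++ b/etc/cantata.profile
@@ -34,6 +34,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
-# private-etc samba,gcrypt,drirc,fonts,mpd.conf,kde5rc,passwd,xdg,hosts,ssl
+# private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev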
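diff --git a/etc/catfish.profile b/etc/catfish.profile
index f615b5323..c6c2d7e8a 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -15,11 +15,11 @@ noblacklist ${HOME}/.config/catfish
 include allow-python2.inc
 include allow-python3.inc
 
-include disable-common.inc
+# include disable-common.inc
 # include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
+# include disable-programs.inc
 
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc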
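Review bot: Lines 18 and 22 now read `# include disable-common.inc` and `# include disable-programs.inc`, which switches off the common and per-program blacklists for this profile without saying why. If this is deliberate (a file search tool presumably has to see the files it searches), state it next to the lines, for example `# disable-common.inc and disable-programs.inc are not included: catfish must be able to search the whole home directory`. With both includes gone the sandboxed process can read whatever they would otherwise hide, so the remaining restrictions in the profile carry the whole load and are worth re-checking; most of the profile is outside this hunk.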
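diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index 63983d93b..ba6f9d88c 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -27,10 +27,9 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
-caps.keep sys_chroot,sys_admin
+caps.keep sys_admin,sys_chroot
 netfilter
-# Breaks Gnome connector - disable if you use that
-nodbus
+# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 nodvd
 nogroups
 notv
@@ -42,4 +41,4 @@ private-dev
 # private-tmp - problems with multiple browser sessions
 
 # the file dialog needs to work without d-bus
-env NO_CHROME_KDE_FILE_DIALOG=1
+?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1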
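Review bot: Replacing the active `nodbus` with a comment at line 32 changes the default for every browser profile built on chromium-common.profile: the sandboxed browser can now reach D-Bus unless the user opts back in, and the comment explains the trade-off but not how to restore the old isolation. Consider extending it to `# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector; add 'nodbus' to your .local override to restore D-Bus isolation`. The comment above the last line, `# the file dialog needs to work without d-bus`, would also read more accurately as `# with nodbus set, the file dialog needs to work without d-bus` now that the line is conditional on `?HAS_NODBUS:`.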
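diff --git a/etc/curl.profile b/etc/curl.profile
index b8b91d278..76beee46a 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -34,5 +34,5 @@ shell none
 # private-bin curl
 private-cache
 private-dev
-# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-tmp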
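diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index fcb448b30..d1fff0004 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -13,7 +13,7 @@ mkdir ${HOME}/.cache/8pecxstudios
 whitelist ${HOME}/.8pecxstudios
 whitelist ${HOME}/.cache/8pecxstudios
 
-# private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
+# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cyberfox
 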
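diff --git a/etc/dig.profile b/etc/dig.profile
index 9bc4ee0ca..6f2c1f755 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.digrc
+#mkfile ${HOME}/.digrc -- see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -45,7 +45,6 @@ private
 private-bin bash,dig,sh
 private-cache
 private-dev
-# private-etc alternatives,resolv.conf
 private-lib
 private-tmp
 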
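Review bot: With `mkfile ${HOME}/.digrc` commented out at line 20, the `whitelist ${HOME}/.digrc` and `include whitelist-common.inc` lines right below stay active although the profile also sets `private` (visible in the second hunk's header), and the only explanation is the bare reference `see #903`. Spell the reason out so the reader does not need the tracker, e.g. `#mkfile ${HOME}/.digrc -- see #903 (<one-line reason>)`, and say whether the whitelist lines are still expected to have an effect. gnome-nettool.profile on this page comments out its `include whitelist-common.inc` with the same reference, so the two profiles should be treated alike unless there is a reason not to.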
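diff --git a/etc/digikam.profile b/etc/digikam.profile
index e9c89a1b9..1b80981f7 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -33,11 +33,8 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
-# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
 
-# private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
-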
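diff --git a/etc/dino.profile b/etc/dino.profile
index 2db395e02..f7b220936 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -37,6 +37,6 @@ shell none
 disable-mnt
 private-bin dino
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
 private-tmp
 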
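diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index ffced747b..ae248f2e8 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -26,7 +26,7 @@ nosound
 notv
 nou2f
 novideo
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 
 disable-mnt
 private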
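Review bot: The sorted `seccomp.drop` list on line 29 still names `perf_event_open` twice (`...,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,...`); the repeat was carried over from the unsorted list, where the two copies sat far apart. It is presumably harmless to the resulting filter, but one of the benefits of sorting a syscall denylist is that duplicates and omissions become visible, so remove one copy. The other 43 entries match the old list one for one.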
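diff --git a/etc/elinks.profile b/etc/elinks.profile
index 980fa7617..94f4179c7 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -36,5 +36,5 @@ tracelog
 # private-bin elinks
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp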
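diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 562e8f542..aaf3e3382 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -35,7 +35,6 @@ tracelog
 
 # private-bin engrampa
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute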
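diff --git a/etc/evince.profile b/etc/evince.profile
index 1a429d673..c1fbc7a4f 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -43,7 +43,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
 private-etc alternatives,fonts,group,machine-id,passwd
-private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*,gconv
+private-lib evince,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
 
 # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)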
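diff --git a/etc/feh-network.inc b/etc/feh-network.inc
index f3876475e..e94e7205c 100644
--- a/etc/feh-network.inc
+++ b/etc/feh-network.inc
@@ -1,4 +1,4 @@
 ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc resolv.conf,ca-certificates,ssl,pki,hosts,crypto-policies
+private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl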
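diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
index 46d0bd08e..d64fe830f 100644
--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -30,5 +30,5 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-#private-bin fetchmail,procmail,bash,chmod
+#private-bin bash,chmod,fetchmail,procmail
 private-dev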
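diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 9c1c5b7de..0771bf6a5 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -36,7 +36,6 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
-# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
 shell none
 tracelog
 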
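diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 95accdd36..59d2f3ec8 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -39,7 +39,6 @@ tracelog
 
 # private-bin file-roller
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 # memory-deny-write-execute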
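diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index bccbb3412..961b338e7 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -34,11 +34,8 @@ caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required.
 #machine-id
 netfilter
-# Breaks Gnome connector and KDE Connect.
-# Also seems to break Ubuntu titlebar menu.
-# Also breaks enigmail apparently?
-# During a stream on Plasma it prevents the mechanism to temporarily bypass the power management, i.e. to keep the screen on.
-# Therefore disable if you use that.
+# nodbus breaks various desktop integration features
+# among other things global menus, Gnome connector, KDE connect and power management on KDE Plasma
 nodbus
 nodvd
 nogroups
@@ -57,5 +54,5 @@ shell none
 disable-mnt
 private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp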
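Review bot: The rewritten comment above `nodbus` (new lines 37-38) lists what the option breaks but no longer carries the old closing hint that it can be turned off, so a user who hits one of these breakages does not learn the remedy from the profile. Add a third comment line such as `# add 'ignore nodbus' to your .local override if you need any of these`, which keeps D-Bus isolation as the default while documenting the opt-out. The enigmail remark from the old text is also gone; if that breakage is still real it belongs in the list.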
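diff --git a/etc/firefox.profile b/etc/firefox.profile
index 830bbc6a7..84c647cb9 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
 # firefox requires a shell to launch on Arch.
-#private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 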
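diff --git a/etc/freecol.profile b/etc/freecol.profile
index 2d2853c9c..baeb4c528 100644
--- a/etc/freecol.profile
+++ b/etc/freecol.profile
@@ -7,7 +7,6 @@ include freecol.local
 include globals.local
 
 noblacklist ${HOME}/.freecol
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.cache/freecol
 noblacklist ${HOME}/.config/freecol
 noblacklist ${HOME}/.local/share/freecol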
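diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 9596bc610..3931aa64a 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -38,5 +38,4 @@ shell none
 disable-mnt
 # private-bin frozen-bubble
 private-dev
-# private-etc alternatives
 private-tmp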
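diff --git a/etc/gedit.profile b/etc/gedit.profile
index ca2cf6e92..8232bbae4 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -44,7 +44,6 @@ tracelog
 
 # private-bin gedit
 private-dev
-# private-etc alternatives,fonts
-private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell
+private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 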
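Review bot: The new `private-lib` line at line 47 is not only a re-sort: the `/usr/bin/gedit` entry from the old list is gone, while the other six entries are unchanged. If that entry was there so that the libraries needed by the gedit binary were pulled into the private lib directory, dropping it can change what the sandbox contains, so it is worth confirming that gedit still starts with this profile. If the removal is intentional, a short comment such as `# /usr/bin/gedit no longer needs to be listed here` would separate it from the purely cosmetic reordering in the rest of the commit.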
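diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index adfc3ef1c..8810ca161 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -31,4 +31,3 @@ shell none
 
 # private-bin geeqie
 private-dev
-# private-etc alternatives,X11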
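diff --git a/etc/github-desktop.profile b/etc/github-desktop.profile
index 4a969f9ad..b25b138ad 100644
--- a/etc/github-desktop.profile
+++ b/etc/github-desktop.profile
@@ -42,7 +42,6 @@ disable-mnt
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-# private-etc alternatives
 # private-lib
 private-tmp
 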
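diff --git a/etc/gjs.profile b/etc/gjs.profile
index f119e5b34..17b0aa5cf 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -32,7 +32,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
+# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp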
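diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 184751132..25cd94f0c 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -36,8 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs gnome-books
+# private-bin gjs,gnome-books
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 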
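diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 97de9c2be..be8e809ce 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -10,6 +10,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/champlain
 noblacklist ${HOME}/.local/share/flatpak
+noblacklist ${HOME}/.local/share/maps-places.json
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,6 +20,13 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.cache/champlain
+mkfile ${HOME}/.local/share/maps-places.json
+whitelist ${HOME}/.cache/champlain
+whitelist ${HOME}/.local/share/maps-places.json
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -39,8 +47,9 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin gjs gnome-maps
+private-bin gjs,gnome-maps
+# private-cache -- gnome-maps cache all maps/satelite-images
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 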
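Review bot: The new `whitelist ${DOWNLOADS}` and `whitelist ${PICTURES}` lines in the second hunk open two whole user directories to the sandbox without a comment saying which gnome-maps feature needs them. A one-line rationale above them, for example `# needed for exporting map images/routes (assumed -- confirm)`, would let a later reviewer judge whether the access can be narrowed. In the third hunk the `# private-cache -- ...` comment is worth keeping, because it records why the option stays off next to the whitelisted `${HOME}/.cache/champlain`; only the spelling needs fixing (`satellite`). The same hunk switches both `private-bin` and a long `private-etc` list from commented-out to active, so breakage from either will be harder to attribute than if they had been enabled separately.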
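diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile
index 3f28b7efe..001274372 100644
--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc -- see #903
 include whitelist-var-common.inc
 
 caps.keep net_raw
@@ -39,6 +39,6 @@ disable-mnt
 private
 private-cache
 private-dev
-private-lib libgtk-3.so.*,libgtop*,libbind9.so.*,libcrypto.so.*,libdns.so.*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
+private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
 private-tmp
 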
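Review bot: In the first hunk `#include whitelist-common.inc -- see #903` disables the home whitelist and gives only an issue number as the reason. The second hunk's context shows `private` still active at line 39, which presumably is what makes the whitelist redundant or conflicting, but a reader has to open the tracker to learn that. I would state the reason in the profile itself, e.g. `# whitelist-common.inc is not used together with 'private' below -- see #903` (wording to be checked against the issue). The `private-lib` change in the second hunk only reorders the same nine entries.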
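diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 4e5a3b109..3bbad67bb 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -33,8 +33,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs gnome-photos
+# private-bin gjs,gnome-photos
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 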
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index 08256f3a5..0fca08505 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -69,6 +69,5 @@ tracelog
69disable-mnt 69disable-mnt
70private-cache 70private-cache
71private-dev 71private-dev
72# private-etc alternatives
73writable-var 72writable-var
74 73
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index ef7255130..a43db7e2f 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -37,8 +37,8 @@ shell none
37tracelog 37tracelog
38 38
39disable-mnt 39disable-mnt
40# private-bin gjs gnome-weather 40# private-bin gjs,gnome-weather
41private-dev 41private-dev
42# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies 42# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
43private-tmp 43private-tmp
44 44
diff --git a/etc/goobox.profile b/etc/goobox.profile
index be332665e..c932ad528 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -31,5 +31,5 @@ tracelog
31 31
32# private-bin goobox 32# private-bin goobox
33private-dev 33private-dev
34# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies 34# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
35# private-tmp 35# private-tmp
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 243643aea..cae8e29d7 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -34,5 +34,4 @@ tracelog
34private-bin highlight 34private-bin highlight
35private-cache 35private-cache
36private-dev 36private-dev
37# private-etc alternatives
38private-tmp 37private-tmp
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index ade50048e..a36af8abf 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -38,7 +38,6 @@ tracelog
38# private-bin img2txt 38# private-bin img2txt
39private-cache 39private-cache
40private-dev 40private-dev
41# private-etc alternatives
42private-tmp 41private-tmp
43 42
44memory-deny-write-execute 43memory-deny-write-execute
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 74fadb4a9..5b7275718 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -6,7 +6,6 @@ include jd-gui.local
6include globals.local 6include globals.local
7 7
8noblacklist ${HOME}/.config/jd-gui.cfg 8noblacklist ${HOME}/.config/jd-gui.cfg
9noblacklist ${HOME}/.java
10 9
11# Allow java (blacklisted by disable-devel.inc) 10# Allow java (blacklisted by disable-devel.inc)
12include allow-java.inc 11include allow-java.inc
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 710c86e9a..361109127 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -35,4 +35,4 @@ shell none
35 35
36private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine 36private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
37private-dev 37private-dev
38# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11 38# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 009b2c063..0b602c79a 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -53,9 +53,8 @@ protocol unix,inet,inet6,netlink
53# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls 53# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
54seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice 54seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
55# tracelog 55# tracelog
56# writable-run-user is needed for signing and encrypting emails
57writable-run-user
58 56
59private-dev 57private-dev
60# private-tmp - interrupts connection to akonadi, breaks opening of email attachments 58# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
61 59# writable-run-user is needed for signing and encrypting emails
60writable-run-user
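diff --git a/etc/kopete.profile b/etc/kopete.profile
index 5e931ddac..e0bdce059 100644
--- a/etc/kopete.profile
+++ b/etc/kopete.profile
@@ -31,8 +31,8 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
-writable-var
 
 private-dev
 private-tmp
+writable-var
 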
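diff --git a/etc/less.profile b/etc/less.profile
index bc85e5ad5..897d38b9d 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -34,7 +34,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-writable-var-log
 
 # The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
@@ -42,5 +41,6 @@ writable-var-log
 # private-lib
 private-cache
 private-dev
+writable-var-log
 
 memory-deny-write-execute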
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 05dfd4ca6..b8a6201b2 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -6,7 +6,6 @@ include libreoffice.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9noblacklist ${HOME}/.java
10noblacklist /usr/local/sbin 9noblacklist /usr/local/sbin
11noblacklist ${HOME}/.config/libreoffice 10noblacklist ${HOME}/.config/libreoffice
12 11
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 2f043c9b9..063285316 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -34,5 +34,5 @@ tracelog
34# private-bin lynx 34# private-bin lynx
35private-cache 35private-cache
36private-dev 36private-dev
37# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies 37# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
38private-tmp 38private-tmp
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 4ebb5429a..95cd673c6 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.config/smplayer
11noblacklist ${HOME}/.config/totem 11noblacklist ${HOME}/.config/totem
12noblacklist ${HOME}/.config/vlc 12noblacklist ${HOME}/.config/vlc
13noblacklist ${HOME}/.config/xplayer 13noblacklist ${HOME}/.config/xplayer
14noblacklist ${HOME}/.java
15noblacklist ${HOME}/.local/share/totem 14noblacklist ${HOME}/.local/share/totem
16noblacklist ${HOME}/.local/share/xplayer 15noblacklist ${HOME}/.local/share/xplayer
17noblacklist ${HOME}/.mediathek3 16noblacklist ${HOME}/.mediathek3
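diff --git a/etc/minetest.profile b/etc/minetest.profile
index b3e692446..0439a1ccc 100644
--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -6,6 +6,7 @@ include minetest.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
 
 include disable-common.inc
@@ -16,7 +17,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.cache/minetest
 mkdir ${HOME}/.minetest
+whitelist ${HOME}/.cache/minetest
 whitelist ${HOME}/.minetest
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -42,5 +45,5 @@ private-bin minetest
 private-cache
 private-dev
 # private-etc needs to be updated, see #1702
-#private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp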
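Review bot: The second hunk whitelists `${HOME}/.cache/minetest`, yet `private-cache` remains active in the third hunk's context (line 45 of the new file). private-cache places an empty temporary filesystem over `~/.cache`, so the two directives work against each other: either the whitelisted cache directory is hidden and never persists, or the option is dropped at start-up. Which of the two firejail does is not visible from this diff and should be confirmed by running the profile. The gnome-maps profile in this same commit resolves the identical situation by commenting the option out with a reason, and I would do the same here: `# private-cache -- conflicts with whitelisted ${HOME}/.cache/minetest`.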
diff --git a/etc/mpd.profile b/etc/mpd.profile
index 0a98de7c4..0b5ebf705 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -34,7 +34,7 @@ protocol unix,inet,inet6
34seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice 34seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
35shell none 35shell none
36 36
37#private-bin mpd,bash 37#private-bin bash,mpd
38private-cache 38private-cache
39private-dev 39private-dev
40private-tmp 40private-tmp
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index 98edf273e..475307418 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -5,7 +5,6 @@ include multimc5.local
5# Persistent global definitions 5# Persistent global definitions
6include globals.local 6include globals.local
7 7
8noblacklist ${HOME}/.java
9noblacklist ${HOME}/.local/share/multimc 8noblacklist ${HOME}/.local/share/multimc
10noblacklist ${HOME}/.local/share/multimc5 9noblacklist ${HOME}/.local/share/multimc5
11noblacklist ${HOME}/.multimc5 10noblacklist ${HOME}/.multimc5
@@ -43,7 +42,7 @@ shell none
43 42
44disable-mnt 43disable-mnt
45# private-bin works, but causes weirdness 44# private-bin works, but causes weirdness
46# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname 45# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
47private-dev 46private-dev
48private-tmp 47private-tmp
49 48
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 1d5953ff7..673c9fd0b 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -36,7 +36,7 @@ seccomp
36shell none 36shell none
37tracelog 37tracelog
38 38
39# private-bin mupdf,sh,tempfile,rm 39# private-bin mupdf,rm,sh,tempfile
40private-dev 40private-dev
41private-etc alternatives,fonts 41private-etc alternatives,fonts
42private-tmp 42private-tmp
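diff --git a/etc/mutt.profile b/etc/mutt.profile
index 419e17e95..c424dbb85 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -54,6 +54,6 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
-writable-run-user
 
 private-dev
+writable-run-user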
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index b81313b6a..d6d08679b 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -40,5 +40,4 @@ tracelog
40# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files 40# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
41# private-bin nautilus 41# private-bin nautilus
42# private-dev 42# private-dev
43# private-etc alternatives,fonts
44# private-tmp 43# private-tmp
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index bff42fb19..d80b3d351 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -33,5 +33,4 @@ shell none
33 33
34# private-bin open-invaders 34# private-bin open-invaders
35private-dev 35private-dev
36# private-etc alternatives
37private-tmp 36private-tmp
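diff --git a/etc/openarena.profile b/etc/openarena.profile
index f36d3270f..c83e78e2c 100644
--- a/etc/openarena.profile
+++ b/etc/openarena.profile
@@ -21,16 +21,12 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 # ipc-namespace
-# machine-id
-# net none
 # netfilter
-# no3d
 # nodbus
 # nodvd
 # nogroups
 nonewprivs
 noroot
-# nosound
 notv
 # nou2f
 novideo
@@ -40,12 +36,8 @@ shell none
 # tracelog
 
 # disable-mnt
-# private
 # private-bin openarena
 private-cache
 private-dev
-# private-etc machine-id,xdg,openal,udev,drirc,passwd,selinux
+# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
-# private-lib
 private-tmp
-
-# memory-deny-write-execute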
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index adff2af3e..48f424190 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -6,7 +6,6 @@ include pdfsam.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9noblacklist ${HOME}/.java
10noblacklist ${DOCUMENTS} 9noblacklist ${DOCUMENTS}
11 10
12# Allow java (blacklisted by disable-devel.inc) 11# Allow java (blacklisted by disable-devel.inc)
diff --git a/etc/peek.profile b/etc/peek.profile
index fd836560e..8cbff0c64 100644
--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -34,7 +34,7 @@ seccomp
34shell none 34shell none
35 35
36# private-bin breaks gif mode, mp4 and webm mode work fine however 36# private-bin breaks gif mode, mp4 and webm mode work fine however
37# private-bin peek,convert,ffmpeg 37# private-bin convert,ffmpeg,peek
38private-dev 38private-dev
39private-tmp 39private-tmp
40 40
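diff --git a/etc/ping.profile b/etc/ping.profile
index 66574bab5..00ac45c5a 100644
--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -30,10 +30,8 @@ nosound
 notv
 nou2f
 novideo
-
 # protocol command is built using seccomp; nonewprivs will kill it
 #protocol unix,inet,inet6,netlink,packet
-
 # killed by no-new-privs
 #seccomp
 
@@ -42,7 +40,7 @@ private
 #private-bin has mammoth problems with execvp: "No such file or directory"
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
-#private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies
+#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it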
diff --git a/etc/pingus.profile b/etc/pingus.profile
index 6b664248f..782ee200d 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -33,5 +33,4 @@ shell none
33 33
34# private-bin pingus 34# private-bin pingus
35private-dev 35private-dev
36# private-etc alternatives
37private-tmp 36private-tmp
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 47626753a..91e6edc65 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -39,7 +39,6 @@ tracelog
39 39
40private-bin pluma 40private-bin pluma
41private-dev 41private-dev
42# private-etc alternatives,fonts
43private-lib pluma 42private-lib pluma
44private-tmp 43private-tmp
45 44
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index 0531aee4a..e35d70c46 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -8,7 +8,6 @@ include globals.local
8noblacklist ${HOME}/.PyCharmCE* 8noblacklist ${HOME}/.PyCharmCE*
9noblacklist ${HOME}/.python-history 9noblacklist ${HOME}/.python-history
10noblacklist ${HOME}/.pythonrc.py 10noblacklist ${HOME}/.pythonrc.py
11noblacklist ${HOME}/.java
12 11
13# Allow java (blacklisted by disable-devel.inc) 12# Allow java (blacklisted by disable-devel.inc)
14include allow-java.inc 13include allow-java.inc
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index d5198ef61..fe9caec77 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -53,8 +53,7 @@ shell none
53 53
54private-bin python*,qbittorrent 54private-bin python*,qbittorrent
55private-dev 55private-dev
56# private-etc alternatives,X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies 56# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
57# private-lib - problems on Arch
58private-tmp 57private-tmp
59 58
60# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo 59# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
diff --git a/etc/qgis.profile b/etc/qgis.profile
index 15ef4c22a..80a10efce 100644
--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
45nou2f 45nou2f
46novideo 46novideo
47# blacklisting of mbind system calls breaks old version 47# blacklisting of mbind system calls breaks old version
48seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore 48seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
49protocol unix,inet,inet6,netlink 49protocol unix,inet,inet6,netlink
50shell none 50shell none
51tracelog 51tracelog
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index e2a3c9c23..ca1abcdc9 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -50,5 +50,5 @@ tracelog
50disable-mnt 50disable-mnt
51private-bin quiterss 51private-bin quiterss
52private-dev 52private-dev
53# private-etc alternatives,X11,ssl,pki,ca-certificates,crypto-policies 53# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
54 54
diff --git a/etc/remmina.profile b/etc/remmina.profile
index a77f2d8aa..e85ceca13 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -31,7 +31,6 @@ nou2f
31novideo 31novideo
32protocol unix,inet,inet6 32protocol unix,inet,inet6
33seccomp 33seccomp
34# seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
35shell none 34shell none
36 35
37private-cache 36private-cache
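diff --git a/etc/rhythmbox-client.profile b/etc/rhythmbox-client.profile
new file mode 100644
index 000000000..29e65d716
--- /dev/null
+++ b/etc/rhythmbox-client.profile
@@ -0,0 +1,11 @@
+# Firejail profile for rhythmbox-client
+# Description: controls a running instance of rhythmbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rhythmbox-client.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include rhythmbox.profile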
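diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 1c9f0e4d1..9bcbdb561 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 # apparmor - makes settings immutable
 caps.drop all
 netfilter
-# no3d
 # nodbus - makes settings immutable
 nogroups
 nonewprivs
@@ -39,7 +38,6 @@ seccomp
 shell none
 tracelog
 
-private-bin rhythmbox
+private-bin rhythmbox,rhythmbox-client
 private-dev
 private-tmp
-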
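diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index fc770d62d..1b8fbbc97 100644
--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -37,5 +37,5 @@ shell none
 disable-mnt
 private-bin ricochet,tor
 private-dev
-#private-etc alternatives,fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11
 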
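Review bot: The sorted `#private-etc` line still lists `alternatives` twice (`alternatives,alternatives,ca-certificates,...`); sorting has made the duplicate adjacent, so this is the moment to drop one. The line is commented out and has no run-time effect today, but it will be copied verbatim when someone enables it. Suggested form: `#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11`.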
diff --git a/etc/scribus.profile b/etc/scribus.profile
index c50e0861c..e20cd1b5a 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -56,7 +56,7 @@ seccomp
56shell none 56shell none
57tracelog 57tracelog
58 58
59# private-bin scribus,gs,gimp* 59# private-bin gimp*,gs,scribus
60private-dev 60private-dev
61private-tmp 61private-tmp
62 62
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index be63f9382..a7c95c073 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -50,6 +50,5 @@ tracelog
50disable-mnt 50disable-mnt
51private-cache 51private-cache
52private-dev 52private-dev
53private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,hostname,host.conf,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 53private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
54
55writable-run-user 54writable-run-user
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index ca74efe68..807effbeb 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -52,4 +52,4 @@ seccomp
52tracelog 52tracelog
53 53
54disable-mnt 54disable-mnt
55# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies 55# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
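diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 264566dcd..e6c48561f 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -5,10 +5,13 @@ include shotcut.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/Meltytech
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -26,9 +29,6 @@ protocol unix
 seccomp
 shell none
 
-#private-bin shotcut,melt,qmelt,nice
+#private-bin melt,nice,qmelt,shotcut
 private-cache
 private-dev
-
-#noexec ${HOME}
-noexec /tmp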
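Review bot: `ignore noexec ${HOME}` at the top of the first hunk exempts the whole home directory from the `disable-exec.inc` restrictions added a few lines below, and nothing in the profile says why shotcut needs to execute files from there. The old profile had the same gap (`#noexec ${HOME}` with no reason), so this is the place to record it, e.g. `# shotcut fails to start with noexec on ${HOME} (reason to be filled in)` directly above the `ignore` line. The explicit `noexec /tmp` removed in the second hunk is presumably covered by disable-exec.inc, which is not shown in this section; that is worth confirming so /tmp does not silently become executable again.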
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 4ad841880..64441483d 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -33,5 +33,5 @@ tracelog
33 33
34# private-bin simple-scan 34# private-bin simple-scan
35# private-dev 35# private-dev
36# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies 36# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
37# private-tmp 37# private-tmp
diff --git a/etc/simplescreenrecorder.profile b/etc/simplescreenrecorder.profile
index ead475e07..a3caedf88 100644
--- a/etc/simplescreenrecorder.profile
+++ b/etc/simplescreenrecorder.profile
@@ -31,7 +31,6 @@ tracelog
31 31
32private-cache 32private-cache
33private-dev 33private-dev
34# private-etc alternatives
35private-tmp 34private-tmp
36 35
37memory-deny-write-execute 36memory-deny-write-execute
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index c07b1c145..7febcde46 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -33,5 +33,4 @@ shell none
33 33
34# private-bin simutrans 34# private-bin simutrans
35private-dev 35private-dev
36# private-etc alternatives
37private-tmp 36private-tmp
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 76b050d18..c10be717b 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -16,7 +16,6 @@ include disable-programs.inc
16include disable-xdg.inc 16include disable-xdg.inc
17 17
18caps.drop all 18caps.drop all
19# net none
20netfilter 19netfilter
21# nodbus 20# nodbus
22nodvd 21nodvd
@@ -31,6 +30,6 @@ protocol unix,inet,inet6,netlink
31seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice 30seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
32shell none 31shell none
33 32
34# private-bin skanlite,kbuildsycoca4,kdeinit4 33# private-bin kbuildsycoca4,kdeinit4,skanlite
35# private-dev 34# private-dev
36# private-tmp 35# private-tmp
diff --git a/etc/skype.profile b/etc/skype.profile
index 55057c546..5fab8bdc7 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -28,7 +28,7 @@ seccomp
28shell none 28shell none
29 29
30disable-mnt 30disable-mnt
31#private-bin skype,bash 31#private-bin bash,skype
32private-cache 32private-cache
33private-dev 33private-dev
34private-tmp 34private-tmp
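diff --git a/etc/ssh.profile b/etc/ssh.profile
index 17d286b18..ce0e54a0d 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -37,6 +37,6 @@ tracelog
 private-cache
 private-dev
 # private-tmp # Breaks when exiting
+writable-run-user
 
 memory-deny-write-execute
-writable-run-user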
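--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -6,7 +6,6 @@ include steam.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
@@ -60,7 +59,7 @@ shell none
 #tracelog
 
 # private-bin is disabled while in testing, but has been tested working with multiple games
-#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
 # extra programs are available which might be needed for select games
 #private-bin java,java-config,mono
 # picture viewers are needed for viewing screenshots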
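Review bot: Dropping `noblacklist ${HOME}/.java` in the first hunk is only safe if this profile still gets that entry from somewhere else, and no `include allow-java.inc` is visible in either hunk. The diffstat lists etc/allow-java.inc as changed in the same commit, so the entry was presumably moved there; without the include, `${HOME}/.java` would presumably stay blacklisted and Java-based games would lose access to their settings directory. Please confirm the include is present here and in tuxguitar.profile and webstorm.profile, whose hunks remove the same line without showing it. Where it is, a comment like `# Allow java (blacklisted by disable-devel.inc)` above the include, as terasology.profile has, documents the dependency.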
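--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -34,5 +34,4 @@ shell none
 disable-mnt
 # private-bin supertux2
 private-dev
-# private-etc alternatives
 private-tmp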
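--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -31,7 +31,7 @@ protocol unix
 seccomp
 shell none
 
-#private-bin synfigstudio,synfig,ffmpeg
+#private-bin ffmpeg,synfig,synfigstudio
 private-cache
 private-dev
 private-tmp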
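--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -43,7 +43,7 @@ private-cache
 private-dev
 private-etc alternatives,group,localtime,passwd
 private-lib libfakeroot
-
-memory-deny-write-execute
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
+
+memory-deny-write-execute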
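--- a/etc/tcpdump.profile
+++ b/etc/tcpdump.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist /sbin
 noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -15,6 +16,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+
 include whitelist-common.inc
 
 caps.keep net_raw
@@ -30,7 +32,6 @@ nosound
 notv
 nou2f
 novideo
-
 protocol unix,inet,inet6,netlink,packet
 seccomp
 
@@ -38,7 +39,6 @@ disable-mnt
 #private
 #private-bin tcpdump
 private-dev
-#private-etc
 private-tmp
 
 memory-deny-write-execute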
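--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -30,8 +30,8 @@
 # MKDIRS
 # WHITELISTS
 # WHITELIST INCLUDES
-# OPTIONS (no*)
-# PRIVATE OPTIONS (disable-mnt, private-*)
+# OPTIONS (caps*, net*, no*, protocol, seccomp, shell none, tracelog)
+# PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
 # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
 # REDIRECT INCLUDES
 #
@@ -98,7 +98,7 @@
 # in PROFILE.local but still be protected by BLACKLISTS section
 # (further explanation at https://github.com/netblue30/firejail/issues/1569)
 #mkdir PATH
-#mkfile PATH
+##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
 #include whitelist-var-common.inc
@@ -136,7 +136,7 @@
 # private-etc templates (see also #1734, #2093)
 # Common: ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,alternatives,mime.types,xdg
 # Extra: magic,magic.mgc,passwd,group
-# Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv,conf,hosts,host.conf,hostname,protocols,services,rpc
+# Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
 # Extra: proxychains.conf,gai.conf
 # Sound: alsa,asound.conf,pulse,machine-id
 # GUI: fonts,pango,X11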
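--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -7,7 +7,6 @@ include globals.local
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
 
 # Allow java (blacklisted by disable-devel.inc)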
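--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -25,7 +25,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-caps.keep setuid,setgid,net_bind_service,dac_read_search
+caps.keep dac_read_search,net_bind_service,setgid,setuid
 ipc-namespace
 machine-id
 netfilter
@@ -40,7 +40,6 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
-writable-var
 
 disable-mnt
 private
@@ -49,4 +48,4 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
 private-tmp
-
+writable-var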
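--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -40,6 +40,6 @@ private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
 #private-cache
 private-dev
-# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 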
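--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -33,5 +33,4 @@ tracelog
 
 # private-bin tracker
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp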
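--- a/etc/tshark.profile
+++ b/etc/tshark.profile
@@ -13,6 +13,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+
 include whitelist-common.inc
 
 #caps.keep net_raw
@@ -29,7 +30,6 @@ nosound
 notv
 nou2f
 novideo
-
 #protocol unix,inet,inet6,netlink,packet
 #seccomp
 
@@ -38,7 +38,4 @@ disable-mnt
 private-cache
 #private-bin tshark
 private-dev
-#private-etc
 private-tmp
-
-# memory-deny-write-execute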
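--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -6,7 +6,6 @@ include tuxguitar.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.tuxguitar*
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}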
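--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -29,12 +29,12 @@ nosound
 notv
 nou2f
 novideo
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
-writable-var
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 
 disable-mnt
 private
 private-dev
+writable-var
 
 # mdwe can break modules/plugins
 memory-deny-write-execute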
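Review bot: The re-sorted `seccomp.drop` list on line 32 still names `perf_event_open` twice, now side by side. The old line already had the duplicate (once mid-list, once at the end), so the filter itself is presumably unaffected. Sorting is the natural moment to drop the second entry so the list reads `...,open_by_handle_at,perf_event_open,pivot_root,...`. A list without repeats is also easier to compare against other profiles when auditing which syscalls are blocked.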
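--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -23,11 +23,11 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,netlink,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
 # private-bin unknown-horizons
 private-dev
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp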
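--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -20,7 +20,7 @@ whitelist ${HOME}/.mozilla
 whitelist ${HOME}/.waterfox
 
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
-#private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
+#private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc waterfox
 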
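--- a/etc/webstorm.profile
+++ b/etc/webstorm.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gradle
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling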
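--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -36,6 +36,6 @@ shell none
 
 # private-bin wget
 private-dev
-# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl
 # private-tmp
 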
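Review bot: The re-sorted `private-etc` comment on line 39 misspells `crypto-policies` as `crypto-policie`. The line is commented out, so nothing changes at runtime today. Anyone who enables it as written would get a private /etc without the crypto-policies directory, which would likely surface as hard-to-diagnose HTTPS failures on distributions whose TLS libraries read their defaults from there. The line should read `# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl`, matching the spelling in totem.profile, wireshark.profile and xplayer.profile in this commit.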
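--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -43,6 +43,6 @@ tracelog
 
 # private-bin wireshark
 private-dev
-# private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
 private-tmp
 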
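--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -42,7 +42,6 @@ tracelog
 
 private-bin xed
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 
 # xed uses python plugins, memory-deny-write-execute breaks python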
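--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -29,5 +29,4 @@ tracelog
 
 # private-bin xfburn
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp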
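--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -39,6 +39,6 @@ tracelog
 
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 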
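--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -47,7 +47,7 @@ disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
 # private
 # older Xpra versions also use Xvfb
-# private-bin xpra,python*,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
+# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
 private-dev
-# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
 private-tmp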
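--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -39,7 +39,6 @@ tracelog
 
 private-bin xviewer
 private-dev
-#private-etc alternatives,fonts
 private-lib
 private-tmp
 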
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile
index 0598ea18d..6228ff3bd 100644
--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -6,7 +6,6 @@ include zaproxy.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9noblacklist ${HOME}/.java
10noblacklist ${HOME}/.ZAP 9noblacklist ${HOME}/.ZAP
11 10
12# Allow java (blacklisted by disable-devel.inc) 11# Allow java (blacklisted by disable-devel.inc)