19 files changed, 188 insertions, 17 deletions

diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index b71f66ba5..240573f44 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -35,7 +35,7 @@ seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fano
 shell none
 # x11 xorg
 
-private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
+private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
 private-dev
 private-tmp
 
diff --git a/etc/baloo_filemetadata_temp_extractor.profile b/etc/baloo_filemetadata_temp_extractor.profile
new file mode 100644
index 000000000..6d09ecf40
--- /dev/null
+++ b/etc/baloo_filemetadata_temp_extractor.profile
@@ -0,0 +1,11 @@
+# Firejail profile for baloo_filemetadata_temp_extractor
+# This file is overwritten after every install/update
+# Persistent local customizations
+quiet
+include /etc/firejail/baloo_filemetadata_temp_extractor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/baloo_file.profile
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index b6baa66bc..1cd5d6a69 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -28,7 +28,6 @@ seccomp
 disable-mnt
 private
 private-dev
-private-dev
 private-tmp
 read-write /var/lib/bitlbee
 
diff --git a/etc/clion.profile b/etc/clion.profile
new file mode 100644
index 000000000..115df72c4
--- /dev/null
+++ b/etc/clion.profile
@@ -0,0 +1,34 @@
+# Firejail profile for CLion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/clion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.CLion*
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+noexec /tmp
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index ff5dc7b6b..71d4ad97b 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -116,6 +116,10 @@ blacklist /run/user/*/kdeinit5__*
 # blacklist /tmp/ksocket-*/kdeinit4__*
 #  - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
 
+# gnome
+# contains extensions, last used times of applications, and notifications
+blacklist ${HOME}/.local/share/gnome-shell
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
@@ -160,7 +164,7 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
-# blacklist /var/log - a virtual /var/log directory (mostly empty) is buid up by default for
+# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
 #          every sandbox, unless --writeble-var-log switch is activated
 blacklist /var/mail
 blacklist /var/opt
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index b68dde0c4..d3dc87089 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -8,6 +8,7 @@ blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.AndroidStudio*
 blacklist ${HOME}/.Atom
+blacklist ${HOME}/.CLion*
 blacklist ${HOME}/.FBReader
 blacklist ${HOME}/.FontForge
 blacklist ${HOME}/.IdeaIC*
@@ -188,6 +189,7 @@ blacklist ${HOME}/.config/Pinta
 blacklist ${HOME}/.config/pitivi
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
+blacklist ${HOME}/.config/ppsspp
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
@@ -429,6 +431,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
diff --git a/etc/discord.profile b/etc/discord.profile
index bb59ed42d..40deae2fc 100644
--- a/etc/discord.profile
+++ b/etc/discord.profile
@@ -24,9 +24,9 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
-private-bin discord,sh,xdg-mime
+private-bin discord,sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc
index b237c3c05..f5fd4aa5b 100644
--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -16,7 +16,6 @@ noblacklist ${HOME}/.kde4/share/apps/okular
 noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
 noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
@@ -41,7 +40,6 @@ whitelist ${HOME}/.kde4/share/config/okularpartrc
 whitelist ${HOME}/.kde4/share/config/okularrc
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
 whitelist ${HOME}/.local/share/kget
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
@@ -53,3 +51,14 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
+
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
+noblacklist ${HOME}/.local/share/gnome-shell
+whitelist ${HOME}/.local/share/gnome-shell
+ignore nodbus
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+
+# Flash plugin
+# private-etc must first be enabled in firefox-common.profile and in profiles including it.
+#private-etc adobe
diff --git a/etc/firejail-default b/etc/firejail-default
index 2e48439f5..5cfb1b5ea 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -21,10 +21,10 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #dbus,
 
 ##########
-# Allows to attach to a running program and modify the process memory.
-# May be needed by chromium crash handler. Uncomment if you need it.
+# With ptrace it is possible to inspect and hijack running programs. Usually this
+# is needed only for debugging. To allow ptrace, uncomment the following line
 ##########
-#ptrace (trace tracedby),
+#ptrace,
 
 ##########
 # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
@@ -133,8 +133,8 @@ network raw,
 signal,
 
 ##########
-# We let Firejail deal with capabilities,
-# but mac_admin should be dropped in any case.
+# We let Firejail deal with capabilities, but ensure that
+# some AppArmor related capabilities will not be available.
 ##########
 capability chown,
 capability dac_override,
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index bad8538cf..e06107f0f 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/less.profile b/etc/less.profile
index e2616ba4f..9b04329f2 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -20,7 +20,7 @@ shell none
 tracelog
 writable-var-log
 
-# The user can have a custom coloring scritps configured in ${HOME}/.lessfilter.
+# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
 # private-bin less
 # private-lib
diff --git a/etc/musixmatch.profile b/etc/musixmatch.profile
index 1a3ee5e6f..fce60e89e 100644
--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -24,7 +24,6 @@ notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
-shell none
 
 disable-mnt
 private-dev
diff --git a/etc/openshot.profile b/etc/openshot.profile
index 114580f1e..832008564 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
new file mode 100644
index 000000000..e19a7b42a
--- /dev/null
+++ b/etc/ppsspp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for ppsspp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ppsspp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/ppsspp
+# with >=llvm-4 mesa drivers need llvm stuff
+noblacklist /usr/lib/llvm*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+# private-dev is disabled to allow controller support
+#private-dev
+private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies
+private-opt ppsspp
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 94b282669..ff65a057b 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,11 +5,19 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/ranger
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+# Allow perl
 # noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
-noblacklist ${HOME}/.config/ranger
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/scallion.profile b/etc/scallion.profile
new file mode 100644
index 000000000..645f0423c
--- /dev/null
+++ b/etc/scallion.profile
@@ -0,0 +1,42 @@
+# Firejail profile for scallion
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/scallion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist /usr/lib/llvm*
+noblacklist ${PATH}/openssl
+noblacklist ${PATH}/openssl-1.0
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index 015709247..c2270ce39 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ seccomp
 shell none
 
 disable-mnt
-#private-dev
+# private-dev - needs /dev/disk
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
index 0a3549c97..b8a3fa497 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -7,6 +7,13 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/uzbl
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/zathura.profile b/etc/zathura.profile
index b47aeb0da..028e15ef5 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+machine-id
 # net none
 # nodbus
 nodvd
@@ -29,7 +30,7 @@ shell none
 
 private-bin zathura
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 
 read-only ${HOME}/