4 files changed, 47 insertions, 1 deletions
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index cd79f43ab..ec700e24e 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -80,11 +80,15 @@ blacklist ${HOME}/.local/share/plasma
 blacklist ${HOME}/.local/share/solid
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/kdeglobals
+read-only ${HOME}/.config/kio_httprc
+read-only ${HOME}/.config/kiorc
 read-only ${HOME}/.config/kioslaverc
 read-only ${HOME}/.kde/share/config/kdeglobals
+read-only ${HOME}/.kde/share/config/kio_httprc
 read-only ${HOME}/.kde/share/config/kioslaverc
 read-only ${HOME}/.kde/share/kde4/services
 read-only ${HOME}/.kde4/share/config/kdeglobals
+read-only ${HOME}/.kde4/share/config/kio_httprc
 read-only ${HOME}/.kde4/share/config/kioslaverc
 read-only ${HOME}/.kde4/share/kde4/services
 read-only ${HOME}/.local/share/kservices5
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index b6304c812..58e059087 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -39,7 +39,7 @@ tracelog
 private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4
 private-dev
-# private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+private-etc fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 # memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile
new file mode 100755
index 000000000..d43c0911e
--- /dev/null
+++ b/etc/pdfchain.profile
@@ -0,0 +1,39 @@
+# Firejail profile for pdfchain
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/pdfchain.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+blacklist /run/user/*/bus
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+net none
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+private-bin pdfchain,pdftk,sh
+private-dev
+private-etc dconf,fonts,gtk-3.0,xdg
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 3beb11bfb..97846b4a3 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -55,13 +55,16 @@ whitelist ${HOME}/.config/dconf
 whitelist ${HOME}/.config/Kvantum
 whitelist ${HOME}/.config/Trolltech.conf
 whitelist ${HOME}/.config/kdeglobals
+whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.kde/share/config/kdeglobals
+whitelist ${HOME}/.kde/share/config/kio_httprc
 whitelist ${HOME}/.kde/share/config/kioslaverc
 whitelist ${HOME}/.kde/share/config/oxygenrc
 whitelist ${HOME}/.kde/share/icons
 whitelist ${HOME}/.kde4/share/config/kdeglobals
+whitelist ${HOME}/.kde4/share/config/kio_httprc
 whitelist ${HOME}/.kde4/share/config/kioslaverc
 whitelist ${HOME}/.kde4/share/config/oxygenrc
 whitelist ${HOME}/.kde4/share/icons

diff --git a/etc/disable-common.inc b/etc/disable-common.inc index cd79f43ab..ec700e24e 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -80,11 +80,15 @@ blacklist ${HOME}/.local/share/plasma
80	blacklist ${HOME}/.local/share/solid	80	blacklist ${HOME}/.local/share/solid
81	read-only ${HOME}/.cache/ksycoca5_*	81	read-only ${HOME}/.cache/ksycoca5_*
82	read-only ${HOME}/.config/kdeglobals	82	read-only ${HOME}/.config/kdeglobals
		83	read-only ${HOME}/.config/kio_httprc
		84	read-only ${HOME}/.config/kiorc
83	read-only ${HOME}/.config/kioslaverc	85	read-only ${HOME}/.config/kioslaverc
84	read-only ${HOME}/.kde/share/config/kdeglobals	86	read-only ${HOME}/.kde/share/config/kdeglobals
		87	read-only ${HOME}/.kde/share/config/kio_httprc
85	read-only ${HOME}/.kde/share/config/kioslaverc	88	read-only ${HOME}/.kde/share/config/kioslaverc
86	read-only ${HOME}/.kde/share/kde4/services	89	read-only ${HOME}/.kde/share/kde4/services
87	read-only ${HOME}/.kde4/share/config/kdeglobals	90	read-only ${HOME}/.kde4/share/config/kdeglobals
		91	read-only ${HOME}/.kde4/share/config/kio_httprc
88	read-only ${HOME}/.kde4/share/config/kioslaverc	92	read-only ${HOME}/.kde4/share/config/kioslaverc
89	read-only ${HOME}/.kde4/share/kde4/services	93	read-only ${HOME}/.kde4/share/kde4/services
90	read-only ${HOME}/.local/share/kservices5	94	read-only ${HOME}/.local/share/kservices5


diff --git a/etc/gwenview.profile b/etc/gwenview.profile index b6304c812..58e059087 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile
@@ -39,7 +39,7 @@ tracelog
39		39
40	private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4	40	private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4
41	private-dev	41	private-dev
42	# private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg	42	private-etc fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
43		43
44	# memory-deny-write-execute	44	# memory-deny-write-execute
45	noexec ${HOME}	45	noexec ${HOME}


diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile new file mode 100755 index 000000000..d43c0911e --- /dev/null +++ b/etc/pdfchain.profile
@@ -0,0 +1,39 @@
		1	# Firejail profile for pdfchain
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/pdfchain.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8
		9	blacklist /run/user/*/bus
		10
		11	include /etc/firejail/disable-common.inc
		12	include /etc/firejail/disable-programs.inc
		13	include /etc/firejail/disable-devel.inc
		14	include /etc/firejail/disable-passwdmgr.inc
		15
		16	include /etc/firejail/whitelist-var-common.inc
		17
		18	caps.drop all
		19	ipc-namespace
		20	net none
		21	no3d
		22	nogroups
		23	nonewprivs
		24	noroot
		25	nosound
		26	notv
		27	novideo
		28	protocol unix
		29	seccomp
		30	shell none
		31
		32	private-bin pdfchain,pdftk,sh
		33	private-dev
		34	private-etc dconf,fonts,gtk-3.0,xdg
		35	private-tmp
		36
		37	memory-deny-write-execute
		38	noexec ${HOME}
		39	noexec /tmp


diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 3beb11bfb..97846b4a3 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc
@@ -55,13 +55,16 @@ whitelist ${HOME}/.config/dconf
55	whitelist ${HOME}/.config/Kvantum	55	whitelist ${HOME}/.config/Kvantum
56	whitelist ${HOME}/.config/Trolltech.conf	56	whitelist ${HOME}/.config/Trolltech.conf
57	whitelist ${HOME}/.config/kdeglobals	57	whitelist ${HOME}/.config/kdeglobals
		58	whitelist ${HOME}/.config/kio_httprc
58	whitelist ${HOME}/.config/kioslaverc	59	whitelist ${HOME}/.config/kioslaverc
59	whitelist ${HOME}/.config/qt5ct	60	whitelist ${HOME}/.config/qt5ct
60	whitelist ${HOME}/.kde/share/config/kdeglobals	61	whitelist ${HOME}/.kde/share/config/kdeglobals
		62	whitelist ${HOME}/.kde/share/config/kio_httprc
61	whitelist ${HOME}/.kde/share/config/kioslaverc	63	whitelist ${HOME}/.kde/share/config/kioslaverc
62	whitelist ${HOME}/.kde/share/config/oxygenrc	64	whitelist ${HOME}/.kde/share/config/oxygenrc
63	whitelist ${HOME}/.kde/share/icons	65	whitelist ${HOME}/.kde/share/icons
64	whitelist ${HOME}/.kde4/share/config/kdeglobals	66	whitelist ${HOME}/.kde4/share/config/kdeglobals
		67	whitelist ${HOME}/.kde4/share/config/kio_httprc
65	whitelist ${HOME}/.kde4/share/config/kioslaverc	68	whitelist ${HOME}/.kde4/share/config/kioslaverc
66	whitelist ${HOME}/.kde4/share/config/oxygenrc	69	whitelist ${HOME}/.kde4/share/config/oxygenrc
67	whitelist ${HOME}/.kde4/share/icons	70	whitelist ${HOME}/.kde4/share/icons