21 files changed, 26 insertions, 11 deletions
diff --git a/etc/apktool.profile b/etc/apktool.profile
index b4ff45c7c..bdd711964 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+private-bin apktool,bash,java,dirname,basename,expr
 private-dev
 noexec ${HOME}
diff --git a/etc/arm.profile b/etc/arm.profile
index 5845958fa..53d290b49 100644
--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -33,7 +33,7 @@ shell none
 tracelog
 disable-mnt
-# private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig
+# private-bin arm,tor,sh,bash,python2,python2.7,ps,lsof,ldconfig
 private-dev
 private-etc tor,passwd
 private-tmp
diff --git a/etc/baobab.profile b/etc/baobab.profile
index 014f8869c..ef733632d 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+private-bin baobab
 private-dev
 private-tmp
diff --git a/etc/bless.profile b/etc/bless.profile
index 8285e4473..e4d2f0730 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
+# private-bin bless,sh,bash,mono
 private-dev
 private-etc fonts,mono
 private-tmp
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 37b2e51a6..9be99e68a 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -11,8 +11,7 @@ noblacklist ~/.config/chromium-flags.conf
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
-# chromium is distributed with a perl script on Arch
+include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 mkdir ~/.cache/chromium
@@ -32,6 +31,7 @@ nogroups
 notv
 shell none
+# private-bin chromium,chromium-browser,chromedriver
 private-dev
 # private-tmp - problems with multiple browser sessions
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index 858baba6d..5261bb865 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
+private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep
 private-dev
 noexec ${HOME}
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index 8a8337802..18db4c597 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -15,8 +15,7 @@ noblacklist ~/.config/slimjet
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
-# chromium is distributed with a perl script on Arch
+include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 mkdir ~/.cache/slimjet
diff --git a/etc/gitg.profile b/etc/gitg.profile
index 869c4a6f5..1a731d507 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -27,6 +27,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-bin gitg,git,ssh
 private-dev
 private-tmp
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index a3fdb214a..ac457b92f 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome-beta
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
-# chromium is distributed with a perl script on Arch
+include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 mkdir ~/.cache/google-chrome-beta
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index 8de3c5262..3d7a9a715 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome-unstable
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
-# chromium is distributed with a perl script on Arch
+include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 mkdir ~/.cache/google-chrome-unstable
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 1a86c546e..a50e0e89d 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
-# chromium is distributed with a perl script on Arch
+include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 mkdir ~/.cache/google-chrome
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index ae631054b..5f08d7cb8 100644
--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -7,8 +7,10 @@ include /etc/firejail/hashcat.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.hashcat
+noblacklist /usr/include
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
@@ -26,6 +28,7 @@ seccomp
 shell none
 disable-mnt
+private-bin hashcat
 private-dev
 private-tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index c9af51596..5cb1e1828 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -27,6 +27,7 @@ protocol unix
 seccomp
 shell none
+private-bin jd-gui,sh,bash
 private-dev
 private-tmp
diff --git a/etc/meld.profile b/etc/meld.profile
index 488b2e365..f1910d0f4 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
+# private-bin meld,python2,python2.7
 private-dev
 private-tmp
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index fcb351b4d..91a269ffb 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -33,6 +33,8 @@ protocol unix,inet,inet6
 shell none
 disable-mnt
+# private-bin works, but causes weirdness
+# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname
 private-dev
 private-tmp
diff --git a/etc/obs.profile b/etc/obs.profile
index 101d5c28a..187862752 100644
--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -23,6 +23,7 @@ seccomp
 shell none
 tracelog
+private-bin obs
 private-dev
 private-tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index b156513dc..fd52fb9ee 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
+private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config
 private-dev
 private-tmp
diff --git a/etc/peek.profile b/etc/peek.profile
index a7ad9865c..13c0c72e0 100644
--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
+# private-bin breaks gif mode, mp4 and webm mode work fine however
 # private-bin peek,convert,ffmpeg
 private-dev
 private-tmp
diff --git a/etc/pithos.profile b/etc/pithos.profile
index e7c316a39..b81e0b634 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -26,6 +26,7 @@ seccomp
 shell none
 disable-mnt
+# private-bin pithos,python,python3,python3.6
 private-dev
 private-tmp
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index 30c2509eb..ce4c4d416 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
+# private-bin sdat2img,env,python,python3,python3.6
 private-dev
 noexec ${HOME}
diff --git a/etc/strings.profile b/etc/strings.profile
index f203b963c..83561cae5 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -18,7 +18,9 @@ novideo
 shell none
 tracelog
+private-bin strings
 private-dev
+private-lib
 memory-deny-write-execute

diff --git a/etc/apktool.profile b/etc/apktool.profile index b4ff45c7c..bdd711964 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile
@@ -25,6 +25,7 @@ protocol unix
25	seccomp	25	seccomp
26	shell none	26	shell none
27		27
		28	private-bin apktool,bash,java,dirname,basename,expr
28	private-dev	29	private-dev
29		30
30	noexec ${HOME}	31	noexec ${HOME}


diff --git a/etc/arm.profile b/etc/arm.profile index 5845958fa..53d290b49 100644 --- a/etc/arm.profile +++ b/etc/arm.profile
@@ -33,7 +33,7 @@ shell none
33	tracelog	33	tracelog
34		34
35	disable-mnt	35	disable-mnt
36	# private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig	36	# private-bin arm,tor,sh,bash,python2,python2.7,ps,lsof,ldconfig
37	private-dev	37	private-dev
38	private-etc tor,passwd	38	private-etc tor,passwd
39	private-tmp	39	private-tmp


diff --git a/etc/baobab.profile b/etc/baobab.profile index 014f8869c..ef733632d 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile
@@ -25,6 +25,7 @@ protocol unix
25	seccomp	25	seccomp
26	shell none	26	shell none
27		27
		28	private-bin baobab
28	private-dev	29	private-dev
29	private-tmp	30	private-tmp
30		31


diff --git a/etc/bless.profile b/etc/bless.profile index 8285e4473..e4d2f0730 100644 --- a/etc/bless.profile +++ b/etc/bless.profile
@@ -26,6 +26,7 @@ protocol unix
26	seccomp	26	seccomp
27	shell none	27	shell none
28		28
		29	# private-bin bless,sh,bash,mono
29	private-dev	30	private-dev
30	private-etc fonts,mono	31	private-etc fonts,mono
31	private-tmp	32	private-tmp


diff --git a/etc/chromium.profile b/etc/chromium.profile index 37b2e51a6..9be99e68a 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile
@@ -11,8 +11,7 @@ noblacklist ~/.config/chromium-flags.conf
11	noblacklist ~/.pki	11	noblacklist ~/.pki
12		12
13	include /etc/firejail/disable-common.inc	13	include /etc/firejail/disable-common.inc
14	# chromium is distributed with a perl script on Arch	14	include /etc/firejail/disable-devel.inc
15	# include /etc/firejail/disable-devel.inc
16	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
17		16
18	mkdir ~/.cache/chromium	17	mkdir ~/.cache/chromium
@@ -32,6 +31,7 @@ nogroups
32	notv	31	notv
33	shell none	32	shell none
34		33
		34	# private-bin chromium,chromium-browser,chromedriver
35	private-dev	35	private-dev
36	# private-tmp - problems with multiple browser sessions	36	# private-tmp - problems with multiple browser sessions
37		37


diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index 858baba6d..5261bb865 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile
@@ -26,6 +26,7 @@ protocol unix
26	seccomp	26	seccomp
27	shell none	27	shell none
28		28
		29	private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep
29	private-dev	30	private-dev
30		31
31	noexec ${HOME}	32	noexec ${HOME}


diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 8a8337802..18db4c597 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile
@@ -15,8 +15,7 @@ noblacklist ~/.config/slimjet
15	noblacklist ~/.pki	15	noblacklist ~/.pki
16		16
17	include /etc/firejail/disable-common.inc	17	include /etc/firejail/disable-common.inc
18	# chromium is distributed with a perl script on Arch	18	include /etc/firejail/disable-devel.inc
19	# include /etc/firejail/disable-devel.inc
20	include /etc/firejail/disable-programs.inc	19	include /etc/firejail/disable-programs.inc
21		20
22	mkdir ~/.cache/slimjet	21	mkdir ~/.cache/slimjet


diff --git a/etc/gitg.profile b/etc/gitg.profile index 869c4a6f5..1a731d507 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile
@@ -27,6 +27,7 @@ protocol unix,inet,inet6
27	seccomp	27	seccomp
28	shell none	28	shell none
29		29
		30	private-bin gitg,git,ssh
30	private-dev	31	private-dev
31	private-tmp	32	private-tmp
32		33


diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index a3fdb214a..ac457b92f 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile
@@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome-beta
10	noblacklist ~/.pki	10	noblacklist ~/.pki
11		11
12	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
13	# chromium is distributed with a perl script on Arch	13	include /etc/firejail/disable-devel.inc
14	# include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
16		15
17	mkdir ~/.cache/google-chrome-beta	16	mkdir ~/.cache/google-chrome-beta


diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 8de3c5262..3d7a9a715 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile
@@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome-unstable
10	noblacklist ~/.pki	10	noblacklist ~/.pki
11		11
12	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
13	# chromium is distributed with a perl script on Arch	13	include /etc/firejail/disable-devel.inc
14	# include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
16		15
17	mkdir ~/.cache/google-chrome-unstable	16	mkdir ~/.cache/google-chrome-unstable


diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 1a86c546e..a50e0e89d 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile
@@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome
10	noblacklist ~/.pki	10	noblacklist ~/.pki
11		11
12	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
13	# chromium is distributed with a perl script on Arch	13	include /etc/firejail/disable-devel.inc
14	# include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
16		15
17	mkdir ~/.cache/google-chrome	16	mkdir ~/.cache/google-chrome


diff --git a/etc/hashcat.profile b/etc/hashcat.profile index ae631054b..5f08d7cb8 100644 --- a/etc/hashcat.profile +++ b/etc/hashcat.profile
@@ -7,8 +7,10 @@ include /etc/firejail/hashcat.local
7	include /etc/firejail/globals.local	7	include /etc/firejail/globals.local
8		8
9	noblacklist ${HOME}/.hashcat	9	noblacklist ${HOME}/.hashcat
		10	noblacklist /usr/include
10		11
11	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
		13	include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
14		16
@@ -26,6 +28,7 @@ seccomp
26	shell none	28	shell none
27		29
28	disable-mnt	30	disable-mnt
		31	private-bin hashcat
29	private-dev	32	private-dev
30	private-tmp	33	private-tmp
31		34


diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index c9af51596..5cb1e1828 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile
@@ -27,6 +27,7 @@ protocol unix
27	seccomp	27	seccomp
28	shell none	28	shell none
29		29
		30	private-bin jd-gui,sh,bash
30	private-dev	31	private-dev
31	private-tmp	32	private-tmp
32		33


diff --git a/etc/meld.profile b/etc/meld.profile index 488b2e365..f1910d0f4 100644 --- a/etc/meld.profile +++ b/etc/meld.profile
@@ -26,6 +26,7 @@ protocol unix
26	seccomp	26	seccomp
27	shell none	27	shell none
28		28
		29	# private-bin meld,python2,python2.7
29	private-dev	30	private-dev
30	private-tmp	31	private-tmp
31		32


diff --git a/etc/multimc5.profile b/etc/multimc5.profile index fcb351b4d..91a269ffb 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile
@@ -33,6 +33,8 @@ protocol unix,inet,inet6
33	shell none	33	shell none
34		34
35	disable-mnt	35	disable-mnt
		36	# private-bin works, but causes weirdness
		37	# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname
36	private-dev	38	private-dev
37	private-tmp	39	private-tmp
38		40


diff --git a/etc/obs.profile b/etc/obs.profile index 101d5c28a..187862752 100644 --- a/etc/obs.profile +++ b/etc/obs.profile
@@ -23,6 +23,7 @@ seccomp
23	shell none	23	shell none
24	tracelog	24	tracelog
25		25
		26	private-bin obs
26	private-dev	27	private-dev
27	private-tmp	28	private-tmp
28		29


diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index b156513dc..fd52fb9ee 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile
@@ -26,6 +26,7 @@ protocol unix
26	seccomp	26	seccomp
27	shell none	27	shell none
28		28
		29	private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config
29	private-dev	30	private-dev
30	private-tmp	31	private-tmp
31		32


diff --git a/etc/peek.profile b/etc/peek.profile index a7ad9865c..13c0c72e0 100644 --- a/etc/peek.profile +++ b/etc/peek.profile
@@ -26,6 +26,7 @@ protocol unix
26	seccomp	26	seccomp
27	shell none	27	shell none
28		28
		29	# private-bin breaks gif mode, mp4 and webm mode work fine however
29	# private-bin peek,convert,ffmpeg	30	# private-bin peek,convert,ffmpeg
30	private-dev	31	private-dev
31	private-tmp	32	private-tmp


diff --git a/etc/pithos.profile b/etc/pithos.profile index e7c316a39..b81e0b634 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile
@@ -26,6 +26,7 @@ seccomp
26	shell none	26	shell none
27		27
28	disable-mnt	28	disable-mnt
		29	# private-bin pithos,python,python3,python3.6
29	private-dev	30	private-dev
30	private-tmp	31	private-tmp
31		32


diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index 30c2509eb..ce4c4d416 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile
@@ -26,6 +26,7 @@ protocol unix
26	seccomp	26	seccomp
27	shell none	27	shell none
28		28
		29	# private-bin sdat2img,env,python,python3,python3.6
29	private-dev	30	private-dev
30		31
31	noexec ${HOME}	32	noexec ${HOME}


diff --git a/etc/strings.profile b/etc/strings.profile index f203b963c..83561cae5 100644 --- a/etc/strings.profile +++ b/etc/strings.profile
@@ -18,7 +18,9 @@ novideo
18	shell none	18	shell none
19	tracelog	19	tracelog
20		20
		21	private-bin strings
21	private-dev	22	private-dev
		23	private-lib
22		24
23	memory-deny-write-execute	25	memory-deny-write-execute
24		26