16 files changed, 190 insertions, 27 deletions
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index 04a38f0ce..68e20d9b9 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -157,5 +157,5 @@ capability setfcap,
 #capability mac_admin,
 # Site-specific additions and overrides. See local/README for details.
-#include <local/firejail-local>
+#include <local/firejail-default>
 }
diff --git a/etc/firejail.config b/etc/firejail.config
index b2a96612f..731e744dd 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -107,7 +107,7 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
-# Seccomp error action, kill or errno (EPERM, ENOSYS etc)
+# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 # Enable or disable user namespace support, default enabled.
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e911be93a..e5dd9cb59 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -396,6 +396,7 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.config/Zulip
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index c9c8bdedf..ceeb14dcc 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -41,6 +41,8 @@ whitelist /usr/share/misc
 whitelist /usr/share/Modules
 whitelist /usr/share/myspell
 whitelist /usr/share/p11-kit
+whitelist /usr/share/perl
+whitelist /usr/share/perl5
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 567bd912a..54d3f742f 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.config/celluloid
 noblacklist ${HOME}/.config/gnome-mpv
 noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +20,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/celluloid
+mkdir ${HOME}/.config/gnome-mpv
+mkdir ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/celluloid
+whitelist ${HOME}/.config/gnome-mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer
new file mode 100644
index 000000000..023f10d3d
--- /dev/null
+++ b/etc/profile-a-l/gtk-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+ignore quiet
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+include whitelist-runuser-common.inc
+# Redirect
+include youtube-viewer.profile
+\ No newline at end of file
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer
new file mode 100644
index 000000000..331e73218
--- /dev/null
+++ b/etc/profile-a-l/gtk2-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk2-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk2-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+ignore quiet
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+include whitelist-runuser-common.inc
+# Redirect
+include youtube-viewer.profile
+\ No newline at end of file
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer
new file mode 100644
index 000000000..4c5bde55f
--- /dev/null
+++ b/etc/profile-a-l/gtk3-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk3-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk3-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+ignore quiet
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+include whitelist-runuser-common.inc
+# Redirect
+include youtube-viewer.profile
+\ No newline at end of file
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index cd25d6c0b..f4f862cb9 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -7,8 +7,6 @@ include mplayer.local
 include globals.local
 noblacklist ${HOME}/.mplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +14,16 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
+read-only ${DESKTOP}
+mkdir ${HOME}/.mplayer
+whitelist ${HOME}/.mplayer
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -36,4 +42,3 @@ shell none
 private-bin mplayer
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 2fc027257..5ca684eb5 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -7,6 +7,10 @@ include mpv.local
 # Persistent global definitions
 include globals.local
+# In order to save screenshots to a persistent location,
+# edit ~/.config/mpv/foobar.conf:
+#    screenshot-directory=~/Pictures
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
@@ -17,10 +21,6 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -28,8 +28,20 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/youtube-dl
+mkfile ${HOME}/.netrc
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.netrc
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index 7a7ff504a..d081c9cb7 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -43,5 +43,3 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
 private-tmp
-memory-deny-write-execute
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index b51a86e7d..c28571270 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -34,7 +34,6 @@ nodvd
 nogroups
 notv
 nou2f
-novideo
 shell none
 disable-mnt
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index b8f4ca765..abbbba6c3 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -14,9 +14,6 @@ include allow-python3.inc
 noblacklist ${HOME}/.config/totem
 noblacklist ${HOME}/.local/share/totem
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -25,8 +22,18 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/totem
+mkdir ${HOME}/.local/share/totem
+whitelist ${HOME}/.config/totem
+whitelist ${HOME}/.local/share/totem
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 # apparmor - makes settings immutable
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index 0069ebeae..07a1b5fc0 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/vlc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +16,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
+read-only ${DESKTOP}
+mkdir ${HOME}/.cache/vlc
+mkdir ${HOME}/.config/vlc
+mkdir ${HOME}/.local/share/vlc
+whitelist ${HOME}/.cache/vlc
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.local/share/vlc
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index 28df73ea5..555d8e9a4 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -7,8 +7,6 @@ include globals.local
 noblacklist ${HOME}/.config/xplayer
 noblacklist ${HOME}/.local/share/xplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,8 +18,18 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/xplayer
+mkdir ${HOME}/.local/share/xplayer
+whitelist ${HOME}/.config/xplayer
+whitelist ${HOME}/.local/share/xplayer
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 # apparmor - makes settings immutable
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
new file mode 100644
index 000000000..513cb0f6e
--- /dev/null
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -0,0 +1,57 @@
+# Firejail profile for youtube-viewer
+# Description: Trizen's CLI Youtube viewer with login support
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include youtube-viewer.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+noblacklist ${HOME}/.config/youtube-viewer
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/youtube-viewer
+whitelist ${HOME}/.config/youtube-viewer
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+dbus-user none
+dbus-system none
+\ No newline at end of file

diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index 04a38f0ce..68e20d9b9 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default
@@ -157,5 +157,5 @@ capability setfcap,
157	#capability mac_admin,	157	#capability mac_admin,
158		158
159	# Site-specific additions and overrides. See local/README for details.	159	# Site-specific additions and overrides. See local/README for details.
160	#include <local/firejail-local>	160	#include <local/firejail-default>
161	}	161	}


diff --git a/etc/firejail.config b/etc/firejail.config index b2a96612f..731e744dd 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -107,7 +107,7 @@
107	# Enable or disable seccomp support, default enabled.	107	# Enable or disable seccomp support, default enabled.
108	# seccomp yes	108	# seccomp yes
109		109
110	# Seccomp error action, kill or errno (EPERM, ENOSYS etc)	110	# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
111	# seccomp-error-action EPERM	111	# seccomp-error-action EPERM
112		112
113	# Enable or disable user namespace support, default enabled.	113	# Enable or disable user namespace support, default enabled.


diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index e911be93a..e5dd9cb59 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -396,6 +396,7 @@ blacklist ${HOME}/.config/yandex-browser
396	blacklist ${HOME}/.config/yandex-browser-beta	396	blacklist ${HOME}/.config/yandex-browser-beta
397	blacklist ${HOME}/.config/yelp	397	blacklist ${HOME}/.config/yelp
398	blacklist ${HOME}/.config/youtube-dl	398	blacklist ${HOME}/.config/youtube-dl
		399	blacklist ${HOME}/.config/youtube-viewer
399	blacklist ${HOME}/.config/zathura	400	blacklist ${HOME}/.config/zathura
400	blacklist ${HOME}/.config/zoomus.conf	401	blacklist ${HOME}/.config/zoomus.conf
401	blacklist ${HOME}/.config/Zulip	402	blacklist ${HOME}/.config/Zulip


diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc index c9c8bdedf..ceeb14dcc 100644 --- a/etc/inc/whitelist-usr-share-common.inc +++ b/etc/inc/whitelist-usr-share-common.inc
@@ -41,6 +41,8 @@ whitelist /usr/share/misc
41	whitelist /usr/share/Modules	41	whitelist /usr/share/Modules
42	whitelist /usr/share/myspell	42	whitelist /usr/share/myspell
43	whitelist /usr/share/p11-kit	43	whitelist /usr/share/p11-kit
		44	whitelist /usr/share/perl
		45	whitelist /usr/share/perl5
44	whitelist /usr/share/pixmaps	46	whitelist /usr/share/pixmaps
45	whitelist /usr/share/pki	47	whitelist /usr/share/pki
46	whitelist /usr/share/plasma	48	whitelist /usr/share/plasma


diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile index 567bd912a..54d3f742f 100644 --- a/etc/profile-a-l/celluloid.profile +++ b/etc/profile-a-l/celluloid.profile
@@ -9,8 +9,6 @@ include globals.local
9	noblacklist ${HOME}/.config/celluloid	9	noblacklist ${HOME}/.config/celluloid
10	noblacklist ${HOME}/.config/gnome-mpv	10	noblacklist ${HOME}/.config/gnome-mpv
11	noblacklist ${HOME}/.config/youtube-dl	11	noblacklist ${HOME}/.config/youtube-dl
12	noblacklist ${MUSIC}
13	noblacklist ${VIDEOS}
14		12
15	# Allow python (blacklisted by disable-interpreters.inc)	13	# Allow python (blacklisted by disable-interpreters.inc)
16	include allow-python2.inc	14	include allow-python2.inc
@@ -22,8 +20,20 @@ include disable-exec.inc
22	include disable-interpreters.inc	20	include disable-interpreters.inc
23	include disable-passwdmgr.inc	21	include disable-passwdmgr.inc
24	include disable-programs.inc	22	include disable-programs.inc
25	include disable-xdg.inc
26		23
		24	read-only ${DESKTOP}
		25	mkdir ${HOME}/.config/celluloid
		26	mkdir ${HOME}/.config/gnome-mpv
		27	mkdir ${HOME}/.config/youtube-dl
		28	whitelist ${HOME}/.config/celluloid
		29	whitelist ${HOME}/.config/gnome-mpv
		30	whitelist ${HOME}/.config/youtube-dl
		31	whitelist ${DESKTOP}
		32	whitelist ${DOWNLOADS}
		33	whitelist ${MUSIC}
		34	whitelist ${PICTURES}
		35	whitelist ${VIDEOS}
		36	include whitelist-common.inc
27	include whitelist-runuser-common.inc	37	include whitelist-runuser-common.inc
28	include whitelist-usr-share-common.inc	38	include whitelist-usr-share-common.inc
29	include whitelist-var-common.inc	39	include whitelist-var-common.inc


diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer new file mode 100644 index 000000000..023f10d3d --- /dev/null +++ b/etc/profile-a-l/gtk-youtube-viewer
@@ -0,0 +1,18 @@
		1	# Firejail profile for gtk-youtube-viewer
		2	# Description: Gtk front-end to youtube-viewer
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gtk-youtube-viewer.local
		6	# Persistent global definitions
		7	# include globals.local
		8
		9	ignore quiet
		10
		11	noblacklist /tmp/.X11-unix
		12	noblacklist ${RUNUSER}/wayland-*
		13	noblacklist ${RUNUSER}
		14
		15	include whitelist-runuser-common.inc
		16
		17	# Redirect
		18	include youtube-viewer.profile \ No newline at end of file


diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer new file mode 100644 index 000000000..331e73218 --- /dev/null +++ b/etc/profile-a-l/gtk2-youtube-viewer
@@ -0,0 +1,18 @@
		1	# Firejail profile for gtk2-youtube-viewer
		2	# Description: Gtk front-end to youtube-viewer
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gtk2-youtube-viewer.local
		6	# Persistent global definitions
		7	# include globals.local
		8
		9	ignore quiet
		10
		11	noblacklist /tmp/.X11-unix
		12	noblacklist ${RUNUSER}/wayland-*
		13	noblacklist ${RUNUSER}
		14
		15	include whitelist-runuser-common.inc
		16
		17	# Redirect
		18	include youtube-viewer.profile \ No newline at end of file


diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer new file mode 100644 index 000000000..4c5bde55f --- /dev/null +++ b/etc/profile-a-l/gtk3-youtube-viewer
@@ -0,0 +1,18 @@
		1	# Firejail profile for gtk3-youtube-viewer
		2	# Description: Gtk front-end to youtube-viewer
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gtk3-youtube-viewer.local
		6	# Persistent global definitions
		7	# include globals.local
		8
		9	ignore quiet
		10
		11	noblacklist /tmp/.X11-unix
		12	noblacklist ${RUNUSER}/wayland-*
		13	noblacklist ${RUNUSER}
		14
		15	include whitelist-runuser-common.inc
		16
		17	# Redirect
		18	include youtube-viewer.profile \ No newline at end of file


diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile index cd25d6c0b..f4f862cb9 100644 --- a/etc/profile-m-z/mplayer.profile +++ b/etc/profile-m-z/mplayer.profile
@@ -7,8 +7,6 @@ include mplayer.local
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.mplayer	9	noblacklist ${HOME}/.mplayer
10	noblacklist ${MUSIC}
11	noblacklist ${VIDEOS}
12		10
13	include disable-common.inc	11	include disable-common.inc
14	include disable-devel.inc	12	include disable-devel.inc
@@ -16,8 +14,16 @@ include disable-exec.inc
16	include disable-interpreters.inc	14	include disable-interpreters.inc
17	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
18	include disable-programs.inc	16	include disable-programs.inc
19	include disable-xdg.inc
20		17
		18	read-only ${DESKTOP}
		19	mkdir ${HOME}/.mplayer
		20	whitelist ${HOME}/.mplayer
		21	whitelist ${DESKTOP}
		22	whitelist ${DOWNLOADS}
		23	whitelist ${MUSIC}
		24	whitelist ${PICTURES}
		25	whitelist ${VIDEOS}
		26	include whitelist-common.inc
21	include whitelist-usr-share-common.inc	27	include whitelist-usr-share-common.inc
22	include whitelist-var-common.inc	28	include whitelist-var-common.inc
23		29
@@ -36,4 +42,3 @@ shell none
36	private-bin mplayer	42	private-bin mplayer
37	private-dev	43	private-dev
38	private-tmp	44	private-tmp
39


diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index 2fc027257..5ca684eb5 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile
@@ -7,6 +7,10 @@ include mpv.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
		10	# In order to save screenshots to a persistent location,
		11	# edit ~/.config/mpv/foobar.conf:
		12	# screenshot-directory=~/Pictures
		13
10	noblacklist ${HOME}/.config/mpv	14	noblacklist ${HOME}/.config/mpv
11	noblacklist ${HOME}/.config/youtube-dl	15	noblacklist ${HOME}/.config/youtube-dl
12	noblacklist ${HOME}/.netrc	16	noblacklist ${HOME}/.netrc
@@ -17,10 +21,6 @@ include allow-lua.inc
17	include allow-python2.inc	21	include allow-python2.inc
18	include allow-python3.inc	22	include allow-python3.inc
19		23
20	noblacklist ${MUSIC}
21	noblacklist ${PICTURES}
22	noblacklist ${VIDEOS}
23
24	include disable-common.inc	24	include disable-common.inc
25	include disable-devel.inc	25	include disable-devel.inc
26	include disable-exec.inc	26	include disable-exec.inc
@@ -28,8 +28,20 @@ include disable-interpreters.inc
28	include disable-passwdmgr.inc	28	include disable-passwdmgr.inc
29	include disable-programs.inc	29	include disable-programs.inc
30	include disable-shell.inc	30	include disable-shell.inc
31	include disable-xdg.inc
32		31
		32	read-only ${DESKTOP}
		33	mkdir ${HOME}/.config/mpv
		34	mkdir ${HOME}/.config/youtube-dl
		35	mkfile ${HOME}/.netrc
		36	whitelist ${HOME}/.config/mpv
		37	whitelist ${HOME}/.config/youtube-dl
		38	whitelist ${HOME}/.netrc
		39	whitelist ${DESKTOP}
		40	whitelist ${DOWNLOADS}
		41	whitelist ${MUSIC}
		42	whitelist ${PICTURES}
		43	whitelist ${VIDEOS}
		44	include whitelist-common.inc
33	whitelist /usr/share/lua	45	whitelist /usr/share/lua
34	whitelist /usr/share/lua*	46	whitelist /usr/share/lua*
35	whitelist /usr/share/vulkan	47	whitelist /usr/share/vulkan


diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile index 7a7ff504a..d081c9cb7 100644 --- a/etc/profile-m-z/nomacs.profile +++ b/etc/profile-m-z/nomacs.profile
@@ -43,5 +43,3 @@ private-cache
43	private-dev	43	private-dev
44	private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl	44	private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
45	private-tmp	45	private-tmp
46
47	memory-deny-write-execute


diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index b51a86e7d..c28571270 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile
@@ -34,7 +34,6 @@ nodvd
34	nogroups	34	nogroups
35	notv	35	notv
36	nou2f	36	nou2f
37	novideo
38	shell none	37	shell none
39		38
40	disable-mnt	39	disable-mnt


diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile index b8f4ca765..abbbba6c3 100644 --- a/etc/profile-m-z/totem.profile +++ b/etc/profile-m-z/totem.profile
@@ -14,9 +14,6 @@ include allow-python3.inc
14		14
15	noblacklist ${HOME}/.config/totem	15	noblacklist ${HOME}/.config/totem
16	noblacklist ${HOME}/.local/share/totem	16	noblacklist ${HOME}/.local/share/totem
17	noblacklist ${MUSIC}
18	noblacklist ${PICTURES}
19	noblacklist ${VIDEOS}
20		17
21	include disable-common.inc	18	include disable-common.inc
22	include disable-devel.inc	19	include disable-devel.inc
@@ -25,8 +22,18 @@ include disable-interpreters.inc
25	include disable-passwdmgr.inc	22	include disable-passwdmgr.inc
26	include disable-programs.inc	23	include disable-programs.inc
27	include disable-shell.inc	24	include disable-shell.inc
28	include disable-xdg.inc
29		25
		26	read-only ${DESKTOP}
		27	mkdir ${HOME}/.config/totem
		28	mkdir ${HOME}/.local/share/totem
		29	whitelist ${HOME}/.config/totem
		30	whitelist ${HOME}/.local/share/totem
		31	whitelist ${DESKTOP}
		32	whitelist ${DOWNLOADS}
		33	whitelist ${MUSIC}
		34	whitelist ${PICTURES}
		35	whitelist ${VIDEOS}
		36	include whitelist-common.inc
30	include whitelist-var-common.inc	37	include whitelist-var-common.inc
31		38
32	# apparmor - makes settings immutable	39	# apparmor - makes settings immutable


diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile index 0069ebeae..07a1b5fc0 100644 --- a/etc/profile-m-z/vlc.profile +++ b/etc/profile-m-z/vlc.profile
@@ -9,8 +9,6 @@ include globals.local
9	noblacklist ${HOME}/.cache/vlc	9	noblacklist ${HOME}/.cache/vlc
10	noblacklist ${HOME}/.config/vlc	10	noblacklist ${HOME}/.config/vlc
11	noblacklist ${HOME}/.local/share/vlc	11	noblacklist ${HOME}/.local/share/vlc
12	noblacklist ${MUSIC}
13	noblacklist ${VIDEOS}
14		12
15	include disable-common.inc	13	include disable-common.inc
16	include disable-devel.inc	14	include disable-devel.inc
@@ -18,8 +16,20 @@ include disable-exec.inc
18	include disable-interpreters.inc	16	include disable-interpreters.inc
19	include disable-passwdmgr.inc	17	include disable-passwdmgr.inc
20	include disable-programs.inc	18	include disable-programs.inc
21	include disable-xdg.inc
22		19
		20	read-only ${DESKTOP}
		21	mkdir ${HOME}/.cache/vlc
		22	mkdir ${HOME}/.config/vlc
		23	mkdir ${HOME}/.local/share/vlc
		24	whitelist ${HOME}/.cache/vlc
		25	whitelist ${HOME}/.config/vlc
		26	whitelist ${HOME}/.local/share/vlc
		27	whitelist ${DESKTOP}
		28	whitelist ${DOWNLOADS}
		29	whitelist ${MUSIC}
		30	whitelist ${PICTURES}
		31	whitelist ${VIDEOS}
		32	include whitelist-common.inc
23	include whitelist-var-common.inc	33	include whitelist-var-common.inc
24		34
25	#apparmor - on Ubuntu 18.04 it refuses to start without dbus access	35	#apparmor - on Ubuntu 18.04 it refuses to start without dbus access


diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile index 28df73ea5..555d8e9a4 100644 --- a/etc/profile-m-z/xplayer.profile +++ b/etc/profile-m-z/xplayer.profile
@@ -7,8 +7,6 @@ include globals.local
7		7
8	noblacklist ${HOME}/.config/xplayer	8	noblacklist ${HOME}/.config/xplayer
9	noblacklist ${HOME}/.local/share/xplayer	9	noblacklist ${HOME}/.local/share/xplayer
10	noblacklist ${MUSIC}
11	noblacklist ${VIDEOS}
12		10
13	# Allow python (blacklisted by disable-interpreters.inc)	11	# Allow python (blacklisted by disable-interpreters.inc)
14	include allow-python2.inc	12	include allow-python2.inc
@@ -20,8 +18,18 @@ include disable-exec.inc
20	include disable-interpreters.inc	18	include disable-interpreters.inc
21	include disable-passwdmgr.inc	19	include disable-passwdmgr.inc
22	include disable-programs.inc	20	include disable-programs.inc
23	include disable-xdg.inc
24		21
		22	read-only ${DESKTOP}
		23	mkdir ${HOME}/.config/xplayer
		24	mkdir ${HOME}/.local/share/xplayer
		25	whitelist ${HOME}/.config/xplayer
		26	whitelist ${HOME}/.local/share/xplayer
		27	whitelist ${DESKTOP}
		28	whitelist ${DOWNLOADS}
		29	whitelist ${MUSIC}
		30	whitelist ${PICTURES}
		31	whitelist ${VIDEOS}
		32	include whitelist-common.inc
25	include whitelist-var-common.inc	33	include whitelist-var-common.inc
26		34
27	# apparmor - makes settings immutable	35	# apparmor - makes settings immutable


diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile new file mode 100644 index 000000000..513cb0f6e --- /dev/null +++ b/etc/profile-m-z/youtube-viewer.profile
@@ -0,0 +1,57 @@
		1	# Firejail profile for youtube-viewer
		2	# Description: Trizen's CLI Youtube viewer with login support
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include youtube-viewer.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	blacklist /tmp/.X11-unix
		11	blacklist ${RUNUSER}/wayland-*
		12	blacklist ${RUNUSER}
		13
		14	noblacklist ${HOME}/.config/youtube-viewer
		15
		16	include allow-perl.inc
		17	include allow-python2.inc
		18	include allow-python3.inc
		19
		20	include disable-common.inc
		21	include disable-devel.inc
		22	include disable-exec.inc
		23	include disable-interpreters.inc
		24	include disable-passwdmgr.inc
		25	include disable-programs.inc
		26	include disable-xdg.inc
		27
		28	mkdir ${HOME}/.config/youtube-viewer
		29	whitelist ${HOME}/.config/youtube-viewer
		30	include whitelist-common.inc
		31	include whitelist-usr-share-common.inc
		32	include whitelist-var-common.inc
		33
		34	apparmor
		35	caps.drop all
		36	netfilter
		37	nodvd
		38	nogroups
		39	nonewprivs
		40	noroot
		41	notv
		42	nou2f
		43	novideo
		44	protocol unix,inet,inet6
		45	seccomp
		46	shell none
		47	tracelog
		48
		49	disable-mnt
		50	# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
		51	private-cache
		52	private-dev
		53	private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
		54	private-tmp
		55
		56	dbus-user none
		57	dbus-system none \ No newline at end of file