8 files changed, 74 insertions, 10 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index f72394810..f033371f8 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -237,6 +237,7 @@ blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gummi
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/homebank
 blacklist ${HOME}/.config/i2p
 blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index cbeef798f..35bea4aaa 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -32,7 +32,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
+private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index bc6626598..ceb01f2a0 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -25,7 +25,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none -- breaks currency conversion
 netfilter
 no3d
 nodvd
@@ -39,6 +39,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
 private-bin gnome-calculator
@@ -47,8 +48,7 @@ private-dev
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
-# makes settings immutable
+dbus-user filter
-# dbus-user none
+dbus-user.own org.gnome.Calculator
-# dbus-system none
+dbus-user.talk ca.desrt.dconf
+dbus-system none
-# memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index 2a5d2a231..a46e47759 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -50,7 +50,9 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.Pomodoro
 dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.gnome.Shell
+dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 read-only ${HOME}
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
new file mode 100644
index 000000000..8e600a2d7
--- /dev/null
+++ b/etc/profile-a-l/homebank.profile
@@ -0,0 +1,59 @@
+# Firejail profile for homebank
+# Description: Personal finance manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include homebank.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/homebank
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/homebank
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/homebank
+whitelist /usr/share/homebank
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+nodvd
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin homebank
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11
+private-tmp
+dbus-user none
+dbus-system none
+# memory-deny-write-execute
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 5d9225705..b51a86e7d 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -34,10 +34,12 @@ nodvd
 nogroups
 notv
 nou2f
+novideo
 shell none
 disable-mnt
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index 326b97e4b..bd7faa80a 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -1,14 +1,14 @@
 # Firejail profile for teams
 # Description: Official Microsoft Teams client for Linux using Electron.
 # This file is overwritten after every install/update
-# Known issues:
-#  * if Teams crashes on startup try using "ignore apparmor" in your local config
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
+# see #3404
+ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index e3af5600a..8e0741458 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -25,5 +25,5 @@ seccomp
 disable-mnt
 private-cache
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index f72394810..f033371f8 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -237,6 +237,7 @@ blacklist ${HOME}/.config/gthumb
237	blacklist ${HOME}/.config/gummi	237	blacklist ${HOME}/.config/gummi
238	blacklist ${HOME}/.config/gwenviewrc	238	blacklist ${HOME}/.config/gwenviewrc
239	blacklist ${HOME}/.config/hexchat	239	blacklist ${HOME}/.config/hexchat
		240	blacklist ${HOME}/.config/homebank
240	blacklist ${HOME}/.config/i2p	241	blacklist ${HOME}/.config/i2p
241	blacklist ${HOME}/.config/inkscape	242	blacklist ${HOME}/.config/inkscape
242	blacklist ${HOME}/.config/inox	243	blacklist ${HOME}/.config/inox


diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index cbeef798f..35bea4aaa 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile
@@ -32,7 +32,7 @@ novideo
32	protocol unix,inet,inet6,netlink	32	protocol unix,inet,inet6,netlink
33	seccomp !chroot	33	seccomp !chroot
34		34
35	private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh	35	private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
36	private-dev	36	private-dev
37	private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl	37	private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
38	private-tmp	38	private-tmp


diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile index bc6626598..ceb01f2a0 100644 --- a/etc/profile-a-l/gnome-calculator.profile +++ b/etc/profile-a-l/gnome-calculator.profile
@@ -25,7 +25,7 @@ apparmor
25	caps.drop all	25	caps.drop all
26	ipc-namespace	26	ipc-namespace
27	machine-id	27	machine-id
28	# net none	28	#net none -- breaks currency conversion
29	netfilter	29	netfilter
30	no3d	30	no3d
31	nodvd	31	nodvd
@@ -39,6 +39,7 @@ novideo
39	protocol unix,inet,inet6	39	protocol unix,inet,inet6
40	seccomp	40	seccomp
41	shell none	41	shell none
		42	tracelog
42		43
43	disable-mnt	44	disable-mnt
44	private-bin gnome-calculator	45	private-bin gnome-calculator
@@ -47,8 +48,7 @@ private-dev
47	#private-lib gdk-pixbuf-2.,gio,girepository-1.,gvfs,libgconf-2.so.,libgnutls.so.,libproxy.so.,librsvg-2.so.,libxml2.so.*	48	#private-lib gdk-pixbuf-2.,gio,girepository-1.,gvfs,libgconf-2.so.,libgnutls.so.,libproxy.so.,librsvg-2.so.,libxml2.so.*
48	private-tmp	49	private-tmp
49		50
50	# makes settings immutable	51	dbus-user filter
51	# dbus-user none	52	dbus-user.own org.gnome.Calculator
52	# dbus-system none	53	dbus-user.talk ca.desrt.dconf
53		54	dbus-system none
54	# memory-deny-write-execute


diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile index 2a5d2a231..a46e47759 100644 --- a/etc/profile-a-l/gnome-pomodoro.profile +++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -50,7 +50,9 @@ private-tmp
50	dbus-user filter	50	dbus-user filter
51	dbus-user.own org.gnome.Pomodoro	51	dbus-user.own org.gnome.Pomodoro
52	dbus-user.talk ca.desrt.dconf	52	dbus-user.talk ca.desrt.dconf
		53	dbus-user.talk org.gnome.Mutter.IdleMonitor
53	dbus-user.talk org.gnome.Shell	54	dbus-user.talk org.gnome.Shell
		55	dbus-user.talk org.freedesktop.Notifications
54	dbus-system none	56	dbus-system none
55		57
56	read-only ${HOME}	58	read-only ${HOME}


diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile new file mode 100644 index 000000000..8e600a2d7 --- /dev/null +++ b/etc/profile-a-l/homebank.profile
@@ -0,0 +1,59 @@
		1	# Firejail profile for homebank
		2	# Description: Personal finance manager
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include homebank.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/homebank
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-programs.inc
		16	include disable-passwdmgr.inc
		17	include disable-shell.inc
		18	include disable-xdg.inc
		19
		20	mkdir ${HOME}/.config/homebank
		21	whitelist ${DOWNLOADS}
		22	whitelist ${HOME}/.config/homebank
		23	whitelist /usr/share/homebank
		24	include whitelist-common.inc
		25	include whitelist-runuser-common.inc
		26	include whitelist-usr-share-common.inc
		27	include whitelist-var-common.inc
		28
		29	apparmor
		30	caps.drop all
		31	machine-id
		32	# net none
		33	netfilter
		34	nodvd
		35	no3d
		36	nodvd
		37	nogroups
		38	nonewprivs
		39	noroot
		40	nosound
		41	notv
		42	nou2f
		43	novideo
		44	protocol unix,inet,inet6
		45	seccomp
		46	shell none
		47	tracelog
		48
		49	disable-mnt
		50	private-bin homebank
		51	private-cache
		52	private-dev
		53	private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11
		54	private-tmp
		55
		56	dbus-user none
		57	dbus-system none
		58
		59	# memory-deny-write-execute


diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index 5d9225705..b51a86e7d 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile
@@ -34,10 +34,12 @@ nodvd
34	nogroups	34	nogroups
35	notv	35	notv
36	nou2f	36	nou2f
		37	novideo
37	shell none	38	shell none
38		39
39	disable-mnt	40	disable-mnt
40	private-dev	41	private-dev
		42	private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
41	private-tmp	43	private-tmp
42		44
43	dbus-user none	45	dbus-user none


diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile index 326b97e4b..bd7faa80a 100644 --- a/etc/profile-m-z/teams.profile +++ b/etc/profile-m-z/teams.profile
@@ -1,14 +1,14 @@
1	# Firejail profile for teams	1	# Firejail profile for teams
2	# Description: Official Microsoft Teams client for Linux using Electron.	2	# Description: Official Microsoft Teams client for Linux using Electron.
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
4	# Known issues:
5	# * if Teams crashes on startup try using "ignore apparmor" in your local config
6	# Persistent local customizations	4	# Persistent local customizations
7	include teams.local	5	include teams.local
8	# Persistent global definitions	6	# Persistent global definitions
9	# added by included profile	7	# added by included profile
10	#include globals.local	8	#include globals.local
11		9
		10	# see #3404
		11	ignore apparmor
12	ignore dbus-user none	12	ignore dbus-user none
13	ignore dbus-system none	13	ignore dbus-system none
14		14


diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index e3af5600a..8e0741458 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile
@@ -25,5 +25,5 @@ seccomp
25		25
26	disable-mnt	26	disable-mnt
27	private-cache	27	private-cache
		28	private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
28	private-tmp	29	private-tmp
29