29 files changed, 112 insertions, 36 deletions
diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc
new file mode 100644
index 000000000..81a8883f3
--- /dev/null
+++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-proc.local
+blacklist /proc/acpi
+blacklist /proc/asound
+blacklist /proc/bootconfig
+blacklist /proc/buddyinfo
+blacklist /proc/cgroups
+blacklist /proc/cmdline
+blacklist /proc/config.gz
+blacklist /proc/consoles
+#blacklist /proc/cpuinfo
+blacklist /proc/crypto
+blacklist /proc/devices
+blacklist /proc/diskstats
+blacklist /proc/dma
+#blacklist /proc/driver
+blacklist /proc/dynamic_debug
+blacklist /proc/execdomains
+blacklist /proc/fb
+#blacklist /proc/filesystems
+blacklist /proc/fs
+blacklist /proc/i8k
+blacklist /proc/interrupts
+blacklist /proc/iomem
+blacklist /proc/ioports
+blacklist /proc/irq
+blacklist /proc/kallsyms
+blacklist /proc/kcore
+blacklist /proc/keys
+blacklist /proc/key-users
+blacklist /proc/kmsg
+blacklist /proc/kpagecgroup
+blacklist /proc/kpagecount
+blacklist /proc/kpageflags
+blacklist /proc/latency_stats
+#blacklist /proc/loadavg
+blacklist /proc/locks
+blacklist /proc/mdstat
+#blacklist /proc/meminfo
+blacklist /proc/misc
+#blacklist /proc/modules
+#blacklist /proc/mounts
+blacklist /proc/mtrr
+#blacklist /proc/net
+blacklist /proc/partitions
+blacklist /proc/pressure
+blacklist /proc/sched_debug
+blacklist /proc/schedstat
+blacklist /proc/scsi
+#blacklist /proc/self
+blacklist /proc/slabinfo
+blacklist /proc/softirqs
+blacklist /proc/spl
+#blacklist /proc/stat
+blacklist /proc/swaps
+#blacklist /proc/sys
+blacklist /proc/sysrq-trigger
+blacklist /proc/sysvipc
+#blacklist /proc/thread-self
+blacklist /proc/timer_list
+blacklist /proc/tty
+#blacklist /proc/uptime
+#blacklist /proc/version
+blacklist /proc/version_signature
+blacklist /proc/vmallocinfo
+#blacklist /proc/vmstat
+#blacklist /proc/zoneinfo
+blacklist /proc/sys/abi
+blacklist /proc/sys/crypto
+blacklist /proc/sys/debug
+blacklist /proc/sys/dev
+blacklist /proc/sys/fs
+blacklist /proc/sys/net
+blacklist /proc/sys/user
+blacklist /proc/sys/vm
+noblacklist /proc/sys/kernel/osrelease
+noblacklist /proc/sys/kernel/yama
+blacklist /proc/sys/*/*
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc
index 224d21064..0d87657a9 100644
--- a/etc/inc/whitelist-run-common.inc
+++ b/etc/inc/whitelist-run-common.inc
@@ -7,5 +7,6 @@ whitelist /run/cups/cups.sock
 whitelist /run/dbus/system_bus_socket
 whitelist /run/media
 whitelist /run/resolvconf/resolv.conf
+whitelist /run/shm
 whitelist /run/systemd/resolve/resolv.conf
 whitelist /run/systemd/resolve/stub-resolv.conf
diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile
index 76fd21d32..a256e942f 100644
--- a/etc/profile-a-l/Books.profile
+++ b/etc/profile-a-l/Books.profile
@@ -1,5 +1,10 @@
 # Firejail profile for gnome-books
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Books.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index 62857a3e2..68512e37b 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -29,7 +29,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index e7b78f7d0..7d8ec481d 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -39,7 +39,7 @@ dbus-user.own org.kde.amarok
 dbus-user.own org.mpris.amarok
 dbus-user.own org.mpris.MediaPlayer2.amarok
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 # If you're not on kde-plasma add the next lines to your amarok.local.
 #dbus-user.own org.kde.kded
 #dbus-user.own org.kde.klauncher
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 683a7858b..66f38b358 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.parallelrealities/blobwars
 whitelist ${HOME}/.parallelrealities/blobwars
 whitelist /usr/share/blobwars
+whitelist /usr/share/games/blobwars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -28,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 5c7bc03d8..862ef6ab6 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -63,6 +63,6 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.portal.Desktop
 dbus-user.talk org.gnome.Shell
 dbus-user.talk org.kde.KWin
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user.own org.kde.*
+?ALLOW_TRAY: dbus-user.own org.kde.*
 dbus-system none
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index bb35c9447..88943760a 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 1009f345b..4a08fca9b 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -35,7 +35,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index 35d969e6d..edb85048b 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index dec0daef2..b5f98b411 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
index 8d391b90f..59d762f55 100644
--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
-private-bin jumpnbump-menu,python3*
+private-bin env,jumpnbump-menu,python3*
 # Redirect
 include jumpnbump.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index b9bc8f219..9726ff6fe 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -27,7 +27,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 0f3e6605b..45a707071 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -98,11 +98,10 @@ dbus-user.talk org.freedesktop.ScreenSaver
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.xfce.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 # Add the next line to your keepassxc.local to allow notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Add the next line to your keepassxc.local to allow the tray menu.
-#dbus-user.talk org.kde.StatusNotifierWatcher
-#dbus-user.own org.kde.*
 dbus-system filter
 dbus-system.talk org.freedesktop.login1
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 16dc97d0c..5b5902563 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -37,7 +37,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 58cc716d9..0f55b674f 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -60,6 +60,6 @@ private-tmp
 dbus-user filter
 dbus-user.own org.kde.neochat
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.kde.kwalletd5
 dbus-system none
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index d0eef9704..354d3351e 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -67,6 +67,5 @@ private-tmp
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
-# Add the next line to your nextcloud.local for tray icon support
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
-#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 2f305dae9..89a146a09 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -53,8 +53,7 @@ private-tmp
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 # Add the next line to your nheko.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-# Add the next line to your nheko.local to enable tray icon support.
-#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 12c7ea3d0..c2c22f42d 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -25,7 +25,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 253465991..68362cbc8 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -28,7 +28,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 5f17b73dc..3f7f68009 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -49,10 +49,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
-dbus-user none
+dbus-user filter
-# Add the next lines to your spectral.local to enable notification support.
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
-#ignore dbus-user none
+# Add the next line to your spectral.local to enable notification support.
-#dbus-user filter
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 323849e35..d48065c4b 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index df54fb9ba..d0fb0d43e 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -26,7 +26,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index fd4b82524..dc1f77664 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -50,7 +50,7 @@ private-tmp
 dbus-user filter
 dbus-user.own org.telegram.desktop.*
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.freedesktop.ScreenSaver
 dbus-system none
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index a7ebaf2af..19e586db4 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -28,7 +28,6 @@ ipc-namespace
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index 4e16df553..96541ae25 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -8,6 +8,9 @@ include globals.local
 noblacklist ${HOME}/.tremulous
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -41,7 +44,7 @@ shell none
 tracelog
 disable-mnt
-private-bin tremded,tremulous,tremulous-wrapper
+private-bin env,sh,tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index 5659ec69c..2f818b733 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/warsow-2.1
 noblacklist ${HOME}/.local/share/warsow-2.1
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -34,19 +37,18 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 disable-mnt
-private-bin warsow
+private-bin basename,bash,dirname,sed,sh,uname,warsow
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 6ffe9ece9..7c2b38d1d 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -32,7 +32,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 7628313e0..44197b547 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
 #include disable-devel.inc
 #include disable-exec.inc
 #include disable-interpreters.inc
+#include disable-proc.inc
 #include disable-programs.inc
 #include disable-shell.inc
 #include disable-write-mnt.inc

diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc new file mode 100644 index 000000000..81a8883f3 --- /dev/null +++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
		1	# This file is overwritten during software install.
		2	# Persistent customizations should go in a .local file.
		3	include disable-proc.local
		4
		5	blacklist /proc/acpi
		6	blacklist /proc/asound
		7	blacklist /proc/bootconfig
		8	blacklist /proc/buddyinfo
		9	blacklist /proc/cgroups
		10	blacklist /proc/cmdline
		11	blacklist /proc/config.gz
		12	blacklist /proc/consoles
		13	#blacklist /proc/cpuinfo
		14	blacklist /proc/crypto
		15	blacklist /proc/devices
		16	blacklist /proc/diskstats
		17	blacklist /proc/dma
		18	#blacklist /proc/driver
		19	blacklist /proc/dynamic_debug
		20	blacklist /proc/execdomains
		21	blacklist /proc/fb
		22	#blacklist /proc/filesystems
		23	blacklist /proc/fs
		24	blacklist /proc/i8k
		25	blacklist /proc/interrupts
		26	blacklist /proc/iomem
		27	blacklist /proc/ioports
		28	blacklist /proc/irq
		29	blacklist /proc/kallsyms
		30	blacklist /proc/kcore
		31	blacklist /proc/keys
		32	blacklist /proc/key-users
		33	blacklist /proc/kmsg
		34	blacklist /proc/kpagecgroup
		35	blacklist /proc/kpagecount
		36	blacklist /proc/kpageflags
		37	blacklist /proc/latency_stats
		38	#blacklist /proc/loadavg
		39	blacklist /proc/locks
		40	blacklist /proc/mdstat
		41	#blacklist /proc/meminfo
		42	blacklist /proc/misc
		43	#blacklist /proc/modules
		44	#blacklist /proc/mounts
		45	blacklist /proc/mtrr
		46	#blacklist /proc/net
		47	blacklist /proc/partitions
		48	blacklist /proc/pressure
		49	blacklist /proc/sched_debug
		50	blacklist /proc/schedstat
		51	blacklist /proc/scsi
		52	#blacklist /proc/self
		53	blacklist /proc/slabinfo
		54	blacklist /proc/softirqs
		55	blacklist /proc/spl
		56	#blacklist /proc/stat
		57	blacklist /proc/swaps
		58	#blacklist /proc/sys
		59	blacklist /proc/sysrq-trigger
		60	blacklist /proc/sysvipc
		61	#blacklist /proc/thread-self
		62	blacklist /proc/timer_list
		63	blacklist /proc/tty
		64	#blacklist /proc/uptime
		65	#blacklist /proc/version
		66	blacklist /proc/version_signature
		67	blacklist /proc/vmallocinfo
		68	#blacklist /proc/vmstat
		69	#blacklist /proc/zoneinfo
		70
		71	blacklist /proc/sys/abi
		72	blacklist /proc/sys/crypto
		73	blacklist /proc/sys/debug
		74	blacklist /proc/sys/dev
		75	blacklist /proc/sys/fs
		76	blacklist /proc/sys/net
		77	blacklist /proc/sys/user
		78	blacklist /proc/sys/vm
		79
		80	noblacklist /proc/sys/kernel/osrelease
		81	noblacklist /proc/sys/kernel/yama
		82	blacklist /proc/sys//


diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc index 224d21064..0d87657a9 100644 --- a/etc/inc/whitelist-run-common.inc +++ b/etc/inc/whitelist-run-common.inc
@@ -7,5 +7,6 @@ whitelist /run/cups/cups.sock
7	whitelist /run/dbus/system_bus_socket	7	whitelist /run/dbus/system_bus_socket
8	whitelist /run/media	8	whitelist /run/media
9	whitelist /run/resolvconf/resolv.conf	9	whitelist /run/resolvconf/resolv.conf
		10	whitelist /run/shm
10	whitelist /run/systemd/resolve/resolv.conf	11	whitelist /run/systemd/resolve/resolv.conf
11	whitelist /run/systemd/resolve/stub-resolv.conf	12	whitelist /run/systemd/resolve/stub-resolv.conf


diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile index 76fd21d32..a256e942f 100644 --- a/etc/profile-a-l/Books.profile +++ b/etc/profile-a-l/Books.profile
@@ -1,5 +1,10 @@
1	# Firejail profile for gnome-books	1	# Firejail profile for gnome-books
2	# This file is overwritten after every install/update	2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include Books.local
		5	# Persistent global definitions
		6	# added by included profile
		7	#include globals.local
3		8
4		9
5	# Temporary fix for https://github.com/netblue30/firejail/issues/2624	10	# Temporary fix for https://github.com/netblue30/firejail/issues/2624


diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile index 62857a3e2..68512e37b 100644 --- a/etc/profile-a-l/alienarena.profile +++ b/etc/profile-a-l/alienarena.profile
@@ -29,7 +29,6 @@ caps.drop all
29	netfilter	29	netfilter
30	nodvd	30	nodvd
31	nogroups	31	nogroups
32	noinput
33	nonewprivs	32	nonewprivs
34	noroot	33	noroot
35	notv	34	notv


diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile index e7b78f7d0..7d8ec481d 100644 --- a/etc/profile-a-l/amarok.profile +++ b/etc/profile-a-l/amarok.profile
@@ -39,7 +39,7 @@ dbus-user.own org.kde.amarok
39	dbus-user.own org.mpris.amarok	39	dbus-user.own org.mpris.amarok
40	dbus-user.own org.mpris.MediaPlayer2.amarok	40	dbus-user.own org.mpris.MediaPlayer2.amarok
41	dbus-user.talk org.freedesktop.Notifications	41	dbus-user.talk org.freedesktop.Notifications
42	dbus-user.talk org.kde.StatusNotifierWatcher	42	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
43	# If you're not on kde-plasma add the next lines to your amarok.local.	43	# If you're not on kde-plasma add the next lines to your amarok.local.
44	#dbus-user.own org.kde.kded	44	#dbus-user.own org.kde.kded
45	#dbus-user.own org.kde.klauncher	45	#dbus-user.own org.kde.klauncher


diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile index 683a7858b..66f38b358 100644 --- a/etc/profile-a-l/blobwars.profile +++ b/etc/profile-a-l/blobwars.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
19	mkdir ${HOME}/.parallelrealities/blobwars	19	mkdir ${HOME}/.parallelrealities/blobwars
20	whitelist ${HOME}/.parallelrealities/blobwars	20	whitelist ${HOME}/.parallelrealities/blobwars
21	whitelist /usr/share/blobwars	21	whitelist /usr/share/blobwars
		22	whitelist /usr/share/games/blobwars
22	include whitelist-common.inc	23	include whitelist-common.inc
23	include whitelist-usr-share-common.inc	24	include whitelist-usr-share-common.inc
24	include whitelist-var-common.inc	25	include whitelist-var-common.inc
@@ -28,7 +29,6 @@ caps.drop all
28	net none	29	net none
29	nodvd	30	nodvd
30	nogroups	31	nogroups
31	noinput
32	nonewprivs	32	nonewprivs
33	noroot	33	noroot
34	notv	34	notv


diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile index 5c7bc03d8..862ef6ab6 100644 --- a/etc/profile-a-l/flameshot.profile +++ b/etc/profile-a-l/flameshot.profile
@@ -63,6 +63,6 @@ dbus-user.talk org.freedesktop.Notifications
63	dbus-user.talk org.freedesktop.portal.Desktop	63	dbus-user.talk org.freedesktop.portal.Desktop
64	dbus-user.talk org.gnome.Shell	64	dbus-user.talk org.gnome.Shell
65	dbus-user.talk org.kde.KWin	65	dbus-user.talk org.kde.KWin
66	dbus-user.talk org.kde.StatusNotifierWatcher	66	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
67	dbus-user.own org.kde.*	67	?ALLOW_TRAY: dbus-user.own org.kde.*
68	dbus-system none	68	dbus-system none


diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile index bb35c9447..88943760a 100644 --- a/etc/profile-a-l/frozen-bubble.profile +++ b/etc/profile-a-l/frozen-bubble.profile
@@ -30,7 +30,6 @@ caps.drop all
30	net none	30	net none
31	nodvd	31	nodvd
32	nogroups	32	nogroups
33	noinput
34	nonewprivs	33	nonewprivs
35	noroot	34	noroot
36	notv	35	notv


diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile index 1009f345b..4a08fca9b 100644 --- a/etc/profile-a-l/funnyboat.profile +++ b/etc/profile-a-l/funnyboat.profile
@@ -35,7 +35,6 @@ ipc-namespace
35	netfilter	35	netfilter
36	nodvd	36	nodvd
37	nogroups	37	nogroups
38	noinput
39	nonewprivs	38	nonewprivs
40	noroot	39	noroot
41	notv	40	notv


diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile index 35d969e6d..edb85048b 100644 --- a/etc/profile-a-l/gl-117.profile +++ b/etc/profile-a-l/gl-117.profile
@@ -29,7 +29,6 @@ caps.drop all
29	net none	29	net none
30	nodvd	30	nodvd
31	nogroups	31	nogroups
32	noinput
33	nonewprivs	32	nonewprivs
34	noroot	33	noroot
35	notv	34	notv


diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile index dec0daef2..b5f98b411 100644 --- a/etc/profile-a-l/glaxium.profile +++ b/etc/profile-a-l/glaxium.profile
@@ -29,7 +29,6 @@ caps.drop all
29	net none	29	net none
30	nodvd	30	nodvd
31	nogroups	31	nogroups
32	noinput
33	nonewprivs	32	nonewprivs
34	noroot	33	noroot
35	notv	34	notv


diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile index 8d391b90f..59d762f55 100644 --- a/etc/profile-a-l/jumpnbump-menu.profile +++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
10	# Allow python (blacklisted by disable-interpreters.inc)	10	# Allow python (blacklisted by disable-interpreters.inc)
11	include allow-python3.inc	11	include allow-python3.inc
12		12
13	private-bin jumpnbump-menu,python3*	13	private-bin env,jumpnbump-menu,python3*
14		14
15	# Redirect	15	# Redirect
16	include jumpnbump.profile	16	include jumpnbump.profile


diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile index b9bc8f219..9726ff6fe 100644 --- a/etc/profile-a-l/jumpnbump.profile +++ b/etc/profile-a-l/jumpnbump.profile
@@ -27,7 +27,6 @@ caps.drop all
27	net none	27	net none
28	nodvd	28	nodvd
29	nogroups	29	nogroups
30	noinput
31	nonewprivs	30	nonewprivs
32	noroot	31	noroot
33	notv	32	notv


diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 0f3e6605b..45a707071 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile
@@ -98,11 +98,10 @@ dbus-user.talk org.freedesktop.ScreenSaver
98	dbus-user.talk org.gnome.ScreenSaver	98	dbus-user.talk org.gnome.ScreenSaver
99	dbus-user.talk org.gnome.SessionManager	99	dbus-user.talk org.gnome.SessionManager
100	dbus-user.talk org.xfce.ScreenSaver	100	dbus-user.talk org.xfce.ScreenSaver
		101	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
		102	?ALLOW_TRAY: dbus-user.own org.kde.*
101	# Add the next line to your keepassxc.local to allow notifications.	103	# Add the next line to your keepassxc.local to allow notifications.
102	#dbus-user.talk org.freedesktop.Notifications	104	#dbus-user.talk org.freedesktop.Notifications
103	# Add the next line to your keepassxc.local to allow the tray menu.
104	#dbus-user.talk org.kde.StatusNotifierWatcher
105	#dbus-user.own org.kde.*
106	dbus-system filter	105	dbus-system filter
107	dbus-system.talk org.freedesktop.login1	106	dbus-system.talk org.freedesktop.login1
108		107


diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile index 16dc97d0c..5b5902563 100644 --- a/etc/profile-m-z/mrrescue.profile +++ b/etc/profile-m-z/mrrescue.profile
@@ -37,7 +37,6 @@ caps.drop all
37	net none	37	net none
38	nodvd	38	nodvd
39	nogroups	39	nogroups
40	noinput
41	nonewprivs	40	nonewprivs
42	noroot	41	noroot
43	notv	42	notv


diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile index 58cc716d9..0f55b674f 100644 --- a/etc/profile-m-z/neochat.profile +++ b/etc/profile-m-z/neochat.profile
@@ -60,6 +60,6 @@ private-tmp
60	dbus-user filter	60	dbus-user filter
61	dbus-user.own org.kde.neochat	61	dbus-user.own org.kde.neochat
62	dbus-user.talk org.freedesktop.Notifications	62	dbus-user.talk org.freedesktop.Notifications
63	dbus-user.talk org.kde.StatusNotifierWatcher	63	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
64	dbus-user.talk org.kde.kwalletd5	64	dbus-user.talk org.kde.kwalletd5
65	dbus-system none	65	dbus-system none


diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index d0eef9704..354d3351e 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile
@@ -67,6 +67,5 @@ private-tmp
67		67
68	dbus-user filter	68	dbus-user filter
69	dbus-user.talk org.freedesktop.secrets	69	dbus-user.talk org.freedesktop.secrets
70	# Add the next line to your nextcloud.local for tray icon support	70	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
71	#dbus-user.talk org.kde.StatusNotifierWatcher
72	dbus-system none	71	dbus-system none


diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile index 2f305dae9..89a146a09 100644 --- a/etc/profile-m-z/nheko.profile +++ b/etc/profile-m-z/nheko.profile
@@ -53,8 +53,7 @@ private-tmp
53		53
54	dbus-user filter	54	dbus-user filter
55	dbus-user.talk org.freedesktop.secrets	55	dbus-user.talk org.freedesktop.secrets
		56	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
56	# Add the next line to your nheko.local to enable notification support.	57	# Add the next line to your nheko.local to enable notification support.
57	#dbus-user.talk org.freedesktop.Notifications	58	#dbus-user.talk org.freedesktop.Notifications
58	# Add the next line to your nheko.local to enable tray icon support.
59	#dbus-user.talk org.kde.StatusNotifierWatcher
60	dbus-system none	59	dbus-system none


diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile index 12c7ea3d0..c2c22f42d 100644 --- a/etc/profile-m-z/open-invaders.profile +++ b/etc/profile-m-z/open-invaders.profile
@@ -25,7 +25,6 @@ caps.drop all
25	net none	25	net none
26	nodvd	26	nodvd
27	nogroups	27	nogroups
28	noinput
29	nonewprivs	28	nonewprivs
30	noroot	29	noroot
31	notv	30	notv


diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile index 253465991..68362cbc8 100644 --- a/etc/profile-m-z/openclonk.profile +++ b/etc/profile-m-z/openclonk.profile
@@ -28,7 +28,6 @@ ipc-namespace
28	netfilter	28	netfilter
29	nodvd	29	nodvd
30	nogroups	30	nogroups
31	noinput
32	nonewprivs	31	nonewprivs
33	noroot	32	noroot
34	notv	33	notv


diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile index 5f17b73dc..3f7f68009 100644 --- a/etc/profile-m-z/spectral.profile +++ b/etc/profile-m-z/spectral.profile
@@ -49,10 +49,8 @@ private-dev
49	private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg	49	private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
50	private-tmp	50	private-tmp
51		51
52	dbus-user none	52	dbus-user filter
53	# Add the next lines to your spectral.local to enable notification support.	53	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
54	#ignore dbus-user none	54	# Add the next line to your spectral.local to enable notification support.
55	#dbus-user filter
56	#dbus-user.talk org.freedesktop.Notifications	55	#dbus-user.talk org.freedesktop.Notifications
57	#dbus-user.talk org.kde.StatusNotifierWatcher
58	dbus-system none	56	dbus-system none


diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile index 323849e35..d48065c4b 100644 --- a/etc/profile-m-z/supertux2.profile +++ b/etc/profile-m-z/supertux2.profile
@@ -30,7 +30,6 @@ caps.drop all
30	net none	30	net none
31	nodvd	31	nodvd
32	nogroups	32	nogroups
33	noinput
34	nonewprivs	33	nonewprivs
35	noroot	34	noroot
36	notv	35	notv


diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile index df54fb9ba..d0fb0d43e 100644 --- a/etc/profile-m-z/teeworlds.profile +++ b/etc/profile-m-z/teeworlds.profile
@@ -26,7 +26,6 @@ ipc-namespace
26	netfilter	26	netfilter
27	nodvd	27	nodvd
28	nogroups	28	nogroups
29	noinput
30	nonewprivs	29	nonewprivs
31	noroot	30	noroot
32	notv	31	notv


diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index fd4b82524..dc1f77664 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile
@@ -50,7 +50,7 @@ private-tmp
50	dbus-user filter	50	dbus-user filter
51	dbus-user.own org.telegram.desktop.*	51	dbus-user.own org.telegram.desktop.*
52	dbus-user.talk org.freedesktop.Notifications	52	dbus-user.talk org.freedesktop.Notifications
53	dbus-user.talk org.kde.StatusNotifierWatcher	53	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
54	dbus-user.talk org.gnome.Mutter.IdleMonitor	54	dbus-user.talk org.gnome.Mutter.IdleMonitor
55	dbus-user.talk org.freedesktop.ScreenSaver	55	dbus-user.talk org.freedesktop.ScreenSaver
56	dbus-system none	56	dbus-system none


diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile index a7ebaf2af..19e586db4 100644 --- a/etc/profile-m-z/torcs.profile +++ b/etc/profile-m-z/torcs.profile
@@ -28,7 +28,6 @@ ipc-namespace
28	net none	28	net none
29	nodvd	29	nodvd
30	nogroups	30	nogroups
31	noinput
32	nonewprivs	31	nonewprivs
33	noroot	32	noroot
34	notv	33	notv


diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile index 4e16df553..96541ae25 100644 --- a/etc/profile-m-z/tremulous.profile +++ b/etc/profile-m-z/tremulous.profile
@@ -8,6 +8,9 @@ include globals.local
8		8
9	noblacklist ${HOME}/.tremulous	9	noblacklist ${HOME}/.tremulous
10		10
		11	# Allow /bin/sh (blacklisted by disable-shell.inc)
		12	include allow-bin-sh.inc
		13
11	include disable-common.inc	14	include disable-common.inc
12	include disable-devel.inc	15	include disable-devel.inc
13	include disable-exec.inc	16	include disable-exec.inc
@@ -41,7 +44,7 @@ shell none
41	tracelog	44	tracelog
42		45
43	disable-mnt	46	disable-mnt
44	private-bin tremded,tremulous,tremulous-wrapper	47	private-bin env,sh,tremded,tremulous,tremulous-wrapper
45	private-cache	48	private-cache
46	private-dev	49	private-dev
47	private-tmp	50	private-tmp


diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile index 5659ec69c..2f818b733 100644 --- a/etc/profile-m-z/warsow.profile +++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
11	noblacklist ${HOME}/.cache/warsow-2.1	11	noblacklist ${HOME}/.cache/warsow-2.1
12	noblacklist ${HOME}/.local/share/warsow-2.1	12	noblacklist ${HOME}/.local/share/warsow-2.1
13		13
		14	# Allow /bin/sh (blacklisted by disable-shell.inc)
		15	include allow-bin-sh.inc
		16
14	include disable-common.inc	17	include disable-common.inc
15	include disable-devel.inc	18	include disable-devel.inc
16	include disable-exec.inc	19	include disable-exec.inc
@@ -34,19 +37,18 @@ ipc-namespace
34	netfilter	37	netfilter
35	nodvd	38	nodvd
36	nogroups	39	nogroups
37	noinput
38	nonewprivs	40	nonewprivs
39	noroot	41	noroot
40	notv	42	notv
41	nou2f	43	nou2f
42	novideo	44	novideo
43	protocol unix,inet,inet6	45	protocol unix,inet,inet6,netlink
44	seccomp	46	seccomp
45	shell none	47	shell none
46	tracelog	48	tracelog
47		49
48	disable-mnt	50	disable-mnt
49	private-bin warsow	51	private-bin basename,bash,dirname,sed,sh,uname,warsow
50	private-cache	52	private-cache
51	private-dev	53	private-dev
52	private-tmp	54	private-tmp


diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile index 6ffe9ece9..7c2b38d1d 100644 --- a/etc/profile-m-z/xonotic.profile +++ b/etc/profile-m-z/xonotic.profile
@@ -32,7 +32,6 @@ caps.drop all
32	netfilter	32	netfilter
33	nodvd	33	nodvd
34	nogroups	34	nogroups
35	noinput
36	nonewprivs	35	nonewprivs
37	noroot	36	noroot
38	notv	37	notv


diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 7628313e0..44197b547 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
116	#include disable-devel.inc	116	#include disable-devel.inc
117	#include disable-exec.inc	117	#include disable-exec.inc
118	#include disable-interpreters.inc	118	#include disable-interpreters.inc
		119	#include disable-proc.inc
119	#include disable-programs.inc	120	#include disable-programs.inc
120	#include disable-shell.inc	121	#include disable-shell.inc
121	#include disable-write-mnt.inc	122	#include disable-write-mnt.inc