21 files changed, 281 insertions, 17 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 72fc13103..6f3d5bbdb 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -121,6 +121,7 @@ blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nextcloud
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PacmanLogViewer
+blacklist ${HOME}/.config/PawelStolowski
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/QGIS
@@ -166,6 +167,7 @@ blacklist ${HOME}/.config/aweather
 blacklist ${HOME}/.config/backintime
 blacklist ${HOME}/.config/baloofilerc
 blacklist ${HOME}/.config/baloorc
+blacklist ${HOME}/.config/bcompare
 blacklist ${HOME}/.config/blender
 blacklist ${HOME}/.config/bless
 blacklist ${HOME}/.config/bnox
@@ -312,6 +314,7 @@ blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
 blacklist ${HOME}/.config/matrix-mirage
+blacklist ${HOME}/.config/mcomix
 blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/menulibre.cfg
@@ -360,6 +363,7 @@ blacklist ${HOME}/.config/pavucontrol.ini
 blacklist ${HOME}/.config/pcmanfm
 blacklist ${HOME}/.config/pdfmod
 blacklist ${HOME}/.config/Pinta
+blacklist ${HOME}/.config/pipe-viewer
 blacklist ${HOME}/.config/pitivi
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
@@ -589,6 +593,7 @@ blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/Nextcloud
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/PawelStolowski
 blacklist ${HOME}/.local/share/Psi
 blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
@@ -694,6 +699,7 @@ blacklist ${HOME}/.local/share/man
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/matrix-mirage
+blacklist ${HOME}/.local/share/mcomix
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/minder
@@ -709,6 +715,7 @@ blacklist ${HOME}/.local/share/nemo-python
 blacklist ${HOME}/.local/share/news-flash
 blacklist ${HOME}/.local/share/newsbeuter
 blacklist ${HOME}/.local/share/newsboat
+blacklist ${HOME}/.local/share/nheko
 blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
@@ -901,6 +908,7 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/NewsFlashGTK
 blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/PawelStolowski
 blacklist ${HOME}/.cache/Psi
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/Quotient/quaternion
@@ -1009,6 +1017,7 @@ blacklist ${HOME}/.cache/org.gnome.Maps
 blacklist ${HOME}/.cache/pdfmod
 blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/pip
+blacklist ${HOME}/.cache/pipe-viewer
 blacklist ${HOME}/.cache/plasmashell
 blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
 blacklist ${HOME}/.cache/psi
@@ -1044,3 +1053,4 @@ blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/yandex-browser
 blacklist ${HOME}/.cache/yandex-browser-beta
 blacklist ${HOME}/.cache/youtube-dl
+blacklist ${HOME}/.cache/youtube-viewer
diff --git a/etc/profile-a-l/b2sum.profile b/etc/profile-a-l/b2sum.profile
new file mode 100644
index 000000000..48cb9619b
--- /dev/null
+++ b/etc/profile-a-l/b2sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for b2sum
+# Description: compute and check BLAKE2 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include b2sum.local
+# Persistent global definitions
+include globals.local
+private-bin b2sum
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
new file mode 100644
index 000000000..178e2dc9f
--- /dev/null
+++ b/etc/profile-a-l/bcompare.profile
@@ -0,0 +1,62 @@
+# Firejail profile for Beyond Compare by Scooter Software
+# Description: directory and file compare utility
+# Disables the network, which only impacts checking for updates.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bcompare.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/bcompare
+# In case the user decides to include disable-programs.inc, still allow
+# KDE's Gwenview to view images via right click -> Open With -> Associated Application
+noblacklist ${HOME}/.config/gwenviewrc
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc
+#include disable-programs.inc
+# Uncommenting this breaks launch
+# include disable-shell.inc
+include disable-write-mnt.inc
+# Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS}
+# include disable-xdg.inc
+# include whitelist-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+apparmor
+caps.drop all
+# Uncommenting might break Pulse Audio
+#machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# Allow applications launched on sound files to play them
+#nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
+# Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1"
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/cksum.profile b/etc/profile-a-l/cksum.profile
new file mode 100644
index 000000000..2baeed2ed
--- /dev/null
+++ b/etc/profile-a-l/cksum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cksum
+# Description: checksum and count the bytes in a file
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cksum.local
+# Persistent global definitions
+include globals.local
+private-bin cksum
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index ac74d25c9..f71b35c26 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -45,7 +45,7 @@ private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
 private-etc alternatives,fonts
-private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
+private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 54fe6a0f9..7ec611293 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -17,6 +17,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
+net none
 no3d
 nodvd
 nogroups
@@ -35,4 +36,6 @@ tracelog
 private-dev
 # private-tmp
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
 dbus-system none
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 20bd9824c..68dd350ca 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,11 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
+# Uncomment or put in your firefox.local one of the following whitelist to enable KeePassXC Plugin
+# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 whitelist /usr/share/doc
 whitelist /usr/share/firefox
 whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 41218d3f7..d29c7609e 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -26,12 +26,7 @@ ipc-namespace
 net none
 no3d
 nodvd
-# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
-# comment both 'nogroups' and 'noroot'
-# or put 'ignore nogroups' and 'ignore noroot' in your gnome-logs.local.
-nogroups
 nonewprivs
-noroot
 nosound
 notv
 nou2f
@@ -50,7 +45,9 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 writable-var-log
-dbus-user none
+dbus-user filter
+dbus-user.own org.gnome.Logs
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 # comment this if you export logs to a file in your ${HOME}
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
new file mode 100644
index 000000000..2f684349d
--- /dev/null
+++ b/etc/profile-a-l/hasher-common.profile
@@ -0,0 +1,60 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include hasher-common.local
+# common profile for hasher/checksum tools
+blacklist ${RUNUSER}
+# WARNING:
+# Users can (un)restrict file access for **all** hashers by commenting/uncommenting the needed
+# include file(s) here or by putting those into hasher-common.local.
+# Another option is to do this **per hasher** in the relevant <hasher>.local.
+# Just beware that things tend to break when overtightening profiles. For example, because you only
+# need to hash/check files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-xdg.inc.
+#include disable-xdg.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+x11 none
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+#private-cache
+private-dev
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+#private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 86292744c..3e686a454 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -21,7 +21,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
-caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource
+caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource
 # net none
 netfilter
 no3d
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index 965750bf0..678bb0b8a 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -19,16 +19,16 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-mkdir ${HOME}/.local/share/man
+#mkdir ${HOME}/.local/share/man
-whitelist ${HOME}/.local/share/man
+#whitelist ${HOME}/.local/share/man
-whitelist ${HOME}/.manpath
+#whitelist ${HOME}/.manpath
 whitelist /usr/share/groff
 whitelist /usr/share/info
 whitelist /usr/share/lintian
 whitelist /usr/share/locale
 whitelist /usr/share/man
 whitelist /var/cache/man
-include whitelist-common.inc
+#include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -58,9 +58,11 @@ disable-mnt
 private-cache
 private-dev
 private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
-private-tmp
+#private-tmp
 dbus-user none
 dbus-system none
 memory-deny-write-execute
+read-only ${HOME}
+read-only /tmp
diff --git a/etc/profile-m-z/md5sum.profile b/etc/profile-m-z/md5sum.profile
new file mode 100644
index 000000000..3612c73fd
--- /dev/null
+++ b/etc/profile-m-z/md5sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for md5sum
+# Description: compute and check MD5 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include md5sum.local
+# Persistent global definitions
+include globals.local
+private-bin md5sum
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 42e7e92fc..2fbbef832 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -6,8 +6,9 @@ include nheko.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/nheko
 noblacklist ${HOME}/.cache/nheko
+noblacklist ${HOME}/.config/nheko
+noblacklist ${HOME}/.local/share/nheko
 include disable-common.inc
 include disable-devel.inc
@@ -18,10 +19,12 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+mkdir ${HOME}/.cache/nheko
 mkdir ${HOME}/.config/nheko
-mkdir ${HOME}/.cache/nheko/nheko
+mkdir ${HOME}/.local/share/nheko
-whitelist ${HOME}/.config/nheko
 whitelist ${HOME}/.cache/nheko
+whitelist ${HOME}/.config/nheko
+whitelist ${HOME}/.local/share/nheko
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index c12fc9a78..202905631 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Node.js
-# Description: Common profile for npm/yarn
+# Description: Asynchronous event-driven JavaScript runtime
 # This file is overwritten after every install/update
 # Persistent local customizations
 include nodejs-common.local
@@ -45,7 +45,9 @@ shell none
 disable-mnt
 private-dev
+# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs
 private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+# May need to be commented out in order to enable debugging with some IDEs
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/sha1sum.profile b/etc/profile-m-z/sha1sum.profile
new file mode 100644
index 000000000..b2064b95d
--- /dev/null
+++ b/etc/profile-m-z/sha1sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha1sum
+# Description: compute and check SHA1 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha1sum.local
+# Persistent global definitions
+include globals.local
+private-bin sha1sum
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/sha224sum.profile b/etc/profile-m-z/sha224sum.profile
new file mode 100644
index 000000000..cb26cc5ff
--- /dev/null
+++ b/etc/profile-m-z/sha224sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha224sum
+# Description: compute and check SHA224 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha224sum.local
+# Persistent global definitions
+include globals.local
+private-bin sha224sum
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/sha256sum.profile b/etc/profile-m-z/sha256sum.profile
new file mode 100644
index 000000000..48944ebea
--- /dev/null
+++ b/etc/profile-m-z/sha256sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha256sum
+# Description: compute and check SHA256 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha256sum.local
+# Persistent global definitions
+include globals.local
+private-bin sha256sum
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/sha384sum.profile b/etc/profile-m-z/sha384sum.profile
new file mode 100644
index 000000000..6d876daed
--- /dev/null
+++ b/etc/profile-m-z/sha384sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha384sum
+# Description: compute and check SHA384 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha384sum.local
+# Persistent global definitions
+include globals.local
+private-bin sha384sum
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/sha512sum.profile b/etc/profile-m-z/sha512sum.profile
new file mode 100644
index 000000000..7ebaf3540
--- /dev/null
+++ b/etc/profile-m-z/sha512sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha512sum
+# Description: compute and check SHA512 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha512sum.local
+# Persistent global definitions
+include globals.local
+private-bin sha512sum
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/sum.profile b/etc/profile-m-z/sum.profile
new file mode 100644
index 000000000..cd73af919
--- /dev/null
+++ b/etc/profile-m-z/sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sum
+# Description: checksum and count the blocks in a file
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sum.local
+# Persistent global definitions
+include globals.local
+private-bin sum
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index e8fe4a360..b8f97db1d 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -7,6 +7,7 @@ include youtube-viewer.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.cache/youtube-viewer
 noblacklist ${HOME}/.config/youtube-viewer
 # Allow perl (blacklisted by disable-interpreters.inc)
@@ -24,7 +25,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.cache/youtube-viewer
 mkdir ${HOME}/.config/youtube-viewer
+whitelist ${HOME}/.cache/youtube-viewer
 whitelist ${HOME}/.config/youtube-viewer
 include whitelist-common.inc
 include whitelist-usr-share-common.inc