5 files changed, 36 insertions, 17 deletions
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 4e460fc10..9576239f3 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -8,8 +8,13 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 # Java
+noblacklist ${HOME}/.ammonite
+noblacklist ${HOME}/.config/jgit
+noblacklist ${HOME}/.g8
 noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.ivy2
 noblacklist ${HOME}/.java
+noblacklist ${HOME}/.sbt
 # Node.js
 noblacklist ${HOME}/.node-gyp
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index fcd385cae..efe1b2572 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -175,6 +175,7 @@ blacklist ${HOME}/.cache/mypaint
 blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/nheko
 blacklist ${HOME}/.cache/nvim
+blacklist ${HOME}/.cache/ocenaudio
 blacklist ${HOME}/.cache/okular
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile
index 26cc2a00a..acc03e93f 100644
--- a/etc/profile-a-l/cmake.profile
+++ b/etc/profile-a-l/cmake.profile
@@ -1,12 +1,15 @@
-# Firejail profile for cargo
+# Firejail profile for cmake
-# Description: The Rust package manager
+# Description: A cross-platform open-source make system
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include cargo.local
+include cmake.local
 # Persistent global definitions
 include globals.local
+whitelist /usr/share/cmake
+whitelist /usr/share/cmake-*
 memory-deny-write-execute
 # Redirect
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 0bfb35333..080b4c92b 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -6,8 +6,9 @@ include ocenaudio.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.cache/ocenaudio
 noblacklist ${HOME}/.local/share/ocenaudio
-noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
 include disable-common.inc
@@ -18,38 +19,44 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+mkdir ${HOME}/.cache/ocenaudio
+mkdir ${HOME}/.local/share/ocenaudio
+whitelist ${HOME}/.cache/ocenaudio
+whitelist ${HOME}/.local/share/ocenaudio
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
 caps.drop all
-ipc-namespace
+#ipc-namespace
-# net none - breaks update functionality and AppArmor on Ubuntu systems
-# Add 'net none' to your ocenaudio.local when you want that functionality.
-#net none
 netfilter
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
 novideo
-protocol unix
+# Add `protocol unix\nignore protocol` to your ocenaudio.local to disable networking.
+protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-private-bin ocenaudio
+private-bin ocenaudio,ocenvst
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-opt ocenaudio
 private-tmp
-# breaks preferences
+dbus-user none
-# dbus-user none
+dbus-system none
-# dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
index a0926371f..560957d47 100644
--- a/etc/profile-m-z/pip.profile
+++ b/etc/profile-m-z/pip.profile
@@ -3,7 +3,7 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include meson.local
+include pip.local
 # Persistent global definitions
 include globals.local
@@ -12,6 +12,9 @@ ignore read-only ${HOME}/.local/lib
 # Allow python3 (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
+noblacklist ${HOME}/.cache/pip
+#whitelist ${HOME}/.cache/pip
 #whitelist ${HOME}/.local/lib/python*
 # Redirect

diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 4e460fc10..9576239f3 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc
@@ -8,8 +8,13 @@ noblacklist ${HOME}/.gitconfig
8	noblacklist ${HOME}/.git-credentials	8	noblacklist ${HOME}/.git-credentials
9		9
10	# Java	10	# Java
		11	noblacklist ${HOME}/.ammonite
		12	noblacklist ${HOME}/.config/jgit
		13	noblacklist ${HOME}/.g8
11	noblacklist ${HOME}/.gradle	14	noblacklist ${HOME}/.gradle
		15	noblacklist ${HOME}/.ivy2
12	noblacklist ${HOME}/.java	16	noblacklist ${HOME}/.java
		17	noblacklist ${HOME}/.sbt
13		18
14	# Node.js	19	# Node.js
15	noblacklist ${HOME}/.node-gyp	20	noblacklist ${HOME}/.node-gyp


diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index fcd385cae..efe1b2572 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -175,6 +175,7 @@ blacklist ${HOME}/.cache/mypaint
175	blacklist ${HOME}/.cache/netsurf	175	blacklist ${HOME}/.cache/netsurf
176	blacklist ${HOME}/.cache/nheko	176	blacklist ${HOME}/.cache/nheko
177	blacklist ${HOME}/.cache/nvim	177	blacklist ${HOME}/.cache/nvim
		178	blacklist ${HOME}/.cache/ocenaudio
178	blacklist ${HOME}/.cache/okular	179	blacklist ${HOME}/.cache/okular
179	blacklist ${HOME}/.cache/opera	180	blacklist ${HOME}/.cache/opera
180	blacklist ${HOME}/.cache/opera-beta	181	blacklist ${HOME}/.cache/opera-beta


diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile index 26cc2a00a..acc03e93f 100644 --- a/etc/profile-a-l/cmake.profile +++ b/etc/profile-a-l/cmake.profile
@@ -1,12 +1,15 @@
1	# Firejail profile for cargo	1	# Firejail profile for cmake
2	# Description: The Rust package manager	2	# Description: A cross-platform open-source make system
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
4	quiet	4	quiet
5	# Persistent local customizations	5	# Persistent local customizations
6	include cargo.local	6	include cmake.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
		10	whitelist /usr/share/cmake
		11	whitelist /usr/share/cmake-*
		12
10	memory-deny-write-execute	13	memory-deny-write-execute
11		14
12	# Redirect	15	# Redirect


diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile index 0bfb35333..080b4c92b 100644 --- a/etc/profile-m-z/ocenaudio.profile +++ b/etc/profile-m-z/ocenaudio.profile
@@ -6,8 +6,9 @@ include ocenaudio.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
		9	noblacklist ${HOME}/.cache/ocenaudio
9	noblacklist ${HOME}/.local/share/ocenaudio	10	noblacklist ${HOME}/.local/share/ocenaudio
10	noblacklist ${DOCUMENTS}	11
11	noblacklist ${MUSIC}	12	noblacklist ${MUSIC}
12		13
13	include disable-common.inc	14	include disable-common.inc
@@ -18,38 +19,44 @@ include disable-programs.inc
18	include disable-shell.inc	19	include disable-shell.inc
19	include disable-xdg.inc	20	include disable-xdg.inc
20		21
		22	mkdir ${HOME}/.cache/ocenaudio
		23	mkdir ${HOME}/.local/share/ocenaudio
		24	whitelist ${HOME}/.cache/ocenaudio
		25	whitelist ${HOME}/.local/share/ocenaudio
		26	whitelist ${DOWNLOADS}
		27	whitelist ${MUSIC}
		28	include whitelist-common.inc
		29	include whitelist-run-common.inc
		30	include whitelist-runuser-common.inc
21	include whitelist-usr-share-common.inc	31	include whitelist-usr-share-common.inc
22	include whitelist-var-common.inc	32	include whitelist-var-common.inc
23		33
24	apparmor	34	apparmor
25	caps.drop all	35	caps.drop all
26	ipc-namespace	36	#ipc-namespace
27	# net none - breaks update functionality and AppArmor on Ubuntu systems
28	# Add 'net none' to your ocenaudio.local when you want that functionality.
29	#net none
30	netfilter	37	netfilter
31	no3d	38	no3d
32	nodvd	39	nodvd
33	nogroups	40	nogroups
34	noinput	41	noinput
35	nonewprivs	42	nonewprivs
		43	noprinters
36	noroot	44	noroot
37	notv	45	notv
38	nou2f	46	nou2f
39	novideo	47	novideo
40	protocol unix	48	# Add `protocol unix\nignore protocol` to your ocenaudio.local to disable networking.
		49	protocol unix,inet,inet6
41	seccomp	50	seccomp
42	shell none	51	shell none
43	tracelog	52	tracelog
44		53
45	private-bin ocenaudio	54	private-bin ocenaudio,ocenvst
46	private-cache	55	private-cache
47	private-dev	56	private-dev
48	private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse	57	private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
		58	private-opt ocenaudio
49	private-tmp	59	private-tmp
50		60
51	# breaks preferences	61	dbus-user none
52	# dbus-user none	62	dbus-system none
53	# dbus-system none
54
55	#memory-deny-write-execute - breaks on Arch (see issue #1803)


diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile index a0926371f..560957d47 100644 --- a/etc/profile-m-z/pip.profile +++ b/etc/profile-m-z/pip.profile
@@ -3,7 +3,7 @@
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
4	quiet	4	quiet
5	# Persistent local customizations	5	# Persistent local customizations
6	include meson.local	6	include pip.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
@@ -12,6 +12,9 @@ ignore read-only ${HOME}/.local/lib
12	# Allow python3 (blacklisted by disable-interpreters.inc)	12	# Allow python3 (blacklisted by disable-interpreters.inc)
13	include allow-python3.inc	13	include allow-python3.inc
14		14
		15	noblacklist ${HOME}/.cache/pip
		16
		17	#whitelist ${HOME}/.cache/pip
15	#whitelist ${HOME}/.local/lib/python*	18	#whitelist ${HOME}/.local/lib/python*
16		19
17	# Redirect	20	# Redirect