5 files changed, 55 insertions, 3 deletions

diff --git a/etc/allow-gjs.inc b/etc/allow-gjs.inc
index f552ede9d..f4f9926cd 100644
--- a/etc/allow-gjs.inc
+++ b/etc/allow-gjs.inc
@@ -8,3 +8,4 @@ noblacklist /usr/lib/gjs
 noblacklist /usr/lib64/gjs
 noblacklist /usr/lib/libgjs*
 noblacklist /usr/lib64/libgjs*
+noblacklist /usr/lib64/libmozjs-*
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 59eac1ee8..ffe60e283 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -501,6 +501,7 @@ blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
+blacklist ${HOME}/.local/share/Shortwave
 blacklist ${HOME}/.local/share/Steam
 blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
@@ -759,6 +760,7 @@ blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Shortwave
 blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
 blacklist ${HOME}/.cache/agenda
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index bc64a5abf..7c343c26d 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -44,8 +44,7 @@ notv
 protocol unix,inet,inet6,netlink
 # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
 seccomp !chroot
-# Uncomment the next line (or put it into your firefox-common.local) if your firefox doesn't require a shell to lauch.
-#shell none
+shell none
 # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
 
diff --git a/etc/shortwave.profile b/etc/shortwave.profile
new file mode 100644
index 000000000..ee2314833
--- /dev/null
+++ b/etc/shortwave.profile
@@ -0,0 +1,50 @@
+# Firejail profile for shortwave
+# Description: Listen to internet radio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shortwave.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Shortwave
+noblacklist ${HOME}/.local/share/Shortwave
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Shortwave
+mkdir ${HOME}/.local/share/Shortwave
+whitelist ${HOME}/.cache/Shortwave
+whitelist ${HOME}/.local/share/Shortwave
+whitelist /usr/share/shortwave
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin shortwave
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index b3ebd4996..d339ce476 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -119,7 +119,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
-#GTK3 only: include whitelist-runuser-common.inc
+#include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc