From 7165f68e3430ccce0bfa0618200310db19e69d30 Mon Sep 17 00:00:00 2001
From: valoq
Date: Thu, 3 Nov 2016 23:51:36 +0100
Subject: private-tmp changes

---
 etc/deluge.profile | 3 +--
 etc/evince.profile | 4 ++++
 etc/fbreader.profile | 3 +--
 etc/feh.profile | 2 +-
 etc/filezilla.profile | 3 +--
 etc/firefox.profile | 6 +++++-
 etc/gthumb.profile | 2 +-
 etc/mupdf.profile | 4 ++++
 etc/pix.profile | 2 +-
 etc/qbittorrent.profile | 3 +--
 etc/rtorrent.profile | 2 +-
 etc/transmission-gtk.profile | 3 +--
 etc/transmission-qt.profile | 3 +--
 etc/uget-gtk.profile | 2 +-
 etc/wesnoth.profile | 3 +--
 etc/zathura.profile | 3 ++-
 src/man/firejail-profile.txt | 2 +-
 src/man/firejail.txt | 2 +-
 18 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/etc/deluge.profile b/etc/deluge.profile
index 8fde9acf9..b82bd4936 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -15,7 +15,6 @@ seccomp
 shell none
 private-bin deluge,sh,python,uname
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index 894c7c70d..9a9113c70 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,6 +5,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+net none
 nogroups
 nonewprivs
 noroot
@@ -16,3 +18,5 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
+private-etc fonts
+private-tmp
\ No newline at end of file
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index de31ce8de..ec098d5fe 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -16,6 +16,5 @@ seccomp
 shell none
 private-bin fbreader,FBReader
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp
diff --git a/etc/feh.profile b/etc/feh.profile
index e3b1ec528..2812effc9 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -16,6 +16,6 @@ seccomp
 shell none
 private-bin feh
-whitelist /tmp/.X11-unix
 private-dev
 private-etc feh
+private-tmp
\ No newline at end of file
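Review bot: The deluge hunk drops `nosound` along with the `whitelist /tmp/.X11-unix` line, which widens the sandbox (sound devices become reachable again, as far as `private-dev` exposes them) in a commit whose subject is only about private-tmp; the fbreader hunk does the same. Unless the removal is intentional, keep `nosound` and only replace the whitelist line with `private-tmp`. Every profile hunk in this commit also relies on `private-tmp` keeping `/tmp/.X11-unix` visible, a behaviour the commit documents in the two man pages but does not implement anywhere under src/ (the diffstat lists only etc/ and src/man/); if the implementing change is not already merged, each GUI profile here loses its X socket and the explicit whitelist should stay until it is.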
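Review bot: In the first evince hunk `netfilter` is added directly next to `net none`; as far as I can tell the filter only applies to a network namespace that has interfaces, so with `net none` it has nothing to act on and a reader cannot tell which of the two was intended. mupdf and zathura in this same commit end up with the same pair. If a closed network is the goal, `net none` alone states it, and a one-line comment such as `# no network: evince only renders local files` would make the choice explicit.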
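Review bot: In the second evince hunk `private-etc fonts` leaves evince with an /etc that contains only fonts, while the firefox hunk in this same commit gives a GTK application `passwd,group,...,gtk-2.0,gtk-3.0,...,mime.types,mailcap`; evince and its previewer/thumbnailer helpers will likely need at least some of those for MIME detection and GTK settings, so this single-entry list looks too narrow and will fail at runtime rather than at profile load. mupdf receives the same single-entry list. The added `private-tmp` lines in evince, feh, gthumb, pix and rtorrent also leave the files without a trailing newline (`\ No newline at end of file`), which the next edit to each file will turn into a spurious diff line.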
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index fe1d9d20d..a40fceec1 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -17,5 +17,4 @@ shell none
 private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 170d0fe10..7875ca6b9 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -47,4 +47,8 @@ whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+
+private-bin firefox,which,sh,dbus-launch,dbus-send,env
+private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 3ffd10add..055d78935 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -17,5 +17,5 @@ shell none
 tracelog
 private-bin gthumb
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index d1a157c3c..65e6a8978 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
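Review bot: In the firefox hunk the `# experimental features` comment now sits directly above four live directives, so it reads as if `private-bin`, `private-etc`, `private-dev` and `private-tmp` are still opt-in when this hunk actually enables them; either drop the comment or replace it with something like `# restrict /bin, /etc, /dev and /tmp to what firefox needs`. Turning a commented-out `private-etc` into a live one and adding a `private-bin` allow-list to the most widely used profile is a behaviour change that the subject `private-tmp changes` does not mention and deserves a sentence in the commit message, since a missing entry in either list breaks the browser rather than the sandbox. Compared with the old commented list, `iceweasel` and `adobe` are also gone from `private-etc`; if Debian's iceweasel packaging or the Adobe plugin configuration directory are still meant to work, those entries need to come back.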
@@ -12,12 +12,16 @@ nosound
 protocol unix
 seccomp
 netfilter
+net none
 shell none
 tracelog
+seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+
 private-bin mupdf
 private-tmp
 private-dev
+private-etc fonts
 # mupdf will never write anything
 read-only ${HOME}
diff --git a/etc/pix.profile b/etc/pix.profile
index e21ddadc6..dc8192b01 100644
--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -18,5 +18,5 @@ shell none
 tracelog
 private-bin pix
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 67829c9ca..89e0e4c78 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -16,5 +16,4 @@ seccomp
 #shell none
 #private-bin qbittorrent
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 1226a51cd..55bfcd77f 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -14,5 +14,5 @@ seccomp
 shell none
 private-bin rtorrent
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 316cdfec6..fa54ea81b 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,5 +19,4 @@ tracelog
 private-bin transmission-gtk
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 51c58e224..100fadc27 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
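Review bot: The new `seccomp.keep` allow-list in the mupdf hunk carries no comment on how it was produced or on which distribution and architecture, yet it is very build-specific: it names `open`, `select` and `poll` but not `openat`, `pselect6`, `ppoll` or `rt_sigreturn`, which other libc builds use, so on another system mupdf would be killed by the filter with a SIGSYS that is hard to trace back to this line. It also sits beside the existing `seccomp` line, and the profile should say whether the allow-list is meant to replace or stack on the default blacklist. Add a comment above it such as `# syscall allow-list recorded with strace on <distribution/arch placeholder>; regenerate when libc or mupdf changes`. The `netfilter` + `net none` pair and the single-entry `private-etc fonts` added here raise the same questions as on the evince hunks.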
@@ -19,5 +19,4 @@ tracelog
 private-bin transmission-qt
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index f42e6c69a..3ba28f772 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -16,8 +16,8 @@ shell none
 private-bin uget-gtk
 private-dev
+private-tmp
-whitelist /tmp/.X11-unix
 whitelist ${DOWNLOADS}
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index 2ddb59d11..bb489ddeb 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -15,8 +15,7 @@ protocol unix,inet,inet6
 seccomp
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
 mkdir ${HOME}/.local/share/wesnoth
 mkdir ${HOME}/.config/wesnoth
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 99a8ea90d..6c93a2480 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+net none
 nogroups
 nonewprivs
 noroot
@@ -19,7 +20,7 @@ protocol unix
 private-bin zathura
 private-dev
 private-etc fonts
-whitelist /tmp/.X11-unix
+private-tmp
 read-only ~/
 read-write ~/.local/share/zathura/
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 09dc46bbc..d6113218c 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -200,7 +200,7 @@ filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
 \fBread-only file_or_directory
 Make directory or file read-only.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 666a6a8ef..74e8ef4fe 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1180,7 +1180,7 @@ nsswitch.conf,passwd,resolv.conf
 .TP
 \fB\-\-private-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .br
 .br
-- 
cgit v1.2.3-54-g00ecf