From f12c7af205ddd6c0d75587702f01688dc62a86c5 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Tue, 22 Aug 2017 01:54:31 +0200
Subject: various profile fixes
---
 etc/atril.profile | 9 ++++++++-
 etc/audacious.profile | 3 +++
 etc/audacity.profile | 1 +
 etc/engrampa.profile | 7 ++++++-
 etc/eog.profile | 2 +-
 etc/eom.profile | 4 ++++
 etc/file-roller.profile | 2 +-
 etc/fossamail.profile | 5 ++---
 etc/gedit.profile | 3 ++-
 etc/goobox.profile | 2 +-
 etc/handbrake.profile | 1 -
 etc/konversation.profile | 1 +
 etc/mediathekview.profile | 3 +++
 etc/pluma.profile | 9 ++++++++-
 etc/qpdfview.profile | 3 +++
 etc/scribus.profile | 1 +
 etc/simple-scan.profile | 2 +-
 etc/skanlite.profile | 2 +-
 etc/vlc.profile | 1 +
 etc/xed.profile | 9 ++++++++-
 etc/xfburn.profile | 2 +-
 etc/xplayer.profile | 5 ++++-
 etc/xreader.profile | 12 ++++++++++--
 etc/xviewer.profile | 5 +++++
 24 files changed, 76 insertions(+), 18 deletions(-)
diff --git a/etc/atril.profile b/etc/atril.profile
index 7109d343e..6b0eed2db 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -28,4 +29,10 @@ tracelog
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
-private-tmp
+private-etc fonts
+# atril needs access to /tmp/mozilla* to work in firefox
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 3baa0ddba..eddc100ca 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -25,4 +25,7 @@ shell none
 tracelog
 private-bin audacious
+private-dev
 private-tmp
+
+memory-deny-write-execute
diff --git a/etc/audacity.profile b/etc/audacity.profile
index b5a15b04c..9fbc2b16d 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -30,5 +30,6 @@ private-bin audacity
 private-dev
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
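Review bot: In the second atril hunk, commenting out `private-tmp` trades the sandbox's own /tmp for the host's shared one, so whatever other processes leave in /tmp becomes readable from the jail; the added `noexec /tmp` only blocks execution there, not reads. The comment records the Firefox use case but not that trade-off, so a later cleanup may re-enable the directive or nobody will see why it is off — suggest `# private-tmp - disabled: atril must read /tmp/mozilla* when opened from firefox; the jail then sees the host /tmp`, and the xreader hunk carries the same change. The context line `private-bin atril, atril-previewer, atril-thumbnailer` keeps the spaces after the commas that the xreader hunk strips from its own `private-bin`; unless firejail tolerates that whitespace the extra names may not be matched, so normalise it here too as `private-bin atril,atril-previewer,atril-thumbnailer`. `private-etc fonts` is a very narrow /etc for a GTK viewer; if it was verified with the locale and GTK settings files absent, one line saying so would spare the next reviewer from re-checking, since a missing /etc entry fails silently inside the jail.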
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index e10fd6084..7bc5e7481 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -12,7 +12,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-netfilter
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -29,3 +30,7 @@ tracelog
 private-dev
 # private-etc fonts
 # private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/eog.profile b/etc/eog.profile
index 54d5a1a88..e5161b313 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -16,7 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups
diff --git a/etc/eom.profile b/etc/eom.profile
index 6fd069b5c..3fb1fcaf4 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -30,7 +32,9 @@ tracelog
 private-bin eom
 private-dev
+private-etc fonts
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 1ecb3c632..8484aa162 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -12,7 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups
diff --git a/etc/fossamail.profile b/etc/fossamail.profile
index 74073d8d1..cef522c53 100644
--- a/etc/fossamail.profile
+++ b/etc/fossamail.profile
@@ -17,7 +17,6 @@ whitelist ~/.fossamail
 whitelist ~/.gnupg
 include /etc/firejail/whitelist-common.inc
-nodvd
-notv
-
+# allow browsers
+# Redirect
 include /etc/firejail/firefox.profile
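Review bot: In the first engrampa hunk `netfilter` is dropped and only a comment takes its place; since firejail applies that filter only inside a network namespace created with `net`, the removal is presumably a no-op cleanup, but the outcome is that an archive manager keeps full host network access it has no use for. If the profile does not already carry `protocol unix` further down, adding it would at least refuse inet sockets without the dconf side effect that ruled out `net none`. The comment `# net none - makes settings immutable` names the symptom rather than the cause; presumably `net none` cuts the session bus off (abstract unix sockets live in the network namespace) so gsettings writes fail — confirm and record it, e.g. `# net none - breaks dconf/gsettings (session bus unreachable), settings become read-only`. The identical comment is added in the eog, eom, file-roller, gedit, pluma, xed and xviewer hunks.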
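Review bot: In the fossamail hunk the new comment `# allow browsers` does not say what it allows or refers to — the only following line redirects to firefox.profile, so a reader cannot tell whether it explains the redirect or a directive that was meant to follow it. If the intent is that the redirect is what lets fossamail hand links to a browser, say so in the one line above the repo's usual `# Redirect` marker, e.g. `# firefox.profile also covers launching the browser for links`. Dropping the profile's own `nodvd` and `notv` is only neutral if firefox.profile sets them; that is worth confirming, because after this change every restriction on the mail client comes from the included file.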
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 418575e09..3d7af1496 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -15,7 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 9bedaa431..60ffe0594 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -13,11 +13,11 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index 2b32abca6..2b33051e2 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -18,7 +18,6 @@ nogroups
 nonewprivs
 noroot
 nosound
-notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 212aa8817..1a08c3d83 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -23,4 +23,5 @@ protocol unix,inet,inet6
 seccomp
 tracelog
+private-dev
 private-tmp
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index b90e21e66..1cda5022d 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -9,8 +9,10 @@ noblacklist ~/.config/mpv
 noblacklist ~/.config/smplayer
 noblacklist ~/.config/totem
 noblacklist ~/.config/vlc
+noblacklist ~/.config/xplayer
 noblacklist ~/.java
 noblacklist ~/.local/share/totem
+noblacklist ~/.local/share/xplayer
 noblacklist ~/.mediathek3
 noblacklist ~/.mplayer
@@ -22,6 +24,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
diff --git a/etc/pluma.profile b/etc/pluma.profile
index d17a64d1d..718dee440 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-net none
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
+protocol unix
 seccomp
 shell none
 tracelog
 private-bin pluma
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 2c652c688..7d69f38f9 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -29,3 +30,5 @@ tracelog
 private-bin qpdfview
 private-dev
 private-tmp
+
+memory-deny-write-execute
diff --git a/etc/scribus.profile b/etc/scribus.profile
index acd6b2239..e4c88be49 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -28,6 +28,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 nodvd
+nogroups
 nonewprivs
 noroot
 nosound
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index de43f2a56..edd4db861 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -20,7 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
-novideo
+# novideo
 protocol unix,inet,inet6,netlink
 # simple-scan makes ioperm system calls, which are blacklisted by default.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 1d590a142..1a53cc71c 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
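Review bot: In the pluma hunk, `# private-etc fonts` is added already commented out and without a reason, while the `# net none - makes settings immutable` line in the same hunk shows the reason-in-comment convention; a disabled directive with no stated reason is either re-enabled by the next cleanup or never revisited. Suggest `# private-etc fonts - <what breaks without it>` with the placeholder filled in, or leave the line out until it is known to work. The same reason-less disabled directives appear in the xed and xplayer hunks (`# private-etc fonts`), in the simple-scan and skanlite hunks (`# novideo`, presumably because a SANE backend opens /dev/video* devices, which the comment should say) and in the vlc hunk (`# memory-deny-write-execute`), where the reason matters most because this commit enables that directive in eight other profiles and the vlc breakage is the data point a maintainer of those profiles would want.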
@@ -20,7 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
-novideo
+# novideo
 protocol unix,netlink
 # skanlite makes ioperm system calls, which are blacklisted by default.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
diff --git a/etc/vlc.profile b/etc/vlc.profile
index a41f367dd..01ddfa8a9 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -25,5 +25,6 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/xed.profile b/etc/xed.profile
index 758fb5526..42a42ef5f 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-net none
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
+protocol unix
 seccomp
 shell none
 tracelog
 private-bin xed
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index e80685f0e..ec1aca75f 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -14,12 +14,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 0722768d1..5c845e977 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -18,7 +18,6 @@ netfilter
 nogroups
 nonewprivs
 noroot
-notv
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -26,4 +25,8 @@ tracelog
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 107cefe5e..615256102 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -15,17 +15,25 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
-private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-private-tmp
+private-etc fonts
+# xreader needs access to /tmp/mozilla* to work in firefox
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 70ad3b895..b9ff3948a 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -16,12 +16,15 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -29,7 +32,9 @@ tracelog
 private-bin xviewer
 private-dev
+private-etc fonts
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
--
cgit v1.2.3-54-g00ecf