authorjc_gargma <jc_gargma@iserlohn-fortress.net>2020-10-18 20:54:47 -0700
committerjc_gargma <jc_gargma@iserlohn-fortress.net>2020-10-18 20:54:47 -0700
commit6ea485a808c1bc86cdbff55b99b5e5e9e03ab65b (patch)
tree5856536d3208d494856509915436610b4c5c679b
parentFix bannerlord profile (diff)
downloadfirejail-profiles-6ea485a808c1bc86cdbff55b99b5e5e9e03ab65b.tar.xz
Updated for firejail 0.9.64-rc1
-rw-r--r--PKGBUILD4
-rw-r--r--profiles/0ad.local2
-rw-r--r--profiles/abook.profile (renamed from profiles/mocp.profile)32
-rw-r--r--profiles/calcurse.profile7
-rw-r--r--profiles/disable-programs.local6
-rw-r--r--profiles/dolphin-emu.profile30
-rw-r--r--profiles/dosbox.local4
-rw-r--r--profiles/firefox.local7
-rw-r--r--profiles/generic-game.inc4
-rw-r--r--profiles/generic-wine-game.inc6
-rw-r--r--profiles/gwenview.local4
-rw-r--r--profiles/karbon.profile5
-rw-r--r--profiles/keepassxc.local19
-rw-r--r--profiles/kget.local6
-rw-r--r--profiles/kmymoney.profile4
-rw-r--r--profiles/konqueror.profile4
-rw-r--r--profiles/konversation.local9
-rw-r--r--profiles/ktorrent.local4
-rw-r--r--profiles/lgogdownloader.profile4
-rw-r--r--profiles/mocp.local19
-rw-r--r--profiles/mount-and-blade-ii.profile9
-rw-r--r--profiles/mount-and-blade-warband.profile3
-rw-r--r--profiles/newsboat.local2
-rw-r--r--profiles/nyamp.profile4
-rw-r--r--profiles/okular.local4
-rw-r--r--profiles/pioneer.local3
-rw-r--r--profiles/poi.profile5
-rw-r--r--profiles/ppsspp.local10
-rw-r--r--profiles/qtox.local3
-rw-r--r--profiles/rtv.local17
-rw-r--r--profiles/rtv.profile61
-rw-r--r--profiles/strawberry.local (renamed from profiles/strawberry.profile)0
-rw-r--r--profiles/toxic.profile4
-rw-r--r--profiles/vlc.local22
-rw-r--r--profiles/w3m.local4
-rw-r--r--profiles/weechat.local4
-rw-r--r--profiles/wesnoth.local4
-rw-r--r--profiles/wget.local2
-rw-r--r--profiles/wine.local1
-rw-r--r--profiles/x4-foundations.profile3
-rw-r--r--profiles/xcom-2.profile3
-rw-r--r--profiles/youtube-dl.local2
42 files changed, 224 insertions, 126 deletions
diff --git a/PKGBUILD b/PKGBUILD
index 3c7c001..9309e81 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
# Maintainer: jc_gargma <jc_gargma@iserlohn-fortress.net>
pkgname=firejail-profiles
-pkgver=20201012
+pkgver=20201018
pkgrel=1
pkgdesc="Additional firejail profiles and locals"
arch=('any')
@@ -9,7 +9,7 @@ url="https://library.iserlohn-fortress.net/firejail-profiles.git"
license=('GPLv3')
depends=('firejail' 'hardened-malloc')
source=(profiles.tar.gz)
-b2sums=('a9c31ca046b8cd59cf3ae69cd71480c14d0654eb25608354a05a3e8d91c0acb9ae83f8ed2759d24495625e8c42463da413ffad8d87277a68aa2d338267c5eecb')
+b2sums=('e570686f4bfdc9cee3b7169c9fec3b043606071f9ded1ce3c81b68e6a5486897f0e176ee7b7b256ad41b07fa6e446625cbdbbb7e5785d9382506ceb8a17ebfd6')
package() {
install --directory ${pkgdir}/etc/firejail
diff --git a/profiles/0ad.local b/profiles/0ad.local
index c5e5982..dc9c78f 100644
--- a/profiles/0ad.local
+++ b/profiles/0ad.local
@@ -1,3 +1 @@
include disable-xdg.inc
-
-private-cache
diff --git a/profiles/mocp.profile b/profiles/abook.profile
index 84ac1d0..85804ed 100644
--- a/profiles/mocp.profile
+++ b/profiles/abook.profile
@@ -1,13 +1,13 @@
+# Firejail profile for abook
+# Description: A powerful & easy to use console audio player
# This file is overwritten after every install/update
+quiet
# Persistent local customizations
-include mocp.local
+include abook.local
# Persistent global definitions
include globals.local
-noblacklist ${HOME}/.moc
-noblacklist ${MUSIC}
-
-blacklist /tmp/.X11-unix
+noblacklist ${HOME}/.abook
include disable-common.inc
include disable-devel.inc
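Review bot: The `# Description:` line added at the top of the renamed file still describes mocp ("A powerful & easy to use console audio player"), not abook, so the header now contradicts both the `# Firejail profile for abook` line above it and the `noblacklist ${HOME}/.abook` rule below. Replace it with a description of the program this profile now sandboxes, for example `# Description: Text-based addressbook program` (wording constructed here; adjust to taste). Nothing else in the hunk depends on the text, but a wrong description is the first thing a future reader uses to decide whether a rule belongs in this file.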
@@ -17,18 +17,12 @@ include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
-whitelist ${HOME}/.moc
-whitelist ${MUSIC}
-read-only ${MUSIC}
-
+apparmor
caps.drop all
-# # alsa audio will work with ipc-namespace,
-# # but it hogs the alsa device from other applications
-ignore ipc-namespace
+ipc-namespace
machine-id
-net none
+netfilter
no3d
-nodbus
nodvd
nogroups
nonewprivs
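Review bot: This hunk replaces `net none` with `netfilter`, which puts the sandbox back on the host network — as the poi.profile comment elsewhere in this commit says, netfilter only installs a firewall for a `--net` device and does nothing otherwise. If abook needs no network access (the rest of the profile only exposes a local `${HOME}/.abook`), `net none` is the stricter setting and should be kept; if the change is deliberate, a one-line comment above `netfilter` saying why would stop the next reviewer from reverting it.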
@@ -41,11 +35,15 @@ seccomp
shell none
tracelog
-disable-mnt
-private-bin moc,mocp
+private-bin abook,nano
private-cache
private-dev
-private-etc asound.conf,group,localtime,machine-id
+private-etc group
private-tmp
+dbus-user none
+dbus-system none
+
memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.abook
diff --git a/profiles/calcurse.profile b/profiles/calcurse.profile
index 2bdde1a..f9649c5 100644
--- a/profiles/calcurse.profile
+++ b/profiles/calcurse.profile
@@ -4,6 +4,9 @@ include calcurse.local
# Persistent global definitions
include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
noblacklist ${HOME}/.config/calcurse
noblacklist ${HOME}/.local/share/calcurse
mkdir ${HOME}/.config/calcurse
@@ -17,7 +20,6 @@ machine-id
net none
netfilter
no3d
-nodbus
nodvd
nogroups
nonewprivs
@@ -40,3 +42,6 @@ private-tmp
# # Use with hardened-malloc package
env LD_PRELOAD=/usr/lib/libhardened_malloc.so
+
+dbus-user none
+dbus-system none
diff --git a/profiles/disable-programs.local b/profiles/disable-programs.local
index 0f49812..81b82c5 100644
--- a/profiles/disable-programs.local
+++ b/profiles/disable-programs.local
@@ -17,7 +17,6 @@ blacklist ${HOME}/.config/openmw-wizardrc
blacklist ${HOME}/.config/OpenRCT2
blacklist ${HOME}/.config/Proxy Studios
blacklist ${HOME}/.config/Proxy Studios/Pandora
-blacklist ${HOME}/.config/rtv
blacklist ${HOME}/.config/smolbote
blacklist ${HOME}/.config/StardewValley
blacklist ${HOME}/.config/unity3d
@@ -35,7 +34,6 @@ blacklist ${HOME}/.local/share/Almost Human
blacklist ${HOME}/.local/share/Almost Human/Legend of Grimrock
blacklist ${HOME}/.local/share/cataclysm-dda
blacklist ${HOME}/.local/share/endless-sky
-blacklist ${HOME}/.local/share/FasterThanLight
blacklist ${HOME}/.local/share/Goldhawk Interactive
blacklist ${HOME}/.local/share/kaddressbook
blacklist ${HOME}/.local/share/klipper
@@ -47,7 +45,6 @@ blacklist ${HOME}/.local/share/maildir
blacklist ${HOME}/.local/share/networkmanagement
blacklist ${HOME}/.local/share/OpenRCT2
blacklist ${HOME}/.local/share/openmw
-blacklist ${HOME}/.local/share/Paradox Interactive
blacklist ${HOME}/.local/share/Paradox Interactive/Imperator
blacklist ${HOME}/.local/share/sddm
blacklist ${HOME}/.local/share/smolbote
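Review bot: Dropping `blacklist ${HOME}/.local/share/Paradox Interactive` while keeping only the `.../Paradox Interactive/Imperator` entry narrows the blacklist from the whole vendor directory to a single game, so any other Paradox titles' data under that directory becomes visible to every sandbox that includes this file. Presumably the parent entry is now provided by the upstream disable-programs.inc that ships with 0.9.64 (the same reason the `.config/rtv`, `FasterThanLight` and `.moc` lines go), but that is not stated anywhere; it is worth confirming against the upstream file, and a short comment such as `# parent dir covered by upstream disable-programs.inc` next to the remaining Imperator line would record it.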
@@ -56,8 +53,7 @@ blacklist ${HOME}/.local/share/wineprefixes/SanctuaryRPG
blacklist ${HOME}/.local/share/wineprefixes/SimCity4
blacklist ${HOME}/.local/share/wineprefixes/StarCitizen
blacklist ${HOME}/.local/share/wineprefixes/Warframe
-blacklist ${HOME}/.mbwarband
-blacklist ${HOME}/.moc
+blacklist ${HOME}/.paradoxinteractive/Crusader Kings II
blacklist ${HOME}/.renpy
blacklist ${HOME}/.t4-engine
blacklist ${HOME}/applications/tor-browser_en-US
diff --git a/profiles/dolphin-emu.profile b/profiles/dolphin-emu.profile
new file mode 100644
index 0000000..74ba6c3
--- /dev/null
+++ b/profiles/dolphin-emu.profile
@@ -0,0 +1,30 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin-emu.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/dolphin-emu
+noblacklist ${HOME}/.local/share/dolphin-emu
+noblacklist ${HOME}/games/Emulators/GCNGAMES
+
+mkdir ${HOME}/.config/dolphin-emu
+mkdir ${HOME}/.local/share/dolphin-emu
+whitelist ${HOME}/.config/dolphin-emu
+whitelist ${HOME}/.local/share/dolphin-emu
+whitelist ${HOME}/games/Emulators/GCNGAMES
+read-only ${HOME}/games/Emulators/GCNGAMES
+include whitelist-common.inc
+
+# machine-id, obs, and alsa don't get along
+#ignore machine-id
+
+protocol unix,netlink
+seccomp !name_to_handle_at
+
+# private-dev breaks joysticks
+ignore private-dev
+
+ignore memory-deny-write-execute
+
+include generic-game.inc
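Review bot: The new profile has no `# Firejail profile for dolphin-emu` / `# Description:` header, while abook.profile in this same commit gains exactly those two lines; adding them keeps the third-party profiles consistent with the upstream layout. Separately, `${HOME}/games/Emulators/GCNGAMES` is a machine-specific path hard-coded in a file whose first line says it is overwritten on every update; the `dolphin-emu.local` included on line 3 is the conventional place for the `noblacklist`/`whitelist`/`read-only` trio on that directory, leaving the profile itself portable. The `#ignore machine-id` and `ignore private-dev` lines do carry their reasons, which is good — `ignore memory-deny-write-execute` is the one remaining ignore without a why-comment.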
diff --git a/profiles/dosbox.local b/profiles/dosbox.local
index fcfbe11..7e379f7 100644
--- a/profiles/dosbox.local
+++ b/profiles/dosbox.local
@@ -8,7 +8,6 @@ ignore netfilter
# # nogroups breaks alsa audio when using fluidsynth for midi
ignore nogroups
net none
-nodbus
protocol unix
#Breaks OMF
@@ -16,3 +15,6 @@ ignore private-bin
#Breaks using controllers
ignore private-dev
+
+dbus-user none
+dbus-system none
diff --git a/profiles/firefox.local b/profiles/firefox.local
index 36d2a32..dd7afe1 100644
--- a/profiles/firefox.local
+++ b/profiles/firefox.local
@@ -28,9 +28,14 @@ private-etc resolv.conf
# # Use for GTK_USE_PORTAL=1 support on KDE
#private-etc machine-id,passwd,resolv.conf
-#ignore nodbus
+#ignore dbus-user none
+#ignore dbus-system none
#ignore noroot
# # Use with hardened-malloc package
# This breaks firefox on polaris10 amdgpu for some reason
env LD_PRELOAD=/usr/lib/libhardened_malloc.so
+
+ignore dbus-user filter
+ignore dbus-user.own org.mozilla.firefox.*
+ignore dbus-user.own org.mpris.MediaPlayer2.firefox.*
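Review bot: `ignore dbus-user filter` together with the two `ignore dbus-user.own …` lines cancels the upstream session-bus filter but replaces it with nothing, so if the upstream firefox.profile's only session-bus directive is that filter, the sandbox ends up with an unrestricted session bus — looser than both the filter and the `dbus-user none` that is commented out just above. If an open session bus is the intent (e.g. for the GTK portal setup mentioned in the earlier comment), say so in a comment above the ignore block; if the intent was only to drop the allow-list, `dbus-user none` is the directive that actually closes the bus.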
diff --git a/profiles/generic-game.inc b/profiles/generic-game.inc
index 5f9c16d..becdedd 100644
--- a/profiles/generic-game.inc
+++ b/profiles/generic-game.inc
@@ -20,7 +20,6 @@ net none
# # no3d breaks gpu rendering
# no3d
noautopulse
-nodbus
nodvd
nogroups
nonewprivs
@@ -40,3 +39,6 @@ private-etc asound.conf,group,localtime,machine-id,pulse
private-tmp
memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/profiles/generic-wine-game.inc b/profiles/generic-wine-game.inc
index 81ffe04..1ed2b27 100644
--- a/profiles/generic-wine-game.inc
+++ b/profiles/generic-wine-game.inc
@@ -5,6 +5,7 @@ include generic-wine-game.local
noblacklist ${HOME}/.wine
noblacklist ${HOME}/.config/q4wine
noblacklist ${HOME}/.local/share/wineprefixes
+noblacklist /tmp/.wine-*
# with >=llvm-4 mesa drivers need llvm stuff
noblacklist /usr/lib/llvm*
@@ -24,6 +25,7 @@ whitelist ${HOME}/.wine
whitelist ${HOME}/.config/q4wine
# whitelist ${HOME}/.local/share/wineprefixes/bottle-name-here
whitelist ${HOME}/.local/share/wineprefixes/zz_c
+whitelist /tmp/.wine-*
caps.drop all
# # alsa audio will work with ipc-namespace,
@@ -34,7 +36,6 @@ net none
# # no3d breaks gpu rendering
# no3d
noautopulse
-nodbus
nodvd
nogroups
nonewprivs
@@ -54,3 +55,6 @@ private-etc asound.conf,group,localtime,machine-id,passwd,pulse
private-tmp
memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/profiles/gwenview.local b/profiles/gwenview.local
index 1c82bfd..93fa39c 100644
--- a/profiles/gwenview.local
+++ b/profiles/gwenview.local
@@ -5,7 +5,9 @@ ignore noblacklist ${HOME}/.kde4/share/config/gwenviewrc
net none
ignore netfilter
-nodbus
# # seccomp breaks integrated file manager on kde applications
# # due to syscall name_to_handle_at
seccomp !name_to_handle_at
+
+dbus-user none
+dbus-system none
diff --git a/profiles/karbon.profile b/profiles/karbon.profile
index 330753c..e6b451a 100644
--- a/profiles/karbon.profile
+++ b/profiles/karbon.profile
@@ -10,6 +10,7 @@ ignore noexec ${HOME}
noblacklist ${HOME}/.config/karbonrc
noblacklist ${HOME}/.local/share/karbon
+noblacklist ${HOME}/.local/share/kxmlgui5/karbon
noblacklist ${DOCUMENTS}
noblacklist ${PICTURES}
@@ -33,7 +34,6 @@ caps.drop all
ignore ipc-namespace
# net none
netfilter
-# nodbus
nodvd
nogroups
nonewprivs
@@ -51,3 +51,6 @@ shell none
private-cache
private-dev
private-tmp
+
+# dbus-user none
+# dbus-system none
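Review bot: The commented-out `# dbus-user none` / `# dbus-system none` lines give no reason why D-Bus is left open for karbon, whereas kget.local in this same commit records `# # dbus-user/system breaks systray support` above its ignore lines. Add a matching reason comment here, e.g. `# # dbus-user/system none breaks <feature>`; the same applies to the commented lines added to konqueror.profile and ktorrent.local in this commit. Without it the next update is likely to re-enable them and break whatever they were disabled for.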
diff --git a/profiles/keepassxc.local b/profiles/keepassxc.local
index 65b4300..23d2118 100644
--- a/profiles/keepassxc.local
+++ b/profiles/keepassxc.local
@@ -1,7 +1,11 @@
ignore noblacklist ${HOME}/.mozilla
ignore noblacklist ${DOCUMENTS}
+mkdir ${HOME}/.cache/keepassxc
+mkdir ${HOME}/.config/keepassxc
+
whitelist ${HOME}/.keepassxc
+whitelist ${HOME}/.cache/keepassxc
whitelist ${HOME}/.config/keepassxc
whitelist ${HOME}/.config/keepassxcrc
include whitelist-common.inc
@@ -9,9 +13,6 @@ include whitelist-common.inc
# # no3d breaks decryption for some reason
ignore no3d
-# # nodbus breaks systray support
-ignore nodbus
-
# # machine-id and net=none breaks systray support with openrc/eudev
ignore machine-id
ignore net
@@ -27,3 +28,15 @@ tracelog
disable-mnt
private-bin keepassxc,dbus-launch
private-etc fonts,ld.so.cache,localtime,machine-id,passwd
+
+# # dbus-user/system breaks systray support
+ignore dbus-user none
+ignore dbus-system none
+
+ignore dbus-user.talk com.canonical.Unity.Session
+ignore dbus-user.talk org.freedesktop.ScreenSaver
+ignore dbus-user.talk org.freedesktop.login1.Manager
+ignore dbus-user.talk org.freedesktop.login1.Session
+ignore dbus-user.talk org.gnome.ScreenSaver
+ignore dbus-user.talk org.gnome.SessionManager
+ignore dbus-user.talk org.gnome.SessionManager.Presence
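Review bot: The seven new `ignore dbus-user.talk …` lines strip individual talk rules, but nothing in this file ignores a `dbus-user filter` line, so if the upstream keepassxc.profile sets `dbus-user filter` the filter remains active with fewer permitted names — stricter, not more permissive, which is the opposite of what `# # dbus-user/system breaks systray support` suggests is intended. If the goal is an unrestricted session bus for the tray icon, `ignore dbus-user filter` (and any `dbus-user.own` entries) is needed too; if the upstream profile only has `dbus-user none`, these talk ignores match nothing. A comment naming which upstream lines are being cancelled would settle it either way.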
diff --git a/profiles/kget.local b/profiles/kget.local
index 0ac7a0a..c4252b2 100644
--- a/profiles/kget.local
+++ b/profiles/kget.local
@@ -26,8 +26,6 @@ include whitelist-common.inc
# ipc-namespace
# # no3d breaks gpu accelerated rendering
ignore no3d
-# # nodbus breaks systray support
-ignore nodbus
# machine-id
protocol unix,inet,netlink
# # seccomp breaks integrated file manager on kde applications
@@ -39,3 +37,7 @@ disable-mnt
private-bin bash,dbus-launch,kget,kdeinit5
private-cache
private-etc ca-certificates,fonts,localtime,machine-id,passwd,resolv.conf,ssl,xdg
+
+# # dbus-user/system breaks systray support
+ignore dbus-user none
+ignore dbus-system none
diff --git a/profiles/kmymoney.profile b/profiles/kmymoney.profile
index 1e3b266..d8b2ccd 100644
--- a/profiles/kmymoney.profile
+++ b/profiles/kmymoney.profile
@@ -38,7 +38,6 @@ net none
netfilter
# # no3d breaks gpu accelerated rendering
# no3d
-nodbus
nodvd
nogroups
nonewprivs
@@ -62,3 +61,6 @@ private-etc fonts,localtime
private-tmp
# memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/profiles/konqueror.profile b/profiles/konqueror.profile
index 5739120..2334d3e 100644
--- a/profiles/konqueror.profile
+++ b/profiles/konqueror.profile
@@ -46,7 +46,6 @@ ignore ipc-namespace
ignore machine-id
netfilter
ignore no3d
-ignore nodbus
nodvd
nogroups
nonewprivs
@@ -70,3 +69,6 @@ private-etc asound.conf,ca-certificates,group,machine-id,passwd,resolv.conf,ssl
ignore private-tmp
ignore memory-deny-write-execute
+
+# dbus-user none
+# dbus-system none
diff --git a/profiles/konversation.local b/profiles/konversation.local
index 26bceed..2b8386b 100644
--- a/profiles/konversation.local
+++ b/profiles/konversation.local
@@ -7,12 +7,19 @@ include whitelist-common.inc
whitelist ${HOME}/.config
whitelist ${HOME}/.config/konversationrc
+whitelist ${HOME}/.config/konversationrc.notifyrc
+
+mkdir ${HOME}/.local/share/konversation
+mkdir ${HOME}/.local/share/kxmlgui5/konversation
whitelist ${HOME}/.local/share/konversation
+whitelist ${HOME}/.local/share/kxmlgui5/konversation
# ipc-namespace
machine-id
-nodbus
protocol unix,inet
private-bin konversation,keditbookmarks
private-etc asound.conf,group,machine-id,pulse,resolv.conf
+
+dbus-user none
+dbus-system none
diff --git a/profiles/ktorrent.local b/profiles/ktorrent.local
index 1655d6f..515398b 100644
--- a/profiles/ktorrent.local
+++ b/profiles/ktorrent.local
@@ -18,7 +18,6 @@ include disable-xdg.inc
whitelist ${HOME}/.config
whitelist ${HOME}/torrents
-ignore nodbus
# # machine-id breaks systray support
ignore machine-id
protocol unix,inet,netlink
@@ -34,3 +33,6 @@ private-etc ca-certificates,fonts,machine-id,passwd,resolv.conf,ssl,xdg
# # Use with hardened-malloc package
env LD_PRELOAD=/usr/lib/libhardened_malloc.so
+
+# ignore dbus-user none
+# ignore dbus-system none
diff --git a/profiles/lgogdownloader.profile b/profiles/lgogdownloader.profile
index a0eadea..7723d1c 100644
--- a/profiles/lgogdownloader.profile
+++ b/profiles/lgogdownloader.profile
@@ -31,7 +31,6 @@ caps.drop all
ipc-namespace
netfilter
no3d
-nodbus
nodvd
nogroups
nonewprivs
@@ -49,3 +48,6 @@ private-bin lgogdownloader
private-dev
private-etc ca-certificates,pki,resolv.conf,ssl
private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/profiles/mocp.local b/profiles/mocp.local
new file mode 100644
index 0000000..323dbc1
--- /dev/null
+++ b/profiles/mocp.local
@@ -0,0 +1,19 @@
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+whitelist ${HOME}/.moc
+whitelist ${MUSIC}
+read-only ${MUSIC}
+
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+machine-id
+ignore netfilter
+net none
+
+protocol unix
+
+disable-mnt
+private-bin moc,mocp
+private-etc asound.conf,group,localtime,machine-id
diff --git a/profiles/mount-and-blade-ii.profile b/profiles/mount-and-blade-ii.profile
index 64e5869..4e7e5a4 100644
--- a/profiles/mount-and-blade-ii.profile
+++ b/profiles/mount-and-blade-ii.profile
@@ -7,8 +7,17 @@ include globals.local
noblacklist ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord
whitelist ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord
mkfile ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord.dxvk-cache
+mkfile ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord_d3d11.log
+mkfile ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord_dxgi.log
+mkfile ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/imgui.ini
read-only ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord
read-write ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord.dxvk-cache
+read-write ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord_d3d11.log
+read-write ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord_dxgi.log
+read-write ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/imgui.ini
+
+# machine-id, obs, and alsa don't get along
+#ignore machine-id
# MB2 requires seccomp and ptrace
seccomp !name_to_handle_at,!ptrace
diff --git a/profiles/mount-and-blade-warband.profile b/profiles/mount-and-blade-warband.profile
index 5a57141..dd69f3d 100644
--- a/profiles/mount-and-blade-warband.profile
+++ b/profiles/mount-and-blade-warband.profile
@@ -11,6 +11,9 @@ read-only ${HOME}/games/Mount and Blade - Warband
mkdir ${HOME}/.mbwarband
whitelist ${HOME}/.mbwarband
+# machine-id, obs, and alsa don't get along
+#ignore machine-id
+
seccomp !name_to_handle_at
ignore memory-deny-write-execute
diff --git a/profiles/newsboat.local b/profiles/newsboat.local
index e61a692..e100217 100644
--- a/profiles/newsboat.local
+++ b/profiles/newsboat.local
@@ -5,6 +5,7 @@ whitelist ${HOME}/.w3m
include allow-perl.inc
blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
ignore private-bin
private-etc alternatives,ca-certificates,crypto-policies,login.defs,pki,passwd,resolv.conf,ssl,terminfo
@@ -19,5 +20,4 @@ private-etc alternatives,ca-certificates,crypto-policies,login.defs,pki,passwd,r
# # Use with hardened-malloc package
# env LD_PRELOAD=/usr/lib/libhardened_malloc.so
-
tracelog
diff --git a/profiles/nyamp.profile b/profiles/nyamp.profile
index 876b869..b523155 100644
--- a/profiles/nyamp.profile
+++ b/profiles/nyamp.profile
@@ -28,7 +28,6 @@ caps.drop all
# machine-id
net none
no3d
-nodbus
nodvd
nogroups
nonewprivs
@@ -50,3 +49,6 @@ private-etc fonts,machine-id
private-tmp
memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/profiles/okular.local b/profiles/okular.local
index 0252f33..a0c3551 100644
--- a/profiles/okular.local
+++ b/profiles/okular.local
@@ -8,10 +8,12 @@ ignore noblacklist ${HOME}/.kde4/share/config/okularrc
net none
# no3d
-nodbus
# # seccomp breaks integrated file manager on kde applications
# # due to syscall name_to_handle_at
seccomp !name_to_handle_at
private-cache
private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/profiles/pioneer.local b/profiles/pioneer.local
index 4838164..69758a9 100644
--- a/profiles/pioneer.local
+++ b/profiles/pioneer.local
@@ -10,3 +10,6 @@ private-bin pioneer
private-etc asound.conf,group,localtime,machine-id,pulse
ignore memory-deny-write-execute
+
+ignore dbus-user none
+ignore dbus-system none
diff --git a/profiles/poi.profile b/profiles/poi.profile
index 43e3739..5bfb9b4 100644
--- a/profiles/poi.profile
+++ b/profiles/poi.profile
@@ -42,8 +42,9 @@ caps.drop all
## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
netfilter
-## nodbus - Disable access to dbus.
-nodbus
+## dbus-user/system none - Disable access to dbus.
+dbus-user none
+dbus-system none
## nodvd - Disable access to optical disk drives.
nodvd
diff --git a/profiles/ppsspp.local b/profiles/ppsspp.local
new file mode 100644
index 0000000..ae1ac13
--- /dev/null
+++ b/profiles/ppsspp.local
@@ -0,0 +1,10 @@
+whitelist ${HOME}/games/Emulators/PSPGAMES
+whitelist ${HOME}/.config/ppsspp
+
+# machine-id, obs, and alsa don't get along
+#ignore machine-id
+
+ignore netfilter
+net none
+
+seccomp !name_to_handle_at
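Review bot: `whitelist ${HOME}/games/Emulators/PSPGAMES` has no matching `read-only`, whereas dolphin-emu.profile in this same commit pairs `whitelist ${HOME}/games/Emulators/GCNGAMES` with `read-only` on the same path. If the ROM directory is not meant to be writable from inside the sandbox, add `read-only ${HOME}/games/Emulators/PSPGAMES` after the whitelist; if the emulator does need to write there (save states are presumably under `~/.config/ppsspp`), a short comment saying so would keep the two emulator profiles from looking inconsistent.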
diff --git a/profiles/qtox.local b/profiles/qtox.local
index a70b3ff..8c49e0a 100644
--- a/profiles/qtox.local
+++ b/profiles/qtox.local
@@ -2,9 +2,6 @@
# # but it hogs the alsa device from other applications
ignore ipc-namespace
-# # Breaks systray support
-ignore nodbus
-
# # qtox can make use of a webcam for calls
# # comment this if you intend to do so
novideo
diff --git a/profiles/rtv.local b/profiles/rtv.local
new file mode 100644
index 0000000..6b66c04
--- /dev/null
+++ b/profiles/rtv.local
@@ -0,0 +1,17 @@
+noblacklist ${HOME}/.config/rtv
+
+mkdir ${HOME}/.config/rtv
+whitelist ${HOME}/.config/rtv
+whitelist ${HOME}/.local/share/rtv
+
+ipc-namespace
+protocol inet,inet6
+
+# private-bin rtv,python,sh,xdg-settings
+private-etc ca-certificates,resolv.conf,ssl
+private-tmp
+
+# memory-deny-write-execute
+
+# # Use with hardened-malloc package
+env LD_PRELOAD=/usr/lib/libhardened_malloc.so
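Review bot: `whitelist ${HOME}/.local/share/rtv` has no preceding `mkdir` (and no `noblacklist`), unlike `${HOME}/.config/rtv` two lines above it; firejail skips whitelist entries that do not exist when the sandbox starts, so on a first run rtv cannot create that directory from inside the jail. Add `mkdir ${HOME}/.local/share/rtv` before the whitelist, and `noblacklist ${HOME}/.local/share/rtv` unless the upstream rtv.profile already provides it. The commented `# private-bin rtv,python,sh,xdg-settings` line would also benefit from a note on why it is disabled, as the `#ignore machine-id` lines elsewhere in this commit have.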
diff --git a/profiles/rtv.profile b/profiles/rtv.profile
deleted file mode 100644
index e7b7ac0..0000000
--- a/profiles/rtv.profile
+++ /dev/null
@@ -1,61 +0,0 @@
-# This file is overwritten after every install/update
-# Persistent local customizations
-include rtv.local
-# Persistent global definitions
-include globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist ${PATH}/python2*
-noblacklist /usr/include/python2*
-noblacklist /usr/lib/python2*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/share/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/include/python3*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python3*
-noblacklist /usr/share/python3*
-noblacklist ${HOME}/.config/rtv
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-mkdir ${HOME}/.config/rtv
-whitelist ${HOME}/.config/rtv
-
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-
-disable-mnt
-# private-bin rtv,python
-private-cache
-private-dev
-private-etc ca-certificates,resolv.conf,ssl
-private-tmp
-
-# memory-deny-write-execute
-
-# # Use with hardened-malloc package
-env LD_PRELOAD=/usr/lib/libhardened_malloc.so
diff --git a/profiles/strawberry.profile b/profiles/strawberry.local
index cf3da43..cf3da43 100644
--- a/profiles/strawberry.profile
+++ b/profiles/strawberry.local
diff --git a/profiles/toxic.profile b/profiles/toxic.profile
index 32254e7..15203b6 100644
--- a/profiles/toxic.profile
+++ b/profiles/toxic.profile
@@ -29,7 +29,6 @@ caps.drop all
ignore ipc-namespace
netfilter
no3d
-nodbus
nodvd
nogroups
nonewprivs
@@ -52,3 +51,6 @@ private-tmp
memory-deny-write-execute
# writable-run-user
+
+dbus-user none
+dbus-system none
diff --git a/profiles/vlc.local b/profiles/vlc.local
index ed7d779..d7094d9 100644
--- a/profiles/vlc.local
+++ b/profiles/vlc.local
@@ -1,17 +1,27 @@
ignore noblacklist ${HOME}/.cache/vlc
+noblacklist ${MUSIC}
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+include disable-xdg.inc
+
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+
+read-only ${DOWNLOADS}
+read-only ${MUSIC}
+read-only ${PICTURES}
+read-only ${VIDEOS}
# # alsa audio will work with ipc-namespace,
# # but it hogs the alsa device from other applications
ignore ipc-namespace
-nodbus
# # seccomp breaks integrated file manager on kde applications
# # due to syscall name_to_handle_at
# # kcmp syscall requied by amdgpu hardware acceleration
seccomp !name_to_handle_at,!kcmp
-read-only ${DOWNLOADS}
-read-only ${MUSIC}
-noblacklist ${PICTURES}
-read-only ${PICTURES}
-read-only ${VIDEOS}
+dbus-user none
+dbus-system none
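Review bot: `read-only ${DOWNLOADS}` is kept but `${DOWNLOADS}` gets no `whitelist`, while `${MUSIC}`, `${PICTURES}` and `${VIDEOS}` now do; once any `whitelist` line applies to ${HOME} only whitelisted paths remain visible, so Downloads — and vlc's own `~/.config/vlc` / `~/.local/share/vlc`, unless the upstream profile whitelists them — would disappear from the sandbox and that `read-only` line would be dead. If the upstream vlc.profile is not already whitelist-based, either add `whitelist ${DOWNLOADS}` plus the config directories and `include whitelist-common.inc`, or drop the new whitelist lines and rely on the read-only ones. Also worth checking that `include disable-xdg.inc` in a .local does not duplicate an include the upstream profile already has.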
diff --git a/profiles/w3m.local b/profiles/w3m.local
index 684515f..d925ca3 100644
--- a/profiles/w3m.local
+++ b/profiles/w3m.local
@@ -3,12 +3,14 @@ whitelist ${HOME}/.w3m
ipc-namespace
machine-id
-nodbus
protocol inet,inet6
disable-mnt
memory-deny-write-execute
+dbus-user none
+dbus-system none
+
# # Use with hardened-malloc package
env LD_PRELOAD=/usr/lib/libhardened_malloc.so
diff --git a/profiles/weechat.local b/profiles/weechat.local
index ca330f7..b9185ff 100644
--- a/profiles/weechat.local
+++ b/profiles/weechat.local
@@ -22,7 +22,6 @@ whitelist ${HOME}/.weechat
ignore ipc-namespace
machine-id
no3d
-nodbus
nodvd
nogroups
# nosound
@@ -38,3 +37,6 @@ private-etc asound.conf,ca-certificates,machine-id,resolv.conf,ssl
private-tmp
# memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/profiles/wesnoth.local b/profiles/wesnoth.local
index ca69a8c..6a17869 100644
--- a/profiles/wesnoth.local
+++ b/profiles/wesnoth.local
@@ -22,7 +22,6 @@ machine-id
ignore net
netfilter
ignore no3d
-nodbus
nogroups
novideo
protocol unix,inet,inet6
@@ -35,3 +34,6 @@ private-cache
private-etc asound.conf,fonts,group,localtime,machine-id,pulse,resolv.conf
ignore memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/profiles/wget.local b/profiles/wget.local
index 311e23d..53edfe2 100644
--- a/profiles/wget.local
+++ b/profiles/wget.local
@@ -1,5 +1,3 @@
-machine-id
-nodbus
protocol inet,inet6
# # Use with hardened-malloc package
diff --git a/profiles/wine.local b/profiles/wine.local
index d3210eb..d2b5003 100644
--- a/profiles/wine.local
+++ b/profiles/wine.local
@@ -9,6 +9,7 @@ mkdir ${HOME}/.local/share/wineprefixes
whitelist ${HOME}/.wine
whitelist ${HOME}/.config/q4wine
whitelist ${HOME}/.local/share/wineprefixes
+whitelist /tmp/.wine-*
machine-id
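Review bot: `whitelist /tmp/.wine-*` is added here on its own, whereas generic-wine-game.inc in this same commit pairs the identical whitelist with `noblacklist /tmp/.wine-*`. If the upstream wine.profile or one of its disable-*.inc includes blacklists that path, the whitelist alone will not expose it; add `noblacklist /tmp/.wine-*` next to the existing noblacklist lines unless the upstream profile already carries it, so the two wine entry points behave the same way.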
diff --git a/profiles/x4-foundations.profile b/profiles/x4-foundations.profile
index 3bc3b4e..eec47ee 100644
--- a/profiles/x4-foundations.profile
+++ b/profiles/x4-foundations.profile
@@ -13,6 +13,9 @@ whitelist ${HOME}/.config/EgoSoft/X4
whitelist ${HOME}/games/X-4 Foundations
read-only ${HOME}/games/X-4 Foundations
+# machine-id, obs, and alsa don't get along
+#ignore machine-id
+
protocol unix,netlink
seccomp !name_to_handle_at
diff --git a/profiles/xcom-2.profile b/profiles/xcom-2.profile
index 6d27ea6..8e874b1 100644
--- a/profiles/xcom-2.profile
+++ b/profiles/xcom-2.profile
@@ -7,6 +7,9 @@ include globals.local
noblacklist ${HOME}/.local/share/wineprefixes/XCOM2
whitelist ${HOME}/.local/share/wineprefixes/XCOM2
+# machine-id, obs, and alsa don't get along
+#ignore machine-id
+
# XCOM requires the ptrace syscall or the launcher will crash
seccomp !name_to_handle_at,!ptrace
diff --git a/profiles/youtube-dl.local b/profiles/youtube-dl.local
index 0576904..ee436ee 100644
--- a/profiles/youtube-dl.local
+++ b/profiles/youtube-dl.local
@@ -1,5 +1,3 @@
-blacklist /tmp/.X11-unix
-
protocol inet,inet6
# # None of that pip garbage