From 96dd956c01e734e8aec007e9e0c13d6908f5fc11 Mon Sep 17 00:00:00 2001
From: jc_gargma <jc_gargma@iserlohn-fortress.net>
Date: Sun, 4 Jul 2021 02:37:18 -0700
Subject: Many updates for firejail 0.9.66

---
 PKGBUILD                                  |  6 ++---
 profiles/7kaa.profile                     |  2 ++
 profiles/abook.profile                    |  2 ++
 profiles/amfora.profile                   |  2 ++
 profiles/antichamber.profile              |  2 ++
 profiles/calcurse.profile                 | 10 +++++++++
 profiles/crusader-kings-ii.profile        |  2 ++
 profiles/crusader-kings-iii.profile       |  2 ++
 profiles/curl.local                       |  1 -
 profiles/digikam.local                    |  1 +
 profiles/dins-curse.profile               |  2 ++
 profiles/disable-programs.local           |  4 ++--
 profiles/divinity-original-sin-ee.profile |  2 ++
 profiles/dolphin-emu.local                | 16 ++++++++++---
 profiles/dosbox.local                     | 11 +++++----
 profiles/factorio.profile                 |  2 ++
 profiles/fceux.profile                    |  4 ++--
 profiles/firefox-common.local             |  2 ++
 profiles/firefox.local                    |  3 ++-
 profiles/freeciv-qt.profile               | 16 +++++--------
 profiles/generic-game.inc                 |  3 +++
 profiles/generic-wine-game.inc            |  2 ++
 profiles/hearts-of-iron-iv.profile        |  2 ++
 profiles/into-the-breach.profile          |  4 ++++
 profiles/karbon.local                     |  1 +
 profiles/keepassxc.local                  | 15 +++++++------
 profiles/kget.local                       |  1 +
 profiles/kmymoney.profile                 |  4 ++++
 profiles/konqueror.profile                |  3 +++
 profiles/kristall.profile                 |  3 +++
 profiles/krita.local                      |  2 ++
 profiles/lgogdownloader.profile           |  2 ++
 profiles/mgba.profile                     | 10 ++++-----
 profiles/mocp.local                       |  2 ++
 profiles/mount-and-blade-warband.profile  |  2 ++
 profiles/nyamp.profile                    |  3 +++
 profiles/openmw-launcher.profile          |  4 ----
 profiles/openmw.local                     | 17 ++++++++++++++
 profiles/openmw.profile                   | 30 -------------------------
 profiles/openrct2.profile                 |  3 ---
 profiles/othercide.profile                |  3 +--
 profiles/pandora-first-contact.profile    |  2 ++
 profiles/pioneer.local                    | 11 ++++++---
 profiles/poi.profile                      |  7 +++++-
 profiles/ppsspp.local                     |  8 +++----
 profiles/qimv.profile                     |  2 ++
 profiles/qtox.local                       |  8 ++++---
 profiles/rtorrent.local                   |  4 +++-
 profiles/rtv.local                        |  6 -----
 profiles/starbound.profile                |  2 ++
 profiles/strawberry.local                 | 37 +++----------------------------
 profiles/tome4.profile                    |  2 ++
 profiles/toxic.profile                    |  2 ++
 profiles/unzip.local                      |  1 -
 profiles/vlc.local                        |  7 +++---
 profiles/w3m.local                        | 12 ----------
 profiles/weechat.local                    |  2 +-
 profiles/wesnoth.local                    |  4 ++--
 profiles/x4-foundations.profile           |  2 ++
 59 files changed, 175 insertions(+), 152 deletions(-)
 delete mode 100644 profiles/curl.local
 create mode 100644 profiles/karbon.local
 delete mode 100644 profiles/openmw-launcher.profile
 create mode 100644 profiles/openmw.local
 delete mode 100644 profiles/openmw.profile
 delete mode 100644 profiles/unzip.local

diff --git a/PKGBUILD b/PKGBUILD
index 4368bce..869a04c 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,15 +1,15 @@
 # Maintainer: jc_gargma <jc_gargma@iserlohn-fortress.net>
 
 pkgname=firejail-profiles
-pkgver=20210623
-pkgrel=2
+pkgver=20210704
+pkgrel=1
 pkgdesc="Additional firejail profiles and locals"
 arch=('any')
 url="https://library.iserlohn-fortress.net/firejail-profiles.git"
 license=('GPLv3')
 depends=('firejail' 'hardened-malloc')
 source=(profiles.tar.gz)
-b2sums=('57e3c4f64d5b5cff971ba218e1a52bd213c5164998e1d44ed6009a6d7eedd99f036e8f8ddc941e1d52396346f169a1e964bf743396516c12ada64c9033c86509')
+b2sums=('161cda200f18d68666b590b0f8e29cbf7be1bc64944855bd5ed5c851c95ad37c79f69a37da8be28a3429a1186ad954fcd43f8f0e97add2c408fef42b9ca90243')
 
 package() {
   install --directory ${pkgdir}/etc/firejail
diff --git a/profiles/7kaa.profile b/profiles/7kaa.profile
index d996dfa..7e3f8c1 100644
--- a/profiles/7kaa.profile
+++ b/profiles/7kaa.profile
@@ -4,6 +4,8 @@ include 7kaa.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 noblacklist ${HOME}/.local/share/7kfans.com
 
 mkdir ${HOME}/.local/share/7kfans.com
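Review bot: `ignore include disable-shell.inc` lifts a hardening that this same commit adds to generic-game.inc, but no comment says why this game needs a shell, whereas every other hardening the commit lifts carries a reason (e.g. `# noinput breaks joysticks` in fceux.profile). A one-line comment above it such as `# disable-shell.inc breaks <launcher script / reason>` would document the trade-off and let the exception be revisited. The same undocumented line is added to antichamber, crusader-kings-ii, crusader-kings-iii, dins-curse, divinity-original-sin-ee, hearts-of-iron-iv, into-the-breach, mount-and-blade-warband, pandora-first-contact, starbound and tome4. Note also that `ignore` only suppresses later occurrences, so this line must stay above the `include generic-game.inc` that is presumably at the end of each profile, outside this hunk.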
diff --git a/profiles/abook.profile b/profiles/abook.profile
index 85804ed..5ebcd86 100644
--- a/profiles/abook.profile
+++ b/profiles/abook.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 apparmor
@@ -25,6 +26,7 @@ netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
diff --git a/profiles/amfora.profile b/profiles/amfora.profile
index fcbeb82..65da794 100644
--- a/profiles/amfora.profile
+++ b/profiles/amfora.profile
@@ -18,6 +18,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/amfora
@@ -33,6 +34,7 @@ netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
diff --git a/profiles/antichamber.profile b/profiles/antichamber.profile
index 09fe3ce..cc1136e 100644
--- a/profiles/antichamber.profile
+++ b/profiles/antichamber.profile
@@ -4,6 +4,8 @@ include antichamber.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 whitelist ${HOME}/games/Antichamber
 read-only ${HOME}/games/Antichamber
 mkdir ${HOME}/.local/share/AlexanderBruce
diff --git a/profiles/calcurse.profile b/profiles/calcurse.profile
index f9649c5..250f153 100644
--- a/profiles/calcurse.profile
+++ b/profiles/calcurse.profile
@@ -4,6 +4,15 @@ include calcurse.local
 # Persistent global definitions
 include globals.local
 
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
@@ -22,6 +31,7 @@ netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
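Review bot: The include list added in the earlier hunk of this file omits `include disable-shell.inc`, which this commit adds to the comparable non-game profiles (kmymoney, konqueror, kristall, nyamp, poi). If calcurse needs a shell for its notification or hook commands the omission is deliberate and deserves a comment like `# disable-shell.inc breaks calcurse hooks`; otherwise the include should be added alongside the others. The rest of the profile is outside these hunks, so the include may also be pulled in elsewhere.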
diff --git a/profiles/crusader-kings-ii.profile b/profiles/crusader-kings-ii.profile
index 47d1743..38d3916 100644
--- a/profiles/crusader-kings-ii.profile
+++ b/profiles/crusader-kings-ii.profile
@@ -4,6 +4,8 @@ include crusader-kings-ii.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 noblacklist ${HOME}/games/Crusader Kings II
 noblacklist ${HOME}/.paradoxinteractive
 noblacklist ${HOME}/.paradoxinteractive/Crusader Kings II
diff --git a/profiles/crusader-kings-iii.profile b/profiles/crusader-kings-iii.profile
index af4abb6..4c30307 100644
--- a/profiles/crusader-kings-iii.profile
+++ b/profiles/crusader-kings-iii.profile
@@ -4,6 +4,8 @@ include crusader-kings-iii.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 noblacklist ${HOME}/games/Crusader Kings III
 noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/Paradox Interactive/Crusader Kings III
diff --git a/profiles/curl.local b/profiles/curl.local
deleted file mode 100644
index 1e31424..0000000
--- a/profiles/curl.local
+++ /dev/null
@@ -1 +0,0 @@
-machine-id
diff --git a/profiles/digikam.local b/profiles/digikam.local
index 09830a2..1658d72 100644
--- a/profiles/digikam.local
+++ b/profiles/digikam.local
@@ -1,6 +1,7 @@
 ignore noblacklist ${HOME}/.kde/share/apps/digikam
 ignore noblacklist ${HOME}/.kde4/share/apps/digikam
 
+ignore netfilter
 net none
 protocol unix
 # # seccomp breaks integrated file manager on kde applications
diff --git a/profiles/dins-curse.profile b/profiles/dins-curse.profile
index 39bbe69..7079096 100644
--- a/profiles/dins-curse.profile
+++ b/profiles/dins-curse.profile
@@ -4,6 +4,8 @@ include dins-curse.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 noblacklist ${HOME}/.local/DinsCurse
 
 whitelist ${HOME}/games/Dins Curse
diff --git a/profiles/disable-programs.local b/profiles/disable-programs.local
index 49410f9..fc11926 100644
--- a/profiles/disable-programs.local
+++ b/profiles/disable-programs.local
@@ -2,6 +2,7 @@ blacklist ${HOME}/.aqbanking
 blacklist ${HOME}/.cache/kget
 blacklist ${HOME}/.cache/kontact
 blacklist ${HOME}/.cache/smolbote
+blacklist ${HOME}/.config/cataclysm-bn
 blacklist ${HOME}/.config/cataclysm-dda
 blacklist ${HOME}/.config/kget_bittorrentfactory.rc
 blacklist ${HOME}/.config/kget_metalinkfactory.rc
@@ -12,7 +13,6 @@ blacklist ${HOME}/.config/konq_history
 blacklist ${HOME}/.config/konquerorrc
 blacklist ${HOME}/.config/lgogdownloader
 blacklist ${HOME}/.config/iserlohn-fortress.net/nyamp
-blacklist ${HOME}/.config/openmw
 blacklist ${HOME}/.config/openmw-wizardrc
 blacklist ${HOME}/.config/OpenRCT2
 blacklist ${HOME}/.config/Proxy Studios
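Review bot: Removing `blacklist ${HOME}/.config/openmw` here (and `blacklist ${HOME}/.local/share/openmw` in the fourth hunk) means every other sandbox regains access to OpenMW's config and save data unless the upstream disable-programs.inc shipped with 0.9.66 blacklists those paths itself. The deletion is presumably motivated by switching to the upstream openmw.profile, but this file is where the user-facing blacklist lived, so a comment such as `# openmw paths are now blacklisted by upstream disable-programs.inc` or keeping the two lines would make the intent verifiable.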
@@ -34,6 +34,7 @@ blacklist ${HOME}/.local/DinsCurse
 blacklist ${HOME}/.local/share/7kfans.com
 blacklist ${HOME}/.local/share/Almost Human
 blacklist ${HOME}/.local/share/Almost Human/Legend of Grimrock
+blacklist ${HOME}/.local/share/cataclysm-bn
 blacklist ${HOME}/.local/share/cataclysm-dda
 blacklist ${HOME}/.local/share/endless-sky
 blacklist ${HOME}/.local/share/Goldhawk Interactive
@@ -46,7 +47,6 @@ blacklist ${HOME}/.local/share/korganizer
 blacklist ${HOME}/.local/share/maildir
 blacklist ${HOME}/.local/share/networkmanagement
 blacklist ${HOME}/.local/share/OpenRCT2
-blacklist ${HOME}/.local/share/openmw
 blacklist ${HOME}/.local/share/Paradox Interactive/Imperator
 blacklist ${HOME}/.local/share/sddm
 blacklist ${HOME}/.local/share/smolbote
diff --git a/profiles/divinity-original-sin-ee.profile b/profiles/divinity-original-sin-ee.profile
index 7b847fd..76db611 100644
--- a/profiles/divinity-original-sin-ee.profile
+++ b/profiles/divinity-original-sin-ee.profile
@@ -4,6 +4,8 @@ include divinity-original-sin-ee.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 noblacklist ${HOME}/Larian Studios
 noblacklist ${HOME}/Larian Studios/Divinity Original Sin Enhanced Edition
 
diff --git a/profiles/dolphin-emu.local b/profiles/dolphin-emu.local
index 9972519..ce3e7b1 100644
--- a/profiles/dolphin-emu.local
+++ b/profiles/dolphin-emu.local
@@ -3,11 +3,21 @@ noblacklist ${HOME}/games/Emulators/GCNGAMES
 whitelist ${HOME}/games/Emulators/GCNGAMES
 read-only ${HOME}/games/Emulators/GCNGAMES
 
-# machine-id, obs, and alsa don't get along
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+
+# # machine-id, obs, and alsa don't get along
 #ignore machine-id
 
+ignore netfilter
+net none
+
+# # noinput breaks joysticks
+ignore noinput
+
 protocol unix,netlink
 seccomp !name_to_handle_at
 
-# private-dev breaks joysticks
-#ignore private-dev
+# # private-dev no longer breaks controllers
+private-dev
diff --git a/profiles/dosbox.local b/profiles/dosbox.local
index 7e379f7..3f292bd 100644
--- a/profiles/dosbox.local
+++ b/profiles/dosbox.local
@@ -1,5 +1,7 @@
 ignore noblacklist ${DOCUMENTS}
 
+include disable-write-mnt.inc
+
 whitelist ${HOME}/.dosbox
 whitelist ${HOME}/games/Emulators/DOSGAMES
 include whitelist-common.inc
@@ -10,11 +12,8 @@ ignore nogroups
 net none
 protocol unix
 
-#Breaks OMF
+# # Breaks OMF
 ignore private-bin
 
-#Breaks using controllers
-ignore private-dev
-
-dbus-user none
-dbus-system none
+# # Breaks using controllers
+ignore noinput
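Review bot: `dbus-user none` and `dbus-system none` are deleted without explanation while the rest of the hunk only swaps `ignore private-dev` for the narrower `ignore noinput`. If the upstream dosbox.profile in 0.9.66 already sets both, the lines were redundant; if not, the sandbox now has D-Bus access it previously lacked. A comment in the style already used in this file, e.g. `# # dbus-user/system none are set by upstream dosbox.profile`, would settle which case applies.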
diff --git a/profiles/factorio.profile b/profiles/factorio.profile
index 3b168f4..ea999a5 100644
--- a/profiles/factorio.profile
+++ b/profiles/factorio.profile
@@ -11,4 +11,6 @@ whitelist ${HOME}/.local/share/factorio
 
 ignore memory-deny-write-execute
 
+ignore noexec ${HOME}
+
 include generic-game-networked.inc
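Review bot: `ignore noexec ${HOME}` lifts the noexec restriction for every path under ${HOME} that the profile whitelists, including the writable `${HOME}/.local/share/factorio` save directory visible in the hunk header, not just the game installation. If only the game directory needs to be executable, a following `noexec ${HOME}/.local/share/factorio` would restore the restriction on the writable part, and a comment such as `# factorio is installed under ${HOME} and must be executable` would record why the ignore is needed at all.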
diff --git a/profiles/fceux.profile b/profiles/fceux.profile
index b63b0b7..d573af7 100644
--- a/profiles/fceux.profile
+++ b/profiles/fceux.profile
@@ -15,8 +15,8 @@ include whitelist-common.inc
 
 seccomp !name_to_handle_at
 
-# private-dev breaks joysticks
-ignore private-dev
+# noinput breaks joysticks
+ignore noinput
 
 ignore memory-deny-write-execute
 
diff --git a/profiles/firefox-common.local b/profiles/firefox-common.local
index 0441b7e..e6fdada 100644
--- a/profiles/firefox-common.local
+++ b/profiles/firefox-common.local
@@ -1,4 +1,6 @@
 include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 ignore noblacklist ${HOME}/.pki
 ignore noblacklist ${HOME}/.local/share/pki
diff --git a/profiles/firefox.local b/profiles/firefox.local
index dd7afe1..e906eb8 100644
--- a/profiles/firefox.local
+++ b/profiles/firefox.local
@@ -33,7 +33,8 @@ private-etc resolv.conf
 #ignore noroot
 
 # # Use with hardened-malloc package
-# This breaks firefox on polaris10 amdgpu for some reason
+# This breaks firefox on some graphics cards
+# polaris10 amdgpu
 env LD_PRELOAD=/usr/lib/libhardened_malloc.so
 
 ignore dbus-user filter
diff --git a/profiles/freeciv-qt.profile b/profiles/freeciv-qt.profile
index e1d7a5a..5aa23ea 100644
--- a/profiles/freeciv-qt.profile
+++ b/profiles/freeciv-qt.profile
@@ -6,22 +6,16 @@ include freeciv-qt.local
 # Persistent global definitions
 include globals.local
 
-# No longer required? Test this.
 noblacklist ${PATH}/lua*
-noblacklist /usr/lib/lua
 noblacklist /usr/include/lua*
-noblacklist /usr/share/lua
+noblacklist /usr/lib/liblua*
+noblacklist /usr/lib/lua
+noblacklist /usr/lib64/liblua*
+noblacklist /usr/lib64/lua
+noblacklist /usr/share/lua*
 
 noblacklist ${HOME}/.freeciv
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
 # # alsa audio will work with ipc-namespace,
 # # but it hogs the alsa device from other applications
 ignore ipc-namespace
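Review bot: The seven `include disable-*.inc` lines are removed from the profile, presumably because an `include generic-game.inc` (which this commit extends with disable-shell.inc and disable-write-mnt.inc) is pulled in later, outside this hunk. If that include is not present the profile loses all of its blacklists, so it is worth confirming; a comment such as `# disable-*.inc come from generic-game.inc` next to the lua noblacklists would make the dependency explicit. The new `noblacklist /usr/share/lua*` is broader than the removed `noblacklist /usr/share/lua`, which is fine for versioned directories but should be intentional.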
diff --git a/profiles/generic-game.inc b/profiles/generic-game.inc
index becdedd..43e72a0 100644
--- a/profiles/generic-game.inc
+++ b/profiles/generic-game.inc
@@ -8,6 +8,8 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 
@@ -22,6 +24,7 @@ net none
 noautopulse
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
diff --git a/profiles/generic-wine-game.inc b/profiles/generic-wine-game.inc
index 55676a7..27dc93a 100644
--- a/profiles/generic-wine-game.inc
+++ b/profiles/generic-wine-game.inc
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.wine
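Review bot: This include block gains `disable-write-mnt.inc` but not `disable-shell.inc`, while the parallel block in generic-game.inc receives both in this commit. If Wine or its launch scripts need a shell the omission is deliberate and a one-line comment such as `# disable-shell.inc breaks wine launch scripts` would say so; otherwise the two generic includes should stay in step.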
@@ -38,6 +39,7 @@ net none
 noautopulse
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
diff --git a/profiles/hearts-of-iron-iv.profile b/profiles/hearts-of-iron-iv.profile
index 6749b14..49bb746 100644
--- a/profiles/hearts-of-iron-iv.profile
+++ b/profiles/hearts-of-iron-iv.profile
@@ -4,6 +4,8 @@ include hearts-of-iron-iv.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 noblacklist ${HOME}/games/Hearts of Iron IV
 noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/Paradox Interactive/Hearts of Iron IV
diff --git a/profiles/into-the-breach.profile b/profiles/into-the-breach.profile
index aacbfeb..f3b46e9 100644
--- a/profiles/into-the-breach.profile
+++ b/profiles/into-the-breach.profile
@@ -4,6 +4,8 @@ include into-the-breach.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 noblacklist ${HOME}/.local/share/IntoTheBreach
 
 mkdir ${HOME}/.local/share/IntoTheBreach
@@ -11,6 +13,8 @@ whitelist ${HOME}/.local/share/IntoTheBreach
 whitelist ${HOME}/games/Into The Breach
 read-only ${HOME}/games/Into The Breach
 
+# noinput breaks controller support
+ignore noinput
 protocol unix,netlink
 seccomp !name_to_handle_at
 
diff --git a/profiles/karbon.local b/profiles/karbon.local
new file mode 100644
index 0000000..62db817
--- /dev/null
+++ b/profiles/karbon.local
@@ -0,0 +1 @@
+ignore net none 
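Review bot: `ignore net none` re-enables networking for a vector graphics editor, and as the only line of the new file it gives no hint why; a comment in the style of the other local files, e.g. `# net none breaks <feature>`, would record the reason. The line also ends with a trailing space, which is at best cosmetic and should be dropped so that the `ignore` argument matches `net none` exactly.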
diff --git a/profiles/keepassxc.local b/profiles/keepassxc.local
index b936393..6e9dbae 100644
--- a/profiles/keepassxc.local
+++ b/profiles/keepassxc.local
@@ -1,6 +1,13 @@
+ignore noblacklist ${HOME}/.config/BraveSoftware
+ignore noblacklist ${HOME}/.config/chromium
+ignore noblacklist ${HOME}/.config/google-chrome
+ignore noblacklist ${HOME}/.config/vivaldi
+ignore noblacklist ${HOME}/.local/share/torbrowser
 ignore noblacklist ${HOME}/.mozilla
 ignore noblacklist ${DOCUMENTS}
 
+include disable-write-mnt.inc
+
 mkdir ${HOME}/.cache/keepassxc
 mkdir ${HOME}/.config/keepassxc
 
@@ -19,14 +26,8 @@ ignore net
 netfilter
 protocol unix
 
-# # seccomp breaks integrated file manager on kde applications
-# # due to syscall name_to_handle_at
-#seccomp !name_to_handle_at
-
-tracelog
-
 disable-mnt
-private-bin keepassxc,dbus-launch
+private-bin keepassxc,dbus-launch,keepassxc-cli,keepassxc-proxy
 private-etc fonts,ld.so.cache,localtime,machine-id,passwd
 
 # # dbus-user/system breaks systray support
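Review bot: `tracelog` is removed without a comment; it logs blacklist violations to syslog, which is a cheap audit trail for a password manager sandbox. If it was dropped because the upstream keepassxc.profile in 0.9.66 already sets it, a note such as `# tracelog is set by upstream keepassxc.profile` would avoid the question; otherwise it should stay. The first hunk's `ignore noblacklist` lines for the browser config directories are a clear tightening and need no change.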
diff --git a/profiles/kget.local b/profiles/kget.local
index c4252b2..801448a 100644
--- a/profiles/kget.local
+++ b/profiles/kget.local
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/kget_metalinkfactory.rc
 noblacklist ${HOME}/.config/kget_multisegkiofactory.rc
 noblacklist ${VIDEOS}
 
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
diff --git a/profiles/kmymoney.profile b/profiles/kmymoney.profile
index d8b2ccd..05c75ce 100644
--- a/profiles/kmymoney.profile
+++ b/profiles/kmymoney.profile
@@ -15,6 +15,9 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.aqbanking
 mkfile ${HOME}/.config/kmymoneyrc
@@ -40,6 +43,7 @@ netfilter
 # no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
diff --git a/profiles/konqueror.profile b/profiles/konqueror.profile
index 2334d3e..0c3cb07 100644
--- a/profiles/konqueror.profile
+++ b/profiles/konqueror.profile
@@ -22,6 +22,8 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 # whitelisting breaks writing to konquerorrc
@@ -48,6 +50,7 @@ netfilter
 ignore no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
diff --git a/profiles/kristall.profile b/profiles/kristall.profile
index 4e570b2..b7e3691 100644
--- a/profiles/kristall.profile
+++ b/profiles/kristall.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-shell.inc
+include /etc/firejail/disable-write-mnt.inc
 include /etc/firejail/disable-xdg.inc
 
 mkdir ${HOME}/.config/xqTechnologies
@@ -32,6 +34,7 @@ machine-id
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
diff --git a/profiles/krita.local b/profiles/krita.local
index cccb449..b02ba9d 100644
--- a/profiles/krita.local
+++ b/profiles/krita.local
@@ -4,8 +4,10 @@ ignore noblacklist /usr/local/lib/python3*
 
 # # ipc-namespace breaks menus
 ignore ipc-namespace
+
 net none
 ignore netfilter
+
 # # seccomp breaks integrated file manager on kde applications
 # # due to syscall name_to_handle_at
 seccomp !name_to_handle_at
diff --git a/profiles/lgogdownloader.profile b/profiles/lgogdownloader.profile
index 7723d1c..e78e347 100644
--- a/profiles/lgogdownloader.profile
+++ b/profiles/lgogdownloader.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 
 blacklist /tmp/.X11-unix
 
@@ -33,6 +34,7 @@ netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
diff --git a/profiles/mgba.profile b/profiles/mgba.profile
index dae77b6..f84044e 100644
--- a/profiles/mgba.profile
+++ b/profiles/mgba.profile
@@ -16,15 +16,15 @@ whitelist ${HOME}/games/Emulators/GBAGAMES
 read-only ${HOME}/games/Emulators/GBAGAMES
 include whitelist-common.inc
 
-# name_to_handle_at required for kde file manager
-# kcmp required for amdgpu
-seccomp !name_to_handle_at,!kcmp
+# # seccomp breaks integrated file manager on kde applications
+# # due to syscall name_to_handle_at
+seccomp !name_to_handle_at
 
 # netlink required for controller support
 protocol unix,netlink
 
-# private-dev breaks controllers
-ignore private-dev
+# noinput breaks controllers
+ignore noinput
 
 ignore memory-deny-write-execute
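Review bot: The new `seccomp !name_to_handle_at` drops the `!kcmp` exception, but the removed comment on the same lines said kcmp was required for amdgpu, and nothing in the hunk says that requirement went away. If mGBA on amdgpu was retested, a comment such as `# kcmp no longer required for amdgpu` would record it; otherwise restore `seccomp !name_to_handle_at,!kcmp`.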
 
diff --git a/profiles/mocp.local b/profiles/mocp.local
index 323dbc1..e8d27d0 100644
--- a/profiles/mocp.local
+++ b/profiles/mocp.local
@@ -1,6 +1,8 @@
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
+include disable-write-mnt.inc
+
 whitelist ${HOME}/.moc
 whitelist ${MUSIC}
 read-only ${MUSIC}
diff --git a/profiles/mount-and-blade-warband.profile b/profiles/mount-and-blade-warband.profile
index dd69f3d..bbe1919 100644
--- a/profiles/mount-and-blade-warband.profile
+++ b/profiles/mount-and-blade-warband.profile
@@ -4,6 +4,8 @@ include mount-and-blade-warband.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 noblacklist ${HOME}/.mbwarband
 
 whitelist ${HOME}/games/Mount and Blade - Warband
diff --git a/profiles/nyamp.profile b/profiles/nyamp.profile
index b523155..a0fd602 100644
--- a/profiles/nyamp.profile
+++ b/profiles/nyamp.profile
@@ -13,6 +13,8 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/iserlohn-fortress.net
@@ -30,6 +32,7 @@ net none
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
diff --git a/profiles/openmw-launcher.profile b/profiles/openmw-launcher.profile
deleted file mode 100644
index f922019..0000000
--- a/profiles/openmw-launcher.profile
+++ /dev/null
@@ -1,4 +0,0 @@
-# This file is overwritten after every install/update
-
-# Redirect
-include openmw.profile
diff --git a/profiles/openmw.local b/profiles/openmw.local
new file mode 100644
index 0000000..3c6ddb4
--- /dev/null
+++ b/profiles/openmw.local
@@ -0,0 +1,17 @@
+noblacklist ${HOME}/.config/openmw-wizardrc
+
+whitelist ${HOME}/.config
+mkfile ${HOME}/.config/openmw-wizardrc
+whitelist ${HOME}/.config/openmw-wizardrc
+read-only ${HOME}/.local/share/openmw/mods
+ignore whitelist /usr/share/openmw
+whitelist /usr/share/games/openmw
+
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+seccomp !name_to_handle_at
+
+ignore private-opt none
+
+ignore memory-deny-write-execute
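Review bot: `whitelist ${HOME}/.config` exposes the whole ~/.config tree to the game sandbox although the following two lines only need `openmw-wizardrc`; whitelisting the file alone should suffice, since firejail creates the parent directory for a whitelisted file. This is carried over from the deleted openmw.profile rather than a regression, but the new local file is the place to narrow it. `ignore private-opt none` also lacks a comment explaining why /opt must be visible; `# private-opt none breaks <reason>` would match the style of the other local files.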
diff --git a/profiles/openmw.profile b/profiles/openmw.profile
deleted file mode 100644
index db331ca..0000000
--- a/profiles/openmw.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# This file is overwritten after every install/update
-# Persistent local customizations
-include openmw.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.config/openmw-wizardrc
-noblacklist ${HOME}/.config/openmw
-noblacklist ${HOME}/.local/share/openmw
-
-include whitelist-common.inc
-
-whitelist ${HOME}/.config
-mkfile ${HOME}/.config/openmw-wizardrc
-whitelist ${HOME}/.config/openmw-wizardrc
-mkdir ${HOME}/.config/openmw
-whitelist ${HOME}/.config/openmw
-mkdir ${HOME}/.local/share/openmw
-whitelist ${HOME}/.local/share/openmw
-whitelist ${HOME}/games/Morrowind
-read-only ${HOME}/games/Morrowind
-
-protocol unix,netlink
-seccomp !name_to_handle_at
-
-private-etc asound.conf,group,localtime,machine-id,openmw,pulse
-
-ignore memory-deny-write-execute
-
-include generic-game.inc
diff --git a/profiles/openrct2.profile b/profiles/openrct2.profile
index 8c50325..3dc130b 100644
--- a/profiles/openrct2.profile
+++ b/profiles/openrct2.profile
@@ -5,12 +5,9 @@ include openrct2.local
 include globals.local
 
 noblacklist ${HOME}/.config/OpenRCT2
-noblacklist ${HOME}/.local/share/OpenRCT2
 
 mkdir ${HOME}/.config/OpenRCT2
 whitelist ${HOME}/.config/OpenRCT2
-whitelist ${HOME}/games/RollerCoaster Tycoon 2
-read-only ${HOME}/games/RollerCoaster Tycoon 2
 
 seccomp !name_to_handle_at
 
diff --git a/profiles/othercide.profile b/profiles/othercide.profile
index 1469c27..c904949 100644
--- a/profiles/othercide.profile
+++ b/profiles/othercide.profile
@@ -14,9 +14,8 @@ seccomp !name_to_handle_at
 
 
 # Uncomment these for controller support
-#ignore net none
 #protocol unix,inet,inet6,netlink
-#ignore private-dev
+#ignore noinput
 
 
 ignore memory-deny-write-execute
diff --git a/profiles/pandora-first-contact.profile b/profiles/pandora-first-contact.profile
index e53fa31..a6e5a28 100644
--- a/profiles/pandora-first-contact.profile
+++ b/profiles/pandora-first-contact.profile
@@ -4,6 +4,8 @@ include pandora.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 noblacklist ${HOME}/.config/Proxy Studios
 noblacklist ${HOME}/.config/Proxy Studios/Pandora
 
diff --git a/profiles/pioneer.local b/profiles/pioneer.local
index 69758a9..85d0e7f 100644
--- a/profiles/pioneer.local
+++ b/profiles/pioneer.local
@@ -1,12 +1,17 @@
+noblacklist ${PATH}/lua*
+noblacklist /usr/include/lua*
+noblacklist /usr/lib/liblua*
+noblacklist /usr/lib/lua
+noblacklist /usr/lib64/liblua*
+noblacklist /usr/lib64/lua
+noblacklist /usr/share/lua*
+
 # # alsa audio will work with ipc-namespace,
 # # but it hogs the alsa device from other applications
 ignore ipc-namespace
 machine-id
-# # no3d breaks gpu rendering
-ignore no3d
 seccomp !name_to_handle_at
 
-private-bin pioneer
 private-etc asound.conf,group,localtime,machine-id,pulse
 
 ignore memory-deny-write-execute
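Review bot: `private-bin pioneer` is dropped without a comment; unless the upstream pioneer.profile supplies its own private-bin line, the sandbox now sees every binary in PATH. If pioneer needs an additional helper, `private-bin pioneer,<helper>` keeps the restriction while fixing the breakage, and the removal of `ignore no3d` deserves the same one-line justification. The seven lua `noblacklist` lines added at the top are identical to those in freeciv-qt.profile in this commit; a shared include (e.g. a constructed `lua-common.inc`) would keep the two lists from drifting.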
diff --git a/profiles/poi.profile b/profiles/poi.profile
index 5bfb9b4..6b133ae 100644
--- a/profiles/poi.profile
+++ b/profiles/poi.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-shell.inc
+include /etc/firejail/disable-write-mnt.inc
 include /etc/firejail/disable-xdg.inc
 
 mkdir ${HOME}/.cache/smolbote
@@ -52,6 +54,9 @@ nodvd
 ## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
 nogroups
 
+## noinput - Disable access to /dev/input devices. ie, accelerometers, controllers, joysticks, infrared receivers, etc.
+noinput
+
 ##  nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
 nonewprivs
 
@@ -90,7 +95,7 @@ disable-mnt
 # breaks if installed to /usr/local
 private-bin bash,poi
 
-## private-dev - Create a virtual /dev directory. Only dri,  null,  full,  zero,  tty,  pts, ptmx, random, snd, urandom, video, log and shm devices are available.
+## private-dev - Create a virtual /dev directory. Only dri, full, log, input, null, ptmx, pts, random, shm, snd, tty, urandom, video, and zero devices are available.
 private-dev
 
 ## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
diff --git a/profiles/ppsspp.local b/profiles/ppsspp.local
index ae1ac13..bc75bbf 100644
--- a/profiles/ppsspp.local
+++ b/profiles/ppsspp.local
@@ -1,10 +1,10 @@
 whitelist ${HOME}/games/Emulators/PSPGAMES
-whitelist ${HOME}/.config/ppsspp
+read-only ${HOME}/games/Emulators/PSPGAMES
 
 # machine-id, obs, and alsa don't get along
 #ignore machine-id
 
-ignore netfilter
-net none
-
 seccomp !name_to_handle_at
+
+# # private-dev no longer breaks controllers
+private-dev
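Review bot: Removing `ignore netfilter` and `net none` re-enables networking for the emulator, and the hunk gives no reason; if this is for PPSSPP's network play a comment such as `# net none breaks network play` would say so, otherwise `net none` was cheap hardening worth keeping. The removed `whitelist ${HOME}/.config/ppsspp` is presumably now provided by the upstream profile, which is outside this diff and worth confirming.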
diff --git a/profiles/qimv.profile b/profiles/qimv.profile
index e3a7500..f243b20 100644
--- a/profiles/qimv.profile
+++ b/profiles/qimv.profile
@@ -17,6 +17,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-write-mnt.inc
 
 #include whitelist-common.inc
 #include whitelist-var-common.inc
@@ -28,6 +29,7 @@ net none
 # no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
diff --git a/profiles/qtox.local b/profiles/qtox.local
index b7870f4..70c0e66 100644
--- a/profiles/qtox.local
+++ b/profiles/qtox.local
@@ -13,7 +13,9 @@ seccomp !name_to_handle_at
 # # mdwe breaks qtox
 ignore memory-deny-write-execute
 
-private-bin qtox,dbus-launch
+# # qtox requires anotehr binary lately, but I do not know which
+# private-bin qtox,dbus-launch
+ignore private-bin
 private-etc asound.conf,fonts,group,ld.so.cache,localtime,machine-id,passwd,pulse,resolv.conf
 
 # nodbus breaks qtox appearing in the systray
@@ -21,6 +23,6 @@ ignore dbus-user none
 ignore dbus-system none
 
 # # Use with hardened-malloc package
-# This breaks qtox on polaris10 amdgpu for some reason
-# And on aruba radeon
+# This breaks qtox on some graphics cards
+# polaris10 amdgpu, aruba radeon
 env LD_PRELOAD=/usr/lib/libhardened_malloc.so
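Review bot: In the first hunk of this file, `ignore private-bin` replaces `private-bin qtox,dbus-launch` because an unknown extra binary is needed, which lifts the whole restriction for one missing name. Running the sandbox once with firejail's `--trace` option should reveal which executable is opened, after which `private-bin qtox,dbus-launch,<binary>` restores the allowlist; the comment could then drop the uncertainty. The comment also has a typo, `anotehr` for `another`.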
diff --git a/profiles/rtorrent.local b/profiles/rtorrent.local
index 7af0444..ed8a4d6 100644
--- a/profiles/rtorrent.local
+++ b/profiles/rtorrent.local
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.rtorrent.rc
 whitelist ${HOME}/rtorrent
 whitelist ${HOME}/.rtorrent.rc
 
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 ipc-namespace
@@ -21,5 +22,6 @@ dbus-user none
 dbus-system none
 
 # # Use with hardened-malloc package
-# This breaks rtorrent on aruba radeon for some reason
+# This breaks rtorrent on some graphics cards
+# aruba radeon
 env LD_PRELOAD=/usr/lib/libhardened_malloc.so
diff --git a/profiles/rtv.local b/profiles/rtv.local
index 6b66c04..7b53030 100644
--- a/profiles/rtv.local
+++ b/profiles/rtv.local
@@ -1,9 +1,3 @@
-noblacklist ${HOME}/.config/rtv
-
-mkdir ${HOME}/.config/rtv
-whitelist ${HOME}/.config/rtv
-whitelist ${HOME}/.local/share/rtv
-
 ipc-namespace
 protocol inet,inet6
 
diff --git a/profiles/starbound.profile b/profiles/starbound.profile
index 36e59dd..cae94bd 100644
--- a/profiles/starbound.profile
+++ b/profiles/starbound.profile
@@ -4,6 +4,8 @@ include starbound.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 whitelist ${HOME}/games/Starbound
 read-only ${HOME}/games/Starbound
 mkdir ${HOME}/games/Starbound/game/storage
diff --git a/profiles/strawberry.local b/profiles/strawberry.local
index cf3da43..a605392 100644
--- a/profiles/strawberry.local
+++ b/profiles/strawberry.local
@@ -1,45 +1,14 @@
-# This file is overwritten after every install/update
-# Persistent local customizations
-include strawberry.local
-# Persistent global definitions
-include globals.local
-
-#noblacklist ${HOME}/.cache/strawberry
-noblacklist ${HOME}/.config/strawberry
-noblacklist ${HOME}/.local/share/strawberry
-noblacklist ${MUSIC}
-#whitelist ${HOME}/.cache/strawberry
+whitelist ${HOME}/.cache/strawberry
 whitelist ${HOME}/.config/strawberry
 whitelist ${HOME}/.local/share/strawberry
 whitelist ${MUSIC}
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+include disable-shell.inc
+include disable-write-mnt.inc
 
-include whitelist-var-common.inc
 include whitelist-common.inc
 
-caps.drop all
 #net none
-netfilter
-nonewprivs
-noroot
-notv
-nou2f
-novideo
 protocol unix,inet,inet6
-# blacklisting of ioprio_set system calls breaks strawberry
-seccomp !ioprio
-shell none
-tracelog
 
-# disable-mnt
-private-cache
-private-dev
 private-etc asound.conf,group,localtime,machine-id,pulse,resolv.conf
-private-tmp
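Review bot: The rewritten .local keeps `whitelist ${HOME}/.config/strawberry` (and the .cache, .local/share and ${MUSIC} lines) but drops the matching `noblacklist` lines; a whitelist of a path that disable-programs.inc blacklists only takes effect if a `noblacklist` for it is also parsed, so this now depends on the upstream strawberry.profile, which pulls this file in via `include strawberry.local`, providing them — presumably it does in 0.9.66, but `firejail --debug strawberry` would confirm. The same dependency applies to the surviving `private-etc` and `protocol unix,inet,inet6` lines: if upstream sets them too, parse order decides which wins (a second `protocol` list is, as far as I recall, ignored with a warning), so the .local should only carry lines that actually differ from upstream. `#net none` is carried over disabled; a short comment saying when it is meant to be enabled would help.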
diff --git a/profiles/tome4.profile b/profiles/tome4.profile
index 7a6e3b4..ced0cbd 100644
--- a/profiles/tome4.profile
+++ b/profiles/tome4.profile
@@ -4,6 +4,8 @@ include tome4.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 noblacklist ${PATH}/lua*
 noblacklist /usr/lib/lua
 noblacklist /usr/include/lua*
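Review bot: `ignore include disable-shell.inc` re-allows shells inside a sandbox that already un-blacklists the lua interpreter (`noblacklist ${PATH}/lua*` and `/usr/lib/lua` below), so an attacker with code execution in the game has both an interpreter and a shell available; that may be unavoidable, but the hunk does not say why a shell is needed. I would record it next to the line, e.g. `# tome4 launcher needs a shell — TODO confirm`, so the exception can be removed later. As with any `ignore`, it only applies to commands parsed after it; the upstream `include disable-shell.inc` in tome4.profile is outside this hunk.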
diff --git a/profiles/toxic.profile b/profiles/toxic.profile
index 8b6bd53..33d0cde 100644
--- a/profiles/toxic.profile
+++ b/profiles/toxic.profile
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/tox
@@ -31,6 +32,7 @@ netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
diff --git a/profiles/unzip.local b/profiles/unzip.local
deleted file mode 100644
index 16050b4..0000000
--- a/profiles/unzip.local
+++ /dev/null
@@ -1 +0,0 @@
-noblacklist ${HOME}/packages/games/GOGLibrary
diff --git a/profiles/vlc.local b/profiles/vlc.local
index b57bc82..2785bb6 100644
--- a/profiles/vlc.local
+++ b/profiles/vlc.local
@@ -23,14 +23,13 @@ ignore ipc-namespace
 
 # # seccomp breaks integrated file manager on kde applications
 # # due to syscall name_to_handle_at
-# # kcmp syscall required by amdgpu hardware acceleration
-seccomp !name_to_handle_at,!kcmp
+seccomp !name_to_handle_at
 
 dbus-user none
 dbus-system none
 
-# private-dev breaks lirc support
-#ignore private-dev
+# # noinput breaks lirc support
+# ignore noinput
 
 # Allow paths for custom lirc config
 #whitelist ${HOME}/.lircrc
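Review bot: `seccomp !name_to_handle_at` takes that syscall off firejail's default seccomp blocklist, and the comment only says why KDE wants it, not why that is acceptable: name_to_handle_at/open_by_handle_at is blocked by default because with CAP_DAC_READ_SEARCH it lets a process open arbitrary host files by handle, so the exception is only tolerable while the profile keeps `caps.drop all` (which is not in this hunk; assuming upstream vlc.profile provides it). I would extend the comment, e.g. `# # only safe with caps.drop all: open_by_handle_at needs CAP_DAC_READ_SEARCH`. Dropping `!kcmp` reverts the amdgpu exception the old comment justified; if hardware acceleration still works it is presumably because the 0.9.66 default filter no longer blocks kcmp, which is worth a note so nobody re-adds it blindly.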
diff --git a/profiles/w3m.local b/profiles/w3m.local
index d925ca3..53edfe2 100644
--- a/profiles/w3m.local
+++ b/profiles/w3m.local
@@ -1,16 +1,4 @@
-mkdir ${HOME}/.w3m
-whitelist ${HOME}/.w3m
-
-ipc-namespace
-machine-id
 protocol inet,inet6
 
-disable-mnt
-
-memory-deny-write-execute
-
-dbus-user none
-dbus-system none
-
 # # Use with hardened-malloc package
 env LD_PRELOAD=/usr/lib/libhardened_malloc.so
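Review bot: Removing `dbus-user none`, `dbus-system none`, `memory-deny-write-execute`, `disable-mnt` and `ipc-namespace` from w3m.local loosens the sandbox unless the upstream w3m.profile in 0.9.66 now sets each of them; nothing in the hunk records that, and a .local that silently relies on upstream defaults regresses quietly when upstream changes. I would either leave a comment such as `# dbus, mdwe, disable-mnt and ipc-namespace now come from upstream w3m.profile (0.9.66)` or verify with `firejail --debug w3m` that the effective options still include them. The `whitelist ${HOME}/.w3m` line goes too; whether the config and cookie directory is still whitelisted now depends entirely on upstream, which cannot be seen from here.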
diff --git a/profiles/weechat.local b/profiles/weechat.local
index b9185ff..38d8565 100644
--- a/profiles/weechat.local
+++ b/profiles/weechat.local
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 whitelist ${HOME}/.weechat
@@ -22,7 +23,6 @@ whitelist ${HOME}/.weechat
 ignore ipc-namespace
 machine-id
 no3d
-nodvd
 nogroups
 # nosound
 nou2f
diff --git a/profiles/wesnoth.local b/profiles/wesnoth.local
index 6a17869..171c05a 100644
--- a/profiles/wesnoth.local
+++ b/profiles/wesnoth.local
@@ -13,6 +13,8 @@ ignore mkdir ${HOME}/.cache/wesnoth
 ignore whitelist ${HOME}/.cache/wesnoth
 
 include disable-exec.inc
+include disable-shell.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 # # alsa audio will work with ipc-namespace,
@@ -23,8 +25,6 @@ ignore net
 netfilter
 ignore no3d
 nogroups
-novideo
-protocol unix,inet,inet6
 shell none
 tracelog
 
diff --git a/profiles/x4-foundations.profile b/profiles/x4-foundations.profile
index eec47ee..e60b8c9 100644
--- a/profiles/x4-foundations.profile
+++ b/profiles/x4-foundations.profile
@@ -4,6 +4,8 @@ include x4-foundations.local
 # Persistent global definitions
 include globals.local
 
+ignore include disable-shell.inc
+
 noblacklist ${HOME}/.config/EgoSoft
 noblacklist ${HOME}/.config/EgoSoft/X4
 
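Review bot: `ignore include disable-shell.inc` re-enables shells inside the X4 sandbox without a comment explaining which part of the game needs one. A short why-comment on the line, e.g. `# X4 launcher needs /bin/sh — TODO confirm`, makes the widening deliberate and easy to revisit. The upstream `include disable-shell.inc` this negates is outside the hunk, and `ignore` only applies to lines parsed after it, so the placement at the top of the profile is what makes it work.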
-- 
cgit v1.2.1