add firejail profiles

.config/firejail/brave.profile

@@ -0,0 +1,34 @@
+# Firejail profile for brave
+# Description: Web browser that blocks ads and trackers by default.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brave.local
+# Persistent global definitions
+include globals.local
+
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+
+noblacklist ${HOME}/.cache/BraveSoftware
+noblacklist ${HOME}/.config/BraveSoftware
+noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.config/brave-flags.conf
+# brave uses gpg for built-in password manager
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/dl
+
+mkdir ${HOME}/.cache/BraveSoftware
+mkdir ${HOME}/.config/BraveSoftware
+mkdir ${HOME}/.config/brave
+whitelist ${HOME}/.cache/BraveSoftware
+whitelist ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/brave
+whitelist ${HOME}/.config/brave-flags.conf
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/dl
+
+# Brave sandbox needs read access to /proc/config.gz
+noblacklist /proc/config.gz
+
+# Redirect
+include chromium-common.profile

.config/firejail/discord.profile

@@ -0,0 +1,23 @@
+# Firejail profile for discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discord
+noblacklist ${HOME}/pix/keyboards
+noblacklist ${HOME}/pix/memes
+noblacklist ${HOME}/pix/screengrabs
+
+mkdir ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
+whitelist ${HOME}/pix/memes
+whitelist ${HOME}/pix/sreengrabs
+whitelist ${HOME}/pix/keyboards
+
+private-bin discord
+private-opt discord
+
+# Redirect
+include discord-common.profile

.config/firejail/firefox-common.profile

@@ -0,0 +1,60 @@
+# Firejail profile for firefox-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
+#include firefox-common-addons.inc
+
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${HOME}/dl
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
+seccomp !chroot
+shell none
+# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
+#tracelog
+
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+# breaks various desktop integration features
+# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
+dbus-user none
+dbus-system none

.config/firejail/kdenlive.profile

@@ -0,0 +1,43 @@
+# Firejail profile for kdenlive
+# Description: Non-linear video editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdenlive.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/kdenlive
+noblacklist ${HOME}/.config/kdenliverc
+noblacklist ${HOME}/.local/share/kdenlive
+noblacklist ${HOME}/.local/share/kxmlgui5/kdenlive
+noblacklist ${HOME}/dox
+whitelist ${HOME}/dox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+#apparmor
+caps.drop all
+# net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
+private-dev
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+
+# dbus-user none
+# dbus-system none

.config/firejail/libreoffice.profile

@@ -0,0 +1,53 @@
+# Firejail profile for libreoffice
+# Description: Office productivity suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include libreoffice.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /usr/local/sbin
+noblacklist ${HOME}/.config/libreoffice
+noblacklist ${HOME}/dox
+whitelist ${HOME}/dox
+
+# libreoffice uses java for some certain operations
+# comment if you don't care about java functionality
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# ubuntu 18.04 comes with its own apparmor profile, but it is not in enforce mode.
+# comment the next line to use the ubuntu profile instead of firejail's apparmor profile
+#apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+# comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
+#nonewprivs
+noroot
+notv
+nou2f
+novideo
+# comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile
+protocol unix,inet,inet6
+# comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile
+seccomp
+shell none
+# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
+tracelog
+
+private-dev
+private-tmp
+
+dbus-system none
+
+join-or-start libreoffice

.config/firejail/newsboat.profile

@@ -0,0 +1,50 @@
+# Firejail profile for Newsboat
+# Description: RSS program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/newsboat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/newsboat
+whitelist ${HOME}/.config/newsboat
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin newsboat
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute

.config/firejail/transmission-common.profile

@@ -0,0 +1,56 @@
+# Firejail profile for transmission-common
+# Description: Fast, easy and free BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/dox/torrents
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+mkdir ${HOME}/dox/torrents
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+whitelist ${HOME}/dox/torrents
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute

.config/firejail/virtualbox.profile

@@ -0,0 +1,50 @@
+# Firejail profile for virtualbox
+# Description: x86 virtualization solution
+# This file is overwritten after every install/update
+# Persistent local customizations
+include virtualbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/.config/VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+# noblacklist /usr/bin/virtualbox
+noblacklist /usr/lib/virtualbox
+noblacklist /usr/lib64/virtualbox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/VirtualBox
+mkdir ${HOME}/VirtualBox VMs
+whitelist ${HOME}/.config/VirtualBox
+whitelist ${HOME}/VirtualBox VMs
+whitelist ${DOWNLOADS}
+whitelist /usr/share/virtualbox
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+
+caps.keep net_raw,sys_nice
+netfilter
+nodvd
+#nogroups
+notv
+shell none
+tracelog
+
+#disable-mnt
+private-cache
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+
+dbus-user none
+dbus-system none

.config/firejail/vlc.profile

@@ -0,0 +1,53 @@
+# Firejail profile for vlc
+# Description: Multimedia player and streamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vlc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/vlc
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/vlc
+noblacklist ${HOME}/vidz
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+read-only ${DESKTOP}
+mkdir ${HOME}/.cache/vlc
+mkdir ${HOME}/.config/vlc
+mkdir ${HOME}/.local/share/vlc
+whitelist ${HOME}/.cache/vlc
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.local/share/vlc
+whitelist ${HOME}/vidz
+include whitelist-common.inc
+include whitelist-players.inc
+include whitelist-var-common.inc
+
+#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
+private-dev
+private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
+
+# mdwe is disabled due to breaking hardware accelerated decoding
+#memory-deny-write-execute

.config/firejail/zoom.local

@@ -0,0 +1 @@
+protocol unix,inet,inet6,netlink\nignore seccomp\nseccomp \x21chroot