added ffmpeg.profile, removed ssh-agent from firecfg

README.md

@@ -180,4 +180,4 @@ calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
 calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
 imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
 ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
-conky, arch-audit
+conky, arch-audit, ffmpeg

etc/ffmpeg.profile

@@ -0,0 +1,33 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/ffmpeg.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nosound
+notv
+novideo
+nonewprivs
+noroot
+# protocol none - needs to be implemented!
+seccomp
+# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
+# memory-deny-write-execute - it breaks old versions of ffmpeg
+shell none
+tracelog
+
+private-tmp
+private-dev
+private-bin ffmpeg
+include /etc/firejail/whitelist-var-common.inc

platform/debian/conffiles

@@ -358,3 +358,4 @@
 /etc/firejail/yandex-browser.profile
 /etc/firejail/itch.profile
 /etc/firejail/whitelist-var-common.inc
+/etc/firejail/ffmpeg

src/firecfg/firecfg.config

@@ -99,6 +99,7 @@ evolution
 exiftool
 fbreader
 feh
+ffmpeg
 file-roller
 filezilla
 firefox
@@ -292,7 +293,7 @@ soundconverter
 spotify
 sqlitebrowser
 ssh
-ssh-agent
+# ssh-agent - problems on Arch with Fish shell (#1568)
 start-tor-browser
 steam
 stellarium