Profile fixes

- Fix #4157 -- [Feature] Should rmenv GitHub auth tokens
  There are still more token variables from other program that should be
  added.
- Fix #4093 -- darktable needs read access to liblua*
- Fix #4383 -- move noblacklist ${HOME}/.bogofilter to email-common.profile for claws-mail (and other mailers)
- Fix xournalpp.profile
- syscalls.txt: ausyscall i386 -> firejail --debug-syscalls32

etc/inc/disable-passwdmgr.inc

@@ -17,3 +17,11 @@ blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.local/share/KeePass
 blacklist ${HOME}/.local/share/keepass
 blacklist ${HOME}/.password-store
+
+# Remove environment variables with auth tokens.
+# Note however that the sandbox might still have access to the
+# files where these variables are set.
+rmenv GH_TOKEN
+rmenv GITHUB_TOKEN
+rmenv GH_ENTERPRISE_TOKEN
+rmenv GITHUB_ENTERPRISE_TOKEN

etc/inc/disable-programs.inc

@@ -438,6 +438,7 @@ blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
 blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 blacklist ${HOME}/.config/xiaoyong
 blacklist ${HOME}/.config/xmms2
+blacklist ${HOME}/.config/xournalpp
 blacklist ${HOME}/.config/xplayer
 blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
@@ -1099,6 +1100,7 @@ blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
 blacklist ${HOME}/.cache/winetricks
 blacklist ${HOME}/.cache/xmms2
+blacklist ${HOME}/.cache/xournalpp
 blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/yandex-browser
 blacklist ${HOME}/.cache/yandex-browser-beta

etc/profile-a-l/darktable.profile

@@ -10,6 +10,8 @@ noblacklist ${HOME}/.cache/darktable
 noblacklist ${HOME}/.config/darktable
 noblacklist ${PICTURES}
 
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc

etc/profile-a-l/email-common.profile

@@ -7,6 +7,7 @@ include email-common.local
 # added by caller profile
 #include globals.local
 
+noblacklist ${HOME}/.bogofilter
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature

etc/profile-m-z/xournalpp.profile

@@ -7,23 +7,29 @@ include xournalpp.local
 # added by included profile
 #include globals.local
 
+noblacklist ${HOME}/.cache/xournalpp
+noblacklist ${HOME}/.config/xournalpp
 noblacklist ${HOME}/.xournalpp
 
 include allow-lua.inc
 
+whitelist /usr/share/pipewire
 whitelist /usr/share/texlive
 whitelist /usr/share/xournalpp
 whitelist /var/lib/texmf
 include whitelist-runuser-common.inc
 
-#mkdir ${HOME}/.xournalpp
+#mkdir ${HOME}/.cache/xournalpp
+#mkdir ${HOME}/.config/xournalpp
+#whitelist ${HOME}/.cache/xournalpp
+#whitelist ${HOME}/.config/xournalpp
 #whitelist ${HOME}/.xournalpp
 #whitelist ${HOME}/.texlive20*
 #whitelist ${DOCUMENTS}
 #include whitelist-common.inc
 
 private-bin kpsewhich,pdflatex,xournalpp
-private-etc latexmk.conf,texlive
+private-etc alternatives,latexmk.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,texlive
 
 # Redirect
 include xournal.profile

etc/templates/syscalls.txt

@@ -95,7 +95,7 @@ Now switch back to the first terminal (where `journalctl` is running) and look
 for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you
 have found them, you can stop `journalctl` (^C) and execute
 `firejail --debug-syscalls | grep NUMBER` to get the name of the syscall.
-In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`.
+In the particular case that it is a 32bit syscall on a 64bit system, use `firejail --debug-syscalls32 | grep NUMBER`.
 Now you can add a seccomp exception using `seccomp !NAME`.
 
 If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.