various profile enhancements

* okular needs kdeinit4 for open file dialog since recently
* memory-deny-write-execute should be a safe addition for
  desktop use of dnscrypt and unbound
* cleanup works

etc/baloo_file.profile

@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd
@@ -29,8 +31,10 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+shell none
 x11 xorg
 
+private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
 private-dev
 private-tmp
 

etc/disable-programs.inc

@@ -378,6 +378,7 @@ blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser-en
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknow-horizons

etc/dnscrypt-proxy.profile

@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute

etc/dnsmasq.profile

@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc

etc/evince.profile

@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd
@@ -28,7 +29,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-# net none breaks AppArmor on Ubuntu systems
 
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev

etc/ffmpeg.profile

@@ -1,4 +1,4 @@
-# Firejail profile for default
+# Firejail profile for ffmpeg
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
@@ -23,11 +25,11 @@ noroot
 # protocol none - needs to be implemented!
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
-# memory-deny-write-execute - it breaks old versions of ffmpeg
 shell none
 tracelog
 
-private-tmp
-private-dev
 private-bin ffmpeg
-include /etc/firejail/whitelist-var-common.inc
+private-dev
+private-tmp
+
+# memory-deny-write-execute - it breaks old versions of ffmpeg

etc/okular.profile

@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin okular,kbuildsycoca4,lpr
+# private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
 private-tmp

etc/unbound.profile

@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute