Tighten multiple profiles.

This adds whitelist-var-common, machine-id, memory-deny-write-execute,
and noexec home and tmp when possible.

etc/gedit.profile

@@ -19,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 # net none - makes settings immutable
+machine-id
 no3d
 nodvd
 nogroups
@@ -37,5 +38,6 @@ private-dev
 # private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp

etc/gitter.profile

@@ -13,7 +13,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ${DOWNLOADS}
+whitelist ~/.config/autostart
+whitelist ~/.config/Gitter
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -25,7 +31,12 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
+disable-mnt
 private-bin bash,env,gitter
+private-etc fonts,pulse,resolv.conf
 private-opt Gitter
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp

etc/google-chrome.profile

@@ -21,6 +21,7 @@ whitelist ~/.cache/google-chrome
 whitelist ~/.config/google-chrome
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter

etc/handbrake.profile

@@ -19,7 +19,6 @@ netfilter
 nogroups
 nonewprivs
 noroot
-nosound
 novideo
 protocol unix,inet,inet6,netlink
 seccomp

etc/hexchat.profile

@@ -16,8 +16,10 @@ include /etc/firejail/disable-programs.inc
 mkdir ~/.config/hexchat
 whitelist ~/.config/hexchat
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+machine-id
 netfilter
 no3d
 nodvd
@@ -38,5 +40,6 @@ private-bin hexchat
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp

etc/keepassx.profile

@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 machine-id
 net none
@@ -36,5 +38,6 @@ private-dev
 private-etc fonts,machine-id
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp

etc/keepassx2.profile

@@ -1,38 +1,5 @@
 # Firejail profile for keepassx2
 # This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/keepassx2.local
-# Persistent global definitions
-include /etc/firejail/globals.local
 
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.config/keepassx
-noblacklist ${HOME}/.keepassx
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin keepassx2
-private-dev
-private-etc fonts
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
+# Redirects
+include /etc/firejail/keepassx.profile

etc/keepassxc.profile

@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d

etc/libreoffice.profile

@@ -17,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -29,6 +30,7 @@ shell none
 tracelog
 
 private-dev
+private-tmp
 
 noexec ${HOME}
 noexec /tmp

etc/pluma.profile

@@ -12,8 +12,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
+machine-id
 no3d
 nodvd
 nogroups
@@ -32,5 +35,6 @@ private-dev
 # private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp

etc/qbittorrent.profile

@@ -25,6 +25,7 @@ whitelist ~/.config/qBittorrentrc
 whitelist ~/.config/qt5ct
 whitelist ~/.local/share/data/qBittorrent
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -44,3 +45,7 @@ seccomp
 private-dev
 # private-etc X11,fonts,xdg,resolv.conf
 private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp

etc/stellarium.profile

@@ -18,8 +18,10 @@ mkdir ~/.stellarium
 whitelist ~/.config/stellarium
 whitelist ~/.stellarium
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -36,3 +38,6 @@ disable-mnt
 private-bin stellarium
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp

etc/thunderbird.profile

@@ -22,9 +22,11 @@ whitelist ~/.gnupg
 whitelist ~/.icedove
 whitelist ~/.thunderbird
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 ignore private-tmp
-
+machine-id
+disable-mnt
 read-only ~/.config/mimeapps.list
 
 # allow browsers

etc/vlc.profile

@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+machine-id
 netfilter
 # nogroups
 nonewprivs

etc/xed.profile

@@ -12,8 +12,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
+machine-id
 no3d
 nodvd
 nogroups
@@ -32,5 +35,6 @@ private-dev
 # private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp