From 1094e1a6fbcacfda8a259b630927546f1ba585d3 Mon Sep 17 00:00:00 2001 From: kortewegdevries Date: Fri, 13 Nov 2020 09:07:38 +0000 Subject: [PATCH 1/4] Add profile for authenticator-rs, improve falkon, balsa --- etc/inc/disable-programs.inc | 1 + etc/profile-a-l/authenticator-rs.profile | 55 ++++++++++++++++++++++++ etc/profile-a-l/balsa.profile | 5 ++- etc/profile-a-l/falkon.profile | 16 +++++-- src/firecfg/firecfg.config | 1 + 5 files changed, 73 insertions(+), 5 deletions(-) create mode 100644 etc/profile-a-l/authenticator-rs.profile
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 7e3c0b657ac..32976f24173 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -584,6 +584,7 @@ blacklist ${HOME}/.local/share/agenda
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/autokey
+blacklist ${HOME}/.local/share/authenticator-rs
 blacklist ${HOME}/.local/share/backintime
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/barrier
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
new file mode 100644
index 00000000000..fe0bb54f48e
--- /dev/null
+++ b/etc/profile-a-l/authenticator-rs.profile
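Review bot: The new `blacklist ${HOME}/.local/share/authenticator-rs` line is placed after `autokey`, but the surrounding entries (agenda, apps/korganizer, aspyr-media, autokey, backintime, baloo, barrier) are kept in alphabetical order and `authenticator-rs` sorts before `autokey`; the firecfg.config hunk later in this same patch already puts it in the right place. Move the line one up so it sits between `aspyr-media` and `autokey`, which keeps the file greppable and avoids a duplicate entry being added at the correct spot later.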
@@ -0,0 +1,55 @@
+# Firejail profile for authenticator-rs
+# Description: Rust based 2FA authentication program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include authenticator-rs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/authenticator-rs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/authenticator-rs
+whitelist ${HOME}/.local/share/authenticator-rs
+whitelist ${DOWNLOADS}
+whitelist /usr/share/uk.co.grumlimited.authenticator-rs
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin authenticator-rs
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own uk.co.grumlimited.authenticator-rs
+dbus-system none
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index a401ac5922c..75e496de50b 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -69,10 +69,11 @@ writable-run-user
 writable-var
 dbus-user filter
-dbus-user.own org.desktop.Balsa
 dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.secrets
+dbus-user.own org.desktop.Balsa
 dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.Keyring.SystemPrompter
 dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini
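Review bot: The profile keeps networking enabled (`netfilter`, `protocol unix,inet,inet6`, and `ca-certificates`/`ssl`/`pki`/`resolv.conf` in `private-etc`) for a program whose only sensitive asset is the TOTP seed store under `${HOME}/.local/share/authenticator-rs`, which makes the network the obvious exfiltration path if the sandboxed process is ever compromised. Unless a feature of authenticator-rs genuinely needs it, `net none` would close that path; if a feature does need it (presumably something like downloading account icons, which I cannot confirm from here), record it so nobody tightens it blindly, e.g. `# net none breaks <feature>`. The same question applies to `whitelist ${DOWNLOADS}`: a TOTP generator has no evident need for the whole Downloads directory, so either note what it is for (backup import/export?) or drop it, since every writable whitelist widens what the process can read and plant.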
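Review bot: The new rule `dbus-user.talk org.gnome.Keyring.SystemPrompter` spells `Keyring` with a capital K; the name the gcr/gnome-keyring system prompter registers is, to my recollection, `org.gnome.keyring.SystemPrompter`, and D-Bus names are case-sensitive, so as written the rule would match nothing and keyring unlock prompts would remain blocked by the filter. Please check the live name with `busctl --user list` while the prompter is up and correct the line to `dbus-user.talk org.gnome.keyring.SystemPrompter` if so. The remaining lines of the hunk only reorder existing rules.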
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 0024b6660bd..70a2226024c 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -15,15 +15,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/falkon
 mkdir ${HOME}/.config/falkon
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon
+whitelist /usr/share/falkon
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -31,13 +36,18 @@ nogroups
 nonewprivs
 noroot
 notv
-nou2f
+?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
 seccomp !chroot
 # tracelog
-private-dev
-# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
+disable-mnt
+private-cache
+?BROWSER_DISABLE_U2F: private-dev
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 # private-tmp - interferes with the opening of downloaded files
+dbus-user filter
+dbus-user.own org.kde.Falkon
+dbus-system none
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index b0a223911e2..10ef0ecba6a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -63,6 +63,7 @@ audacious
 audacity
 audio-recorder
 authenticator
+authenticator-rs
 autokey-gtk
 autokey-qt
 autokey-run
From d93534b94cdec4e58777fff810de4d2ed545e8cc Mon Sep 17 00:00:00 2001
From: kortewegdevries Date: Thu, 19 Nov 2020 11:08:52 +0000 Subject: [PATCH 2/4] Fix --- etc/profile-a-l/authenticator-rs.profile | 2 +- etc/profile-a-l/balsa.profile | 2 +- etc/profile-a-l/falkon.profile | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index fe0bb54f48e..1eb802d9bd6 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -51,5 +51,5 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk
 private-tmp
 dbus-user filter
-dbus-user.own uk.co.grumlimited.authenticator-rs
+dbus-user.talk ca.desrt.dconf
 dbus-system none
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 75e496de50b..04de896a57e 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -69,8 +69,8 @@ writable-run-user
 writable-var
 dbus-user filter
-dbus-user.talk ca.desrt.dconf
 dbus-user.own org.desktop.Balsa
+dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.Keyring.SystemPrompter
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 70a2226024c..47c93374c40 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -36,7 +36,7 @@ nogroups
 nonewprivs
 noroot
 notv
-?BROWSER_DISABLE_U2F: nou2f
+nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
 seccomp !chroot
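Review bot: Replacing `?BROWSER_DISABLE_U2F: nou2f` with an unconditional `nou2f` removes the `BROWSER_DISABLE_U2F` switch that the previous patch introduced for Falkon (and that, as far as I recall, the other browser profiles use so users who need hardware tokens can keep them reachable via globals.local), and nothing in the hunk says why Falkon should differ. If the reason is that Falkon's QtWebEngine build cannot do WebAuthn/U2F at all, a comment would stop the next maintainer from reintroducing the conditional, e.g. `# QtWebEngine has no WebAuthn/U2F support, so the BROWSER_DISABLE_U2F switch is not used here`; if U2F can work, the conditional should stay. The same question applies to the `private-dev` counterpart in the following hunk, since `/dev/hidraw*` is what a U2F token needs.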
@@ -44,10 +44,10 @@ seccomp !chroot
 disable-mnt
 private-cache
-?BROWSER_DISABLE_U2F: private-dev
+private-dev
 private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 # private-tmp - interferes with the opening of downloaded files
-dbus-user filter
-dbus-user.own org.kde.Falkon
+# dbus-user filter
+# dbus-user.own org.kde.Falkon
 dbus-system none
From 9264e3d9f479f9c0b8ace4e9073a7ca56aecdf9f Mon Sep 17 00:00:00 2001 From: kortewegdevries Date: Mon, 23 Nov 2020 10:42:42 +0000 Subject: [PATCH 3/4] Add private-tmp to falkon --- etc/profile-a-l/falkon.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 47c93374c40..640b0e485bc 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -43,10 +43,11 @@ seccomp !chroot
 # tracelog
 disable-mnt
+# private-bin falkon
 private-cache
 private-dev
 private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
-# private-tmp - interferes with the opening of downloaded files
+private-tmp
 # dbus-user filter
 # dbus-user.own org.kde.Falkon
From 4d2185090ad22fe5afb8b92de74d67d8474ca743 Mon Sep 17 00:00:00 2001 From: kortewegdevries Date: Mon, 7 Dec 2020 03:42:40 +0000 Subject: [PATCH 4/4] Revert balsa --- etc/profile-a-l/balsa.profile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 04de896a57e..a401ac5922c 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
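Review bot: Commenting out `dbus-user filter` and `dbus-user.own org.kde.Falkon` does not fall back to anything restrictive: when a profile has no `dbus-user` directive firejail leaves the session bus fully reachable, so after this hunk the browser, the one process in this series that renders untrusted web content, can talk to every service on the user's bus while `dbus-system none` still applies to the system bus. If the filter broke a feature (the KWallet password backend reaching `org.kde.kwalletd5`, or desktop notifications, would be my guess, but the hunk does not say), the better fix is to keep `dbus-user filter` and add the one `dbus-user.talk` rule that feature needs. At minimum the disabled lines should carry the reason, e.g. `# dbus-user filter - breaks <what>`, following the convention used two lines above for private-tmp, so the filter can be restored once the culprit is known.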
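Review bot: The added `# private-bin falkon` is a disabled directive with no reason attached, while the `# private-tmp - interferes with the opening of downloaded files` line this hunk removes shows the file's convention of recording why an option is off. Either enable `private-bin falkon` together with whatever helper binaries Falkon execs (which I cannot tell from the hunk), or write `# private-bin falkon - <reason>` so the next reader does not retry it blindly. Enabling `private-tmp` also silently drops the earlier note that it broke opening downloaded files; if that was retested and now works, a short comment or commit-message sentence saying so would keep the history honest.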
@@ -71,9 +71,8 @@ writable-var
 dbus-user filter
 dbus-user.own org.desktop.Balsa
 dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
-dbus-user.talk org.gnome.Keyring.SystemPrompter
+dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini