recalibrate dbus access, deploy nodbus option

see #1822 and #1825. also systematically replaces
'blacklist /run/user/*/bus' with 'nodbus'.

with contributions from @Fred-Barclay

README.md

@@ -259,9 +259,12 @@ enable/disable apparmor functionality globally. By default the flag is enabled.
 AppArmor deployment: we are starting apparmor by default for the following programs:
 - web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile)
 - torrent clients: transmission-qt, transmission-gtk, qbittorrent
-- media players: vlc, mpv, audacious, totem, rhythmbox
+- media players: vlc, mpv, audacious, totem, rhythmbox, kodi, smplayer, xplayer
 - media editing: kdenlive, audacity, handbrake, gimp, inkscape, krita, openshot
-- etc.: atril, gnome-calculator, galculator, eom, eog
+- image viewers: eom, eog, gwenview, xviewer
+- archive managers: ark, engrampa, file-roller
+- text editors: gedit, kwrite, pluma, xed
+- etc.: digikam, gnome-calculator, galculator, kcalc, okular, libreoffice, asunder
 
 Checking apparmor status:
 `````
@@ -294,4 +297,4 @@ Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-can
 pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
 tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
 gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8,
-thunderbird-beta
+thunderbird-beta

etc/7z.profile

@@ -6,12 +6,12 @@ include /etc/firejail/7z.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv

etc/apktool.profile

@@ -6,15 +6,14 @@ include /etc/firejail/apktool.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs

etc/ardour5.profile

@@ -5,8 +5,6 @@ include /etc/firejail/ardour5.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/ardour4
 noblacklist ${HOME}/.config/ardour5
 noblacklist ${HOME}/.lv2
@@ -20,6 +18,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs

etc/ark.profile

@@ -5,8 +5,6 @@ include /etc/firejail/ark.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/arkrc
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ apparmor
 caps.drop all
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs

etc/asunder.profile

@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 # nogroups
 nonewprivs
 noroot

etc/atom.profile

@@ -5,8 +5,6 @@ include /etc/firejail/atom.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 

etc/atril.profile

@@ -17,7 +17,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor
 caps.drop all
 machine-id
 no3d

etc/audacious.profile

@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nogroups
 nonewprivs
 noroot

etc/audacity.profile

@@ -5,8 +5,6 @@ include /etc/firejail/audacity.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.audacity-data
 
 include /etc/firejail/disable-common.inc
@@ -18,8 +16,9 @@ include /etc/firejail/whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#net none
+net none
 no3d
+# nodbus
 nodvd
 nogroups
 nonewprivs

etc/baobab.profile

@@ -5,8 +5,6 @@ include /etc/firejail/baobab.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs

etc/bleachbit.profile

@@ -5,8 +5,6 @@ include /etc/firejail/bleachbit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs

etc/bless.profile

@@ -5,8 +5,6 @@ include /etc/firejail/bless.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/bless
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs

etc/bluefish.profile

@@ -5,8 +5,6 @@ include /etc/firejail/bluefish.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -17,6 +15,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs

etc/calligra.profile

@@ -5,8 +5,6 @@ include /etc/firejail/calligra.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs

etc/catfish.profile

@@ -8,8 +8,6 @@ include /etc/firejail/globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/catfish
 
 include /etc/firejail/disable-common.inc

etc/chromium-common.profile

@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.keep sys_chroot,sys_admin
 netfilter
+nodbus
 nodvd
 nogroups
 notv
@@ -31,3 +32,6 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
+
+# the file dialog needs to work without d-bus
+env NO_CHROME_KDE_FILE_DIALOG=1

etc/cin.profile

@@ -5,8 +5,6 @@ include /etc/firejail/cin.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.bcast5
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs

etc/clamav.profile

@@ -6,12 +6,11 @@ include /etc/firejail/clamav.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs

etc/cpio.profile

@@ -6,7 +6,6 @@ include /etc/firejail/cpio.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 noblacklist /sbin
@@ -19,6 +18,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound

etc/default.profile

@@ -17,6 +17,7 @@ caps.drop all
 # ipc-namespace
 netfilter
 # no3d
+# nodbus
 # nodvd
 # nogroups
 nonewprivs

etc/dex2jar.profile

@@ -6,8 +6,6 @@ include /etc/firejail/dex2jar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs

etc/dia.profile

@@ -5,8 +5,6 @@ include /etc/firejail/dia.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.dia
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs

etc/digikam.profile

@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs

etc/display.profile

@@ -5,8 +5,6 @@ include /etc/firejail/display.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs

etc/ebook-viewer.profile

@@ -1,9 +1,8 @@
 # Firejail profile alias for calibre
 # This file is overwritten after every install/update
 
-blacklist /run/user/*/bus
-
 net none
+nodbus
 
 # Redirect
 include /etc/firejail/calibre.profile

etc/engrampa.profile

@@ -5,18 +5,20 @@ include /etc/firejail/engrampa.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# following line makes settings immutable
+apparmor
 caps.drop all
-# net none - makes settings immutable
+net none
 no3d
+# following line makes settings immutable
+nodbus
 nodvd
 nogroups
 nonewprivs