many profile cleanups

20 files changed, 83 insertions, 65 deletions

diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index b4325cd74..230a88472 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -14,9 +14,6 @@ include globals.local
 # or run "sudo firecfg"
 #
 
-
-blacklist /media
-
 whitelist /var/lib/xkb
 include whitelist-common.inc
 
@@ -34,6 +31,7 @@ protocol unix
 seccomp
 shell none
 
+disable-mnt
 # using a private home directory
 private
 # private-bin Xephyr,sh,xkbcomp
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index b2413ac73..3580f8336 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -17,8 +17,6 @@ include globals.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
 
-blacklist /media
-
 whitelist /var/lib/xkb
 include whitelist-common.inc
 
@@ -36,6 +34,7 @@ protocol unix
 seccomp
 shell none
 
+disable-mnt
 # using a private home directory
 private
 # private-bin Xvfb,sh,xkbcomp
diff --git a/etc/bitwarden.profile b/etc/bitwarden.profile
index 2a6fe9d42..609543e14 100644
--- a/etc/bitwarden.profile
+++ b/etc/bitwarden.profile
@@ -6,9 +6,10 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Bitwarden
 ignore noexec /tmp
 
+noblacklist ${HOME}/.config/Bitwarden
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -17,11 +18,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
-include whitelist-var-common.inc
-
+mkdir ${HOME}/.config/Bitwarden
 whitelist ${HOME}/.config/Bitwarden
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
diff --git a/etc/brave-browser.profile b/etc/brave-browser.profile
index 6d9d162fd..e223ecf87 100644
--- a/etc/brave-browser.profile
+++ b/etc/brave-browser.profile
@@ -1,6 +1,5 @@
 # Firejail profile alias for brave
 # This file is overwritten after every install/update
 
-
 # Redirect
 include brave.profile
diff --git a/etc/brave.profile b/etc/brave.profile
index cc003d49a..984fab5a8 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -6,6 +6,9 @@ include brave.local
 # Persistent global definitions
 include globals.local
 
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+
 noblacklist ${HOME}/.config/brave
 noblacklist ${HOME}/.config/BraveSoftware
 # brave uses gpg for built-in password manager
@@ -17,8 +20,5 @@ whitelist ${HOME}/.config/brave
 whitelist ${HOME}/.config/BraveSoftware
 whitelist ${HOME}/.gnupg
 
-# noexec /tmp is included in chromium-common.profile and breaks Brave
-ignore noexec /tmp
-
 # Redirect
 include chromium-common.profile
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index c8e85cf1f..d03a709ca 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -197,6 +197,7 @@ blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/kid3rc
@@ -204,13 +205,12 @@ blacklist ${HOME}/.config/klavaro
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kmailsearchindexingrc
-blacklist ${HOME}/.config/kritarc
-blacklist ${HOME}/.config/kwriterc
-blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/konversationrc
+blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
+blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
@@ -275,17 +275,17 @@ blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
-blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/telepathy-account-widgets
 blacklist ${HOME}/.config/torbrowser
 blacklist ${HOME}/.config/totem
 blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
-blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
@@ -328,7 +328,6 @@ blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
 blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs
 blacklist ${HOME}/.emacs.d
 blacklist ${HOME}/.ethereum
 blacklist ${HOME}/.etr
@@ -374,7 +373,6 @@ blacklist ${HOME}/.kde/share/apps/klatexformula
 blacklist ${HOME}/.kde/share/apps/konqsidebartng
 blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/ktorrent
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
@@ -499,8 +497,8 @@ blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
-blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
@@ -525,13 +523,13 @@ blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
+blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
@@ -632,8 +630,8 @@ blacklist ${HOME}/.wget-hsts
 blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
-blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.wine64
+blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms
diff --git a/etc/geary.profile b/etc/geary.profile
index a21eed9f1..a446c81d0 100644
--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -4,27 +4,25 @@
 # Persistent local customizations
 include geary.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
 
+ignore nodbus
+ignore private-tmp
+
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/geary
 
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/geary
-
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
 
-include whitelist-common.inc
-
-ignore nodbus
-ignore private-tmp
-
 read-only ${HOME}/.config/mimeapps.list
 
 # allow browsers
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 27e262f87..810684eae 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -9,12 +9,15 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-
-ignore noroot
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 apparmor
+caps.drop all
 hostname gzip
 ipc-namespace
 machine-id
@@ -23,10 +26,14 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
@@ -34,5 +41,3 @@ private-cache
 private-dev
 
 memory-deny-write-execute
-
-include default.profile
diff --git a/etc/less.profile b/etc/less.profile
index 5ad7cb959..bc85e5ad5 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -5,24 +5,33 @@ quiet
 # Persistent local customizations
 include less.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-ignore noroot
 apparmor
+caps.drop all
 ipc-namespace
 machine-id
 net none
 no3d
 nodbus
 nodvd
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 writable-var-log
@@ -35,5 +44,3 @@ private-cache
 private-dev
 
 memory-deny-write-execute
-
-include default.profile
diff --git a/etc/meld.profile b/etc/meld.profile
index 8aa30feff..34b1f22de 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -54,3 +54,4 @@ private-dev
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
 private-tmp
 
+read-only ${HOME}/.ssh
diff --git a/etc/midori.profile b/etc/midori.profile
index e4d39cd70..ffae4919f 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -6,6 +6,9 @@ include midori.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
@@ -13,9 +16,6 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
-# noexec ${HOME} breaks DRM binaries.
-?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/ms-skype.profile b/etc/ms-skype.profile
index 02084d923..df1618361 100644
--- a/etc/ms-skype.profile
+++ b/etc/ms-skype.profile
@@ -3,10 +3,13 @@
 # Persistent local customizations
 include ms-skype.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
-noblacklist ${HOME}/.cache/ms-skype-online
 ignore novideo
+
+noblacklist ${HOME}/.cache/ms-skype-online
+
 private-bin ms-skype
 
 # Redirect
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index bdd5404f5..299f807af 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,11 +6,11 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.purple
-
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
 
+noblacklist ${HOME}/.purple
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/strings.profile b/etc/strings.profile
index 0caecdf7b..ace0d9351 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -4,30 +4,43 @@ quiet
 # Persistent local customizations
 include strings.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-ignore noroot
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
+#private
 private-bin strings
 private-cache
 private-dev
 private-etc alternatives
 private-lib libfakeroot
+private-tmp
 
 memory-deny-write-execute
-
-include default.profile
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template
index 5a00933a5..0a0788e96 100644
--- a/etc/templates/redirect_alias-profile.template
+++ b/etc/templates/redirect_alias-profile.template
@@ -31,8 +31,6 @@ include PROFILE.local
 
 # Additional options (if needed)
 
-
-
 # Additional private-options (if needed)
 # Add programs to private-bin (if needed)
 #private-bin PROGRAMS
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index ec8247517..2464df9ee 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -4,19 +4,19 @@ Hints for writing seccomp.drop lines
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @module=delete_module,finit_module,init_module
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
-@reboot=kexec_load,kexec_file_load,reboot,
-@swap=swapon,swapoff
+@reboot=kexec_file_load,kexec_load,reboot
+@swap=swapoff,swapon
 
 @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
 
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
-@resources=set_mempolicy,migrate_pages,move_pages,mbind
+@resources=mbind,migrate_pages,move_pages,set_mempolicy
 
-@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 
-@default-nodebuggers=@default,ptrace,personality,process_vm_readv
+@default-nodebuggers=@default,personality,process_vm_readv,ptrace
 
 @default-keep=execve,prctl
 
diff --git a/etc/xlinks.profile b/etc/xlinks.profile
index 775d6f8ed..ad1511791 100644
--- a/etc/xlinks.profile
+++ b/etc/xlinks.profile
@@ -15,4 +15,4 @@ private-bin xlinks
 private-etc fonts
 
 # Redirect
-include links.profile
\ No newline at end of file
+include links.profile
diff --git a/etc/xpra.profile b/etc/xpra.profile
index fc861176f..dc8d7a665 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -14,8 +14,6 @@ include globals.local
 #
 # or run "sudo firecfg"
 
-blacklist /media
-
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -45,6 +43,7 @@ protocol unix
 seccomp
 shell none
 
+disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
 # private
 # older Xpra versions also use Xvfb
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 237f24fd1..1c2bad51c 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -7,6 +7,9 @@ include youtube-dl.local
 # Persistent global definitions
 include globals.local
 
+# breaks when installed via pip
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.netrc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
@@ -15,9 +18,6 @@ noblacklist ${VIDEOS}
 include allow-python2.inc
 include allow-python3.inc
 
-# breaks when installed via pip
-ignore noexec ${HOME}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/zpaq.profile b/etc/zpaq.profile
index 6d4501e4f..6bf3605eb 100644
--- a/etc/zpaq.profile
+++ b/etc/zpaq.profile
@@ -10,6 +10,5 @@ include zpaq.local
 # mdwx breaks 'list' functionality
 ignore memory-deny-write-execute
 
-
 # Redirect
 include cpio.profile