profile fixes (2)

author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-08-09 20:16:35 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-08-09 20:16:35 +0200
commit: 613dad2103e5690e621a9182a520890f17b69a3c (patch)
tree: 8b43e1dc007907a8787b8b880261feb504dfb368
parent: profile fixes (1) (diff)
download: firejail-613dad2103e5690e621a9182a520890f17b69a3c.tar.gz
firejail-613dad2103e5690e621a9182a520890f17b69a3c.tar.zst
firejail-613dad2103e5690e621a9182a520890f17b69a3c.zip
23 files changed, 43 insertions, 26 deletions
diff --git a/etc/allow-ruby.inc b/etc/allow-ruby.inc
new file mode 100644
index 000000000..3165a981a
--- /dev/null
+++ b/etc/allow-ruby.inc
@@ -0,0 +1,2 @@
+noblacklist ${PATH}/ruby
+noblacklist /usr/lib/ruby
diff --git a/etc/anki.profile b/etc/anki.profile
index c349376ff..a0a79ef48 100644
--- a/etc/anki.profile
+++ b/etc/anki.profile
@@ -42,7 +42,8 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 tracelog
diff --git a/etc/artha.profile b/etc/artha.profile
index f1d30a415..e7278fe10 100644
--- a/etc/artha.profile
+++ b/etc/artha.profile
@@ -16,7 +16,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-mkdir ${HOME}/.config/artha.conf
+mkfile ${HOME}/.config/artha.conf
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/artha.conf
 whitelist ${HOME}/.config/enchant
diff --git a/etc/baobab.profile b/etc/baobab.profile
index c419aa202..eb0064115 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
-nodbus
+#nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index d06eb7a65..ab68c7f13 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -41,7 +41,7 @@ tracelog
 private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index 33c0a3369..1790b0b17 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -16,7 +16,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-whitelist /usr/share/doc
+whitelist /usr/share/doc/claws-mail
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-usr-share-common.inc
diff --git a/etc/cmus.profile b/etc/cmus.profile
index 7e12a06de..fa1e5d722 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 1b80981f7..e66434444 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -32,7 +32,8 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
diff --git a/etc/evince.profile b/etc/evince.profile
index ba68e45b4..143a347e6 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
-private-etc alternatives,fonts,group,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 # private-lib might break two-page-view on some systems
-private-lib evince,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index e455d32c7..e9c7d290a 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -17,6 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 whitelist /usr/share/perl5
+whitelist /usr/share/perl-image-exiftool
 include whitelist-usr-share-common.inc
 apparmor
diff --git a/etc/freecad.profile b/etc/freecad.profile
index 079c85fb1..6f0f52a55 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -9,6 +9,10 @@ include globals.local
 noblacklist ${HOME}/.config/FreeCAD
 noblacklist ${DOCUMENTS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -33,7 +37,7 @@ protocol unix
 seccomp
 shell none
-private-bin freecad,freecadcmd
+private-bin freecad,freecadcmd,python*
 private-cache
 private-dev
 private-tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 6d575e850..7dd6f270e 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -42,6 +42,6 @@ tracelog
 # private-bin gedit
 private-dev
-private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-3.0.so.*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
+private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index d032c93e6..835205f03 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -26,14 +26,12 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 caps.drop all
-machine-id
 netfilter
 no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-nosound
 notv
 nou2f
 novideo
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 6e587fc6a..56cd66199 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -27,6 +27,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 673c9fd0b..99945bdc9 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -32,14 +32,13 @@ nou2f
 novideo
 protocol unix
 seccomp
-# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
 shell none
 tracelog
 # private-bin mupdf,rm,sh,tempfile
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
-memory-deny-write-execute
+# memory-deny-write-execute
 read-only ${HOME}
diff --git a/etc/musescore.profile b/etc/musescore.profile
index 9750a31f4..b3693c956 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -33,7 +33,8 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 tracelog
diff --git a/etc/neverputt.profile b/etc/neverputt.profile
index 93fb14e07..d370d1218 100644
--- a/etc/neverputt.profile
+++ b/etc/neverputt.profile
@@ -5,5 +5,7 @@ include neverputt.local
 # added by included profile
 #include globals.local
+private-bin neverputt
 # Redirect
 include neverball.profile
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 5bbe1386f..0ae9f08af 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -16,11 +16,12 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-mkfile ${HOME}/.config/pavucontrol.ini
+# whitelisting in ${HOME} is broken, see #3112
-whitelist ${HOME}/.config/pavucontrol.ini
+#mkfile ${HOME}/.config/pavucontrol.ini
+#whitelist ${HOME}/.config/pavucontrol.ini
 whitelist /usr/share/pavucontrol
 whitelist /usr/share/pavucontrol-qt
-include whitelist-common.inc
+#include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,6 +40,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
 private-bin pavucontrol
@@ -48,4 +50,5 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
 private-lib
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+# mdwe is broken under Wayland, but works under Xorg.
+#memory-deny-write-execute
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index 087f90966..16fffe517 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -36,10 +36,10 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 disable-mnt
 private-dev
 private-tmp
diff --git a/etc/quassel.profile b/etc/quassel.profile
index a78d1edcd..c65089e20 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -19,7 +19,8 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 private-cache
 private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index dcf6dd201..7bfc3cf0d 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -87,6 +87,9 @@ include globals.local
 # Allow lua (blacklisted by disable-interpreters.inc)
 #include allow-lua.inc
+# Allow ruby (blacklisted by disable-interpreters.inc)
+#include allow-ruby.inc
 # Allows files commonly used by IDEs
 #include allow-common-devel.inc
diff --git a/etc/wget.profile b/etc/wget.profile
index 4bf354652..9c2cddb67 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -35,6 +35,6 @@ shell none
 # private-bin wget
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl
+# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 # private-tmp
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 74c07d96b..5fa72c9dc 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -56,7 +56,7 @@ tracelog
 private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-08-09 20:16:35 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-08-09 20:16:35 +0200
commit	613dad2103e5690e621a9182a520890f17b69a3c (patch)
tree	8b43e1dc007907a8787b8b880261feb504dfb368
parent	profile fixes (1) (diff)
download	firejail-613dad2103e5690e621a9182a520890f17b69a3c.tar.gz firejail-613dad2103e5690e621a9182a520890f17b69a3c.tar.zst firejail-613dad2103e5690e621a9182a520890f17b69a3c.zip

diff --git a/etc/allow-ruby.inc b/etc/allow-ruby.inc new file mode 100644 index 000000000..3165a981a --- /dev/null +++ b/etc/allow-ruby.inc
@@ -0,0 +1,2 @@
		1	noblacklist ${PATH}/ruby
		2	noblacklist /usr/lib/ruby


diff --git a/etc/anki.profile b/etc/anki.profile index c349376ff..a0a79ef48 100644 --- a/etc/anki.profile +++ b/etc/anki.profile
@@ -42,7 +42,8 @@ notv
42	nou2f	42	nou2f
43	novideo	43	novideo
44	protocol unix,inet,inet6	44	protocol unix,inet,inet6
45	seccomp	45	# QtWebengine needs chroot to set up its own sandbox
		46	seccomp !chroot
46	shell none	47	shell none
47	tracelog	48	tracelog
48		49


diff --git a/etc/artha.profile b/etc/artha.profile index f1d30a415..e7278fe10 100644 --- a/etc/artha.profile +++ b/etc/artha.profile
@@ -16,7 +16,7 @@ include disable-interpreters.inc
16	include disable-passwdmgr.inc	16	include disable-passwdmgr.inc
17	include disable-programs.inc	17	include disable-programs.inc
18		18
19	mkdir ${HOME}/.config/artha.conf	19	mkfile ${HOME}/.config/artha.conf
20	mkdir ${HOME}/.config/enchant	20	mkdir ${HOME}/.config/enchant
21	whitelist ${HOME}/.config/artha.conf	21	whitelist ${HOME}/.config/artha.conf
22	whitelist ${HOME}/.config/enchant	22	whitelist ${HOME}/.config/enchant


diff --git a/etc/baobab.profile b/etc/baobab.profile index c419aa202..eb0064115 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
16	caps.drop all	16	caps.drop all
17	net none	17	net none
18	no3d	18	no3d
19	nodbus	19	#nodbus
20	nodvd	20	nodvd
21	nogroups	21	nogroups
22	nonewprivs	22	nonewprivs


diff --git a/etc/celluloid.profile b/etc/celluloid.profile index d06eb7a65..ab68c7f13 100644 --- a/etc/celluloid.profile +++ b/etc/celluloid.profile
@@ -41,7 +41,7 @@ tracelog
41		41
42	private-bin celluloid,env,gnome-mpv,python*,youtube-dl	42	private-bin celluloid,env,gnome-mpv,python*,youtube-dl
43	private-cache	43	private-cache
44	private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg	44	private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
45	private-dev	45	private-dev
46	private-tmp	46	private-tmp
47		47


diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index 33c0a3369..1790b0b17 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile
@@ -16,7 +16,7 @@ include disable-interpreters.inc
16	include disable-passwdmgr.inc	16	include disable-passwdmgr.inc
17	include disable-programs.inc	17	include disable-programs.inc
18		18
19	whitelist /usr/share/doc	19	whitelist /usr/share/doc/claws-mail
20	whitelist /usr/share/gnupg	20	whitelist /usr/share/gnupg
21	whitelist /usr/share/gnupg2	21	whitelist /usr/share/gnupg2
22	include whitelist-usr-share-common.inc	22	include whitelist-usr-share-common.inc


diff --git a/etc/cmus.profile b/etc/cmus.profile index 7e12a06de..fa1e5d722 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile
@@ -27,4 +27,4 @@ seccomp
27	shell none	27	shell none
28		28
29	private-bin cmus	29	private-bin cmus
30	private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,ssl	30	private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl


diff --git a/etc/digikam.profile b/etc/digikam.profile index 1b80981f7..e66434444 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile
@@ -32,7 +32,8 @@ nonewprivs
32	noroot	32	noroot
33	notv	33	notv
34	protocol unix,inet,inet6,netlink	34	protocol unix,inet,inet6,netlink
35	seccomp	35	# QtWebengine needs chroot to set up its own sandbox
		36	seccomp !chroot
36	shell none	37	shell none
37		38
38	# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device	39	# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device


diff --git a/etc/evince.profile b/etc/evince.profile index ba68e45b4..143a347e6 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -47,7 +47,7 @@ tracelog
47	private-bin evince,evince-previewer,evince-thumbnailer	47	private-bin evince,evince-previewer,evince-thumbnailer
48	private-cache	48	private-cache
49	private-dev	49	private-dev
50	private-etc alternatives,fonts,group,machine-id,passwd	50	private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
51	# private-lib might break two-page-view on some systems	51	# private-lib might break two-page-view on some systems
52	private-lib evince,gconv,gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libdjvulibre.so.,libgconf-2.so.,libgraphite2.so.,libpoppler-glib.so.,librsvg-2.so.,libspectre.so.*	52	private-lib evince,gcc///libgcc_s.so.,gcc///libstdc++.so.,gconv,gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libdjvulibre.so.,libgconf-2.so.,libgraphite2.so.,libpoppler-glib.so.,librsvg-2.so.,libspectre.so.*
53	private-tmp	53	private-tmp


diff --git a/etc/exiftool.profile b/etc/exiftool.profile index e455d32c7..e9c7d290a 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile
@@ -17,6 +17,7 @@ include disable-passwdmgr.inc
17	include disable-programs.inc	17	include disable-programs.inc
18		18
19	whitelist /usr/share/perl5	19	whitelist /usr/share/perl5
		20	whitelist /usr/share/perl-image-exiftool
20	include whitelist-usr-share-common.inc	21	include whitelist-usr-share-common.inc
21		22
22	apparmor	23	apparmor


diff --git a/etc/freecad.profile b/etc/freecad.profile index 079c85fb1..6f0f52a55 100644 --- a/etc/freecad.profile +++ b/etc/freecad.profile
@@ -9,6 +9,10 @@ include globals.local
9	noblacklist ${HOME}/.config/FreeCAD	9	noblacklist ${HOME}/.config/FreeCAD
10	noblacklist ${DOCUMENTS}	10	noblacklist ${DOCUMENTS}
11		11
		12	# Allow python (blacklisted by disable-interpreters.inc)
		13	include allow-python2.inc
		14	include allow-python3.inc
		15
12	include disable-common.inc	16	include disable-common.inc
13	include disable-devel.inc	17	include disable-devel.inc
14	include disable-exec.inc	18	include disable-exec.inc
@@ -33,7 +37,7 @@ protocol unix
33	seccomp	37	seccomp
34	shell none	38	shell none
35		39
36	private-bin freecad,freecadcmd	40	private-bin freecad,freecadcmd,python*
37	private-cache	41	private-cache
38	private-dev	42	private-dev
39	private-tmp	43	private-tmp


diff --git a/etc/gedit.profile b/etc/gedit.profile index 6d575e850..7dd6f270e 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile
@@ -42,6 +42,6 @@ tracelog
42		42
43	# private-bin gedit	43	# private-bin gedit
44	private-dev	44	private-dev
45	private-lib aspell,gconv,gedit,libgspell-1.so.,libgtksourceview-3.0.so.,libpeas-gtk-1.0.so.,libreadline.so.,libtinfo.so.*	45	private-lib aspell,gconv,gedit,libgspell-1.so.,libgtksourceview-,libpeas-gtk-1.0.so.,libreadline.so.,libtinfo.so.*
46	private-tmp	46	private-tmp
47		47


diff --git a/etc/hexchat.profile b/etc/hexchat.profile index d032c93e6..835205f03 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile
@@ -26,14 +26,12 @@ include whitelist-common.inc
26	include whitelist-var-common.inc	26	include whitelist-var-common.inc
27		27
28	caps.drop all	28	caps.drop all
29	machine-id
30	netfilter	29	netfilter
31	no3d	30	no3d
32	nodvd	31	nodvd
33	nogroups	32	nogroups
34	nonewprivs	33	nonewprivs
35	noroot	34	noroot
36	nosound
37	notv	35	notv
38	nou2f	36	nou2f
39	novideo	37	novideo


diff --git a/etc/mpv.profile b/etc/mpv.profile index 6e587fc6a..56cd66199 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile
@@ -27,6 +27,7 @@ include disable-passwdmgr.inc
27	include disable-programs.inc	27	include disable-programs.inc
28	include disable-xdg.inc	28	include disable-xdg.inc
29		29
		30	whitelist /usr/share/vulkan
30	include whitelist-usr-share-common.inc	31	include whitelist-usr-share-common.inc
31	include whitelist-var-common.inc	32	include whitelist-var-common.inc
32		33


diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 673c9fd0b..99945bdc9 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile
@@ -32,14 +32,13 @@ nou2f
32	novideo	32	novideo
33	protocol unix	33	protocol unix
34	seccomp	34	seccomp
35	# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
36	shell none	35	shell none
37	tracelog	36	tracelog
38		37
39	# private-bin mupdf,rm,sh,tempfile	38	# private-bin mupdf,rm,sh,tempfile
40	private-dev	39	private-dev
41	private-etc alternatives,fonts	40	private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
42	private-tmp	41	private-tmp
43		42
44	memory-deny-write-execute	43	# memory-deny-write-execute
45	read-only ${HOME}	44	read-only ${HOME}


diff --git a/etc/musescore.profile b/etc/musescore.profile index 9750a31f4..b3693c956 100644 --- a/etc/musescore.profile +++ b/etc/musescore.profile
@@ -33,7 +33,8 @@ noroot
33	notv	33	notv
34	novideo	34	novideo
35	protocol unix,inet,inet6	35	protocol unix,inet,inet6
36	seccomp	36	# QtWebengine needs chroot to set up its own sandbox
		37	seccomp !chroot
37	shell none	38	shell none
38	tracelog	39	tracelog
39		40


diff --git a/etc/neverputt.profile b/etc/neverputt.profile index 93fb14e07..d370d1218 100644 --- a/etc/neverputt.profile +++ b/etc/neverputt.profile
@@ -5,5 +5,7 @@ include neverputt.local
5	# added by included profile	5	# added by included profile
6	#include globals.local	6	#include globals.local
7		7
		8	private-bin neverputt
		9
8	# Redirect	10	# Redirect
9	include neverball.profile	11	include neverball.profile


diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile index 5bbe1386f..0ae9f08af 100644 --- a/etc/pavucontrol.profile +++ b/etc/pavucontrol.profile
@@ -16,11 +16,12 @@ include disable-passwdmgr.inc
16	include disable-programs.inc	16	include disable-programs.inc
17	include disable-xdg.inc	17	include disable-xdg.inc
18		18
19	mkfile ${HOME}/.config/pavucontrol.ini	19	# whitelisting in ${HOME} is broken, see #3112
20	whitelist ${HOME}/.config/pavucontrol.ini	20	#mkfile ${HOME}/.config/pavucontrol.ini
		21	#whitelist ${HOME}/.config/pavucontrol.ini
21	whitelist /usr/share/pavucontrol	22	whitelist /usr/share/pavucontrol
22	whitelist /usr/share/pavucontrol-qt	23	whitelist /usr/share/pavucontrol-qt
23	include whitelist-common.inc	24	#include whitelist-common.inc
24	include whitelist-usr-share-common.inc	25	include whitelist-usr-share-common.inc
25	include whitelist-var-common.inc	26	include whitelist-var-common.inc
26		27
@@ -39,6 +40,7 @@ novideo
39	protocol unix,inet,inet6	40	protocol unix,inet,inet6
40	seccomp	41	seccomp
41	shell none	42	shell none
		43	tracelog
42		44
43	disable-mnt	45	disable-mnt
44	private-bin pavucontrol	46	private-bin pavucontrol
@@ -48,4 +50,5 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
48	private-lib	50	private-lib
49	private-tmp	51	private-tmp
50		52
51	#memory-deny-write-execute - breaks on Arch (see issue #1803)	53	# mdwe is broken under Wayland, but works under Xorg.
		54	#memory-deny-write-execute


diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 087f90966..16fffe517 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile
@@ -36,10 +36,10 @@ notv
36	nou2f	36	nou2f
37	novideo	37	novideo
38	protocol unix,inet,inet6	38	protocol unix,inet,inet6
39	seccomp	39	# QtWebengine needs chroot to set up its own sandbox
		40	seccomp !chroot
40	shell none	41	shell none
41		42
42	disable-mnt	43	disable-mnt
43	private-dev	44	private-dev
44	private-tmp	45	private-tmp
45


diff --git a/etc/quassel.profile b/etc/quassel.profile index a78d1edcd..c65089e20 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile
@@ -19,7 +19,8 @@ nonewprivs
19	noroot	19	noroot
20	notv	20	notv
21	protocol unix,inet,inet6	21	protocol unix,inet,inet6
22	seccomp	22	# QtWebengine needs chroot to set up its own sandbox
		23	seccomp !chroot
23		24
24	private-cache	25	private-cache
25	private-tmp	26	private-tmp


diff --git a/etc/templates/profile.template b/etc/templates/profile.template index dcf6dd201..7bfc3cf0d 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template
@@ -87,6 +87,9 @@ include globals.local
87	# Allow lua (blacklisted by disable-interpreters.inc)	87	# Allow lua (blacklisted by disable-interpreters.inc)
88	#include allow-lua.inc	88	#include allow-lua.inc
89		89
		90	# Allow ruby (blacklisted by disable-interpreters.inc)
		91	#include allow-ruby.inc
		92
90	# Allows files commonly used by IDEs	93	# Allows files commonly used by IDEs
91	#include allow-common-devel.inc	94	#include allow-common-devel.inc
92		95


diff --git a/etc/wget.profile b/etc/wget.profile index 4bf354652..9c2cddb67 100644 --- a/etc/wget.profile +++ b/etc/wget.profile
@@ -35,6 +35,6 @@ shell none
35		35
36	# private-bin wget	36	# private-bin wget
37	private-dev	37	private-dev
38	# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl	38	# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
39	# private-tmp	39	# private-tmp
40		40


diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index 74c07d96b..5fa72c9dc 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile
@@ -56,7 +56,7 @@ tracelog
56	private-bin env,ffmpeg,python*,youtube-dl	56	private-bin env,ffmpeg,python*,youtube-dl
57	private-cache	57	private-cache
58	private-dev	58	private-dev
59	private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,mime.types,pki,resolv.conf,ssl,youtube-dl.conf	59	private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
60	private-tmp	60	private-tmp
61		61
62	#memory-deny-write-execute - breaks on Arch (see issue #1803)	62	#memory-deny-write-execute - breaks on Arch (see issue #1803)