profile fixes (3)

24 files changed, 68 insertions, 36 deletions

diff --git a/etc/allow-common-devel.inc b/etc/allow-common-devel.inc
index 1d794462c..63174eda6 100644
--- a/etc/allow-common-devel.inc
+++ b/etc/allow-common-devel.inc
@@ -1,17 +1,21 @@
-# Rust
-noblacklist ${HOME}/.cargo/config
-noblacklist ${HOME}/.cargo/registry
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-common-devel.local
 
 # Git
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
+# Java
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.java
+
 # Python
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 
-# Java
-noblacklist ${HOME}/.gradle
-noblacklist ${HOME}/.java
+# Rust
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
diff --git a/etc/allow-java.inc b/etc/allow-java.inc
index 5204d2dea..24d18fb77 100644
--- a/etc/allow-java.inc
+++ b/etc/allow-java.inc
@@ -1,6 +1,9 @@
-noblacklist ${HOME}/.java
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-java.local
 
+noblacklist ${HOME}/.java
 noblacklist ${PATH}/java
-noblacklist /usr/lib/java
 noblacklist /etc/java
+noblacklist /usr/lib/java
 noblacklist /usr/share/java
diff --git a/etc/allow-lua.inc b/etc/allow-lua.inc
index 51d76f9b1..fbdee22ee 100644
--- a/etc/allow-lua.inc
+++ b/etc/allow-lua.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-lua.local
+
 noblacklist ${PATH}/lua*
 noblacklist /usr/include/lua*
 noblacklist /usr/lib/lua
diff --git a/etc/allow-perl.inc b/etc/allow-perl.inc
index d37328936..f44e1e3cc 100644
--- a/etc/allow-perl.inc
+++ b/etc/allow-perl.inc
@@ -1,5 +1,9 @@
-noblacklist ${PATH}/cpan*
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-perl.local
+
 noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist ${PATH}/site_perl
 noblacklist ${PATH}/vendor_perl
diff --git a/etc/allow-php.inc b/etc/allow-php.inc
new file mode 100644
index 000000000..a0950dc26
--- /dev/null
+++ b/etc/allow-php.inc
@@ -0,0 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-php.local
+
+noblacklist ${PATH}/php*
+noblacklist /usr/lib/php*
+noblacklist /usr/share/php*
diff --git a/etc/allow-python2.inc b/etc/allow-python2.inc
index 8ea61648b..b0525e2e1 100644
--- a/etc/allow-python2.inc
+++ b/etc/allow-python2.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-python2.local
+
 noblacklist ${PATH}/python2*
 noblacklist /usr/include/python2*
 noblacklist /usr/lib/python2*
diff --git a/etc/allow-python3.inc b/etc/allow-python3.inc
index 91c7ffca4..c5660a97d 100644
--- a/etc/allow-python3.inc
+++ b/etc/allow-python3.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-python3.local
+
 noblacklist ${PATH}/python3*
 noblacklist /usr/include/python3*
 noblacklist /usr/lib/python3*
diff --git a/etc/allow-ruby.inc b/etc/allow-ruby.inc
index 3165a981a..a8c701219 100644
--- a/etc/allow-ruby.inc
+++ b/etc/allow-ruby.inc
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-ruby.local
+
 noblacklist ${PATH}/ruby
 noblacklist /usr/lib/ruby
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index 72e577d56..c478bbae9 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -7,6 +7,8 @@ include aria2c.local
 include globals.local
 
 noblacklist ${HOME}/.aria2
+noblacklist ${HOME}/.config/aria2
+noblacklist ${HOME}/.netrc
 
 include disable-common.inc
 include disable-devel.inc
@@ -35,6 +37,7 @@ seccomp
 shell none
 
 # disable-mnt
+# Add your custom event hook commands to 'private-bin' in your aria2c.local
 private-bin aria2c,gzip
 # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
 #private-cache
diff --git a/etc/baobab.profile b/etc/baobab.profile
index eb0064115..e8287b448 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -6,7 +6,7 @@ include baobab.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
+# include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
diff --git a/etc/beaker.profile b/etc/beaker.profile
index 21eeac4b3..cc1886a49 100644
--- a/etc/beaker.profile
+++ b/etc/beaker.profile
@@ -13,7 +13,6 @@ include disable-interpreters.inc
 
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
 # Redirect
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index 7b88e417a..c54fb0e19 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -37,7 +37,7 @@ notv
 shell none
 
 disable-mnt
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-tmp - problems with multiple browser sessions
 
 # the file dialog needs to work without d-bus
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index a489a8fbb..207ee32e5 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -119,6 +119,7 @@ blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
+blacklist ${HOME}/.config/aria2
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/artha.conf
 blacklist ${HOME}/.config/asunder
diff --git a/etc/ephemeral.profile b/etc/ephemeral.profile
index fa7746da5..c688c2324 100644
--- a/etc/ephemeral.profile
+++ b/etc/ephemeral.profile
@@ -55,7 +55,7 @@ tracelog
 
 disable-mnt
 private-cache
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 67c0ed311..b392087e8 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin ffmpeg
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,hosts,pkcs11,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
 private-tmp
 
 # memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 7777d07ce..323070289 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -52,7 +52,7 @@ shell none
 #tracelog
 
 disable-mnt
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
diff --git a/etc/i2prouter.profile b/etc/i2prouter.profile
index e46fb3317..d9e7f1c8f 100644
--- a/etc/i2prouter.profile
+++ b/etc/i2prouter.profile
@@ -6,19 +6,19 @@ include i2prouter.local
 # Persistent global definitions
 include globals.local
 
-# Notice: default browser will not be able to automatically open, due to sandbox.
+# Notice: default browser will most likely not be able to automatically open, due to sandbox.
 # Auto-opening default browser can be disabled in the I2P router console.
-# This profile will not currently work with any Arch User Repository i2p packages,
-# use the distro-independent official java installer instead
+# This profile will not currently work with any Arch User Repository I2P packages,
+# use the distro-independent official I2P java installer instead
 
-# Only needed if i2prouter binary is in home directory, java installer does this
+# Only needed if i2prouter binary is in home directory, official I2P java installer does this
 ignore noexec ${HOME}
 
 noblacklist ${HOME}/.config/i2p
 noblacklist ${HOME}/.i2p
 noblacklist ${HOME}/.local/share/i2p
 noblacklist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
 noblacklist /usr/sbin
 
 # Allow java (blacklisted by disable-devel.inc)
@@ -40,13 +40,13 @@ whitelist ${HOME}/.config/i2p
 whitelist ${HOME}/.i2p
 whitelist ${HOME}/.local/share/i2p
 whitelist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
 whitelist /usr/sbin/wrapper*
 
 include whitelist-common.inc
 
-# May break I2P if wrapper is placed in the home directory
-# If using ubuntu official ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+# May break I2P if wrapper is placed in the home directory; official I2P java installer does this
+# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
 #apparmor
 caps.drop all
 ipc-namespace
@@ -67,5 +67,5 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,i2p,java-8-openjdk,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-8-openjdk,java-9-openjdk,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/keepass.profile b/etc/keepass.profile
index 57a24d821..9852f8a79 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index aa6902854..a402aca5a 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -39,5 +39,5 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
 
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index a8b5d109e..f9daf8f09 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -36,5 +36,5 @@ shell none
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 1183cd2f7..b40a18fa3 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -50,5 +50,5 @@ shell none
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/udiskie.profile b/etc/udiskie.profile
index f6e85d60e..265f6429d 100644
--- a/etc/udiskie.profile
+++ b/etc/udiskie.profile
@@ -31,7 +31,7 @@ notv
 nou2f
 novideo
 protocol unix
-seccomp
+seccomp !request_key
 shell none
 tracelog
 
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index 490255fa6..a56ecef1b 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -18,16 +18,12 @@ whitelist ${HOME}/.config/Wire
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 
 # Note: The current version of Wire is located in /opt/wire-desktop/wire-desktop, and therefore
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 97148c6b6..e3d7a35a1 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -295,7 +295,6 @@ hedgewars
 hexchat
 highlight
 hugin
-i2prouter
 icecat
 icedove
 iceweasel