diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-03-22 13:44:53 -0300 |
|---|---|---|
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-03-24 03:42:59 -0300 |
| commit | 04efbb27631e2f4abb5f1c0a915612e8cc98397c (patch) | |
| tree | 3b0c5d360a796880024a1c14e251522fb36ea5d7 | |
| parent | sstmp.profile: sort disable includes (diff) | |
| download | firejail-04efbb27631e2f4abb5f1c0a915612e8cc98397c.tar.gz firejail-04efbb27631e2f4abb5f1c0a915612e8cc98397c.tar.zst firejail-04efbb27631e2f4abb5f1c0a915612e8cc98397c.zip | |
profiles: replace x11 socket blacklist with disable-X11.inc
Replace all occurrences of `blacklist /tmp/.X11-unix` with
`include disable-X11.inc`, which blacklists more X11-related files.
Commands used to search and replace:
$ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'
Note: The following files were also edited manually:
* etc/profile-a-l/erd.profile
* etc/profile-a-l/links-common.profile
* etc/profile-m-z/termshark.profile
* etc/profile-m-z/tmux.profile
* etc/profile-m-z/tshark.profile
Relates to #4462 #4854.
48 files changed, 50 insertions, 49 deletions
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile index 9ebbf1cb0..e455a17db 100644 --- a/etc/profile-a-l/agetpkg.profile +++ b/etc/profile-a-l/agetpkg.profile | |||
| @@ -7,7 +7,6 @@ include agetpkg.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
| 12 | 11 | ||
| 13 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
| @@ -20,6 +19,7 @@ include disable-exec.inc | |||
| 20 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
| 21 | include disable-programs.inc | 20 | include disable-programs.inc |
| 22 | include disable-shell.inc | 21 | include disable-shell.inc |
| 22 | include disable-X11.inc | ||
| 23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
| 24 | 24 | ||
| 25 | whitelist ${DOWNLOADS} | 25 | whitelist ${DOWNLOADS} |
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile index 5ccb9896f..2ded32959 100644 --- a/etc/profile-a-l/alpine.profile +++ b/etc/profile-a-l/alpine.profile | |||
| @@ -30,7 +30,6 @@ noblacklist ${HOME}/.pinercex | |||
| 30 | noblacklist ${HOME}/.signature | 30 | noblacklist ${HOME}/.signature |
| 31 | noblacklist ${HOME}/mail | 31 | noblacklist ${HOME}/mail |
| 32 | 32 | ||
| 33 | blacklist /tmp/.X11-unix | ||
| 34 | blacklist ${RUNUSER}/wayland-* | 33 | blacklist ${RUNUSER}/wayland-* |
| 35 | 34 | ||
| 36 | include disable-common.inc | 35 | include disable-common.inc |
| @@ -39,6 +38,7 @@ include disable-exec.inc | |||
| 39 | include disable-interpreters.inc | 38 | include disable-interpreters.inc |
| 40 | include disable-programs.inc | 39 | include disable-programs.inc |
| 41 | include disable-shell.inc | 40 | include disable-shell.inc |
| 41 | include disable-X11.inc | ||
| 42 | include disable-xdg.inc | 42 | include disable-xdg.inc |
| 43 | 43 | ||
| 44 | #whitelist ${DOCUMENTS} | 44 | #whitelist ${DOCUMENTS} |
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile index 65ffdfa1b..0d70cf381 100644 --- a/etc/profile-a-l/aria2c.profile +++ b/etc/profile-a-l/aria2c.profile | |||
| @@ -11,7 +11,6 @@ noblacklist ${HOME}/.cache/winetricks # XXX: See #5238 | |||
| 11 | noblacklist ${HOME}/.config/aria2 | 11 | noblacklist ${HOME}/.config/aria2 |
| 12 | noblacklist ${HOME}/.netrc | 12 | noblacklist ${HOME}/.netrc |
| 13 | 13 | ||
| 14 | blacklist /tmp/.X11-unix | ||
| 15 | blacklist ${RUNUSER}/wayland-* | 14 | blacklist ${RUNUSER}/wayland-* |
| 16 | 15 | ||
| 17 | include disable-common.inc | 16 | include disable-common.inc |
| @@ -19,6 +18,7 @@ include disable-devel.inc | |||
| 19 | include disable-exec.inc | 18 | include disable-exec.inc |
| 20 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
| 21 | include disable-programs.inc | 20 | include disable-programs.inc |
| 21 | include disable-X11.inc | ||
| 22 | 22 | ||
| 23 | include whitelist-usr-share-common.inc | 23 | include whitelist-usr-share-common.inc |
| 24 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
diff --git a/etc/profile-a-l/bpftop.profile b/etc/profile-a-l/bpftop.profile index 1bcfce06c..8c64a77c6 100644 --- a/etc/profile-a-l/bpftop.profile +++ b/etc/profile-a-l/bpftop.profile | |||
| @@ -7,7 +7,6 @@ include bpftop.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist /usr/libexec | 10 | blacklist /usr/libexec |
| 12 | blacklist ${RUNUSER} | 11 | blacklist ${RUNUSER} |
| 13 | 12 | ||
| @@ -18,6 +17,7 @@ include disable-interpreters.inc | |||
| 18 | include disable-proc.inc | 17 | include disable-proc.inc |
| 19 | include disable-programs.inc | 18 | include disable-programs.inc |
| 20 | include disable-shell.inc | 19 | include disable-shell.inc |
| 20 | include disable-X11.inc | ||
| 21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
| 22 | 22 | ||
| 23 | include whitelist-common.inc | 23 | include whitelist-common.inc |
diff --git a/etc/profile-a-l/cloneit.profile b/etc/profile-a-l/cloneit.profile index b5328a807..445ef4890 100644 --- a/etc/profile-a-l/cloneit.profile +++ b/etc/profile-a-l/cloneit.profile | |||
| @@ -7,7 +7,6 @@ include cloneit.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist /usr/libexec | 10 | blacklist /usr/libexec |
| 12 | blacklist ${RUNUSER} | 11 | blacklist ${RUNUSER} |
| 13 | 12 | ||
| @@ -18,6 +17,7 @@ include disable-interpreters.inc | |||
| 18 | include disable-proc.inc | 17 | include disable-proc.inc |
| 19 | include disable-programs.inc | 18 | include disable-programs.inc |
| 20 | include disable-shell.inc | 19 | include disable-shell.inc |
| 20 | include disable-X11.inc | ||
| 21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
| 22 | 22 | ||
| 23 | include whitelist-run-common.inc | 23 | include whitelist-run-common.inc |
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile index 417abcc91..1d9ec5fa4 100644 --- a/etc/profile-a-l/curl.profile +++ b/etc/profile-a-l/curl.profile | |||
| @@ -16,7 +16,6 @@ noblacklist ${HOME}/.config/curlrc # since curl 7.73.0 | |||
| 16 | noblacklist ${HOME}/.curl-hsts | 16 | noblacklist ${HOME}/.curl-hsts |
| 17 | noblacklist ${HOME}/.curlrc | 17 | noblacklist ${HOME}/.curlrc |
| 18 | 18 | ||
| 19 | blacklist /tmp/.X11-unix | ||
| 20 | blacklist ${RUNUSER} | 19 | blacklist ${RUNUSER} |
| 21 | 20 | ||
| 22 | # If you use nvm, add the below lines to your curl.local | 21 | # If you use nvm, add the below lines to your curl.local |
| @@ -26,6 +25,7 @@ blacklist ${RUNUSER} | |||
| 26 | include disable-common.inc | 25 | include disable-common.inc |
| 27 | include disable-exec.inc | 26 | include disable-exec.inc |
| 28 | include disable-programs.inc | 27 | include disable-programs.inc |
| 28 | include disable-X11.inc | ||
| 29 | # Depending on workflow you can add 'include disable-xdg.inc' to your curl.local. | 29 | # Depending on workflow you can add 'include disable-xdg.inc' to your curl.local. |
| 30 | #include disable-xdg.inc | 30 | #include disable-xdg.inc |
| 31 | 31 | ||
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile index 70bd7370d..3a552b929 100644 --- a/etc/profile-a-l/dbus-send.profile +++ b/etc/profile-a-l/dbus-send.profile | |||
| @@ -7,7 +7,6 @@ include dbus-send.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
| 12 | 11 | ||
| 13 | include disable-common.inc | 12 | include disable-common.inc |
| @@ -17,6 +16,7 @@ include disable-interpreters.inc | |||
| 17 | include disable-programs.inc | 16 | include disable-programs.inc |
| 18 | include disable-shell.inc | 17 | include disable-shell.inc |
| 19 | include disable-write-mnt.inc | 18 | include disable-write-mnt.inc |
| 19 | include disable-X11.inc | ||
| 20 | include disable-xdg.inc | 20 | include disable-xdg.inc |
| 21 | 21 | ||
| 22 | #include whitelist-common.inc # see #903 | 22 | #include whitelist-common.inc # see #903 |
diff --git a/etc/profile-a-l/deadlink.profile b/etc/profile-a-l/deadlink.profile index 2e3fe9e0c..f7535c597 100644 --- a/etc/profile-a-l/deadlink.profile +++ b/etc/profile-a-l/deadlink.profile | |||
| @@ -6,7 +6,6 @@ include deadlink.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | blacklist /tmp/.X11-unix | ||
| 10 | blacklist /usr/libexec | 9 | blacklist /usr/libexec |
| 11 | blacklist ${RUNUSER} | 10 | blacklist ${RUNUSER} |
| 12 | 11 | ||
| @@ -23,6 +22,7 @@ include disable-interpreters.inc | |||
| 23 | include disable-proc.inc | 22 | include disable-proc.inc |
| 24 | include disable-programs.inc | 23 | include disable-programs.inc |
| 25 | include disable-shell.inc | 24 | include disable-shell.inc |
| 25 | include disable-X11.inc | ||
| 26 | include disable-xdg.inc | 26 | include disable-xdg.inc |
| 27 | 27 | ||
| 28 | include whitelist-run-common.inc | 28 | include whitelist-run-common.inc |
diff --git a/etc/profile-a-l/dexios.profile b/etc/profile-a-l/dexios.profile index 4dfccd685..55d6c83ce 100644 --- a/etc/profile-a-l/dexios.profile +++ b/etc/profile-a-l/dexios.profile | |||
| @@ -7,7 +7,6 @@ include dexios.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist /usr/libexec | 10 | blacklist /usr/libexec |
| 12 | blacklist ${RUNUSER} | 11 | blacklist ${RUNUSER} |
| 13 | 12 | ||
| @@ -18,6 +17,7 @@ include disable-interpreters.inc | |||
| 18 | include disable-proc.inc | 17 | include disable-proc.inc |
| 19 | include disable-programs.inc | 18 | include disable-programs.inc |
| 20 | include disable-shell.inc | 19 | include disable-shell.inc |
| 20 | include disable-X11.inc | ||
| 21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
| 22 | 22 | ||
| 23 | whitelist ${DOWNLOADS} | 23 | whitelist ${DOWNLOADS} |
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile index 781dfdcbc..80eef569c 100644 --- a/etc/profile-a-l/dig.profile +++ b/etc/profile-a-l/dig.profile | |||
| @@ -10,7 +10,6 @@ include globals.local | |||
| 10 | noblacklist ${HOME}/.digrc | 10 | noblacklist ${HOME}/.digrc |
| 11 | noblacklist ${PATH}/dig | 11 | noblacklist ${PATH}/dig |
| 12 | 12 | ||
| 13 | blacklist /tmp/.X11-unix | ||
| 14 | blacklist ${RUNUSER} | 13 | blacklist ${RUNUSER} |
| 15 | 14 | ||
| 16 | include disable-common.inc | 15 | include disable-common.inc |
| @@ -18,6 +17,7 @@ include disable-common.inc | |||
| 18 | include disable-exec.inc | 17 | include disable-exec.inc |
| 19 | #include disable-interpreters.inc | 18 | #include disable-interpreters.inc |
| 20 | include disable-programs.inc | 19 | include disable-programs.inc |
| 20 | include disable-X11.inc | ||
| 21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
| 22 | 22 | ||
| 23 | #mkfile ${HOME}/.digrc # see #903 | 23 | #mkfile ${HOME}/.digrc # see #903 |
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile index 50b56fb2d..e27fa202b 100644 --- a/etc/profile-a-l/dnscrypt-proxy.profile +++ b/etc/profile-a-l/dnscrypt-proxy.profile | |||
| @@ -7,7 +7,6 @@ include dnscrypt-proxy.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
| 12 | 11 | ||
| 13 | noblacklist /sbin | 12 | noblacklist /sbin |
| @@ -18,6 +17,7 @@ include disable-devel.inc | |||
| 18 | include disable-exec.inc | 17 | include disable-exec.inc |
| 19 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
| 20 | include disable-programs.inc | 19 | include disable-programs.inc |
| 20 | include disable-X11.inc | ||
| 21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
| 22 | 22 | ||
| 23 | whitelist /usr/share/dnscrypt-proxy | 23 | whitelist /usr/share/dnscrypt-proxy |
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile index 40ccab8c7..b41eff3ae 100644 --- a/etc/profile-a-l/dnsmasq.profile +++ b/etc/profile-a-l/dnsmasq.profile | |||
| @@ -11,13 +11,13 @@ noblacklist /sbin | |||
| 11 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
| 12 | noblacklist /var/lib/libvirt | 12 | noblacklist /var/lib/libvirt |
| 13 | 13 | ||
| 14 | blacklist /tmp/.X11-unix | ||
| 15 | blacklist ${RUNUSER} | 14 | blacklist ${RUNUSER} |
| 16 | 15 | ||
| 17 | include disable-common.inc | 16 | include disable-common.inc |
| 18 | include disable-devel.inc | 17 | include disable-devel.inc |
| 19 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
| 20 | include disable-programs.inc | 19 | include disable-programs.inc |
| 20 | include disable-X11.inc | ||
| 21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
| 22 | 22 | ||
| 23 | whitelist /var/lib/libvirt/dnsmasq | 23 | whitelist /var/lib/libvirt/dnsmasq |
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile index 63dfd6c0d..95e86e5b9 100644 --- a/etc/profile-a-l/drill.profile +++ b/etc/profile-a-l/drill.profile | |||
| @@ -9,7 +9,6 @@ include globals.local | |||
| 9 | 9 | ||
| 10 | noblacklist ${PATH}/drill | 10 | noblacklist ${PATH}/drill |
| 11 | 11 | ||
| 12 | blacklist /tmp/.X11-unix | ||
| 13 | blacklist ${RUNUSER} | 12 | blacklist ${RUNUSER} |
| 14 | 13 | ||
| 15 | include disable-common.inc | 14 | include disable-common.inc |
| @@ -17,6 +16,7 @@ include disable-common.inc | |||
| 17 | include disable-exec.inc | 16 | include disable-exec.inc |
| 18 | #include disable-interpreters.inc | 17 | #include disable-interpreters.inc |
| 19 | include disable-programs.inc | 18 | include disable-programs.inc |
| 19 | include disable-X11.inc | ||
| 20 | include disable-xdg.inc | 20 | include disable-xdg.inc |
| 21 | 21 | ||
| 22 | #include whitelist-common.inc # see #903 | 22 | #include whitelist-common.inc # see #903 |
diff --git a/etc/profile-a-l/editorconfiger.profile b/etc/profile-a-l/editorconfiger.profile index 452ca7e6e..a921ae2d5 100644 --- a/etc/profile-a-l/editorconfiger.profile +++ b/etc/profile-a-l/editorconfiger.profile | |||
| @@ -6,7 +6,6 @@ include editorconfiger.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | blacklist /tmp/.X11-unix | ||
| 10 | blacklist /usr/libexec | 9 | blacklist /usr/libexec |
| 11 | blacklist ${RUNUSER} | 10 | blacklist ${RUNUSER} |
| 12 | 11 | ||
| @@ -17,6 +16,7 @@ include disable-interpreters.inc | |||
| 17 | include disable-proc.inc | 16 | include disable-proc.inc |
| 18 | include disable-programs.inc | 17 | include disable-programs.inc |
| 19 | include disable-shell.inc | 18 | include disable-shell.inc |
| 19 | include disable-X11.inc | ||
| 20 | include disable-xdg.inc | 20 | include disable-xdg.inc |
| 21 | 21 | ||
| 22 | apparmor | 22 | apparmor |
diff --git a/etc/profile-a-l/erd.profile b/etc/profile-a-l/erd.profile index 8ab145016..d821f5882 100644 --- a/etc/profile-a-l/erd.profile +++ b/etc/profile-a-l/erd.profile | |||
| @@ -7,9 +7,8 @@ include erd.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | |||
| 12 | include disable-exec.inc | 10 | include disable-exec.inc |
| 11 | #include disable-X11.inc # x11 none | ||
| 13 | 12 | ||
| 14 | apparmor | 13 | apparmor |
| 15 | caps.drop all | 14 | caps.drop all |
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile index e9d5709ec..cacd7025d 100644 --- a/etc/profile-a-l/fdns.profile +++ b/etc/profile-a-l/fdns.profile | |||
| @@ -8,7 +8,6 @@ include globals.local | |||
| 8 | noblacklist /sbin | 8 | noblacklist /sbin |
| 9 | noblacklist /usr/sbin | 9 | noblacklist /usr/sbin |
| 10 | 10 | ||
| 11 | blacklist /tmp/.X11-unix | ||
| 12 | blacklist ${RUNUSER}/wayland-* | 11 | blacklist ${RUNUSER}/wayland-* |
| 13 | 12 | ||
| 14 | include disable-common.inc | 13 | include disable-common.inc |
| @@ -16,6 +15,7 @@ include disable-devel.inc | |||
| 16 | include disable-exec.inc | 15 | include disable-exec.inc |
| 17 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
| 18 | include disable-programs.inc | 17 | include disable-programs.inc |
| 18 | include disable-X11.inc | ||
| 19 | include disable-xdg.inc | 19 | include disable-xdg.inc |
| 20 | 20 | ||
| 21 | #include whitelist-usr-share-common.inc | 21 | #include whitelist-usr-share-common.inc |
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile index 11d5f620c..e0268a68c 100644 --- a/etc/profile-a-l/gget.profile +++ b/etc/profile-a-l/gget.profile | |||
| @@ -7,7 +7,6 @@ include gget.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER} | 10 | blacklist ${RUNUSER} |
| 12 | 11 | ||
| 13 | include disable-common.inc | 12 | include disable-common.inc |
| @@ -16,6 +15,7 @@ include disable-exec.inc | |||
| 16 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
| 17 | include disable-programs.inc | 16 | include disable-programs.inc |
| 18 | include disable-shell.inc | 17 | include disable-shell.inc |
| 18 | include disable-X11.inc | ||
| 19 | include disable-xdg.inc | 19 | include disable-xdg.inc |
| 20 | 20 | ||
| 21 | whitelist ${DOWNLOADS} | 21 | whitelist ${DOWNLOADS} |
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile index 6eea076f7..c7be8dcc5 100644 --- a/etc/profile-a-l/gist.profile +++ b/etc/profile-a-l/gist.profile | |||
| @@ -7,7 +7,6 @@ include gist.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
| 12 | 11 | ||
| 13 | noblacklist ${HOME}/.gist | 12 | noblacklist ${HOME}/.gist |
| @@ -20,6 +19,7 @@ include disable-devel.inc | |||
| 20 | include disable-exec.inc | 19 | include disable-exec.inc |
| 21 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
| 22 | include disable-programs.inc | 21 | include disable-programs.inc |
| 22 | include disable-X11.inc | ||
| 23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
| 24 | 24 | ||
| 25 | mkdir ${HOME}/.gist | 25 | mkdir ${HOME}/.gist |
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile index 78d6cb2a1..a900e10f3 100644 --- a/etc/profile-a-l/git.profile +++ b/etc/profile-a-l/git.profile | |||
| @@ -28,12 +28,12 @@ ignore rmenv GITHUB_ENTERPRISE_TOKEN | |||
| 28 | # Allow ssh (blacklisted by disable-common.inc) | 28 | # Allow ssh (blacklisted by disable-common.inc) |
| 29 | include allow-ssh.inc | 29 | include allow-ssh.inc |
| 30 | 30 | ||
| 31 | blacklist /tmp/.X11-unix | ||
| 32 | blacklist ${RUNUSER}/wayland-* | 31 | blacklist ${RUNUSER}/wayland-* |
| 33 | 32 | ||
| 34 | include disable-common.inc | 33 | include disable-common.inc |
| 35 | include disable-exec.inc | 34 | include disable-exec.inc |
| 36 | include disable-programs.inc | 35 | include disable-programs.inc |
| 36 | include disable-X11.inc | ||
| 37 | 37 | ||
| 38 | whitelist /usr/share/git | 38 | whitelist /usr/share/git |
| 39 | whitelist /usr/share/git-core | 39 | whitelist /usr/share/git-core |
diff --git a/etc/profile-a-l/gnome-keyring-daemon.profile b/etc/profile-a-l/gnome-keyring-daemon.profile index 41ea136a6..0370b0472 100644 --- a/etc/profile-a-l/gnome-keyring-daemon.profile +++ b/etc/profile-a-l/gnome-keyring-daemon.profile | |||
| @@ -7,7 +7,6 @@ include gnome-keyring-daemon.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
| 12 | 11 | ||
| 13 | include disable-common.inc | 12 | include disable-common.inc |
| @@ -16,6 +15,7 @@ include disable-exec.inc | |||
| 16 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
| 17 | include disable-programs.inc | 16 | include disable-programs.inc |
| 18 | #include disable-X11.inc # x11 none | 17 | #include disable-X11.inc # x11 none |
| 18 | include disable-X11.inc | ||
| 19 | include disable-xdg.inc | 19 | include disable-xdg.inc |
| 20 | 20 | ||
| 21 | whitelist ${RUNUSER}/gnupg | 21 | whitelist ${RUNUSER}/gnupg |
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile index 58769643a..e1ec5f4b9 100644 --- a/etc/profile-a-l/googler-common.profile +++ b/etc/profile-a-l/googler-common.profile | |||
| @@ -7,7 +7,6 @@ include googler-common.local | |||
| 7 | # added by caller profile | 7 | # added by caller profile |
| 8 | #include globals.local | 8 | #include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER} | 10 | blacklist ${RUNUSER} |
| 12 | 11 | ||
| 13 | noblacklist ${HOME}/.w3m | 12 | noblacklist ${HOME}/.w3m |
| @@ -23,6 +22,7 @@ include disable-exec.inc | |||
| 23 | include disable-interpreters.inc | 22 | include disable-interpreters.inc |
| 24 | include disable-programs.inc | 23 | include disable-programs.inc |
| 25 | include disable-shell.inc | 24 | include disable-shell.inc |
| 25 | include disable-X11.inc | ||
| 26 | include disable-xdg.inc | 26 | include disable-xdg.inc |
| 27 | 27 | ||
| 28 | whitelist ${HOME}/.w3m | 28 | whitelist ${HOME}/.w3m |
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile index 3b623a338..29249cf21 100644 --- a/etc/profile-a-l/gpg-agent.profile +++ b/etc/profile-a-l/gpg-agent.profile | |||
| @@ -9,13 +9,13 @@ include globals.local | |||
| 9 | 9 | ||
| 10 | noblacklist ${HOME}/.gnupg | 10 | noblacklist ${HOME}/.gnupg |
| 11 | 11 | ||
| 12 | blacklist /tmp/.X11-unix | ||
| 13 | blacklist ${RUNUSER}/wayland-* | 12 | blacklist ${RUNUSER}/wayland-* |
| 14 | 13 | ||
| 15 | include disable-common.inc | 14 | include disable-common.inc |
| 16 | include disable-devel.inc | 15 | include disable-devel.inc |
| 17 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
| 18 | include disable-programs.inc | 17 | include disable-programs.inc |
| 18 | include disable-X11.inc | ||
| 19 | include disable-xdg.inc | 19 | include disable-xdg.inc |
| 20 | 20 | ||
| 21 | mkdir ${HOME}/.gnupg | 21 | mkdir ${HOME}/.gnupg |
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile index bf4a1c60b..02dd3b076 100644 --- a/etc/profile-a-l/gpg.profile +++ b/etc/profile-a-l/gpg.profile | |||
| @@ -9,13 +9,13 @@ include globals.local | |||
| 9 | 9 | ||
| 10 | noblacklist ${HOME}/.gnupg | 10 | noblacklist ${HOME}/.gnupg |
| 11 | 11 | ||
| 12 | blacklist /tmp/.X11-unix | ||
| 13 | blacklist ${RUNUSER}/wayland-* | 12 | blacklist ${RUNUSER}/wayland-* |
| 14 | 13 | ||
| 15 | include disable-common.inc | 14 | include disable-common.inc |
| 16 | include disable-devel.inc | 15 | include disable-devel.inc |
| 17 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
| 18 | include disable-programs.inc | 17 | include disable-programs.inc |
| 18 | include disable-X11.inc | ||
| 19 | 19 | ||
| 20 | whitelist ${RUNUSER}/gnupg | 20 | whitelist ${RUNUSER}/gnupg |
| 21 | whitelist ${RUNUSER}/keyring | 21 | whitelist ${RUNUSER}/keyring |
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile index 636560789..4bab6b0cc 100644 --- a/etc/profile-a-l/links-common.profile +++ b/etc/profile-a-l/links-common.profile | |||
| @@ -4,7 +4,6 @@ include links-common.local | |||
| 4 | 4 | ||
| 5 | # common profile for links browsers | 5 | # common profile for links browsers |
| 6 | 6 | ||
| 7 | blacklist /tmp/.X11-unix | ||
| 8 | blacklist ${RUNUSER}/wayland-* | 7 | blacklist ${RUNUSER}/wayland-* |
| 9 | 8 | ||
| 10 | include disable-common.inc | 9 | include disable-common.inc |
| @@ -14,6 +13,7 @@ include disable-interpreters.inc | |||
| 14 | # Additional noblacklist files/directories (blacklisted in disable-programs.inc) | 13 | # Additional noblacklist files/directories (blacklisted in disable-programs.inc) |
| 15 | # used as associated programs can be added in your links-common.local. | 14 | # used as associated programs can be added in your links-common.local. |
| 16 | include disable-programs.inc | 15 | include disable-programs.inc |
| 16 | include disable-X11.inc | ||
| 17 | include disable-xdg.inc | 17 | include disable-xdg.inc |
| 18 | 18 | ||
| 19 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile index 248061b3f..2c61147ec 100644 --- a/etc/profile-a-l/lynx.profile +++ b/etc/profile-a-l/lynx.profile | |||
| @@ -7,13 +7,13 @@ include lynx.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
| 12 | 11 | ||
| 13 | include disable-common.inc | 12 | include disable-common.inc |
| 14 | include disable-devel.inc | 13 | include disable-devel.inc |
| 15 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
| 16 | include disable-programs.inc | 15 | include disable-programs.inc |
| 16 | include disable-X11.inc | ||
| 17 | include disable-xdg.inc | 17 | include disable-xdg.inc |
| 18 | 18 | ||
| 19 | include whitelist-runuser-common.inc | 19 | include whitelist-runuser-common.inc |
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile index 49e84dedb..3bda47fad 100644 --- a/etc/profile-m-z/makepkg.profile +++ b/etc/profile-m-z/makepkg.profile | |||
| @@ -7,7 +7,6 @@ include makepkg.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
| 12 | 11 | ||
| 13 | # Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138 | 12 | # Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138 |
| @@ -33,6 +32,7 @@ noblacklist /var/lib/pacman | |||
| 33 | include disable-common.inc | 32 | include disable-common.inc |
| 34 | include disable-exec.inc | 33 | include disable-exec.inc |
| 35 | include disable-programs.inc | 34 | include disable-programs.inc |
| 35 | include disable-X11.inc | ||
| 36 | 36 | ||
| 37 | caps.drop all | 37 | caps.drop all |
| 38 | ipc-namespace | 38 | ipc-namespace |
diff --git a/etc/profile-m-z/mimetype.profile b/etc/profile-m-z/mimetype.profile index 9902da882..4b62624bb 100644 --- a/etc/profile-m-z/mimetype.profile +++ b/etc/profile-m-z/mimetype.profile | |||
| @@ -7,11 +7,11 @@ include mimetype.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
| 12 | 11 | ||
| 13 | include disable-exec.inc | 12 | include disable-exec.inc |
| 14 | include disable-proc.inc | 13 | include disable-proc.inc |
| 14 | include disable-X11.inc | ||
| 15 | 15 | ||
| 16 | apparmor | 16 | apparmor |
| 17 | caps.drop all | 17 | caps.drop all |
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile index 0a5e4255a..d80e263b6 100644 --- a/etc/profile-m-z/mocp.profile +++ b/etc/profile-m-z/mocp.profile | |||
| @@ -10,7 +10,6 @@ include globals.local | |||
| 10 | noblacklist ${HOME}/.moc | 10 | noblacklist ${HOME}/.moc |
| 11 | noblacklist ${MUSIC} | 11 | noblacklist ${MUSIC} |
| 12 | 12 | ||
| 13 | blacklist /tmp/.X11-unix | ||
| 14 | blacklist ${RUNUSER}/wayland-* | 13 | blacklist ${RUNUSER}/wayland-* |
| 15 | 14 | ||
| 16 | include disable-common.inc | 15 | include disable-common.inc |
| @@ -19,6 +18,7 @@ include disable-exec.inc | |||
| 19 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
| 20 | include disable-proc.inc | 19 | include disable-proc.inc |
| 21 | include disable-programs.inc | 20 | include disable-programs.inc |
| 21 | include disable-X11.inc | ||
| 22 | include disable-xdg.inc | 22 | include disable-xdg.inc |
| 23 | 23 | ||
| 24 | mkdir ${HOME}/.moc | 24 | mkdir ${HOME}/.moc |
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index 097ce6e83..447301d46 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile | |||
| @@ -38,7 +38,6 @@ noblacklist ${HOME}/postponed | |||
| 38 | noblacklist ${HOME}/sent | 38 | noblacklist ${HOME}/sent |
| 39 | noblacklist /etc/msmtprc | 39 | noblacklist /etc/msmtprc |
| 40 | 40 | ||
| 41 | blacklist /tmp/.X11-unix | ||
| 42 | blacklist ${RUNUSER}/wayland-* | 41 | blacklist ${RUNUSER}/wayland-* |
| 43 | 42 | ||
| 44 | # Add the next lines to your mutt.local for oauth.py,S/MIME support. | 43 | # Add the next lines to your mutt.local for oauth.py,S/MIME support. |
| @@ -51,6 +50,7 @@ include disable-devel.inc | |||
| 51 | include disable-exec.inc | 50 | include disable-exec.inc |
| 52 | include disable-interpreters.inc | 51 | include disable-interpreters.inc |
| 53 | include disable-programs.inc | 52 | include disable-programs.inc |
| 53 | include disable-X11.inc | ||
| 54 | include disable-xdg.inc | 54 | include disable-xdg.inc |
| 55 | 55 | ||
| 56 | mkdir ${HOME}/.Mail | 56 | mkdir ${HOME}/.Mail |
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index 51e2e43bf..22720422b 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile | |||
| @@ -39,7 +39,6 @@ noblacklist /etc/msmtprc | |||
| 39 | noblacklist /var/mail | 39 | noblacklist /var/mail |
| 40 | noblacklist /var/spool/mail | 40 | noblacklist /var/spool/mail |
| 41 | 41 | ||
| 42 | blacklist /tmp/.X11-unix | ||
| 43 | blacklist ${RUNUSER}/wayland-* | 42 | blacklist ${RUNUSER}/wayland-* |
| 44 | 43 | ||
| 45 | include allow-lua.inc | 44 | include allow-lua.inc |
| @@ -49,6 +48,7 @@ include disable-devel.inc | |||
| 49 | include disable-exec.inc | 48 | include disable-exec.inc |
| 50 | include disable-interpreters.inc | 49 | include disable-interpreters.inc |
| 51 | include disable-programs.inc | 50 | include disable-programs.inc |
| 51 | include disable-X11.inc | ||
| 52 | include disable-xdg.inc | 52 | include disable-xdg.inc |
| 53 | 53 | ||
| 54 | mkdir ${HOME}/.Mail | 54 | mkdir ${HOME}/.Mail |
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile index dcd76f2ad..aae506b0b 100644 --- a/etc/profile-m-z/nslookup.profile +++ b/etc/profile-m-z/nslookup.profile | |||
| @@ -7,7 +7,6 @@ include nslookup.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER} | 10 | blacklist ${RUNUSER} |
| 12 | 11 | ||
| 13 | noblacklist ${PATH}/nslookup | 12 | noblacklist ${PATH}/nslookup |
| @@ -17,6 +16,7 @@ include disable-devel.inc | |||
| 17 | include disable-exec.inc | 16 | include disable-exec.inc |
| 18 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
| 19 | include disable-programs.inc | 18 | include disable-programs.inc |
| 19 | include disable-X11.inc | ||
| 20 | include disable-xdg.inc | 20 | include disable-xdg.inc |
| 21 | 21 | ||
| 22 | whitelist ${HOME}/.nslookuprc | 22 | whitelist ${HOME}/.nslookuprc |
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile index ce90012e3..52ccb4309 100644 --- a/etc/profile-m-z/rsync-download_only.profile +++ b/etc/profile-m-z/rsync-download_only.profile | |||
| @@ -11,7 +11,6 @@ include globals.local | |||
| 11 | # not as a daemon (rsync --daemon) nor to create backups. | 11 | # not as a daemon (rsync --daemon) nor to create backups. |
| 12 | # Usage: firejail --profile=rsync-download_only rsync | 12 | # Usage: firejail --profile=rsync-download_only rsync |
| 13 | 13 | ||
| 14 | blacklist /tmp/.X11-unix | ||
| 15 | blacklist ${RUNUSER} | 14 | blacklist ${RUNUSER} |
| 16 | 15 | ||
| 17 | include disable-common.inc | 16 | include disable-common.inc |
| @@ -20,6 +19,7 @@ include disable-exec.inc | |||
| 20 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
| 21 | include disable-programs.inc | 20 | include disable-programs.inc |
| 22 | include disable-shell.inc | 21 | include disable-shell.inc |
| 22 | include disable-X11.inc | ||
| 23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
| 24 | 24 | ||
| 25 | # Add the next line to your rsync-download_only.local to enable extra hardening. | 25 | # Add the next line to your rsync-download_only.local to enable extra hardening. |
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile index 0d57e6916..e719b0d0d 100644 --- a/etc/profile-m-z/rtv.profile +++ b/etc/profile-m-z/rtv.profile | |||
| @@ -6,7 +6,6 @@ include rtv.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | blacklist /tmp/.X11-unix | ||
| 10 | blacklist ${RUNUSER}/wayland-* | 9 | blacklist ${RUNUSER}/wayland-* |
| 11 | 10 | ||
| 12 | noblacklist ${HOME}/.config/rtv | 11 | noblacklist ${HOME}/.config/rtv |
| @@ -28,6 +27,7 @@ include disable-devel.inc | |||
| 28 | include disable-exec.inc | 27 | include disable-exec.inc |
| 29 | include disable-interpreters.inc | 28 | include disable-interpreters.inc |
| 30 | include disable-programs.inc | 29 | include disable-programs.inc |
| 30 | include disable-X11.inc | ||
| 31 | include disable-xdg.inc | 31 | include disable-xdg.inc |
| 32 | 32 | ||
| 33 | mkdir ${HOME}/.config/rtv | 33 | mkdir ${HOME}/.config/rtv |
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile index 74587c992..a77cf7e0b 100644 --- a/etc/profile-m-z/server.profile +++ b/etc/profile-m-z/server.profile | |||
| @@ -36,7 +36,6 @@ noblacklist /usr/sbin | |||
| 36 | noblacklist /etc/init.d | 36 | noblacklist /etc/init.d |
| 37 | #noblacklist /var/opt | 37 | #noblacklist /var/opt |
| 38 | 38 | ||
| 39 | blacklist /tmp/.X11-unix | ||
| 40 | blacklist ${RUNUSER}/wayland-* | 39 | blacklist ${RUNUSER}/wayland-* |
| 41 | 40 | ||
| 42 | include disable-common.inc | 41 | include disable-common.inc |
| @@ -45,6 +44,7 @@ include disable-common.inc | |||
| 45 | #include disable-interpreters.inc | 44 | #include disable-interpreters.inc |
| 46 | include disable-programs.inc | 45 | include disable-programs.inc |
| 47 | include disable-write-mnt.inc | 46 | include disable-write-mnt.inc |
| 47 | include disable-X11.inc | ||
| 48 | include disable-xdg.inc | 48 | include disable-xdg.inc |
| 49 | 49 | ||
| 50 | #include whitelist-runuser-common.inc | 50 | #include whitelist-runuser-common.inc |
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile index d881db714..979d71b33 100644 --- a/etc/profile-m-z/signal-cli.profile +++ b/etc/profile-m-z/signal-cli.profile | |||
| @@ -6,7 +6,6 @@ include signal-cli.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | blacklist /tmp/.X11-unix | ||
| 10 | blacklist ${RUNUSER}/wayland-* | 9 | blacklist ${RUNUSER}/wayland-* |
| 11 | 10 | ||
| 12 | noblacklist ${HOME}/.local/share/signal-cli | 11 | noblacklist ${HOME}/.local/share/signal-cli |
| @@ -18,6 +17,7 @@ include disable-devel.inc | |||
| 18 | include disable-exec.inc | 17 | include disable-exec.inc |
| 19 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
| 20 | include disable-programs.inc | 19 | include disable-programs.inc |
| 20 | include disable-X11.inc | ||
| 21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
| 22 | 22 | ||
| 23 | mkdir ${HOME}/.local/share/signal-cli | 23 | mkdir ${HOME}/.local/share/signal-cli |
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile index 76755def4..6630244be 100644 --- a/etc/profile-m-z/ssh-agent.profile +++ b/etc/profile-m-z/ssh-agent.profile | |||
| @@ -9,11 +9,11 @@ include globals.local | |||
| 9 | # Allow ssh (blacklisted by disable-common.inc) | 9 | # Allow ssh (blacklisted by disable-common.inc) |
| 10 | include allow-ssh.inc | 10 | include allow-ssh.inc |
| 11 | 11 | ||
| 12 | blacklist /tmp/.X11-unix | ||
| 13 | blacklist ${RUNUSER}/wayland-* | 12 | blacklist ${RUNUSER}/wayland-* |
| 14 | 13 | ||
| 15 | include disable-common.inc | 14 | include disable-common.inc |
| 16 | include disable-programs.inc | 15 | include disable-programs.inc |
| 16 | include disable-X11.inc | ||
| 17 | 17 | ||
| 18 | include whitelist-usr-share-common.inc | 18 | include whitelist-usr-share-common.inc |
| 19 | 19 | ||
diff --git a/etc/profile-m-z/statusof.profile b/etc/profile-m-z/statusof.profile index 7463b90f5..25c8df680 100644 --- a/etc/profile-m-z/statusof.profile +++ b/etc/profile-m-z/statusof.profile | |||
| @@ -7,7 +7,6 @@ include statusof.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist /usr/libexec | 10 | blacklist /usr/libexec |
| 12 | blacklist ${RUNUSER} | 11 | blacklist ${RUNUSER} |
| 13 | 12 | ||
| @@ -21,6 +20,7 @@ include disable-interpreters.inc | |||
| 21 | include disable-proc.inc | 20 | include disable-proc.inc |
| 22 | include disable-programs.inc | 21 | include disable-programs.inc |
| 23 | include disable-shell.inc | 22 | include disable-shell.inc |
| 23 | include disable-X11.inc | ||
| 24 | include disable-xdg.inc | 24 | include disable-xdg.inc |
| 25 | 25 | ||
| 26 | include whitelist-common.inc | 26 | include whitelist-common.inc |
diff --git a/etc/profile-m-z/termshark.profile b/etc/profile-m-z/termshark.profile index 630d5dda6..bdee14e64 100644 --- a/etc/profile-m-z/termshark.profile +++ b/etc/profile-m-z/termshark.profile | |||
| @@ -8,8 +8,9 @@ include termshark.local | |||
| 8 | # added by included profile | 8 | # added by included profile |
| 9 | #include globals.local | 9 | #include globals.local |
| 10 | 10 | ||
| 11 | blacklist /tmp/.X11-unix | ||
| 12 | blacklist ${RUNUSER} | 11 | blacklist ${RUNUSER} |
| 13 | 12 | ||
| 13 | include disable-X11.inc | ||
| 14 | |||
| 14 | # Redirect | 15 | # Redirect |
| 15 | include wireshark.profile | 16 | include wireshark.profile |
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile index 35ff14e88..7c1d534e9 100644 --- a/etc/profile-m-z/tin.profile +++ b/etc/profile-m-z/tin.profile | |||
| @@ -9,7 +9,6 @@ include globals.local | |||
| 9 | noblacklist ${HOME}/.newsrc | 9 | noblacklist ${HOME}/.newsrc |
| 10 | noblacklist ${HOME}/.tin | 10 | noblacklist ${HOME}/.tin |
| 11 | 11 | ||
| 12 | blacklist /tmp/.X11-unix | ||
| 13 | blacklist ${RUNUSER} | 12 | blacklist ${RUNUSER} |
| 14 | blacklist /usr/libexec | 13 | blacklist /usr/libexec |
| 15 | 14 | ||
| @@ -19,6 +18,7 @@ include disable-exec.inc | |||
| 19 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
| 20 | include disable-programs.inc | 19 | include disable-programs.inc |
| 21 | include disable-shell.inc | 20 | include disable-shell.inc |
| 21 | include disable-X11.inc | ||
| 22 | include disable-xdg.inc | 22 | include disable-xdg.inc |
| 23 | 23 | ||
| 24 | mkdir ${HOME}/.tin | 24 | mkdir ${HOME}/.tin |
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile index ddd2aa85f..55d84a618 100644 --- a/etc/profile-m-z/tmux.profile +++ b/etc/profile-m-z/tmux.profile | |||
| @@ -7,7 +7,6 @@ include tmux.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER} | 10 | blacklist ${RUNUSER} |
| 12 | 11 | ||
| 13 | noblacklist /tmp/tmux-* | 12 | noblacklist /tmp/tmux-* |
| @@ -16,6 +15,7 @@ noblacklist /tmp/tmux-* | |||
| 16 | #include disable-devel.inc | 15 | #include disable-devel.inc |
| 17 | #include disable-exec.inc | 16 | #include disable-exec.inc |
| 18 | #include disable-programs.inc | 17 | #include disable-programs.inc |
| 18 | include disable-X11.inc | ||
| 19 | 19 | ||
| 20 | caps.drop all | 20 | caps.drop all |
| 21 | ipc-namespace | 21 | ipc-namespace |
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile index c46b00fc9..8a3464496 100644 --- a/etc/profile-m-z/tracker.profile +++ b/etc/profile-m-z/tracker.profile | |||
| @@ -8,7 +8,6 @@ include globals.local | |||
| 8 | 8 | ||
| 9 | # Tracker is started by systemd on most systems. Therefore it is not firejailed by default | 9 | # Tracker is started by systemd on most systems. Therefore it is not firejailed by default |
| 10 | 10 | ||
| 11 | blacklist /tmp/.X11-unix | ||
| 12 | blacklist ${RUNUSER}/wayland-* | 11 | blacklist ${RUNUSER}/wayland-* |
| 13 | 12 | ||
| 14 | include disable-common.inc | 13 | include disable-common.inc |
| @@ -16,6 +15,7 @@ include disable-devel.inc | |||
| 16 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
| 17 | include disable-programs.inc | 16 | include disable-programs.inc |
| 18 | include disable-shell.inc | 17 | include disable-shell.inc |
| 18 | include disable-X11.inc | ||
| 19 | 19 | ||
| 20 | include whitelist-runuser-common.inc | 20 | include whitelist-runuser-common.inc |
| 21 | 21 | ||
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile index f2273e6a7..fab45a334 100644 --- a/etc/profile-m-z/tshark.profile +++ b/etc/profile-m-z/tshark.profile | |||
| @@ -7,8 +7,9 @@ include tshark.local | |||
| 7 | # added by included profile | 7 | # added by included profile |
| 8 | #include globals.local | 8 | #include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER} | 10 | blacklist ${RUNUSER} |
| 12 | 11 | ||
| 12 | include disable-X11.inc | ||
| 13 | |||
| 13 | # Redirect | 14 | # Redirect |
| 14 | include wireshark.profile | 15 | include wireshark.profile |
diff --git a/etc/profile-m-z/tvnamer.profile b/etc/profile-m-z/tvnamer.profile index ccfd07e40..24439672a 100644 --- a/etc/profile-m-z/tvnamer.profile +++ b/etc/profile-m-z/tvnamer.profile | |||
| @@ -6,7 +6,6 @@ include tvnamer.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | blacklist /tmp/.X11-unix | ||
| 10 | blacklist /usr/libexec | 9 | blacklist /usr/libexec |
| 11 | blacklist ${RUNUSER} | 10 | blacklist ${RUNUSER} |
| 12 | 11 | ||
| @@ -24,6 +23,7 @@ include disable-interpreters.inc | |||
| 24 | include disable-programs.inc | 23 | include disable-programs.inc |
| 25 | include disable-proc.inc | 24 | include disable-proc.inc |
| 26 | include disable-shell.inc | 25 | include disable-shell.inc |
| 26 | include disable-X11.inc | ||
| 27 | include disable-xdg.inc | 27 | include disable-xdg.inc |
| 28 | 28 | ||
| 29 | mkdir ${HOME}/.config/tvnamer | 29 | mkdir ${HOME}/.config/tvnamer |
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile index 63d84688c..dfce92e2d 100644 --- a/etc/profile-m-z/unbound.profile +++ b/etc/profile-m-z/unbound.profile | |||
| @@ -9,7 +9,6 @@ include globals.local | |||
| 9 | noblacklist /sbin | 9 | noblacklist /sbin |
| 10 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
| 11 | 11 | ||
| 12 | blacklist /tmp/.X11-unix | ||
| 13 | blacklist ${RUNUSER} | 12 | blacklist ${RUNUSER} |
| 14 | 13 | ||
| 15 | include disable-common.inc | 14 | include disable-common.inc |
| @@ -17,6 +16,7 @@ include disable-devel.inc | |||
| 17 | include disable-exec.inc | 16 | include disable-exec.inc |
| 18 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
| 19 | include disable-programs.inc | 18 | include disable-programs.inc |
| 19 | include disable-X11.inc | ||
| 20 | include disable-xdg.inc | 20 | include disable-xdg.inc |
| 21 | 21 | ||
| 22 | whitelist /usr/share/dns | 22 | whitelist /usr/share/dns |
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile index edc08ca44..4e2f1bb3e 100644 --- a/etc/profile-m-z/w3m.profile +++ b/etc/profile-m-z/w3m.profile | |||
| @@ -14,7 +14,6 @@ include globals.local | |||
| 14 | 14 | ||
| 15 | noblacklist ${HOME}/.w3m | 15 | noblacklist ${HOME}/.w3m |
| 16 | 16 | ||
| 17 | blacklist /tmp/.X11-unix | ||
| 18 | blacklist ${RUNUSER}/wayland-* | 17 | blacklist ${RUNUSER}/wayland-* |
| 19 | 18 | ||
| 20 | # Allow /bin/sh (blacklisted by disable-shell.inc) | 19 | # Allow /bin/sh (blacklisted by disable-shell.inc) |
| @@ -29,6 +28,7 @@ include disable-exec.inc | |||
| 29 | include disable-interpreters.inc | 28 | include disable-interpreters.inc |
| 30 | include disable-programs.inc | 29 | include disable-programs.inc |
| 31 | include disable-shell.inc | 30 | include disable-shell.inc |
| 31 | include disable-X11.inc | ||
| 32 | include disable-xdg.inc | 32 | include disable-xdg.inc |
| 33 | 33 | ||
| 34 | mkdir ${HOME}/.w3m | 34 | mkdir ${HOME}/.w3m |
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile index 5e1823593..90a1d3d7a 100644 --- a/etc/profile-m-z/wget.profile +++ b/etc/profile-m-z/wget.profile | |||
| @@ -15,7 +15,6 @@ noblacklist ${HOME}/.wgetrc | |||
| 15 | #ignore read-only ${HOME}/.nvm | 15 | #ignore read-only ${HOME}/.nvm |
| 16 | #noblacklist ${HOME}/.nvm | 16 | #noblacklist ${HOME}/.nvm |
| 17 | 17 | ||
| 18 | blacklist /tmp/.X11-unix | ||
| 19 | blacklist ${RUNUSER} | 18 | blacklist ${RUNUSER} |
| 20 | 19 | ||
| 21 | include disable-common.inc | 20 | include disable-common.inc |
| @@ -24,6 +23,7 @@ include disable-exec.inc | |||
| 24 | include disable-interpreters.inc | 23 | include disable-interpreters.inc |
| 25 | include disable-programs.inc | 24 | include disable-programs.inc |
| 26 | include disable-shell.inc | 25 | include disable-shell.inc |
| 26 | include disable-X11.inc | ||
| 27 | # Depending on workflow you can add the next line to your wget.local. | 27 | # Depending on workflow you can add the next line to your wget.local. |
| 28 | #include disable-xdg.inc | 28 | #include disable-xdg.inc |
| 29 | 29 | ||
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile index 8265e1ff8..e7f66cf76 100644 --- a/etc/profile-m-z/whois.profile +++ b/etc/profile-m-z/whois.profile | |||
| @@ -7,7 +7,6 @@ include whois.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | blacklist /tmp/.X11-unix | ||
| 11 | blacklist ${RUNUSER} | 10 | blacklist ${RUNUSER} |
| 12 | 11 | ||
| 13 | include disable-common.inc | 12 | include disable-common.inc |
| @@ -15,6 +14,7 @@ include disable-devel.inc | |||
| 15 | include disable-exec.inc | 14 | include disable-exec.inc |
| 16 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
| 17 | include disable-programs.inc | 16 | include disable-programs.inc |
| 17 | include disable-X11.inc | ||
| 18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
| 19 | 19 | ||
| 20 | include whitelist-usr-share-common.inc | 20 | include whitelist-usr-share-common.inc |
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile index 97f9e620a..6dd9d03a3 100644 --- a/etc/profile-m-z/yt-dlp.profile +++ b/etc/profile-m-z/yt-dlp.profile | |||
| @@ -29,7 +29,6 @@ noblacklist ${VIDEOS} | |||
| 29 | # Allow python (blacklisted by disable-interpreters.inc) | 29 | # Allow python (blacklisted by disable-interpreters.inc) |
| 30 | include allow-python3.inc | 30 | include allow-python3.inc |
| 31 | 31 | ||
| 32 | blacklist /tmp/.X11-unix | ||
| 33 | blacklist ${RUNUSER} | 32 | blacklist ${RUNUSER} |
| 34 | 33 | ||
| 35 | include disable-common.inc | 34 | include disable-common.inc |
| @@ -38,6 +37,7 @@ include disable-exec.inc | |||
| 38 | include disable-interpreters.inc | 37 | include disable-interpreters.inc |
| 39 | include disable-programs.inc | 38 | include disable-programs.inc |
| 40 | include disable-shell.inc | 39 | include disable-shell.inc |
| 40 | include disable-X11.inc | ||
| 41 | include disable-xdg.inc | 41 | include disable-xdg.inc |
| 42 | 42 | ||
| 43 | include whitelist-usr-share-common.inc | 43 | include whitelist-usr-share-common.inc |