hardenings for various profiles (#3160)

* harden devilspie

* harden devilspie2

* harden curl

* harden wget

* harden curl

* harden dig

* harden claws-mail

* harden dnscrypt-proxy

* harden dnscrypt-proxy

* harden dnscrypt-proxy

* harden exfalso

* refactor easystroke as whitelist profile

* refactor enchant as whitelist profile

* safeguard ${DOCUMENTS}

Thanks @rusty-snake for the suggestion.

* drop x11-none

Thanks @rusty-snake for catching this.

* drop x11 none

Thanks @rusty-snake for saving the bacon...

* drop x11 none

Thanks @rusty-snake for catching this.

* drop x11 none

Thanks @rusty-snake for preventing breakage!

* drop ipc-namespace

Better safe than sorry...

1 files changed, 7 insertions, 0 deletions

diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index d0430d5ca..65722b3ef 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -7,6 +7,8 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+
 noblacklist /sbin
 noblacklist /usr/sbin
 
@@ -20,10 +22,13 @@ include disable-xdg.inc
 
 whitelist /usr/share/dnscrypt-proxy
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 ipc-namespace
 machine-id
+netfilter
 no3d
 nodbus
 nodvd
@@ -34,6 +39,8 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+shell none
+tracelog
 
 disable-mnt
 private