Refactor archivers (#3820)

* Create archiver-common.inc

* add apparmor to archiver-common.inc

* refactor 7z.profile

* refactor ar.profile

* refactor atool.profile

* refactor bsdtar.profile

* refactor cpio.profile

* refactor gzip.profile

* refactor tar.profile

* refactor unrar.profile

* refactor unzip.profile

* refactor xzdec.profile

* refactor zstd.profile

* rewording

* blacklist ${RUNUSER} in archiver-common.inc

Thanks to @rusty-snake for suggesting this.

* drop non-sensical ${RUNUSER}/wayland-* blacklisting in archiver-common.inc

See discussion in https://github.com/netblue30/firejail/pull/3820#discussion_r543523343

1 files changed, 44 insertions, 0 deletions

diff --git a/etc/inc/archiver-common.inc b/etc/inc/archiver-common.inc
new file mode 100644
index 000000000..2c5e4d8bf
--- /dev/null
+++ b/etc/inc/archiver-common.inc
@@ -0,0 +1,44 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include archiver-common.local
+
+# common profile for archiver/compression tools
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+
+apparmor
+caps.drop all
+hostname archiver
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute