diff options
| author |  netblue30 <netblue30@protonmail.com> | 2021-07-05 07:23:31 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2021-07-05 07:23:31 -0400 |
| commit | fe0f975f447d59977d90c3226cc8c623b31b20b3 (patch) | |
| tree | 70897a33cde6c716e273d927d18a6be4b54c18a9 /etc/inc/disable-common.inc | |
| parent | deprecated whitelist=yes/no in /etc/firejail/firejail.config (diff) | |
| download | firejail-fe0f975f447d59977d90c3226cc8c623b31b20b3.tar.gz firejail-fe0f975f447d59977d90c3226cc8c623b31b20b3.tar.zst firejail-fe0f975f447d59977d90c3226cc8c623b31b20b3.zip | |
move whitelist/blacklist to allow/deny
Diffstat (limited to 'etc/inc/disable-common.inc')
| -rw-r--r-- | etc/inc/disable-common.inc | 684 |
1 files changed, 342 insertions, 342 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 2dc53d311..4c83284ee 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
| @@ -5,63 +5,63 @@ include disable-common.local | |||
| 5 | # The following block breaks trash functionality in file managers | 5 | # The following block breaks trash functionality in file managers |
| 6 | #read-only ${HOME}/.local | 6 | #read-only ${HOME}/.local |
| 7 | #read-write ${HOME}/.local/share | 7 | #read-write ${HOME}/.local/share |
| 8 | blacklist ${HOME}/.local/share/Trash | 8 | deny ${HOME}/.local/share/Trash |
| 9 | 9 | ||
| 10 | # History files in $HOME and clipboard managers | 10 | # History files in $HOME and clipboard managers |
| 11 | blacklist-nolog ${HOME}/.*_history | 11 | deny-nolog ${HOME}/.*_history |
| 12 | blacklist-nolog ${HOME}/.adobe | 12 | deny-nolog ${HOME}/.adobe |
| 13 | blacklist-nolog ${HOME}/.cache/greenclip* | 13 | deny-nolog ${HOME}/.cache/greenclip* |
| 14 | blacklist-nolog ${HOME}/.histfile | 14 | deny-nolog ${HOME}/.histfile |
| 15 | blacklist-nolog ${HOME}/.history | 15 | deny-nolog ${HOME}/.history |
| 16 | blacklist-nolog ${HOME}/.kde/share/apps/klipper | 16 | deny-nolog ${HOME}/.kde/share/apps/klipper |
| 17 | blacklist-nolog ${HOME}/.kde4/share/apps/klipper | 17 | deny-nolog ${HOME}/.kde4/share/apps/klipper |
| 18 | blacklist-nolog ${HOME}/.local/share/fish/fish_history | 18 | deny-nolog ${HOME}/.local/share/fish/fish_history |
| 19 | blacklist-nolog ${HOME}/.local/share/klipper | 19 | deny-nolog ${HOME}/.local/share/klipper |
| 20 | blacklist-nolog ${HOME}/.macromedia | 20 | deny-nolog ${HOME}/.macromedia |
| 21 | blacklist-nolog ${HOME}/.mupdf.history | 21 | deny-nolog ${HOME}/.mupdf.history |
| 22 | blacklist-nolog ${HOME}/.python-history | 22 | deny-nolog ${HOME}/.python-history |
| 23 | blacklist-nolog ${HOME}/.python_history | 23 | deny-nolog ${HOME}/.python_history |
| 24 | blacklist-nolog ${HOME}/.pythonhist | 24 | deny-nolog ${HOME}/.pythonhist |
| 25 | blacklist-nolog ${HOME}/.lesshst | 25 | deny-nolog ${HOME}/.lesshst |
| 26 | blacklist-nolog ${HOME}/.viminfo | 26 | deny-nolog ${HOME}/.viminfo |
| 27 | blacklist-nolog /tmp/clipmenu* | 27 | deny-nolog /tmp/clipmenu* |
| 28 | 28 | ||
| 29 | # X11 session autostart | 29 | # X11 session autostart |
| 30 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs | 30 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs |
| 31 | blacklist ${HOME}/.Xsession | 31 | deny ${HOME}/.Xsession |
| 32 | blacklist ${HOME}/.blackbox | 32 | deny ${HOME}/.blackbox |
| 33 | blacklist ${HOME}/.config/autostart | 33 | deny ${HOME}/.config/autostart |
| 34 | blacklist ${HOME}/.config/autostart-scripts | 34 | deny ${HOME}/.config/autostart-scripts |
| 35 | blacklist ${HOME}/.config/awesome | 35 | deny ${HOME}/.config/awesome |
| 36 | blacklist ${HOME}/.config/i3 | 36 | deny ${HOME}/.config/i3 |
| 37 | blacklist ${HOME}/.config/sway | 37 | deny ${HOME}/.config/sway |
| 38 | blacklist ${HOME}/.config/lxsession/LXDE/autostart | 38 | deny ${HOME}/.config/lxsession/LXDE/autostart |
| 39 | blacklist ${HOME}/.config/openbox | 39 | deny ${HOME}/.config/openbox |
| 40 | blacklist ${HOME}/.config/plasma-workspace | 40 | deny ${HOME}/.config/plasma-workspace |
| 41 | blacklist ${HOME}/.config/startupconfig | 41 | deny ${HOME}/.config/startupconfig |
| 42 | blacklist ${HOME}/.config/startupconfigkeys | 42 | deny ${HOME}/.config/startupconfigkeys |
| 43 | blacklist ${HOME}/.fluxbox | 43 | deny ${HOME}/.fluxbox |
| 44 | blacklist ${HOME}/.gnomerc | 44 | deny ${HOME}/.gnomerc |
| 45 | blacklist ${HOME}/.kde/Autostart | 45 | deny ${HOME}/.kde/Autostart |
| 46 | blacklist ${HOME}/.kde/env | 46 | deny ${HOME}/.kde/env |
| 47 | blacklist ${HOME}/.kde/share/autostart | 47 | deny ${HOME}/.kde/share/autostart |
| 48 | blacklist ${HOME}/.kde/share/config/startupconfig | 48 | deny ${HOME}/.kde/share/config/startupconfig |
| 49 | blacklist ${HOME}/.kde/share/config/startupconfigkeys | 49 | deny ${HOME}/.kde/share/config/startupconfigkeys |
| 50 | blacklist ${HOME}/.kde/shutdown | 50 | deny ${HOME}/.kde/shutdown |
| 51 | blacklist ${HOME}/.kde4/env | 51 | deny ${HOME}/.kde4/env |
| 52 | blacklist ${HOME}/.kde4/Autostart | 52 | deny ${HOME}/.kde4/Autostart |
| 53 | blacklist ${HOME}/.kde4/share/autostart | 53 | deny ${HOME}/.kde4/share/autostart |
| 54 | blacklist ${HOME}/.kde4/shutdown | 54 | deny ${HOME}/.kde4/shutdown |
| 55 | blacklist ${HOME}/.kde4/share/config/startupconfig | 55 | deny ${HOME}/.kde4/share/config/startupconfig |
| 56 | blacklist ${HOME}/.kde4/share/config/startupconfigkeys | 56 | deny ${HOME}/.kde4/share/config/startupconfigkeys |
| 57 | blacklist ${HOME}/.local/share/autostart | 57 | deny ${HOME}/.local/share/autostart |
| 58 | blacklist ${HOME}/.xinitrc | 58 | deny ${HOME}/.xinitrc |
| 59 | blacklist ${HOME}/.xprofile | 59 | deny ${HOME}/.xprofile |
| 60 | blacklist ${HOME}/.xserverrc | 60 | deny ${HOME}/.xserverrc |
| 61 | blacklist ${HOME}/.xsession | 61 | deny ${HOME}/.xsession |
| 62 | blacklist ${HOME}/.xsessionrc | 62 | deny ${HOME}/.xsessionrc |
| 63 | blacklist /etc/X11/Xsession.d | 63 | deny /etc/X11/Xsession.d |
| 64 | blacklist /etc/xdg/autostart | 64 | deny /etc/xdg/autostart |
| 65 | read-only ${HOME}/.Xauthority | 65 | read-only ${HOME}/.Xauthority |
| 66 | 66 | ||
| 67 | # Session manager | 67 | # Session manager |
| @@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority | |||
| 70 | #?HAS_X11: blacklist /tmp/.ICE-unix | 70 | #?HAS_X11: blacklist /tmp/.ICE-unix |
| 71 | 71 | ||
| 72 | # KDE config | 72 | # KDE config |
| 73 | blacklist ${HOME}/.cache/konsole | 73 | deny ${HOME}/.cache/konsole |
| 74 | blacklist ${HOME}/.config/khotkeysrc | 74 | deny ${HOME}/.config/khotkeysrc |
| 75 | blacklist ${HOME}/.config/krunnerrc | 75 | deny ${HOME}/.config/krunnerrc |
| 76 | blacklist ${HOME}/.config/kscreenlockerrc | 76 | deny ${HOME}/.config/kscreenlockerrc |
| 77 | blacklist ${HOME}/.config/ksslcertificatemanager | 77 | deny ${HOME}/.config/ksslcertificatemanager |
| 78 | blacklist ${HOME}/.config/kwalletrc | 78 | deny ${HOME}/.config/kwalletrc |
| 79 | blacklist ${HOME}/.config/kwinrc | 79 | deny ${HOME}/.config/kwinrc |
| 80 | blacklist ${HOME}/.config/kwinrulesrc | 80 | deny ${HOME}/.config/kwinrulesrc |
| 81 | blacklist ${HOME}/.config/plasma-locale-settings.sh | 81 | deny ${HOME}/.config/plasma-locale-settings.sh |
| 82 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc | 82 | deny ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc |
| 83 | blacklist ${HOME}/.config/plasmashellrc | 83 | deny ${HOME}/.config/plasmashellrc |
| 84 | blacklist ${HOME}/.config/plasmavaultrc | 84 | deny ${HOME}/.config/plasmavaultrc |
| 85 | blacklist ${HOME}/.kde/share/apps/kwin | 85 | deny ${HOME}/.kde/share/apps/kwin |
| 86 | blacklist ${HOME}/.kde/share/apps/plasma | 86 | deny ${HOME}/.kde/share/apps/plasma |
| 87 | blacklist ${HOME}/.kde/share/apps/solid | 87 | deny ${HOME}/.kde/share/apps/solid |
| 88 | blacklist ${HOME}/.kde/share/config/khotkeysrc | 88 | deny ${HOME}/.kde/share/config/khotkeysrc |
| 89 | blacklist ${HOME}/.kde/share/config/krunnerrc | 89 | deny ${HOME}/.kde/share/config/krunnerrc |
| 90 | blacklist ${HOME}/.kde/share/config/kscreensaverrc | 90 | deny ${HOME}/.kde/share/config/kscreensaverrc |
| 91 | blacklist ${HOME}/.kde/share/config/ksslcertificatemanager | 91 | deny ${HOME}/.kde/share/config/ksslcertificatemanager |
| 92 | blacklist ${HOME}/.kde/share/config/kwalletrc | 92 | deny ${HOME}/.kde/share/config/kwalletrc |
| 93 | blacklist ${HOME}/.kde/share/config/kwinrc | 93 | deny ${HOME}/.kde/share/config/kwinrc |
| 94 | blacklist ${HOME}/.kde/share/config/kwinrulesrc | 94 | deny ${HOME}/.kde/share/config/kwinrulesrc |
| 95 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc | 95 | deny ${HOME}/.kde/share/config/plasma-desktop-appletsrc |
| 96 | blacklist ${HOME}/.kde4/share/apps/kwin | 96 | deny ${HOME}/.kde4/share/apps/kwin |
| 97 | blacklist ${HOME}/.kde4/share/apps/plasma | 97 | deny ${HOME}/.kde4/share/apps/plasma |
| 98 | blacklist ${HOME}/.kde4/share/apps/solid | 98 | deny ${HOME}/.kde4/share/apps/solid |
| 99 | blacklist ${HOME}/.kde4/share/config/khotkeysrc | 99 | deny ${HOME}/.kde4/share/config/khotkeysrc |
| 100 | blacklist ${HOME}/.kde4/share/config/krunnerrc | 100 | deny ${HOME}/.kde4/share/config/krunnerrc |
| 101 | blacklist ${HOME}/.kde4/share/config/kscreensaverrc | 101 | deny ${HOME}/.kde4/share/config/kscreensaverrc |
| 102 | blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager | 102 | deny ${HOME}/.kde4/share/config/ksslcertificatemanager |
| 103 | blacklist ${HOME}/.kde4/share/config/kwalletrc | 103 | deny ${HOME}/.kde4/share/config/kwalletrc |
| 104 | blacklist ${HOME}/.kde4/share/config/kwinrc | 104 | deny ${HOME}/.kde4/share/config/kwinrc |
| 105 | blacklist ${HOME}/.kde4/share/config/kwinrulesrc | 105 | deny ${HOME}/.kde4/share/config/kwinrulesrc |
| 106 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc | 106 | deny ${HOME}/.kde4/share/config/plasma-desktop-appletsrc |
| 107 | blacklist ${HOME}/.local/share/kglobalaccel | 107 | deny ${HOME}/.local/share/kglobalaccel |
| 108 | blacklist ${HOME}/.local/share/kwin | 108 | deny ${HOME}/.local/share/kwin |
| 109 | blacklist ${HOME}/.local/share/plasma | 109 | deny ${HOME}/.local/share/plasma |
| 110 | blacklist ${HOME}/.local/share/plasmashell | 110 | deny ${HOME}/.local/share/plasmashell |
| 111 | blacklist ${HOME}/.local/share/solid | 111 | deny ${HOME}/.local/share/solid |
| 112 | blacklist /tmp/konsole-*.history | 112 | deny /tmp/konsole-*.history |
| 113 | read-only ${HOME}/.cache/ksycoca5_* | 113 | read-only ${HOME}/.cache/ksycoca5_* |
| 114 | read-only ${HOME}/.config/*notifyrc | 114 | read-only ${HOME}/.config/*notifyrc |
| 115 | read-only ${HOME}/.config/kdeglobals | 115 | read-only ${HOME}/.config/kdeglobals |
| @@ -138,124 +138,124 @@ read-only ${HOME}/.local/share/kservices5 | |||
| 138 | read-only ${HOME}/.local/share/kssl | 138 | read-only ${HOME}/.local/share/kssl |
| 139 | 139 | ||
| 140 | # KDE sockets | 140 | # KDE sockets |
| 141 | blacklist ${RUNUSER}/*.slave-socket | 141 | deny ${RUNUSER}/*.slave-socket |
| 142 | blacklist ${RUNUSER}/kdeinit5__* | 142 | deny ${RUNUSER}/kdeinit5__* |
| 143 | blacklist ${RUNUSER}/kdesud_* | 143 | deny ${RUNUSER}/kdesud_* |
| 144 | # see #3358 | 144 | # see #3358 |
| 145 | #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-* | 145 | #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-* |
| 146 | #?HAS_NODBUS: blacklist /tmp/ksocket-* | 146 | #?HAS_NODBUS: blacklist /tmp/ksocket-* |
| 147 | 147 | ||
| 148 | # gnome | 148 | # gnome |
| 149 | # contains extensions, last used times of applications, and notifications | 149 | # contains extensions, last used times of applications, and notifications |
| 150 | blacklist ${HOME}/.local/share/gnome-shell | 150 | deny ${HOME}/.local/share/gnome-shell |
| 151 | # contains recently used files and serials of static/removable storage | 151 | # contains recently used files and serials of static/removable storage |
| 152 | blacklist ${HOME}/.local/share/gvfs-metadata | 152 | deny ${HOME}/.local/share/gvfs-metadata |
| 153 | # no direct modification of dconf database | 153 | # no direct modification of dconf database |
| 154 | read-only ${HOME}/.config/dconf | 154 | read-only ${HOME}/.config/dconf |
| 155 | blacklist ${RUNUSER}/gnome-session-leader-fifo | 155 | deny ${RUNUSER}/gnome-session-leader-fifo |
| 156 | blacklist ${RUNUSER}/gnome-shell | 156 | deny ${RUNUSER}/gnome-shell |
| 157 | blacklist ${RUNUSER}/gsconnect | 157 | deny ${RUNUSER}/gsconnect |
| 158 | 158 | ||
| 159 | # systemd | 159 | # systemd |
| 160 | blacklist ${HOME}/.config/systemd | 160 | deny ${HOME}/.config/systemd |
| 161 | blacklist ${HOME}/.local/share/systemd | 161 | deny ${HOME}/.local/share/systemd |
| 162 | blacklist /var/lib/systemd | 162 | deny /var/lib/systemd |
| 163 | blacklist ${PATH}/systemd-run | 163 | deny ${PATH}/systemd-run |
| 164 | blacklist ${RUNUSER}/systemd | 164 | deny ${RUNUSER}/systemd |
| 165 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf | 165 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf |
| 166 | #blacklist /var/run/systemd | 166 | #blacklist /var/run/systemd |
| 167 | 167 | ||
| 168 | # openrc | 168 | # openrc |
| 169 | blacklist /etc/runlevels/ | 169 | deny /etc/runlevels/ |
| 170 | blacklist /etc/init.d/ | 170 | deny /etc/init.d/ |
| 171 | blacklist /etc/rc.conf | 171 | deny /etc/rc.conf |
| 172 | 172 | ||
| 173 | # VirtualBox | 173 | # VirtualBox |
| 174 | blacklist ${HOME}/.VirtualBox | 174 | deny ${HOME}/.VirtualBox |
| 175 | blacklist ${HOME}/.config/VirtualBox | 175 | deny ${HOME}/.config/VirtualBox |
| 176 | blacklist ${HOME}/VirtualBox VMs | 176 | deny ${HOME}/VirtualBox VMs |
| 177 | 177 | ||
| 178 | # GNOME Boxes | 178 | # GNOME Boxes |
| 179 | blacklist ${HOME}/.config/gnome-boxes | 179 | deny ${HOME}/.config/gnome-boxes |
| 180 | blacklist ${HOME}/.local/share/gnome-boxes | 180 | deny ${HOME}/.local/share/gnome-boxes |
| 181 | 181 | ||
| 182 | # libvirt | 182 | # libvirt |
| 183 | blacklist ${HOME}/.cache/libvirt | 183 | deny ${HOME}/.cache/libvirt |
| 184 | blacklist ${HOME}/.config/libvirt | 184 | deny ${HOME}/.config/libvirt |
| 185 | blacklist ${RUNUSER}/libvirt | 185 | deny ${RUNUSER}/libvirt |
| 186 | blacklist /var/cache/libvirt | 186 | deny /var/cache/libvirt |
| 187 | blacklist /var/lib/libvirt | 187 | deny /var/lib/libvirt |
| 188 | blacklist /var/log/libvirt | 188 | deny /var/log/libvirt |
| 189 | 189 | ||
| 190 | # OCI-Containers / Podman | 190 | # OCI-Containers / Podman |
| 191 | blacklist ${RUNUSER}/containers | 191 | deny ${RUNUSER}/containers |
| 192 | blacklist ${RUNUSER}/crun | 192 | deny ${RUNUSER}/crun |
| 193 | blacklist ${RUNUSER}/libpod | 193 | deny ${RUNUSER}/libpod |
| 194 | blacklist ${RUNUSER}/runc | 194 | deny ${RUNUSER}/runc |
| 195 | blacklist ${RUNUSER}/toolbox | 195 | deny ${RUNUSER}/toolbox |
| 196 | 196 | ||
| 197 | # VeraCrypt | 197 | # VeraCrypt |
| 198 | blacklist ${HOME}/.VeraCrypt | 198 | deny ${HOME}/.VeraCrypt |
| 199 | blacklist ${PATH}/veracrypt | 199 | deny ${PATH}/veracrypt |
| 200 | blacklist ${PATH}/veracrypt-uninstall.sh | 200 | deny ${PATH}/veracrypt-uninstall.sh |
| 201 | blacklist /usr/share/applications/veracrypt.* | 201 | deny /usr/share/applications/veracrypt.* |
| 202 | blacklist /usr/share/pixmaps/veracrypt.* | 202 | deny /usr/share/pixmaps/veracrypt.* |
| 203 | blacklist /usr/share/veracrypt | 203 | deny /usr/share/veracrypt |
| 204 | 204 | ||
| 205 | # TrueCrypt | 205 | # TrueCrypt |
| 206 | blacklist ${HOME}/.TrueCrypt | 206 | deny ${HOME}/.TrueCrypt |
| 207 | blacklist ${PATH}/truecrypt | 207 | deny ${PATH}/truecrypt |
| 208 | blacklist ${PATH}/truecrypt-uninstall.sh | 208 | deny ${PATH}/truecrypt-uninstall.sh |
| 209 | blacklist /usr/share/applications/truecrypt.* | 209 | deny /usr/share/applications/truecrypt.* |
| 210 | blacklist /usr/share/pixmaps/truecrypt.* | 210 | deny /usr/share/pixmaps/truecrypt.* |
| 211 | blacklist /usr/share/truecrypt | 211 | deny /usr/share/truecrypt |
| 212 | 212 | ||
| 213 | # zuluCrypt | 213 | # zuluCrypt |
| 214 | blacklist ${HOME}/.zuluCrypt | 214 | deny ${HOME}/.zuluCrypt |
| 215 | blacklist ${HOME}/.zuluCrypt-socket | 215 | deny ${HOME}/.zuluCrypt-socket |
| 216 | blacklist ${PATH}/zuluCrypt-cli | 216 | deny ${PATH}/zuluCrypt-cli |
| 217 | blacklist ${PATH}/zuluMount-cli | 217 | deny ${PATH}/zuluMount-cli |
| 218 | 218 | ||
| 219 | # var | 219 | # var |
| 220 | blacklist /var/cache/apt | 220 | deny /var/cache/apt |
| 221 | blacklist /var/cache/pacman | 221 | deny /var/cache/pacman |
| 222 | blacklist /var/lib/apt | 222 | deny /var/lib/apt |
| 223 | blacklist /var/lib/clamav | 223 | deny /var/lib/clamav |
| 224 | blacklist /var/lib/dkms | 224 | deny /var/lib/dkms |
| 225 | blacklist /var/lib/mysql/mysql.sock | 225 | deny /var/lib/mysql/mysql.sock |
| 226 | blacklist /var/lib/mysqld/mysql.sock | 226 | deny /var/lib/mysqld/mysql.sock |
| 227 | blacklist /var/lib/pacman | 227 | deny /var/lib/pacman |
| 228 | blacklist /var/lib/upower | 228 | deny /var/lib/upower |
| 229 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for | 229 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for |
| 230 | # every sandbox, unless --writable-var-log switch is activated | 230 | # every sandbox, unless --writable-var-log switch is activated |
| 231 | blacklist /var/mail | 231 | deny /var/mail |
| 232 | blacklist /var/opt | 232 | deny /var/opt |
| 233 | blacklist /var/run/acpid.socket | 233 | deny /var/run/acpid.socket |
| 234 | blacklist /var/run/docker.sock | 234 | deny /var/run/docker.sock |
| 235 | blacklist /var/run/minissdpd.sock | 235 | deny /var/run/minissdpd.sock |
| 236 | blacklist /var/run/mysql/mysqld.sock | 236 | deny /var/run/mysql/mysqld.sock |
| 237 | blacklist /var/run/mysqld/mysqld.sock | 237 | deny /var/run/mysqld/mysqld.sock |
| 238 | blacklist /var/run/rpcbind.sock | 238 | deny /var/run/rpcbind.sock |
| 239 | blacklist /var/run/screens | 239 | deny /var/run/screens |
| 240 | blacklist /var/spool/anacron | 240 | deny /var/spool/anacron |
| 241 | blacklist /var/spool/cron | 241 | deny /var/spool/cron |
| 242 | blacklist /var/spool/mail | 242 | deny /var/spool/mail |
| 243 | 243 | ||
| 244 | # etc | 244 | # etc |
| 245 | blacklist /etc/anacrontab | 245 | deny /etc/anacrontab |
| 246 | blacklist /etc/cron* | 246 | deny /etc/cron* |
| 247 | blacklist /etc/profile.d | 247 | deny /etc/profile.d |
| 248 | blacklist /etc/rc.local | 248 | deny /etc/rc.local |
| 249 | # rc1.d, rc2.d, ... | 249 | # rc1.d, rc2.d, ... |
| 250 | blacklist /etc/rc?.d | 250 | deny /etc/rc?.d |
| 251 | blacklist /etc/kernel* | 251 | deny /etc/kernel* |
| 252 | blacklist /etc/grub* | 252 | deny /etc/grub* |
| 253 | blacklist /etc/dkms | 253 | deny /etc/dkms |
| 254 | blacklist /etc/apparmor* | 254 | deny /etc/apparmor* |
| 255 | blacklist /etc/selinux | 255 | deny /etc/selinux |
| 256 | blacklist /etc/modules* | 256 | deny /etc/modules* |
| 257 | blacklist /etc/logrotate* | 257 | deny /etc/logrotate* |
| 258 | blacklist /etc/adduser.conf | 258 | deny /etc/adduser.conf |
| 259 | 259 | ||
| 260 | # Startup files | 260 | # Startup files |
| 261 | read-only ${HOME}/.antigen | 261 | read-only ${HOME}/.antigen |
| @@ -292,13 +292,13 @@ read-only ${HOME}/.zshrc | |||
| 292 | read-only ${HOME}/.zshrc.local | 292 | read-only ${HOME}/.zshrc.local |
| 293 | 293 | ||
| 294 | # Remote access | 294 | # Remote access |
| 295 | blacklist ${HOME}/.rhosts | 295 | deny ${HOME}/.rhosts |
| 296 | blacklist ${HOME}/.shosts | 296 | deny ${HOME}/.shosts |
| 297 | blacklist ${HOME}/.ssh/authorized_keys | 297 | deny ${HOME}/.ssh/authorized_keys |
| 298 | blacklist ${HOME}/.ssh/authorized_keys2 | 298 | deny ${HOME}/.ssh/authorized_keys2 |
| 299 | blacklist ${HOME}/.ssh/environment | 299 | deny ${HOME}/.ssh/environment |
| 300 | blacklist ${HOME}/.ssh/rc | 300 | deny ${HOME}/.ssh/rc |
| 301 | blacklist /etc/hosts.equiv | 301 | deny /etc/hosts.equiv |
| 302 | read-only ${HOME}/.ssh/config | 302 | read-only ${HOME}/.ssh/config |
| 303 | read-only ${HOME}/.ssh/config.d | 303 | read-only ${HOME}/.ssh/config.d |
| 304 | 304 | ||
| @@ -359,200 +359,200 @@ read-only ${HOME}/.local/share/mime | |||
| 359 | read-only ${HOME}/.local/share/thumbnailers | 359 | read-only ${HOME}/.local/share/thumbnailers |
| 360 | 360 | ||
| 361 | # prevent access to ssh-agent | 361 | # prevent access to ssh-agent |
| 362 | blacklist /tmp/ssh-* | 362 | deny /tmp/ssh-* |
| 363 | 363 | ||
| 364 | # top secret | 364 | # top secret |
| 365 | blacklist ${HOME}/*.kdb | 365 | deny ${HOME}/*.kdb |
| 366 | blacklist ${HOME}/*.kdbx | 366 | deny ${HOME}/*.kdbx |
| 367 | blacklist ${HOME}/*.key | 367 | deny ${HOME}/*.key |
| 368 | blacklist ${HOME}/.Private | 368 | deny ${HOME}/.Private |
| 369 | blacklist ${HOME}/.caff | 369 | deny ${HOME}/.caff |
| 370 | blacklist ${HOME}/.cargo/credentials | 370 | deny ${HOME}/.cargo/credentials |
| 371 | blacklist ${HOME}/.cargo/credentials.toml | 371 | deny ${HOME}/.cargo/credentials.toml |
| 372 | blacklist ${HOME}/.cert | 372 | deny ${HOME}/.cert |
| 373 | blacklist ${HOME}/.config/keybase | 373 | deny ${HOME}/.config/keybase |
| 374 | blacklist ${HOME}/.davfs2/secrets | 374 | deny ${HOME}/.davfs2/secrets |
| 375 | blacklist ${HOME}/.ecryptfs | 375 | deny ${HOME}/.ecryptfs |
| 376 | blacklist ${HOME}/.fetchmailrc | 376 | deny ${HOME}/.fetchmailrc |
| 377 | blacklist ${HOME}/.fscrypt | 377 | deny ${HOME}/.fscrypt |
| 378 | blacklist ${HOME}/.git-credential-cache | 378 | deny ${HOME}/.git-credential-cache |
| 379 | blacklist ${HOME}/.git-credentials | 379 | deny ${HOME}/.git-credentials |
| 380 | blacklist ${HOME}/.gnome2/keyrings | 380 | deny ${HOME}/.gnome2/keyrings |
| 381 | blacklist ${HOME}/.gnupg | 381 | deny ${HOME}/.gnupg |
| 382 | blacklist ${HOME}/.config/hub | 382 | deny ${HOME}/.config/hub |
| 383 | blacklist ${HOME}/.kde/share/apps/kwallet | 383 | deny ${HOME}/.kde/share/apps/kwallet |
| 384 | blacklist ${HOME}/.kde4/share/apps/kwallet | 384 | deny ${HOME}/.kde4/share/apps/kwallet |
| 385 | blacklist ${HOME}/.local/share/keyrings | 385 | deny ${HOME}/.local/share/keyrings |
| 386 | blacklist ${HOME}/.local/share/kwalletd | 386 | deny ${HOME}/.local/share/kwalletd |
| 387 | blacklist ${HOME}/.local/share/plasma-vault | 387 | deny ${HOME}/.local/share/plasma-vault |
| 388 | blacklist ${HOME}/.msmtprc | 388 | deny ${HOME}/.msmtprc |
| 389 | blacklist ${HOME}/.mutt | 389 | deny ${HOME}/.mutt |
| 390 | blacklist ${HOME}/.muttrc | 390 | deny ${HOME}/.muttrc |
| 391 | blacklist ${HOME}/.netrc | 391 | deny ${HOME}/.netrc |
| 392 | blacklist ${HOME}/.nyx | 392 | deny ${HOME}/.nyx |
| 393 | blacklist ${HOME}/.pki | 393 | deny ${HOME}/.pki |
| 394 | blacklist ${HOME}/.local/share/pki | 394 | deny ${HOME}/.local/share/pki |
| 395 | blacklist ${HOME}/.smbcredentials | 395 | deny ${HOME}/.smbcredentials |
| 396 | blacklist ${HOME}/.ssh | 396 | deny ${HOME}/.ssh |
| 397 | blacklist ${HOME}/.vaults | 397 | deny ${HOME}/.vaults |
| 398 | blacklist /.fscrypt | 398 | deny /.fscrypt |
| 399 | blacklist /etc/davfs2/secrets | 399 | deny /etc/davfs2/secrets |
| 400 | blacklist /etc/group+ | 400 | deny /etc/group+ |
| 401 | blacklist /etc/group- | 401 | deny /etc/group- |
| 402 | blacklist /etc/gshadow | 402 | deny /etc/gshadow |
| 403 | blacklist /etc/gshadow+ | 403 | deny /etc/gshadow+ |
| 404 | blacklist /etc/gshadow- | 404 | deny /etc/gshadow- |
| 405 | blacklist /etc/passwd+ | 405 | deny /etc/passwd+ |
| 406 | blacklist /etc/passwd- | 406 | deny /etc/passwd- |
| 407 | blacklist /etc/shadow | 407 | deny /etc/shadow |
| 408 | blacklist /etc/shadow+ | 408 | deny /etc/shadow+ |
| 409 | blacklist /etc/shadow- | 409 | deny /etc/shadow- |
| 410 | blacklist /etc/ssh | 410 | deny /etc/ssh |
| 411 | blacklist /etc/ssh/* | 411 | deny /etc/ssh/* |
| 412 | blacklist /home/.ecryptfs | 412 | deny /home/.ecryptfs |
| 413 | blacklist /home/.fscrypt | 413 | deny /home/.fscrypt |
| 414 | blacklist /var/backup | 414 | deny /var/backup |
| 415 | 415 | ||
| 416 | # cloud provider configuration | 416 | # cloud provider configuration |
| 417 | blacklist ${HOME}/.aws | 417 | deny ${HOME}/.aws |
| 418 | blacklist ${HOME}/.boto | 418 | deny ${HOME}/.boto |
| 419 | blacklist ${HOME}/.config/gcloud | 419 | deny ${HOME}/.config/gcloud |
| 420 | blacklist ${HOME}/.kube | 420 | deny ${HOME}/.kube |
| 421 | blacklist ${HOME}/.passwd-s3fs | 421 | deny ${HOME}/.passwd-s3fs |
| 422 | blacklist ${HOME}/.s3cmd | 422 | deny ${HOME}/.s3cmd |
| 423 | blacklist /etc/boto.cfg | 423 | deny /etc/boto.cfg |
| 424 | 424 | ||
| 425 | # system directories | 425 | # system directories |
| 426 | blacklist /sbin | 426 | deny /sbin |
| 427 | blacklist /usr/local/sbin | 427 | deny /usr/local/sbin |
| 428 | blacklist /usr/sbin | 428 | deny /usr/sbin |
| 429 | 429 | ||
| 430 | # system management | 430 | # system management |
| 431 | blacklist ${PATH}/at | 431 | deny ${PATH}/at |
| 432 | blacklist ${PATH}/busybox | 432 | deny ${PATH}/busybox |
| 433 | blacklist ${PATH}/chage | 433 | deny ${PATH}/chage |
| 434 | blacklist ${PATH}/chfn | 434 | deny ${PATH}/chfn |
| 435 | blacklist ${PATH}/chsh | 435 | deny ${PATH}/chsh |
| 436 | blacklist ${PATH}/crontab | 436 | deny ${PATH}/crontab |
| 437 | blacklist ${PATH}/evtest | 437 | deny ${PATH}/evtest |
| 438 | blacklist ${PATH}/expiry | 438 | deny ${PATH}/expiry |
| 439 | blacklist ${PATH}/fusermount | 439 | deny ${PATH}/fusermount |
| 440 | blacklist ${PATH}/gksu | 440 | deny ${PATH}/gksu |
| 441 | blacklist ${PATH}/gksudo | 441 | deny ${PATH}/gksudo |
| 442 | blacklist ${PATH}/gpasswd | 442 | deny ${PATH}/gpasswd |
| 443 | blacklist ${PATH}/kdesudo | 443 | deny ${PATH}/kdesudo |
| 444 | blacklist ${PATH}/ksu | 444 | deny ${PATH}/ksu |
| 445 | blacklist ${PATH}/mount | 445 | deny ${PATH}/mount |
| 446 | blacklist ${PATH}/mount.ecryptfs_private | 446 | deny ${PATH}/mount.ecryptfs_private |
| 447 | blacklist ${PATH}/nc | 447 | deny ${PATH}/nc |
| 448 | blacklist ${PATH}/ncat | 448 | deny ${PATH}/ncat |
| 449 | blacklist ${PATH}/nmap | 449 | deny ${PATH}/nmap |
| 450 | blacklist ${PATH}/newgidmap | 450 | deny ${PATH}/newgidmap |
| 451 | blacklist ${PATH}/newgrp | 451 | deny ${PATH}/newgrp |
| 452 | blacklist ${PATH}/newuidmap | 452 | deny ${PATH}/newuidmap |
| 453 | blacklist ${PATH}/ntfs-3g | 453 | deny ${PATH}/ntfs-3g |
| 454 | blacklist ${PATH}/pkexec | 454 | deny ${PATH}/pkexec |
| 455 | blacklist ${PATH}/procmail | 455 | deny ${PATH}/procmail |
| 456 | blacklist ${PATH}/sg | 456 | deny ${PATH}/sg |
| 457 | blacklist ${PATH}/strace | 457 | deny ${PATH}/strace |
| 458 | blacklist ${PATH}/su | 458 | deny ${PATH}/su |
| 459 | blacklist ${PATH}/sudo | 459 | deny ${PATH}/sudo |
| 460 | blacklist ${PATH}/tcpdump | 460 | deny ${PATH}/tcpdump |
| 461 | blacklist ${PATH}/umount | 461 | deny ${PATH}/umount |
| 462 | blacklist ${PATH}/unix_chkpwd | 462 | deny ${PATH}/unix_chkpwd |
| 463 | blacklist ${PATH}/xev | 463 | deny ${PATH}/xev |
| 464 | blacklist ${PATH}/xinput | 464 | deny ${PATH}/xinput |
| 465 | 465 | ||
| 466 | # other SUID binaries | 466 | # other SUID binaries |
| 467 | blacklist /usr/lib/virtualbox | 467 | deny /usr/lib/virtualbox |
| 468 | blacklist /usr/lib64/virtualbox | 468 | deny /usr/lib64/virtualbox |
| 469 | 469 | ||
| 470 | # prevent lxterminal connecting to an existing lxterminal session | 470 | # prevent lxterminal connecting to an existing lxterminal session |
| 471 | blacklist /tmp/.lxterminal-socket* | 471 | deny /tmp/.lxterminal-socket* |
| 472 | # prevent tmux connecting to an existing session | 472 | # prevent tmux connecting to an existing session |
| 473 | blacklist /tmp/tmux-* | 473 | deny /tmp/tmux-* |
| 474 | 474 | ||
| 475 | # disable terminals running as server resulting in sandbox escape | 475 | # disable terminals running as server resulting in sandbox escape |
| 476 | blacklist ${PATH}/lxterminal | 476 | deny ${PATH}/lxterminal |
| 477 | blacklist ${PATH}/gnome-terminal | 477 | deny ${PATH}/gnome-terminal |
| 478 | blacklist ${PATH}/gnome-terminal.wrapper | 478 | deny ${PATH}/gnome-terminal.wrapper |
| 479 | blacklist ${PATH}/lilyterm | 479 | deny ${PATH}/lilyterm |
| 480 | blacklist ${PATH}/mate-terminal | 480 | deny ${PATH}/mate-terminal |
| 481 | blacklist ${PATH}/mate-terminal.wrapper | 481 | deny ${PATH}/mate-terminal.wrapper |
| 482 | blacklist ${PATH}/pantheon-terminal | 482 | deny ${PATH}/pantheon-terminal |
| 483 | blacklist ${PATH}/roxterm | 483 | deny ${PATH}/roxterm |
| 484 | blacklist ${PATH}/roxterm-config | 484 | deny ${PATH}/roxterm-config |
| 485 | blacklist ${PATH}/terminix | 485 | deny ${PATH}/terminix |
| 486 | blacklist ${PATH}/tilix | 486 | deny ${PATH}/tilix |
| 487 | blacklist ${PATH}/urxvtc | 487 | deny ${PATH}/urxvtc |
| 488 | blacklist ${PATH}/urxvtcd | 488 | deny ${PATH}/urxvtcd |
| 489 | blacklist ${PATH}/xfce4-terminal | 489 | deny ${PATH}/xfce4-terminal |
| 490 | blacklist ${PATH}/xfce4-terminal.wrapper | 490 | deny ${PATH}/xfce4-terminal.wrapper |
| 491 | # blacklist ${PATH}/konsole | 491 | # blacklist ${PATH}/konsole |
| 492 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 | 492 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 |
| 493 | 493 | ||
| 494 | # kernel files | 494 | # kernel files |
| 495 | blacklist /initrd* | 495 | deny /initrd* |
| 496 | blacklist /vmlinuz* | 496 | deny /vmlinuz* |
| 497 | 497 | ||
| 498 | # snapshot files | 498 | # snapshot files |
| 499 | blacklist /.snapshots | 499 | deny /.snapshots |
| 500 | 500 | ||
| 501 | # flatpak | 501 | # flatpak |
| 502 | blacklist ${HOME}/.cache/flatpak | 502 | deny ${HOME}/.cache/flatpak |
| 503 | blacklist ${HOME}/.config/flatpak | 503 | deny ${HOME}/.config/flatpak |
| 504 | noblacklist ${HOME}/.local/share/flatpak/exports | 504 | nodeny ${HOME}/.local/share/flatpak/exports |
| 505 | read-only ${HOME}/.local/share/flatpak/exports | 505 | read-only ${HOME}/.local/share/flatpak/exports |
| 506 | blacklist ${HOME}/.local/share/flatpak/* | 506 | deny ${HOME}/.local/share/flatpak/* |
| 507 | blacklist ${HOME}/.var | 507 | deny ${HOME}/.var |
| 508 | blacklist ${RUNUSER}/app | 508 | deny ${RUNUSER}/app |
| 509 | blacklist ${RUNUSER}/doc | 509 | deny ${RUNUSER}/doc |
| 510 | blacklist ${RUNUSER}/.dbus-proxy | 510 | deny ${RUNUSER}/.dbus-proxy |
| 511 | blacklist ${RUNUSER}/.flatpak | 511 | deny ${RUNUSER}/.flatpak |
| 512 | blacklist ${RUNUSER}/.flatpak-cache | 512 | deny ${RUNUSER}/.flatpak-cache |
| 513 | blacklist ${RUNUSER}/.flatpak-helper | 513 | deny ${RUNUSER}/.flatpak-helper |
| 514 | blacklist /usr/share/flatpak | 514 | deny /usr/share/flatpak |
| 515 | noblacklist /var/lib/flatpak/exports | 515 | nodeny /var/lib/flatpak/exports |
| 516 | blacklist /var/lib/flatpak/* | 516 | deny /var/lib/flatpak/* |
| 517 | # most of the time bwrap is SUID binary | 517 | # most of the time bwrap is SUID binary |
| 518 | blacklist ${PATH}/bwrap | 518 | deny ${PATH}/bwrap |
| 519 | 519 | ||
| 520 | # snap | 520 | # snap |
| 521 | blacklist ${RUNUSER}/snapd-session-agent.socket | 521 | deny ${RUNUSER}/snapd-session-agent.socket |
| 522 | 522 | ||
| 523 | # mail directories used by mutt | 523 | # mail directories used by mutt |
| 524 | blacklist ${HOME}/.Mail | 524 | deny ${HOME}/.Mail |
| 525 | blacklist ${HOME}/.mail | 525 | deny ${HOME}/.mail |
| 526 | blacklist ${HOME}/.signature | 526 | deny ${HOME}/.signature |
| 527 | blacklist ${HOME}/Mail | 527 | deny ${HOME}/Mail |
| 528 | blacklist ${HOME}/mail | 528 | deny ${HOME}/mail |
| 529 | blacklist ${HOME}/postponed | 529 | deny ${HOME}/postponed |
| 530 | blacklist ${HOME}/sent | 530 | deny ${HOME}/sent |
| 531 | 531 | ||
| 532 | # kernel configuration | 532 | # kernel configuration |
| 533 | blacklist /proc/config.gz | 533 | deny /proc/config.gz |
| 534 | 534 | ||
| 535 | # prevent DNS malware attempting to communicate with the server | 535 | # prevent DNS malware attempting to communicate with the server |
| 536 | # using regular DNS tools | 536 | # using regular DNS tools |
| 537 | blacklist ${PATH}/dig | 537 | deny ${PATH}/dig |
| 538 | blacklist ${PATH}/dlint | 538 | deny ${PATH}/dlint |
| 539 | blacklist ${PATH}/dns2tcp | 539 | deny ${PATH}/dns2tcp |
| 540 | blacklist ${PATH}/dnssec-* | 540 | deny ${PATH}/dnssec-* |
| 541 | blacklist ${PATH}/dnswalk | 541 | deny ${PATH}/dnswalk |
| 542 | blacklist ${PATH}/drill | 542 | deny ${PATH}/drill |
| 543 | blacklist ${PATH}/host | 543 | deny ${PATH}/host |
| 544 | blacklist ${PATH}/iodine | 544 | deny ${PATH}/iodine |
| 545 | blacklist ${PATH}/kdig | 545 | deny ${PATH}/kdig |
| 546 | blacklist ${PATH}/khost | 546 | deny ${PATH}/khost |
| 547 | blacklist ${PATH}/knsupdate | 547 | deny ${PATH}/knsupdate |
| 548 | blacklist ${PATH}/ldns-* | 548 | deny ${PATH}/ldns-* |
| 549 | blacklist ${PATH}/ldnsd | 549 | deny ${PATH}/ldnsd |
| 550 | blacklist ${PATH}/nslookup | 550 | deny ${PATH}/nslookup |
| 551 | blacklist ${PATH}/resolvectl | 551 | deny ${PATH}/resolvectl |
| 552 | blacklist ${PATH}/unbound-host | 552 | deny ${PATH}/unbound-host |
| 553 | 553 | ||
| 554 | # rest of ${RUNUSER} | 554 | # rest of ${RUNUSER} |
| 555 | blacklist ${RUNUSER}/*.lock | 555 | deny ${RUNUSER}/*.lock |
| 556 | blacklist ${RUNUSER}/inaccessible | 556 | deny ${RUNUSER}/inaccessible |
| 557 | blacklist ${RUNUSER}/pk-debconf-socket | 557 | deny ${RUNUSER}/pk-debconf-socket |
| 558 | blacklist ${RUNUSER}/update-notifier.pid | 558 | deny ${RUNUSER}/update-notifier.pid |