from my overrides

- add seccomp.block-secondary to a lot profiles - add wruc to firefox-common and ignore it in TB and firefox-common-addons - harden dia, gnome-keyring, libreoffice, megaglest, pngquant, ghostwriter, rhythmbox, sqlitebrowser
author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-11-16 11:41:35 +0100
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-11-16 11:41:35 +0100
commit: 096d0de5f8bb253d0c1035796464bc5982f06f81 (patch)
tree: d9634d1c26afca63ada52f66dd55eb09a46647dd /etc/profile-a-l
parent: Add XAUTHORITY file of sddm from openSUSE Tumblew… (diff)
download: firejail-096d0de5f8bb253d0c1035796464bc5982f06f81.tar.gz
firejail-096d0de5f8bb253d0c1035796464bc5982f06f81.tar.zst
firejail-096d0de5f8bb253d0c1035796464bc5982f06f81.zip
35 files changed, 56 insertions, 5 deletions
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 6869ea631..c4e820078 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 3937e1966..4401c9dfd 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -30,6 +30,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index c1c338536..dbde3e4de 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 8bf086ab4..56709a466 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -46,6 +46,7 @@ noroot
 nou2f
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index d6541850d..b41a73916 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 52bf1c7f8..e409eb044 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -9,16 +9,24 @@ include globals.local
 noblacklist ${HOME}/.dia
 noblacklist ${DOCUMENTS}
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include allow-python2.inc
-include allow-python3.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+#mkdir ${HOME}/.dia
+#whitelist ${HOME}/.dia
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
+whitelist /usr/share/dia
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -36,6 +44,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 disable-mnt
 #private-bin dia
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index e8b49a395..e059f3b74 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -27,6 +27,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -38,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 77a48f0ba..c0c16e929 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index fb5c9ee57..c6e9ba095 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -41,6 +41,7 @@ novideo
 protocol inet,inet6
 # allow set_mempolicy, which is required to encode using libx265
 seccomp !set_mempolicy
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 745b8b8e9..2a1eb2001 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 7c343c26d..fe0a27828 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -27,6 +27,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 357354e70..851a7c747 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -45,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 653272499..23d259337 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 74b468020..e339f6abb 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 17b7ad563..30251fbe5 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index d97ab530b..b8d1b9608 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -49,6 +49,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 5bb410278..c15174815 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -26,6 +26,7 @@ whitelist /usr/share/texlive
 whitelist /usr/share/pandoc*
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
@@ -41,6 +42,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
+seccomp.block-secondary
 shell none
 #tracelog -- breaks
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 71b8e9b11..3d80c1ed2 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -45,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index ceb01f2a0..7780dfa65 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index 3e815234c..9927fb869 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index f4f3ae2d7..4d53a67dd 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index 7a38bdc8a..03b89e394 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -32,6 +32,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 disable-mnt
 private-dev
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 5ae7bbe01..bb5ef0eab 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index ecbb74158..a0b9ef04e 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.gnupg
-whitelist ${HOME}/.gnupg
-whitelist ${DOWNLOADS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,9 +17,15 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -41,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
@@ -52,6 +57,6 @@ private-dev
 private-tmp
 # dbus-user none
-# dbus-system none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 11d184bc6..87376da40 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index eb0030dda..23629df95 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -54,6 +54,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index ed430b654..073de47b9 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 2af406af9..65cc23b5f 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index 82fb1b658..2534eed5a 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index a64ec25a9..2e063ebfe 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index a181f1b9e..beed92a7d 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index c46fbc1d9..56ed7a436 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index c0254b5ec..3df42d209 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 06447c3e6..58db056b2 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -55,6 +55,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index f9c92f6f6..031f0e19f 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -43,6 +43,8 @@ shell none
 # comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
 tracelog
+#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
+private-cache
 private-dev
 private-tmp
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-11-16 11:41:35 +0100
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-11-16 11:41:35 +0100
commit	096d0de5f8bb253d0c1035796464bc5982f06f81 (patch)
tree	d9634d1c26afca63ada52f66dd55eb09a46647dd /etc/profile-a-l
parent	Add XAUTHORITY file of sddm from openSUSE Tumblew… (diff)
download	firejail-096d0de5f8bb253d0c1035796464bc5982f06f81.tar.gz firejail-096d0de5f8bb253d0c1035796464bc5982f06f81.tar.zst firejail-096d0de5f8bb253d0c1035796464bc5982f06f81.zip

diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile index 6869ea631..c4e820078 100644 --- a/etc/profile-a-l/0ad.profile +++ b/etc/profile-a-l/0ad.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
16	include disable-interpreters.inc	16	include disable-interpreters.inc
17	include disable-passwdmgr.inc	17	include disable-passwdmgr.inc
18	include disable-programs.inc	18	include disable-programs.inc
		19	include disable-xdg.inc
19		20
20	mkdir ${HOME}/.cache/0ad	21	mkdir ${HOME}/.cache/0ad
21	mkdir ${HOME}/.config/0ad	22	mkdir ${HOME}/.config/0ad
@@ -40,6 +41,7 @@ nou2f
40	novideo	41	novideo
41	protocol unix,inet,inet6	42	protocol unix,inet,inet6
42	seccomp	43	seccomp
		44	seccomp.block-secondary
43	shell none	45	shell none
44	tracelog	46	tracelog
45		47


diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile index 3937e1966..4401c9dfd 100644 --- a/etc/profile-a-l/baobab.profile +++ b/etc/profile-a-l/baobab.profile
@@ -30,6 +30,7 @@ nou2f
30	novideo	30	novideo
31	protocol unix	31	protocol unix
32	seccomp	32	seccomp
		33	seccomp.block-secondary
33	shell none	34	shell none
34	tracelog	35	tracelog
35		36


diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile index c1c338536..dbde3e4de 100644 --- a/etc/profile-a-l/bijiben.profile +++ b/etc/profile-a-l/bijiben.profile
@@ -41,6 +41,7 @@ nou2f
41	novideo	41	novideo
42	protocol unix	42	protocol unix
43	seccomp	43	seccomp
		44	seccomp.block-secondary
44	shell none	45	shell none
45	tracelog	46	tracelog
46		47


diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile index 8bf086ab4..56709a466 100644 --- a/etc/profile-a-l/celluloid.profile +++ b/etc/profile-a-l/celluloid.profile
@@ -46,6 +46,7 @@ noroot
46	nou2f	46	nou2f
47	protocol unix,inet,inet6	47	protocol unix,inet,inet6
48	seccomp	48	seccomp
		49	seccomp.block-secondary
49	shell none	50	shell none
50	tracelog	51	tracelog
51		52


diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile index d6541850d..b41a73916 100644 --- a/etc/profile-a-l/dconf-editor.profile +++ b/etc/profile-a-l/dconf-editor.profile
@@ -35,6 +35,7 @@ nou2f
35	novideo	35	novideo
36	protocol unix	36	protocol unix
37	seccomp	37	seccomp
		38	seccomp.block-secondary
38	shell none	39	shell none
39	tracelog	40	tracelog
40		41


diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile index 52bf1c7f8..e409eb044 100644 --- a/etc/profile-a-l/dia.profile +++ b/etc/profile-a-l/dia.profile
@@ -9,16 +9,24 @@ include globals.local
9	noblacklist ${HOME}/.dia	9	noblacklist ${HOME}/.dia
10	noblacklist ${DOCUMENTS}	10	noblacklist ${DOCUMENTS}
11		11
		12	include allow-python2.inc
		13	include allow-python3.inc
		14
12	include disable-common.inc	15	include disable-common.inc
13	include disable-devel.inc	16	include disable-devel.inc
14	include disable-exec.inc	17	include disable-exec.inc
15	include allow-python2.inc
16	include allow-python3.inc
17	include disable-interpreters.inc	18	include disable-interpreters.inc
18	include disable-passwdmgr.inc	19	include disable-passwdmgr.inc
19	include disable-programs.inc	20	include disable-programs.inc
20	include disable-xdg.inc	21	include disable-xdg.inc
21		22
		23	#mkdir ${HOME}/.dia
		24	#whitelist ${HOME}/.dia
		25	#whitelist ${DOCUMENTS}
		26	#include whitelist-common.inc
		27	whitelist /usr/share/dia
		28	include whitelist-runuser-common.inc
		29	include whitelist-usr-share-common.inc
22	include whitelist-var-common.inc	30	include whitelist-var-common.inc
23		31
24	apparmor	32	apparmor
@@ -36,6 +44,7 @@ novideo
36	protocol unix	44	protocol unix
37	seccomp	45	seccomp
38	shell none	46	shell none
		47	tracelog
39		48
40	disable-mnt	49	disable-mnt
41	#private-bin dia	50	#private-bin dia


diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile index e8b49a395..e059f3b74 100644 --- a/etc/profile-a-l/eo-common.profile +++ b/etc/profile-a-l/eo-common.profile
@@ -27,6 +27,7 @@ apparmor
27	caps.drop all	27	caps.drop all
28	ipc-namespace	28	ipc-namespace
29	machine-id	29	machine-id
		30	net none
30	no3d	31	no3d
31	nodvd	32	nodvd
32	nogroups	33	nogroups
@@ -38,6 +39,7 @@ nou2f
38	novideo	39	novideo
39	protocol unix,netlink	40	protocol unix,netlink
40	seccomp	41	seccomp
		42	seccomp.block-secondary
41	shell none	43	shell none
42	tracelog	44	tracelog
43		45


diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index 77a48f0ba..c0c16e929 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile
@@ -41,6 +41,7 @@ nou2f
41	novideo	41	novideo
42	protocol unix	42	protocol unix
43	seccomp	43	seccomp
		44	seccomp.block-secondary
44	shell none	45	shell none
45	tracelog	46	tracelog
46		47


diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile index fb5c9ee57..c6e9ba095 100644 --- a/etc/profile-a-l/ffmpeg.profile +++ b/etc/profile-a-l/ffmpeg.profile
@@ -41,6 +41,7 @@ novideo
41	protocol inet,inet6	41	protocol inet,inet6
42	# allow set_mempolicy, which is required to encode using libx265	42	# allow set_mempolicy, which is required to encode using libx265
43	seccomp !set_mempolicy	43	seccomp !set_mempolicy
		44	seccomp.block-secondary
44	shell none	45	shell none
45	tracelog	46	tracelog
46		47


diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile index 745b8b8e9..2a1eb2001 100644 --- a/etc/profile-a-l/file-roller.profile +++ b/etc/profile-a-l/file-roller.profile
@@ -34,6 +34,7 @@ nou2f
34	novideo	34	novideo
35	protocol unix	35	protocol unix
36	seccomp	36	seccomp
		37	seccomp.block-secondary
37	shell none	38	shell none
38	tracelog	39	tracelog
39		40


diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 7c343c26d..fe0a27828 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile
@@ -27,6 +27,7 @@ whitelist ${DOWNLOADS}
27	whitelist ${HOME}/.pki	27	whitelist ${HOME}/.pki
28	whitelist ${HOME}/.local/share/pki	28	whitelist ${HOME}/.local/share/pki
29	include whitelist-common.inc	29	include whitelist-common.inc
		30	include whitelist-runuser-common.inc
30	include whitelist-var-common.inc	31	include whitelist-var-common.inc
31		32
32	apparmor	33	apparmor


diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile index 357354e70..851a7c747 100644 --- a/etc/profile-a-l/flameshot.profile +++ b/etc/profile-a-l/flameshot.profile
@@ -45,6 +45,7 @@ nou2f
45	novideo	45	novideo
46	protocol unix,inet,inet6	46	protocol unix,inet,inet6
47	seccomp	47	seccomp
		48	seccomp.block-secondary
48	shell none	49	shell none
49	tracelog	50	tracelog
50		51


diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile index 653272499..23d259337 100644 --- a/etc/profile-a-l/frogatto.profile +++ b/etc/profile-a-l/frogatto.profile
@@ -36,6 +36,7 @@ nou2f
36	novideo	36	novideo
37	protocol unix	37	protocol unix
38	seccomp	38	seccomp
		39	seccomp.block-secondary
39	shell none	40	shell none
40	tracelog	41	tracelog
41		42


diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index 74b468020..e339f6abb 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile
@@ -38,6 +38,7 @@ nou2f
38	novideo	38	novideo
39	protocol unix	39	protocol unix
40	seccomp	40	seccomp
		41	seccomp.block-secondary
41	shell none	42	shell none
42	tracelog	43	tracelog
43	x11 none	44	x11 none


diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile index 17b7ad563..30251fbe5 100644 --- a/etc/profile-a-l/gedit.profile +++ b/etc/profile-a-l/gedit.profile
@@ -37,6 +37,7 @@ nou2f
37	novideo	37	novideo
38	protocol unix	38	protocol unix
39	seccomp	39	seccomp
		40	seccomp.block-secondary
40	shell none	41	shell none
41	tracelog	42	tracelog
42		43


diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile index d97ab530b..b8d1b9608 100644 --- a/etc/profile-a-l/gfeeds.profile +++ b/etc/profile-a-l/gfeeds.profile
@@ -49,6 +49,7 @@ nou2f
49	novideo	49	novideo
50	protocol unix,inet,inet6	50	protocol unix,inet,inet6
51	seccomp	51	seccomp
		52	seccomp.block-secondary
52	shell none	53	shell none
53	tracelog	54	tracelog
54		55


diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile index 5bb410278..c15174815 100644 --- a/etc/profile-a-l/ghostwriter.profile +++ b/etc/profile-a-l/ghostwriter.profile
@@ -26,6 +26,7 @@ whitelist /usr/share/texlive
26	whitelist /usr/share/pandoc*	26	whitelist /usr/share/pandoc*
27	include whitelist-runuser-common.inc	27	include whitelist-runuser-common.inc
28	include whitelist-usr-share-common.inc	28	include whitelist-usr-share-common.inc
		29	include whitelist-var-common.inc
29		30
30	apparmor	31	apparmor
31	caps.drop all	32	caps.drop all
@@ -41,6 +42,7 @@ nou2f
41	novideo	42	novideo
42	protocol unix,inet,inet6,netlink	43	protocol unix,inet,inet6,netlink
43	seccomp !chroot	44	seccomp !chroot
		45	seccomp.block-secondary
44	shell none	46	shell none
45	#tracelog -- breaks	47	#tracelog -- breaks
46		48


diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile index 71b8e9b11..3d80c1ed2 100644 --- a/etc/profile-a-l/gitg.profile +++ b/etc/profile-a-l/gitg.profile
@@ -45,6 +45,7 @@ nou2f
45	novideo	45	novideo
46	protocol unix,inet,inet6	46	protocol unix,inet,inet6
47	seccomp	47	seccomp
		48	seccomp.block-secondary
48	shell none	49	shell none
49	tracelog	50	tracelog
50		51


diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile index ceb01f2a0..7780dfa65 100644 --- a/etc/profile-a-l/gnome-calculator.profile +++ b/etc/profile-a-l/gnome-calculator.profile
@@ -38,6 +38,7 @@ nou2f
38	novideo	38	novideo
39	protocol unix,inet,inet6	39	protocol unix,inet,inet6
40	seccomp	40	seccomp
		41	seccomp.block-secondary
41	shell none	42	shell none
42	tracelog	43	tracelog
43		44


diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index 3e815234c..9927fb869 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile
@@ -36,6 +36,7 @@ nou2f
36	novideo	36	novideo
37	protocol unix,inet,inet6	37	protocol unix,inet,inet6
38	seccomp	38	seccomp
		39	seccomp.block-secondary
39	shell none	40	shell none
40	tracelog	41	tracelog
41		42


diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile index f4f3ae2d7..4d53a67dd 100644 --- a/etc/profile-a-l/gnome-characters.profile +++ b/etc/profile-a-l/gnome-characters.profile
@@ -39,6 +39,7 @@ nou2f
39	novideo	39	novideo
40	protocol unix	40	protocol unix
41	seccomp	41	seccomp
		42	seccomp.block-secondary
42	shell none	43	shell none
43	tracelog	44	tracelog
44		45


diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile index 7a38bdc8a..03b89e394 100644 --- a/etc/profile-a-l/gnome-contacts.profile +++ b/etc/profile-a-l/gnome-contacts.profile
@@ -32,6 +32,7 @@ nou2f
32	novideo	32	novideo
33	protocol unix,inet,inet6,netlink	33	protocol unix,inet,inet6,netlink
34	seccomp	34	seccomp
		35	seccomp.block-secondary
35		36
36	disable-mnt	37	disable-mnt
37	private-dev	38	private-dev


diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile index 5ae7bbe01..bb5ef0eab 100644 --- a/etc/profile-a-l/gnome-hexgl.profile +++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -33,6 +33,7 @@ nou2f
33	novideo	33	novideo
34	protocol unix	34	protocol unix
35	seccomp	35	seccomp
		36	seccomp.block-secondary
36	shell none	37	shell none
37	tracelog	38	tracelog
38		39


diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile index ecbb74158..a0b9ef04e 100644 --- a/etc/profile-a-l/gnome-keyring.profile +++ b/etc/profile-a-l/gnome-keyring.profile
@@ -9,8 +9,6 @@ include globals.local
9		9
10	noblacklist ${HOME}/.gnupg	10	noblacklist ${HOME}/.gnupg
11		11
12	whitelist ${HOME}/.gnupg
13	whitelist ${DOWNLOADS}
14	include disable-common.inc	12	include disable-common.inc
15	include disable-devel.inc	13	include disable-devel.inc
16	include disable-exec.inc	14	include disable-exec.inc
@@ -19,9 +17,15 @@ include disable-interpreters.inc
19	include disable-programs.inc	17	include disable-programs.inc
20	include disable-xdg.inc	18	include disable-xdg.inc
21		19
		20	mkdir ${HOME}/.gnupg
		21	whitelist ${HOME}/.gnupg
		22	whitelist ${DOWNLOADS}
		23	whitelist ${RUNUSER}/gnupg
		24	whitelist ${RUNUSER}/keyring
22	whitelist /usr/share/gnupg	25	whitelist /usr/share/gnupg
23	whitelist /usr/share/gnupg2	26	whitelist /usr/share/gnupg2
24	include whitelist-common.inc	27	include whitelist-common.inc
		28	include whitelist-runuser-common.inc
25	include whitelist-usr-share-common.inc	29	include whitelist-usr-share-common.inc
26	include whitelist-var-common.inc	30	include whitelist-var-common.inc
27		31
@@ -41,6 +45,7 @@ nou2f
41	novideo	45	novideo
42	protocol unix,inet,inet6	46	protocol unix,inet,inet6
43	seccomp	47	seccomp
		48	seccomp.block-secondary
44	shell none	49	shell none
45	tracelog	50	tracelog
46		51
@@ -52,6 +57,6 @@ private-dev
52	private-tmp	57	private-tmp
53		58
54	# dbus-user none	59	# dbus-user none
55	# dbus-system none	60	dbus-system none
56		61
57	memory-deny-write-execute	62	memory-deny-write-execute


diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile index 11d184bc6..87376da40 100644 --- a/etc/profile-a-l/gnome-latex.profile +++ b/etc/profile-a-l/gnome-latex.profile
@@ -41,6 +41,7 @@ nou2f
41	novideo	41	novideo
42	protocol unix	42	protocol unix
43	seccomp	43	seccomp
		44	seccomp.block-secondary
44	shell none	45	shell none
45	tracelog	46	tracelog
46		47


diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile index eb0030dda..23629df95 100644 --- a/etc/profile-a-l/gnome-maps.profile +++ b/etc/profile-a-l/gnome-maps.profile
@@ -54,6 +54,7 @@ nou2f
54	novideo	54	novideo
55	protocol unix,inet,inet6	55	protocol unix,inet,inet6
56	seccomp	56	seccomp
		57	seccomp.block-secondary
57	shell none	58	shell none
58	tracelog	59	tracelog
59		60


diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile index ed430b654..073de47b9 100644 --- a/etc/profile-a-l/gnome-passwordsafe.profile +++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -43,6 +43,7 @@ nou2f
43	novideo	43	novideo
44	protocol unix	44	protocol unix
45	seccomp	45	seccomp
		46	seccomp.block-secondary
46	shell none	47	shell none
47	tracelog	48	tracelog
48		49


diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile index 2af406af9..65cc23b5f 100644 --- a/etc/profile-a-l/gnome-photos.profile +++ b/etc/profile-a-l/gnome-photos.profile
@@ -33,6 +33,7 @@ nou2f
33	novideo	33	novideo
34	protocol unix	34	protocol unix
35	seccomp	35	seccomp
		36	seccomp.block-secondary
36	shell none	37	shell none
37	tracelog	38	tracelog
38		39


diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile index 82fb1b658..2534eed5a 100644 --- a/etc/profile-a-l/gnome-screenshot.profile +++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -35,6 +35,7 @@ nou2f
35	novideo	35	novideo
36	protocol unix	36	protocol unix
37	seccomp	37	seccomp
		38	seccomp.block-secondary
38	shell none	39	shell none
39	tracelog	40	tracelog
40		41


diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile index a64ec25a9..2e063ebfe 100644 --- a/etc/profile-a-l/gnome-sound-recorder.profile +++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -33,6 +33,7 @@ nou2f
33	novideo	33	novideo
34	protocol unix	34	protocol unix
35	seccomp	35	seccomp
		36	seccomp.block-secondary
36	shell none	37	shell none
37	tracelog	38	tracelog
38		39


diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile index a181f1b9e..beed92a7d 100644 --- a/etc/profile-a-l/gnome-weather.profile +++ b/etc/profile-a-l/gnome-weather.profile
@@ -37,6 +37,7 @@ nou2f
37	novideo	37	novideo
38	protocol unix,inet,inet6	38	protocol unix,inet,inet6
39	seccomp	39	seccomp
		40	seccomp.block-secondary
40	shell none	41	shell none
41	tracelog	42	tracelog
42		43


diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile index c46fbc1d9..56ed7a436 100644 --- a/etc/profile-a-l/gnome_games-common.profile +++ b/etc/profile-a-l/gnome_games-common.profile
@@ -34,6 +34,7 @@ nou2f
34	novideo	34	novideo
35	protocol unix	35	protocol unix
36	seccomp	36	seccomp
		37	seccomp.block-secondary
37	shell none	38	shell none
38	tracelog	39	tracelog
39		40


diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile index c0254b5ec..3df42d209 100644 --- a/etc/profile-a-l/gucharmap.profile +++ b/etc/profile-a-l/gucharmap.profile
@@ -35,6 +35,7 @@ nou2f
35	novideo	35	novideo
36	protocol unix	36	protocol unix
37	seccomp	37	seccomp
		38	seccomp.block-secondary
38	shell none	39	shell none
39	tracelog	40	tracelog
40		41


diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 06447c3e6..58db056b2 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile
@@ -55,6 +55,7 @@ nou2f
55	novideo	55	novideo
56	protocol unix,netlink	56	protocol unix,netlink
57	seccomp	57	seccomp
		58	seccomp.block-secondary
58	shell none	59	shell none
59	tracelog	60	tracelog
60		61


diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile index f9c92f6f6..031f0e19f 100644 --- a/etc/profile-a-l/libreoffice.profile +++ b/etc/profile-a-l/libreoffice.profile
@@ -43,6 +43,8 @@ shell none
43	# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile	43	# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
44	tracelog	44	tracelog
45		45
		46	#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
		47	private-cache
46	private-dev	48	private-dev
47	private-tmp	49	private-tmp
48		50