Profile fixes and hardening

 * cheese
   - fix: dbus-user.own org.gnome.Cheese
   - fix: whitelist /usr/share/gstreamer-1.0
   - fix: include allow-python3.inc
   - hardening: include disable-shell.inc
   - hardening: include whitelist-run-common.inc and whitelist /run/udev/data
   - hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
   - hardening: noinput
   - hardening: nosound
   - hardening: seccomp.block-secondary
   - hardening: private-dev
 * geekbench (closes #4576)
   - fix: noblacklist /sbin and noblacklist /usr/sbin
   - fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5
   - fix: comment/remove private-bin, private-lib, private-opt
 * inkscape
   - add quiet for cli usage
 * musixmatch (#4518)
   - allow chroot
 * pandoc
   - fix: include allow-bin-sh.inc
   - fix: drop private-bin
   - hardening: include whitelist-runuser-common.inc
   - hardening: seccomp.block-secondary

1 files changed, 4 insertions, 1 deletions

diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index b8e8a750f..460f60beb 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 # breaks pdf output
 #include whitelist-var-common.inc
 
@@ -39,12 +42,12 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
 
 disable-mnt
-private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload,texlive,texmf