author | 2023-08-11 05:26:05 -0300 | |
---|---|---|
committer | 2023-09-08 04:57:37 -0300 | |
commit | c6d33375cc34e4e5e527ab43c219adfbc8848c62 (patch) | |
tree | 0ccf4359f9b8ab8a5c4e37bd042fbf19314f12a8 /etc/profile-m-z | |
parent | profiles: fix some comments (diff) | |
profiles: fix commented code and eol comments
Main changes:
* Remove the space after `#` for commented code lines to distinguish
them from normal comments
* Use `#` instead of `-` for comments at the end of the line so that
commented code lines work after being uncommented
Commands used to search and replace:
arg0="$(cat contrib/syntax/lists/profile_commands_arg0.list |
LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
arg1="$(cat contrib/syntax/lists/profile_commands_arg1.list |
LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
git ls-files -z -- etc/inc etc/profile* | xargs -0 -I '{}' \
sh -c "printf '%s\n' \"\$(sed -E \
-e 's/^# ($arg0)( [#-]-? .*)?\$/#\\1\\2/' \
-e 's/^# ($arg1)( [^ ]*)?( [#-]-? .*)?\$/#\\1\\2\\3/' \
-e 's/^# (whitelist \\$)/#\\1/' \
-e 's/^(#[^ ].+) --? /\\1 # /' \
'{}')\" >'{}'"
Commands used to check for leftover entries:
arg0="$(cat contrib/syntax/lists/profile_commands_arg0.list |
LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
arg1="$(cat contrib/syntax/lists/profile_commands_arg1.list |
LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
git grep -E "^# ($arg0|$arg1)( +|$)" -- etc/inc etc/profile*
See also commit 30f9ad908 ("build: improve comments in firecfg.config",
2023-08-05) / PR #5942.
Diffstat (limited to 'etc/profile-m-z')
81 files changed, 191 insertions, 191 deletions
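--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -40,8 +40,8 @@ notv
 nou2f
 novideo
 protocol unix,netlink
-#seccomp - breaks loading with no logs
-#tracelog - 32/64 bit incompatibility
+#seccomp # breaks loading with no logs
+#tracelog # 32/64 bit incompatibility
 
 private-bin PCSX2
 private-cache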
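--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -57,7 +57,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
@@ -81,5 +81,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces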
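--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -35,4 +35,4 @@ private-bin awk,bash,dig,sh,Viber
 private-etc @tls-ca,@x11,mailcap,proxychains.conf
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces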
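--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -25,7 +25,7 @@ nogroups
 noinput
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -35,10 +35,10 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,Xephyr,xkbcomp
-# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
+#private-bin sh,Xephyr,xkbcomp
+#private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
 private-dev
-# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 #private-tmp
 
 restrict-namespaces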
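--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -39,8 +39,8 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,xkbcomp,Xvfb
-# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
+#private-bin sh,xkbcomp,Xvfb
+#private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
 private-etc gai.conf,host.conf
 private-tmp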
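--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -14,8 +14,8 @@ blacklist ${RUNUSER}/wayland-*
 # for potential issues and their solutions when Firejailing makepkg
 
 # This profile could be significantly strengthened by adding the following to makepkg.local
-# whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/<Your Build Folder>
+#whitelist ${HOME}/.gnupg
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg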
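--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -13,8 +13,8 @@ noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.local/share/pki
-# noblacklist ${HOME}/.local/share/webkit
-# noblacklist ${HOME}/.local/share/webkitgtk
+#noblacklist ${HOME}/.local/share/webkit
+#noblacklist ${HOME}/.local/share/webkitgtk
 noblacklist ${HOME}/.pki
 
 noblacklist ${HOME}/.cache/gnome-mplayer
@@ -54,7 +54,7 @@ caps.drop all
 netfilter
 nodvd
 nonewprivs
-# noroot - problems on Ubuntu 14.04
+#noroot # problems on Ubuntu 14.04
 notv
 protocol unix,inet,inet6,netlink
 seccomp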
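--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -56,7 +56,7 @@ dbus-user filter
 dbus-user.own org.mpris.MediaPlayer2.mpd
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 
 read-only ${HOME}
 restrict-namespaces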
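--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -24,9 +24,9 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none - mplayer can be used for streaming.
+#net none # mplayer can be used for streaming.
 netfilter
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot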
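--- a/etc/profile-m-z/mullvad-browser.profile
+++ b/etc/profile-m-z/mullvad-browser.profile
@@ -73,13 +73,13 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
-#private-opt mullvad-browser - can cause slow startup
+#private-opt mullvad-browser # can cause slow startup
 private-tmp
 
 blacklist ${PATH}/curl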
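--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -41,12 +41,12 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
 
 disable-mnt
 # private-bin works, but causes weirdness
-# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
+#private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces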
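--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -41,5 +41,5 @@ disable-mnt
 private-bin mumble
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces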
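--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -37,7 +37,7 @@ protocol unix,inet,inet6
 seccomp !chroot
 tracelog
 
-# private-bin musescore,mscore
+#private-bin musescore,mscore
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces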
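--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -35,4 +35,4 @@ disable-mnt
 private-dev
 private-etc @tls-ca
 
-# restrict-namespaces
+#restrict-namespaces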
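--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -121,7 +121,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
 private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo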
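--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 x11 none
 
-# disable-mnt
+#disable-mnt
 private-bin nano,rnano
 private-cache
 private-dev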
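--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -29,7 +29,7 @@ seccomp
 x11 none
 
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user none
 dbus-system none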
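--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -113,7 +113,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
 private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver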
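--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -42,11 +42,11 @@ private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,ni
 private-cache
 private-dev
 private-etc @tls-ca,@x11
-# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+#private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces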
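--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -17,7 +17,7 @@ whitelist ${HOME}/.config/nuclear
 
 no3d
 
-# private-bin nuclear
+#private-bin nuclear
 private-etc @tls-ca,@x11,host.conf,mime.types
 private-opt nuclear
 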
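--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -44,7 +44,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -65,10 +65,10 @@ private-etc @x11,cups
 # on KDE we need access to the real /tmp for data exchange with email clients
 #private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 
 restrict-namespaces
 join-or-start okular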
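--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -50,7 +50,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 
 disable-mnt
 private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*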
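--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -24,7 +24,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - networked game
+#net none # networked game
 netfilter
 nodvd
 nogroups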
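--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -24,7 +24,7 @@ nogroups
 noinput
 nonewprivs
 noroot
-# nosound - calendar application, It must be able to play sound to wake you up.
+#nosound # calendar application, It must be able to play sound to wake you up.
 notv
 nou2f
 novideo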
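--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -57,4 +57,4 @@ private-tmp
 
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces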
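--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -40,7 +40,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
 
-# private-bin pidgin
+#private-bin pidgin
 private-cache
 private-dev
 private-tmp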
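--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -55,7 +55,7 @@ tracelog
 
 disable-mnt
 private
-#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+#private-bin ping # has mammoth problems with execvp: "No such file or directory"
 private-cache
 private-dev
 private-etc @tls-ca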
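--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -21,10 +21,10 @@ include disable-shell.inc
 
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -45,8 +45,8 @@ private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
 join-or-start pluma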
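--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -53,7 +53,7 @@ writable-var-log
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks opening file-chooser
+#memory-deny-write-execute # breaks opening file-chooser
 read-only ${HOME}
 read-write ${HOME}/.config/PacmanLogViewer
 read-only /var/log/pacman.log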
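--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -43,4 +43,4 @@ disable-mnt
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces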
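--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -62,7 +62,7 @@ novideo
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp !chroot
-#tracelog - breaks on Arch
+#tracelog # breaks on Arch
 
 disable-mnt
 # Add the next line to your psi.local to enable GPG support.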
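--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -55,12 +55,12 @@ seccomp
 
 private-bin python*,qbittorrent
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # See https://github.com/netblue30/firejail/issues/3707 for tray-icon
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
+#memory-deny-write-execute # problems on Arch, see #1690 on GitHub repo
 restrict-namespaces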
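--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -18,7 +18,7 @@ include disable-xdg.inc
 
 caps.drop all
 netfilter
-# no3d
+#no3d
 nogroups
 noinput
 nonewprivs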
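--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -41,7 +41,7 @@ private-dev
 private-tmp
 
 # needs D-Bus when started from a file manager
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces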
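--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces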
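--- a/etc/profile-m-z/quassel.profile
+++ b/etc/profile-m-z/quassel.profile
@@ -25,4 +25,4 @@ seccomp !chroot
 private-cache
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces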
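--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -50,6 +50,6 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
 
 restrict-namespaces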
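--- a/etc/profile-m-z/rssguard.profile
+++ b/etc/profile-m-z/rssguard.profile
@@ -31,13 +31,13 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo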
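--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -55,7 +55,7 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin gimp*,gs,scribus
+#private-bin gimp*,gs,scribus
 private-dev
 private-tmp
 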
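--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -55,7 +55,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
+#private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
 writable-run-user
 
 restrict-namespaces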
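--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -34,36 +34,36 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
 noblacklist /etc/init.d
-# noblacklist /var/opt
+#noblacklist /var/opt
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
-# include disable-devel.inc
-# include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-# include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
+#include whitelist-runuser-common.inc
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
 
 # people use to install servers all over the place!
 # apparmor runs executable only from default system locations
-# apparmor
+#apparmor
 caps
-# ipc-namespace
+#ipc-namespace
 machine-id
-# netfilter /etc/firejail/webserver.net
+#netfilter /etc/firejail/webserver.net
 no3d
 nodvd
-# nogroups
+#nogroups
 noinput
 nonewprivs
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -74,22 +74,22 @@ tab # allow tab completion
 
 disable-mnt
 private
-# private-bin program
-# private-cache
+#private-bin program
+#private-cache
 private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives
-# private-lib
-# private-opt none
+#private-etc alternatives
+#private-lib
+#private-opt none
 private-tmp
-# writable-run-user
-# writable-var
-# writable-var-log
+#writable-run-user
+#writable-var
+#writable-var-log
 
 dbus-user none
-# dbus-system none
+#dbus-system none
 
-# deterministic-shutdown
-# memory-deny-write-execute
-# read-only ${HOME}
-# restrict-namespaces
+#deterministic-shutdown
+#memory-deny-write-execute
+#read-only ${HOME}
+#restrict-namespaces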
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile index 96e4cf283..154e29ccf 100644 --- a/etc/profile-m-z/silentarmy.profile +++ b/etc/profile-m-z/silentarmy.profile | |||
@@ -7,7 +7,7 @@ include globals.local | |||
7 | 7 | ||
8 | 8 | ||
9 | include disable-common.inc | 9 | include disable-common.inc |
10 | # include disable-devel.inc | 10 | #include disable-devel.inc |
11 | include disable-exec.inc | 11 | include disable-exec.inc |
12 | include disable-interpreters.inc | 12 | include disable-interpreters.inc |
13 | include disable-programs.inc | 13 | include disable-programs.inc |
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile index 14846cf58..f8bcd3c6e 100644 --- a/etc/profile-m-z/simple-scan.profile +++ b/etc/profile-m-z/simple-scan.profile | |||
@@ -28,15 +28,15 @@ nonewprivs | |||
28 | noroot | 28 | noroot |
29 | nosound | 29 | nosound |
30 | notv | 30 | notv |
31 | # novideo | 31 | #novideo |
32 | protocol unix,inet,inet6,netlink | 32 | protocol unix,inet,inet6,netlink |
33 | # blacklisting of ioperm system calls breaks simple-scan | 33 | # blacklisting of ioperm system calls breaks simple-scan |
34 | seccomp !ioperm | 34 | seccomp !ioperm |
35 | tracelog | 35 | tracelog |
36 | 36 | ||
37 | # private-bin simple-scan | 37 | #private-bin simple-scan |
38 | # private-dev | 38 | #private-dev |
39 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl | 39 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
40 | # private-tmp | 40 | #private-tmp |
41 | 41 | ||
42 | restrict-namespaces | 42 | restrict-namespaces |
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile index f88ae65c8..995b59538 100644 --- a/etc/profile-m-z/simutrans.profile +++ b/etc/profile-m-z/simutrans.profile | |||
@@ -33,7 +33,7 @@ novideo | |||
33 | protocol unix | 33 | protocol unix |
34 | seccomp | 34 | seccomp |
35 | 35 | ||
36 | # private-bin simutrans | 36 | #private-bin simutrans |
37 | private-dev | 37 | private-dev |
38 | private-etc @games,@x11 | 38 | private-etc @games,@x11 |
39 | private-tmp | 39 | private-tmp |
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile index 6b73b2289..3b78f7fd2 100644 --- a/etc/profile-m-z/skanlite.profile +++ b/etc/profile-m-z/skanlite.profile | |||
@@ -22,16 +22,16 @@ nonewprivs | |||
22 | noroot | 22 | noroot |
23 | nosound | 23 | nosound |
24 | notv | 24 | notv |
25 | # novideo | 25 | #novideo |
26 | protocol unix,inet,inet6,netlink | 26 | protocol unix,inet,inet6,netlink |
27 | # blacklisting of ioperm system calls breaks skanlite | 27 | # blacklisting of ioperm system calls breaks skanlite |
28 | seccomp !ioperm | 28 | seccomp !ioperm |
29 | 29 | ||
30 | # private-bin kbuildsycoca4,kdeinit4,skanlite | 30 | #private-bin kbuildsycoca4,kdeinit4,skanlite |
31 | # private-dev | 31 | #private-dev |
32 | # private-tmp | 32 | #private-tmp |
33 | 33 | ||
34 | # dbus-user none | 34 | #dbus-user none |
35 | # dbus-system none | 35 | #dbus-system none |
36 | 36 | ||
37 | restrict-namespaces | 37 | restrict-namespaces |
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile index 9dd41fd27..ece191b73 100644 --- a/etc/profile-m-z/smplayer.profile +++ b/etc/profile-m-z/smplayer.profile | |||
@@ -36,7 +36,7 @@ include whitelist-var-common.inc | |||
36 | apparmor | 36 | apparmor |
37 | caps.drop all | 37 | caps.drop all |
38 | netfilter | 38 | netfilter |
39 | # nogroups | 39 | #nogroups |
40 | noinput | 40 | noinput |
41 | nonewprivs | 41 | nonewprivs |
42 | noroot | 42 | noroot |
@@ -49,7 +49,7 @@ private-dev | |||
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | # problems with KDE | 51 | # problems with KDE |
52 | # dbus-user none | 52 | #dbus-user none |
53 | # dbus-system none | 53 | #dbus-system none |
54 | 54 | ||
55 | restrict-namespaces | 55 | restrict-namespaces |
diff --git a/etc/profile-m-z/sniffnet.profile b/etc/profile-m-z/sniffnet.profile index eb18c1f01..940c35b2e 100644 --- a/etc/profile-m-z/sniffnet.profile +++ b/etc/profile-m-z/sniffnet.profile | |||
@@ -29,8 +29,8 @@ netfilter | |||
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | 31 | noinput |
32 | # nonewprivs - breaks network traffic capture for unprivileged users | 32 | #nonewprivs # breaks network traffic capture for unprivileged users |
33 | # noroot | 33 | #noroot |
34 | notv | 34 | notv |
35 | nou2f | 35 | nou2f |
36 | novideo | 36 | novideo |
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile index e2be4e9e0..07f9b0094 100644 --- a/etc/profile-m-z/sol.profile +++ b/etc/profile-m-z/sol.profile | |||
@@ -21,13 +21,13 @@ apparmor | |||
21 | caps.drop all | 21 | caps.drop all |
22 | ipc-namespace | 22 | ipc-namespace |
23 | net none | 23 | net none |
24 | # no3d | 24 | #no3d |
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | noinput | 27 | noinput |
28 | nonewprivs | 28 | nonewprivs |
29 | noroot | 29 | noroot |
30 | # nosound | 30 | #nosound |
31 | notv | 31 | notv |
32 | nou2f | 32 | nou2f |
33 | novideo | 33 | novideo |
@@ -43,5 +43,5 @@ private-tmp | |||
43 | dbus-user none | 43 | dbus-user none |
44 | dbus-system none | 44 | dbus-system none |
45 | 45 | ||
46 | # memory-deny-write-execute | 46 | #memory-deny-write-execute |
47 | restrict-namespaces | 47 | restrict-namespaces |
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile index f5ac6c739..5c5763538 100644 --- a/etc/profile-m-z/sound-juicer.profile +++ b/etc/profile-m-z/sound-juicer.profile | |||
@@ -38,7 +38,7 @@ private-cache | |||
38 | private-dev | 38 | private-dev |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
41 | # dbus-user none | 41 | #dbus-user none |
42 | # dbus-system none | 42 | #dbus-system none |
43 | 43 | ||
44 | restrict-namespaces | 44 | restrict-namespaces |
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile index ce356367f..013c7ac13 100644 --- a/etc/profile-m-z/sqlitebrowser.profile +++ b/etc/profile-m-z/sqlitebrowser.profile | |||
@@ -46,8 +46,8 @@ private-etc @tls-ca | |||
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | # breaks proxy creation | 48 | # breaks proxy creation |
49 | # dbus-user none | 49 | #dbus-user none |
50 | # dbus-system none | 50 | #dbus-system none |
51 | 51 | ||
52 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 52 | #memory-deny-write-execute # breaks on Arch (see issue #1803) |
53 | restrict-namespaces | 53 | restrict-namespaces |
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index a7956a76e..fde85be64 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile | |||
@@ -32,10 +32,10 @@ nodvd | |||
32 | nogroups | 32 | nogroups |
33 | noinput | 33 | noinput |
34 | nonewprivs | 34 | nonewprivs |
35 | # noroot - see issue #1543 | 35 | #noroot # see issue #1543 |
36 | nosound | 36 | nosound |
37 | notv | 37 | notv |
38 | # nou2f - OpenSSH >= 8.2 supports U2F | 38 | #nou2f # OpenSSH >= 8.2 supports U2F |
39 | novideo | 39 | novideo |
40 | protocol unix,inet,inet6 | 40 | protocol unix,inet,inet6 |
41 | seccomp | 41 | seccomp |
@@ -43,7 +43,7 @@ tracelog | |||
43 | 43 | ||
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | # private-tmp # Breaks when exiting | 46 | #private-tmp # Breaks when exiting |
47 | writable-run-user | 47 | writable-run-user |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile index 3fe0963a9..fe4e4b6d7 100644 --- a/etc/profile-m-z/standardnotes-desktop.profile +++ b/etc/profile-m-z/standardnotes-desktop.profile | |||
@@ -47,4 +47,4 @@ private-etc @tls-ca,@x11,host.conf | |||
47 | dbus-user none | 47 | dbus-user none |
48 | dbus-system none | 48 | dbus-system none |
49 | 49 | ||
50 | # restrict-namespaces | 50 | #restrict-namespaces |
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile index 6de288c46..8b5d7e253 100644 --- a/etc/profile-m-z/subdownloader.profile +++ b/etc/profile-m-z/subdownloader.profile | |||
@@ -49,5 +49,5 @@ private-tmp | |||
49 | dbus-user none | 49 | dbus-user none |
50 | dbus-system none | 50 | dbus-system none |
51 | 51 | ||
52 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 52 | #memory-deny-write-execute # breaks on Arch (see issue #1803) |
53 | restrict-namespaces | 53 | restrict-namespaces |
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile index 2ad107f1a..65aea6667 100644 --- a/etc/profile-m-z/supertux2.profile +++ b/etc/profile-m-z/supertux2.profile | |||
@@ -41,7 +41,7 @@ seccomp.block-secondary | |||
41 | tracelog | 41 | tracelog |
42 | 42 | ||
43 | disable-mnt | 43 | disable-mnt |
44 | # private-bin supertux2 | 44 | #private-bin supertux2 |
45 | private-cache | 45 | private-cache |
46 | private-etc | 46 | private-etc |
47 | private-dev | 47 | private-dev |
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile index 7b6a87b31..728db012e 100644 --- a/etc/profile-m-z/sushi.profile +++ b/etc/profile-m-z/sushi.profile | |||
@@ -13,7 +13,7 @@ include disable-common.inc | |||
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | 14 | include disable-exec.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
16 | # include disable-programs.inc | 16 | #include disable-programs.inc |
17 | include disable-shell.inc | 17 | include disable-shell.inc |
18 | 18 | ||
19 | include whitelist-runuser-common.inc | 19 | include whitelist-runuser-common.inc |
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile index 5fb35aa04..7cef394c2 100644 --- a/etc/profile-m-z/sylpheed.profile +++ b/etc/profile-m-z/sylpheed.profile | |||
@@ -13,7 +13,7 @@ whitelist ${HOME}/.sylpheed-2.0 | |||
13 | 13 | ||
14 | whitelist /usr/share/sylpheed | 14 | whitelist /usr/share/sylpheed |
15 | 15 | ||
16 | # private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed | 16 | #private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed |
17 | 17 | ||
18 | # Redirect | 18 | # Redirect |
19 | include email-common.profile | 19 | include email-common.profile |
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile index 726baf336..b0a80fc27 100644 --- a/etc/profile-m-z/sysprof.profile +++ b/etc/profile-m-z/sysprof.profile | |||
@@ -59,11 +59,11 @@ seccomp | |||
59 | tracelog | 59 | tracelog |
60 | 60 | ||
61 | disable-mnt | 61 | disable-mnt |
62 | #private-bin sysprof - breaks help menu | 62 | #private-bin sysprof # breaks help menu |
63 | private-cache | 63 | private-cache |
64 | private-dev | 64 | private-dev |
65 | private-etc @tls-ca | 65 | private-etc @tls-ca |
66 | # private-lib - breaks help menu | 66 | #private-lib # breaks help menu |
67 | #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so | 67 | #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so |
68 | private-tmp | 68 | private-tmp |
69 | 69 | ||
@@ -73,5 +73,5 @@ dbus-user.own org.gnome.Yelp | |||
73 | dbus-user.own org.gnome.Sysprof3 | 73 | dbus-user.own org.gnome.Sysprof3 |
74 | dbus-user.talk ca.desrt.dconf | 74 | dbus-user.talk ca.desrt.dconf |
75 | 75 | ||
76 | # memory-deny-write-execute - breaks on Arch | 76 | #memory-deny-write-execute # breaks on Arch |
77 | restrict-namespaces | 77 | restrict-namespaces |
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile index 41da4ee13..06b547b3d 100644 --- a/etc/profile-m-z/teamspeak3.profile +++ b/etc/profile-m-z/teamspeak3.profile | |||
@@ -39,4 +39,4 @@ disable-mnt | |||
39 | private-dev | 39 | private-dev |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
42 | # restrict-namespaces | 42 | #restrict-namespaces |
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile index 17e2f0856..979971ac2 100644 --- a/etc/profile-m-z/thunderbird.profile +++ b/etc/profile-m-z/thunderbird.profile | |||
@@ -35,7 +35,7 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini | |||
35 | 35 | ||
36 | noblacklist ${HOME}/.cache/thunderbird | 36 | noblacklist ${HOME}/.cache/thunderbird |
37 | noblacklist ${HOME}/.gnupg | 37 | noblacklist ${HOME}/.gnupg |
38 | # noblacklist ${HOME}/.icedove | 38 | #noblacklist ${HOME}/.icedove |
39 | noblacklist ${HOME}/.thunderbird | 39 | noblacklist ${HOME}/.thunderbird |
40 | 40 | ||
41 | include disable-xdg.inc | 41 | include disable-xdg.inc |
@@ -46,11 +46,11 @@ include disable-xdg.inc | |||
46 | # See https://github.com/netblue30/firejail/issues/2357 | 46 | # See https://github.com/netblue30/firejail/issues/2357 |
47 | mkdir ${HOME}/.cache/thunderbird | 47 | mkdir ${HOME}/.cache/thunderbird |
48 | mkdir ${HOME}/.gnupg | 48 | mkdir ${HOME}/.gnupg |
49 | # mkdir ${HOME}/.icedove | 49 | #mkdir ${HOME}/.icedove |
50 | mkdir ${HOME}/.thunderbird | 50 | mkdir ${HOME}/.thunderbird |
51 | whitelist ${HOME}/.cache/thunderbird | 51 | whitelist ${HOME}/.cache/thunderbird |
52 | whitelist ${HOME}/.gnupg | 52 | whitelist ${HOME}/.gnupg |
53 | # whitelist ${HOME}/.icedove | 53 | #whitelist ${HOME}/.icedove |
54 | whitelist ${HOME}/.thunderbird | 54 | whitelist ${HOME}/.thunderbird |
55 | 55 | ||
56 | whitelist /usr/share/gnupg | 56 | whitelist /usr/share/gnupg |
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile index a855ff839..ddd2aa85f 100644 --- a/etc/profile-m-z/tmux.profile +++ b/etc/profile-m-z/tmux.profile | |||
@@ -12,10 +12,10 @@ blacklist ${RUNUSER} | |||
12 | 12 | ||
13 | noblacklist /tmp/tmux-* | 13 | noblacklist /tmp/tmux-* |
14 | 14 | ||
15 | # include disable-common.inc | 15 | #include disable-common.inc |
16 | # include disable-devel.inc | 16 | #include disable-devel.inc |
17 | # include disable-exec.inc | 17 | #include disable-exec.inc |
18 | # include disable-programs.inc | 18 | #include disable-programs.inc |
19 | 19 | ||
20 | caps.drop all | 20 | caps.drop all |
21 | ipc-namespace | 21 | ipc-namespace |
@@ -36,9 +36,9 @@ seccomp | |||
36 | seccomp.block-secondary | 36 | seccomp.block-secondary |
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | # private-cache | 39 | #private-cache |
40 | private-dev | 40 | private-dev |
41 | # private-tmp | 41 | #private-tmp |
42 | 42 | ||
43 | dbus-user none | 43 | dbus-user none |
44 | dbus-system none | 44 | dbus-system none |
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile index 86746c7f1..20ebddb69 100644 --- a/etc/profile-m-z/torbrowser-launcher.profile +++ b/etc/profile-m-z/torbrowser-launcher.profile | |||
@@ -56,13 +56,13 @@ novideo | |||
56 | protocol unix,inet,inet6 | 56 | protocol unix,inet,inet6 |
57 | seccomp !chroot | 57 | seccomp !chroot |
58 | seccomp.block-secondary | 58 | seccomp.block-secondary |
59 | #tracelog - may cause issues, see #1930 | 59 | #tracelog # may cause issues, see #1930 |
60 | 60 | ||
61 | disable-mnt | 61 | disable-mnt |
62 | private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity | 62 | private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity |
63 | private-dev | 63 | private-dev |
64 | private-etc @tls-ca | 64 | private-etc @tls-ca |
65 | #private-opt tor-browser - can cause slow startup | 65 | #private-opt tor-browser # can cause slow startup |
66 | private-tmp | 66 | private-tmp |
67 | 67 | ||
68 | dbus-user none | 68 | dbus-user none |
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile index a4cb49171..73d3b0b6f 100644 --- a/etc/profile-m-z/totem.profile +++ b/etc/profile-m-z/totem.profile | |||
@@ -35,7 +35,7 @@ include whitelist-runuser-common.inc | |||
35 | include whitelist-usr-share-common.inc | 35 | include whitelist-usr-share-common.inc |
36 | include whitelist-var-common.inc | 36 | include whitelist-var-common.inc |
37 | 37 | ||
38 | # apparmor - makes settings immutable | 38 | #apparmor # makes settings immutable |
39 | caps.drop all | 39 | caps.drop all |
40 | netfilter | 40 | netfilter |
41 | nogroups | 41 | nogroups |
@@ -55,7 +55,7 @@ private-etc @tls-ca,@x11,python* | |||
55 | private-tmp | 55 | private-tmp |
56 | 56 | ||
57 | # makes settings immutable | 57 | # makes settings immutable |
58 | # dbus-user none | 58 | #dbus-user none |
59 | dbus-system none | 59 | dbus-system none |
60 | 60 | ||
61 | restrict-namespaces | 61 | restrict-namespaces |
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile index f30b0aef6..c46b00fc9 100644 --- a/etc/profile-m-z/tracker.profile +++ b/etc/profile-m-z/tracker.profile | |||
@@ -33,8 +33,8 @@ protocol unix | |||
33 | seccomp | 33 | seccomp |
34 | tracelog | 34 | tracelog |
35 | 35 | ||
36 | # private-bin tracker | 36 | #private-bin tracker |
37 | # private-dev | 37 | #private-dev |
38 | # private-tmp | 38 | #private-tmp |
39 | 39 | ||
40 | restrict-namespaces | 40 | restrict-namespaces |
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index 2578eb0be..5e9e7f127 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile | |||
@@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink | |||
52 | seccomp | 52 | seccomp |
53 | tracelog | 53 | tracelog |
54 | 54 | ||
55 | # disable-mnt | 55 | #disable-mnt |
56 | private-bin trojita | 56 | private-bin trojita |
57 | private-cache | 57 | private-cache |
58 | private-dev | 58 | private-dev |
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile index c182326bb..175ae4591 100644 --- a/etc/profile-m-z/udiskie.profile +++ b/etc/profile-m-z/udiskie.profile | |||
@@ -36,8 +36,8 @@ tracelog | |||
36 | 36 | ||
37 | private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop | 37 | private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop |
38 | # add your configured file browser in udiskie.local, e. g. | 38 | # add your configured file browser in udiskie.local, e. g. |
39 | # private-bin nautilus | 39 | #private-bin nautilus |
40 | # private-bin thunar | 40 | #private-bin thunar |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc @x11,mime.types | 43 | private-etc @x11,mime.types |
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile index 3e2b28dec..4e7dc3705 100644 --- a/etc/profile-m-z/unknown-horizons.profile +++ b/etc/profile-m-z/unknown-horizons.profile | |||
@@ -34,11 +34,11 @@ protocol unix,inet,inet6,netlink | |||
34 | seccomp | 34 | seccomp |
35 | 35 | ||
36 | disable-mnt | 36 | disable-mnt |
37 | # private-bin unknown-horizons | 37 | #private-bin unknown-horizons |
38 | private-dev | 38 | private-dev |
39 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl | 39 | #private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
42 | # doesn't work - maybe all Tcl/Tk programs have this problem | 42 | # doesn't work - maybe all Tcl/Tk programs have this problem |
43 | # memory-deny-write-execute | 43 | #memory-deny-write-execute |
44 | restrict-namespaces | 44 | restrict-namespaces |
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile index aa8199442..8c6efaa1c 100644 --- a/etc/profile-m-z/viewnior.profile +++ b/etc/profile-m-z/viewnior.profile | |||
@@ -49,5 +49,5 @@ private-tmp | |||
49 | dbus-user none | 49 | dbus-user none |
50 | dbus-system none | 50 | dbus-system none |
51 | 51 | ||
52 | #memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808) | 52 | #memory-deny-write-execute # breaks on Arch (see issues #1803 and #1808) |
53 | restrict-namespaces | 53 | restrict-namespaces |
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index ae8afbbf1..b768a635a 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile | |||
@@ -9,7 +9,7 @@ include globals.local | |||
9 | noblacklist ${HOME}/.VirtualBox | 9 | noblacklist ${HOME}/.VirtualBox |
10 | noblacklist ${HOME}/.config/VirtualBox | 10 | noblacklist ${HOME}/.config/VirtualBox |
11 | noblacklist ${HOME}/VirtualBox VMs | 11 | noblacklist ${HOME}/VirtualBox VMs |
12 | # noblacklist /usr/bin/virtualbox | 12 | #noblacklist /usr/bin/virtualbox |
13 | noblacklist /usr/lib/virtualbox | 13 | noblacklist /usr/lib/virtualbox |
14 | noblacklist /usr/lib64/virtualbox | 14 | noblacklist /usr/lib64/virtualbox |
15 | 15 | ||
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile index 79ba41d44..a7b0f5f1d 100644 --- a/etc/profile-m-z/warzone2100.profile +++ b/etc/profile-m-z/warzone2100.profile | |||
@@ -15,7 +15,7 @@ include disable-devel.inc | |||
15 | include disable-exec.inc | 15 | include disable-exec.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | #include disable-shell.inc - problems on Debian 11 | 18 | #include disable-shell.inc # problems on Debian 11 |
19 | 19 | ||
20 | mkdir ${HOME}/.local/share/warzone2100 | 20 | mkdir ${HOME}/.local/share/warzone2100 |
21 | mkdir ${HOME}/.local/share/warzone2100-3.3.0 | 21 | mkdir ${HOME}/.local/share/warzone2100-3.3.0 |
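Review bot: The trailing comment on line 18, `#include disable-shell.inc # problems on Debian 11`, is the only changed `include` line on this page that now carries a ` # ...` suffix, and the stated goal of the change is that such lines work once uncommented. Ordinary commands already accept this form (the server.profile hunk header shows `tab # allow tab completion`), but if `include` is resolved as a file path before the regular command parsing sees the line, the suffix may not be stripped there; this is inferred, not verified against the parser. If that is the case, uncommenting the line would look for a file named `disable-shell.inc # problems on Debian 11` and the include would silently or loudly fail. Moving the reason to its own line above, `# problems on Debian 11`, keeps the line safe to uncomment regardless of how includes are parsed.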
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile index 1e2b164b9..33f404464 100644 --- a/etc/profile-m-z/wine.profile +++ b/etc/profile-m-z/wine.profile | |||
@@ -20,23 +20,23 @@ include disable-devel.inc | |||
20 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
21 | include disable-programs.inc | 21 | include disable-programs.inc |
22 | 22 | ||
23 | # whitelist /usr/share/wine | 23 | #whitelist /usr/share/wine |
24 | # include whitelist-usr-share-common.inc | 24 | #include whitelist-usr-share-common.inc |
25 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
26 | 26 | ||
27 | # Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this. | 27 | # Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this. |
28 | allow-debuggers | 28 | allow-debuggers |
29 | caps.drop all | 29 | caps.drop all |
30 | # net none | 30 | #net none |
31 | netfilter | 31 | netfilter |
32 | nodvd | 32 | nodvd |
33 | nogroups | 33 | nogroups |
34 | noinput | 34 | noinput |
35 | nonewprivs | 35 | nonewprivs |
36 | noroot | 36 | noroot |
37 | # nosound | 37 | #nosound |
38 | notv | 38 | notv |
39 | # novideo | 39 | #novideo |
40 | seccomp | 40 | seccomp |
41 | 41 | ||
42 | private-dev | 42 | private-dev |
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile index dedb78d11..7caac217f 100644 --- a/etc/profile-m-z/wireshark.profile +++ b/etc/profile-m-z/wireshark.profile | |||
@@ -25,14 +25,14 @@ include whitelist-usr-share-common.inc | |||
25 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
26 | 26 | ||
27 | apparmor | 27 | apparmor |
28 | # caps.drop all | 28 | #caps.drop all |
29 | caps.keep dac_override,dac_read_search,net_admin,net_raw | 29 | caps.keep dac_override,dac_read_search,net_admin,net_raw |
30 | netfilter | 30 | netfilter |
31 | no3d | 31 | no3d |
32 | # nogroups - breaks network traffic capture for unprivileged users | 32 | #nogroups # breaks network traffic capture for unprivileged users |
33 | noinput | 33 | noinput |
34 | # nonewprivs - breaks network traffic capture for unprivileged users | 34 | #nonewprivs # breaks network traffic capture for unprivileged users |
35 | # noroot | 35 | #noroot |
36 | nodvd | 36 | nodvd |
37 | nosound | 37 | nosound |
38 | notv | 38 | notv |
@@ -43,12 +43,12 @@ novideo | |||
43 | #seccomp | 43 | #seccomp |
44 | tracelog | 44 | tracelog |
45 | 45 | ||
46 | # private-bin wireshark | 46 | #private-bin wireshark |
47 | private-cache | 47 | private-cache |
48 | # private-dev prevents (some) interfaces from being shown. | 48 | # private-dev prevents (some) interfaces from being shown. |
49 | # Add the below line to your wirehsark.local if you only want to inspect pcap files. | 49 | # Add the below line to your wirehsark.local if you only want to inspect pcap files. |
50 | #private-dev | 50 | #private-dev |
51 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl | 51 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile index dda803bd5..b47437e2d 100644 --- a/etc/profile-m-z/xed.profile +++ b/etc/profile-m-z/xed.profile | |||
@@ -23,10 +23,10 @@ include disable-shell.inc | |||
23 | 23 | ||
24 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
25 | 25 | ||
26 | # apparmor - makes settings immutable | 26 | #apparmor # makes settings immutable |
27 | caps.drop all | 27 | caps.drop all |
28 | machine-id | 28 | machine-id |
29 | # net none - makes settings immutable | 29 | #net none # makes settings immutable |
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
@@ -46,9 +46,9 @@ private-dev | |||
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | # makes settings immutable | 48 | # makes settings immutable |
49 | # dbus-user none | 49 | #dbus-user none |
50 | # dbus-system none | 50 | #dbus-system none |
51 | 51 | ||
52 | # xed uses python plugins, memory-deny-write-execute breaks python | 52 | # xed uses python plugins, memory-deny-write-execute breaks python |
53 | # memory-deny-write-execute | 53 | #memory-deny-write-execute |
54 | restrict-namespaces | 54 | restrict-namespaces |
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile index 141fda909..96edc15ab 100644 --- a/etc/profile-m-z/xfburn.profile +++ b/etc/profile-m-z/xfburn.profile | |||
@@ -25,8 +25,8 @@ protocol unix | |||
25 | seccomp | 25 | seccomp |
26 | tracelog | 26 | tracelog |
27 | 27 | ||
28 | # private-bin xfburn | 28 | #private-bin xfburn |
29 | # private-dev | 29 | #private-dev |
30 | # private-tmp | 30 | #private-tmp |
31 | 31 | ||
32 | restrict-namespaces | 32 | restrict-namespaces |
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile index 9c4fa8293..6c3a5812b 100644 --- a/etc/profile-m-z/xfce4-mixer.profile +++ b/etc/profile-m-z/xfce4-mixer.profile | |||
@@ -53,5 +53,5 @@ dbus-user.own org.xfce.xfce4-mixer | |||
53 | dbus-user.talk org.xfce.Xfconf | 53 | dbus-user.talk org.xfce.Xfconf |
54 | dbus-system none | 54 | dbus-system none |
55 | 55 | ||
56 | # memory-deny-write-execute - breaks on Arch | 56 | #memory-deny-write-execute # breaks on Arch |
57 | restrict-namespaces | 57 | restrict-namespaces |
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile index 4d841b35c..9094a7872 100644 --- a/etc/profile-m-z/xfce4-screenshooter.profile +++ b/etc/profile-m-z/xfce4-screenshooter.profile | |||
@@ -47,5 +47,5 @@ private-tmp | |||
47 | dbus-user none | 47 | dbus-user none |
48 | dbus-system none | 48 | dbus-system none |
49 | 49 | ||
50 | # memory-deny-write-execute -- see #3790 | 50 | #memory-deny-write-execute # see #3790 |
51 | restrict-namespaces | 51 | restrict-namespaces |
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile index a673d6aa3..9741888f0 100644 --- a/etc/profile-m-z/xplayer.profile +++ b/etc/profile-m-z/xplayer.profile | |||
@@ -27,7 +27,7 @@ include whitelist-common.inc | |||
27 | include whitelist-player-common.inc | 27 | include whitelist-player-common.inc |
28 | include whitelist-var-common.inc | 28 | include whitelist-var-common.inc |
29 | 29 | ||
30 | # apparmor - makes settings immutable | 30 | #apparmor # makes settings immutable |
31 | caps.drop all | 31 | caps.drop all |
32 | netfilter | 32 | netfilter |
33 | nogroups | 33 | nogroups |
@@ -41,11 +41,11 @@ tracelog | |||
41 | 41 | ||
42 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer | 42 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer |
43 | private-dev | 43 | private-dev |
44 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl | 44 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | # makes settings immutable | 47 | # makes settings immutable |
48 | # dbus-user none | 48 | #dbus-user none |
49 | # dbus-system none | 49 | #dbus-system none |
50 | 50 | ||
51 | restrict-namespaces | 51 | restrict-namespaces |
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile index 05c12b9a2..b00307394 100644 --- a/etc/profile-m-z/xpra.profile +++ b/etc/profile-m-z/xpra.profile | |||
@@ -45,11 +45,11 @@ seccomp | |||
45 | 45 | ||
46 | disable-mnt | 46 | disable-mnt |
47 | # private home directory doesn't work on some distros, so we go for a regular home | 47 | # private home directory doesn't work on some distros, so we go for a regular home |
48 | # private | 48 | #private |
49 | # older Xpra versions also use Xvfb | 49 | # older Xpra versions also use Xvfb |
50 | # private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb | 50 | #private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb |
51 | private-dev | 51 | private-dev |
52 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra | 52 | #private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | restrict-namespaces | 55 | restrict-namespaces |
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile index 6edbf9357..cad836fdc 100644 --- a/etc/profile-m-z/xreader.profile +++ b/etc/profile-m-z/xreader.profile | |||
@@ -18,9 +18,9 @@ include disable-programs.inc | |||
18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | # Breaks xreader on Mint 18.3 | 20 | # Breaks xreader on Mint 18.3 |
21 | # include whitelist-var-common.inc | 21 | #include whitelist-var-common.inc |
22 | 22 | ||
23 | # apparmor | 23 | #apparmor |
24 | caps.drop all | 24 | caps.drop all |
25 | no3d | 25 | no3d |
26 | nodvd | 26 | nodvd |
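Review bot: `#apparmor` on line 23 is a disabled hardening option with no reason recorded, unlike `#include whitelist-var-common.inc` just above it, which carries `# Breaks xreader on Mint 18.3`. Since this commit establishes the `#command # reason` convention (xviewer.profile in the same commit reads `#apparmor # makes settings immutable`), the line should say why AppArmor confinement is off so a later maintainer knows whether it can be re-enabled. If the cause is the same as xviewer's, `#apparmor # makes settings immutable` would do — but nothing on this page states that for xreader, so it needs confirming rather than copying.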
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile index 6c31df4a9..575c1bf68 100644 --- a/etc/profile-m-z/xviewer.profile +++ b/etc/profile-m-z/xviewer.profile | |||
@@ -19,9 +19,9 @@ include disable-shell.inc | |||
19 | 19 | ||
20 | include whitelist-var-common.inc | 20 | include whitelist-var-common.inc |
21 | 21 | ||
22 | # apparmor - makes settings immutable | 22 | #apparmor # makes settings immutable |
23 | caps.drop all | 23 | caps.drop all |
24 | # net none - makes settings immutable | 24 | #net none # makes settings immutable |
25 | no3d | 25 | no3d |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
@@ -42,8 +42,8 @@ private-lib | |||
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | # makes settings immutable | 44 | # makes settings immutable |
45 | # dbus-user none | 45 | #dbus-user none |
46 | # dbus-system none | 46 | #dbus-system none |
47 | 47 | ||
48 | memory-deny-write-execute | 48 | memory-deny-write-execute |
49 | restrict-namespaces | 49 | restrict-namespaces |
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile index de07e3ddf..ccf5f1e63 100644 --- a/etc/profile-m-z/ytmdesktop.profile +++ b/etc/profile-m-z/ytmdesktop.profile | |||
@@ -13,9 +13,9 @@ noblacklist ${HOME}/.config/youtube-music-desktop-app | |||
13 | mkdir ${HOME}/.config/youtube-music-desktop-app | 13 | mkdir ${HOME}/.config/youtube-music-desktop-app |
14 | whitelist ${HOME}/.config/youtube-music-desktop-app | 14 | whitelist ${HOME}/.config/youtube-music-desktop-app |
15 | 15 | ||
16 | # private-bin env,ytmdesktop | 16 | #private-bin env,ytmdesktop |
17 | private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types | 17 | private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types |
18 | # private-opt | 18 | #private-opt |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
21 | include electron-common.profile | 21 | include electron-common.profile |
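Review bot: `#private-opt` on line 18 is left without an argument, so it still will not work after being uncommented, which is the stated goal of this commit; as far as I can tell `private-opt` takes a comma-separated list of entries under /opt, and a bare `private-opt` line is not a valid profile command. Either list the directory the application actually needs, with a trailing `# reason` for why it is disabled, or turn it into a plain note such as `# TODO: private-opt candidates not yet identified` so it is not mistaken for ready-to-enable code. The neighbouring `#private-bin env,ytmdesktop` on line 16 likewise gives no reason for being disabled.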
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile index 09a1d37a3..d576dbefd 100644 --- a/etc/profile-m-z/zeal.profile +++ b/etc/profile-m-z/zeal.profile | |||
@@ -67,5 +67,5 @@ dbus-user.talk org.mozilla.* | |||
67 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | 67 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
68 | dbus-system none | 68 | dbus-system none |
69 | 69 | ||
70 | # memory-deny-write-execute - breaks on Arch | 70 | #memory-deny-write-execute # breaks on Arch |
71 | restrict-namespaces | 71 | restrict-namespaces |