Merge pull request #6286 from kmk3/x11-none-improvements

profiles: replace x11 socket blacklist with disable-X11.inc

24 files changed, 26 insertions, 24 deletions

diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 49e84dedb..3bda47fad 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -7,7 +7,6 @@ include makepkg.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 # Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
@@ -33,6 +32,7 @@ noblacklist /var/lib/pacman
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
+include disable-X11.inc
 
 caps.drop all
 ipc-namespace
diff --git a/etc/profile-m-z/mimetype.profile b/etc/profile-m-z/mimetype.profile
index 9902da882..4b62624bb 100644
--- a/etc/profile-m-z/mimetype.profile
+++ b/etc/profile-m-z/mimetype.profile
@@ -7,11 +7,11 @@ include mimetype.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-exec.inc
 include disable-proc.inc
+include disable-X11.inc
 
 apparmor
 caps.drop all
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index 0a5e4255a..d80e263b6 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -10,7 +10,6 @@ include globals.local
 noblacklist ${HOME}/.moc
 noblacklist ${MUSIC}
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -19,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.moc
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 097ce6e83..447301d46 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -38,7 +38,6 @@ noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
 noblacklist /etc/msmtprc
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 # Add the next lines to your mutt.local for oauth.py,S/MIME support.
@@ -51,6 +50,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 51e2e43bf..22720422b 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -39,7 +39,6 @@ noblacklist /etc/msmtprc
 noblacklist /var/mail
 noblacklist /var/spool/mail
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include allow-lua.inc
@@ -49,6 +48,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
index dcd76f2ad..aae506b0b 100644
--- a/etc/profile-m-z/nslookup.profile
+++ b/etc/profile-m-z/nslookup.profile
@@ -7,7 +7,6 @@ include nslookup.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 noblacklist ${PATH}/nslookup
@@ -17,6 +16,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist ${HOME}/.nslookuprc
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index ce90012e3..52ccb4309 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -11,7 +11,6 @@ include globals.local
 # not as a daemon (rsync --daemon) nor to create backups.
 # Usage: firejail --profile=rsync-download_only rsync
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -20,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 # Add the next line to your rsync-download_only.local to enable extra hardening.
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
index 0d57e6916..e719b0d0d 100644
--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -6,7 +6,6 @@ include rtv.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 noblacklist ${HOME}/.config/rtv
@@ -28,6 +27,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/rtv
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 74587c992..a77cf7e0b 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -36,7 +36,6 @@ noblacklist /usr/sbin
 noblacklist /etc/init.d
 #noblacklist /var/opt
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -45,6 +44,7 @@ include disable-common.inc
 #include disable-interpreters.inc
 include disable-programs.inc
 include disable-write-mnt.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 #include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
index d881db714..979d71b33 100644
--- a/etc/profile-m-z/signal-cli.profile
+++ b/etc/profile-m-z/signal-cli.profile
@@ -6,7 +6,6 @@ include signal-cli.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 noblacklist ${HOME}/.local/share/signal-cli
@@ -18,6 +17,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/signal-cli
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 76755def4..6630244be 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -9,11 +9,11 @@ include globals.local
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-programs.inc
+include disable-X11.inc
 
 include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile
index b87f514f9..356a732e7 100644
--- a/etc/profile-m-z/ssmtp.profile
+++ b/etc/profile-m-z/ssmtp.profile
@@ -24,8 +24,8 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 include disable-X11.inc
+include disable-xdg.inc
 
 mkfile ${HOME}/dead.letter
 whitelist ${HOME}/dead.letter
diff --git a/etc/profile-m-z/statusof.profile b/etc/profile-m-z/statusof.profile
index 7463b90f5..25c8df680 100644
--- a/etc/profile-m-z/statusof.profile
+++ b/etc/profile-m-z/statusof.profile
@@ -7,7 +7,6 @@ include statusof.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist /usr/libexec
 blacklist ${RUNUSER}
 
@@ -21,6 +20,7 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
diff --git a/etc/profile-m-z/termshark.profile b/etc/profile-m-z/termshark.profile
index 630d5dda6..bdee14e64 100644
--- a/etc/profile-m-z/termshark.profile
+++ b/etc/profile-m-z/termshark.profile
@@ -8,8 +8,9 @@ include termshark.local
 # added by included profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
+include disable-X11.inc
+
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index 35ff14e88..7c1d534e9 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -9,7 +9,6 @@ include globals.local
 noblacklist ${HOME}/.newsrc
 noblacklist ${HOME}/.tin
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 blacklist /usr/libexec
 
@@ -19,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.tin
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index ddd2aa85f..55d84a618 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -7,7 +7,6 @@ include tmux.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 noblacklist /tmp/tmux-*
@@ -16,6 +15,7 @@ noblacklist /tmp/tmux-*
 #include disable-devel.inc
 #include disable-exec.inc
 #include disable-programs.inc
+include disable-X11.inc
 
 caps.drop all
 ipc-namespace
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index c46b00fc9..8a3464496 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -8,7 +8,6 @@ include globals.local
 
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -16,6 +15,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
index f2273e6a7..fab45a334 100644
--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -7,8 +7,9 @@ include tshark.local
 # added by included profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
+include disable-X11.inc
+
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/tvnamer.profile b/etc/profile-m-z/tvnamer.profile
index ccfd07e40..24439672a 100644
--- a/etc/profile-m-z/tvnamer.profile
+++ b/etc/profile-m-z/tvnamer.profile
@@ -6,7 +6,6 @@ include tvnamer.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist /usr/libexec
 blacklist ${RUNUSER}
 
@@ -24,6 +23,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-proc.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/tvnamer
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
index 63d84688c..dfce92e2d 100644
--- a/etc/profile-m-z/unbound.profile
+++ b/etc/profile-m-z/unbound.profile
@@ -9,7 +9,6 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -17,6 +16,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist /usr/share/dns
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index edc08ca44..4e2f1bb3e 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -14,7 +14,6 @@ include globals.local
 
 noblacklist ${HOME}/.w3m
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
@@ -29,6 +28,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.w3m
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 5e1823593..90a1d3d7a 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -15,7 +15,6 @@ noblacklist ${HOME}/.wgetrc
 #ignore read-only ${HOME}/.nvm
 #noblacklist ${HOME}/.nvm
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -24,6 +23,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 # Depending on workflow you can add the next line to your wget.local.
 #include disable-xdg.inc
 
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 8265e1ff8..e7f66cf76 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -7,7 +7,6 @@ include whois.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -15,6 +14,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index 97f9e620a..6dd9d03a3 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -29,7 +29,6 @@ noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -38,6 +37,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-usr-share-common.inc