author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-03-31 16:51:02 +0000 |
committer | GitHub <noreply@github.com> | 2020-03-31 16:51:02 +0000 |
commit | 4747e0ed7f1d9e39974a1c5a5900db47ab1423aa (patch) | |
tree | ad38bf6fc0a3cb78602891f3aa282d0aa7ae1c52 /etc | |
parent | Mention --seccomp.32 etc in usage (diff) | |
Whitelist runuser common (#3286)
* introduce whitelist-runuser-common.inc
* If an applications does not need a whitelist it can/should be
nowhitelisted. Example:
nowhitelist ${RUNUSER}/pulse
include whitelist-runuser-common.inc
* ${RUNUSER}/bus is inaccessible with nodbus regardless of the
whitelist. (as it should)
* strange wayland setups with a second wayland-compositor need to
whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.
* some display-managers store their Xauthority file in ${RUNUSER}.
test results with fedora 31:
- ssdm: ~/.Xauthority is used
- lightdm: /run/lightdm/USER/Xauthority
- gdm: /run/user/UID/gdm/Xauthority
* IMPORTANT: ATM we can only enable this for non-graphical and GTK3
programs because mutter (GNOMEs window-manger) stores the Xauthority
file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX
where XXXXXX is random. Until we have whitelist globbing we can't
whitelist this file. QT/KDE and other toolkits without full wayland
support won't be able to start.
* wru update 1
- add wru to more profiles.
- blacklist ${RUNUSER} works for the most cli programs too.
* add wruc to more profiles
* fixes
* fixes
* wruc: hide pulse pid
* update
* remove wruc from all the x11 profiles
* fixes
* fix ordering
* read-only
* revert read-only
* update
*
Diffstat (limited to 'etc')
73 files changed, 115 insertions, 12 deletions
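--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -14,6 +14,8 @@ include disable-passwdmgr.inc
 # include disable-programs.inc
 # include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 net none
 no3d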
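--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -24,6 +24,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 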
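--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -10,6 +10,8 @@ include globals.local
 noblacklist ${HOME}/.curlrc
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc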
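Review bot: The added `blacklist ${RUNUSER}/wayland-*` is made redundant by `blacklist ${RUNUSER}` on the very next line, since blacklisting the whole runtime directory already hides every socket under it. If the intent is belt-and-braces for users who `noblacklist ${RUNUSER}` in curl.local, a short comment such as `# keep the glob so a noblacklist of ${RUNUSER} still hides the compositor socket` would stop the next reader from deleting one of the two; otherwise the glob line can go. As far as I know firejail expands globs against what is visible when the line is processed, so if the two lines were ever swapped the glob would match nothing — another reason to document the pairing or drop it.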
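--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -24,6 +24,7 @@ mkdir ${HOME}/.config/d-feet
 whitelist ${HOME}/.config/d-feet
 whitelist /usr/share/d-feet
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 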
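--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 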
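--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.digrc
 noblacklist ${PATH}/dig
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 # include disable-devel.inc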
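--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -18,6 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d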
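--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/enchant
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 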
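--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@@ -18,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 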
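--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -21,6 +21,7 @@ whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 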
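--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -23,6 +23,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 # no3d breaks under wayland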
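--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/feedreader
 whitelist ${HOME}/.local/share/feedreader
 whitelist /usr/share/feedreader
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 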
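--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/file-roller
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 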
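--- a/etc/file.profile
+++ b/etc/file.profile
@@ -8,6 +8,7 @@ include file.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc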
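Review bot: Once `blacklist ${RUNUSER}` is added, the pre-existing `blacklist ${RUNUSER}/wayland-*` directly above it adds no further restriction, because the whole runtime directory is already hidden. Either remove the glob line in the same change or leave a one-line comment explaining why both are kept (for example so a `noblacklist ${RUNUSER}` in file.local still leaves the compositor socket blocked). The same redundancy appears in the other CLI profiles touched by this commit, so whatever is decided here should be applied uniformly.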
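--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all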
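--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -17,6 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter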
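Review bot: flameshot is, as far as I know, a Qt application, and the commit's own IMPORTANT note says the include is only viable for non-graphical and GTK3 programs because Qt clients running through Xwayland need mutter's randomly named `.mutter-Xwaylandauth.XXXXXX` file, which cannot be whitelisted yet. Adding `include whitelist-runuser-common.inc` here therefore risks breaking flameshot under GNOME on Wayland unless the user forces QT_QPA_PLATFORM=wayland. Either leave it out of this profile until whitelist globbing exists, or add a comment such as `# Qt: may break under GNOME Wayland via Xwayland, see #3286` so the failure is easy to trace. The rest of the profile, including any nodbus or x11 line, is outside this hunk.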
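--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable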
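--- a/etc/gfeeds.profile
+++ b/etc/gfeeds.profile
@@ -29,6 +29,7 @@ whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 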
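--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -28,6 +28,7 @@ include disable-programs.inc
 #include whitelist-common.inc
 
 whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 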
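--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 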
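--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter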
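--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,6 +16,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 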
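--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/org.gnome.Characters
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 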
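--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -17,6 +17,7 @@ include disable-xdg.inc
 whitelist /usr/share/gnome-clocks
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 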
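--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -17,6 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all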
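--- a/etc/gnome-hexgl.profile
+++ b/etc/gnome-hexgl.profile
@@ -15,9 +15,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/wayland-0
 whitelist /usr/share/gnome-hexgl
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 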
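Review bot: The include is broader than the two entries it replaces — `whitelist ${RUNUSER}/pulse` and `whitelist ${RUNUSER}/wayland-0` were all this profile exposed, while whitelist-runuser-common.inc (going by the commit message) also brings in `${RUNUSER}/bus` and the GDM Xauthority file. Unless the profile already carries `nodbus` outside this hunk, the game now reaches a session-bus socket it previously had no path to; the commit's own `nowhitelist ${RUNUSER}/bus` mechanism, placed before the include, would keep the earlier surface. A comment such as `# pulse and wayland-0 come from whitelist-runuser-common.inc` would also record why the explicit entries disappeared.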
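--- a/etc/gnome-latex.profile
+++ b/etc/gnome-latex.profile
@@ -22,6 +22,7 @@ include disable-programs.inc
 whitelist /usr/share/gnome-latex
 whitelist /usr/share/perl5
 whitelist /usr/share/texlive
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
 #include whitelist-var-common.inc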
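--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /var/log/journal
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 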
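--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -35,6 +35,7 @@ whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 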
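--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor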
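--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 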
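--- a/etc/gnome-passwordsafe.profile
+++ b/etc/gnome-passwordsafe.profile
@@ -21,13 +21,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-# If you have a second wayland compositor, whitelist its socket here.
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/gdm/Xauthority
-
 whitelist /usr/share/cracklib
 whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 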
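Review bot: The deleted comment `# If you have a second wayland compositor, whitelist its socket here.` was the only in-profile hint for the wayland-1/wayland-2 case that the commit message itself calls out; after this hunk a user with a nested compositor gets a silent failure to connect and no pointer to the fix. If whitelist-runuser-common.inc does not already carry that note, keep a short one next to the include, e.g. `# second wayland compositor: whitelist ${RUNUSER}/wayland-1 etc. in gnome-passwordsafe.local`. For a password manager it is also worth one line saying that `${RUNUSER}/bus` now arrives via the include, since the explicit entry that documented that exposure is gone.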
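--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -17,6 +17,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor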
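--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -39,6 +39,7 @@ whitelist /usr/share/gnome-schedule
 whitelist /var/spool/atd
 whitelist /var/spool/cron
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 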
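--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -17,11 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor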
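Review bot: The new `include whitelist-runuser-common.inc` lands after `include whitelist-usr-share-common.inc`, whereas every other profile in this commit (and the commit's own "fix ordering" bullet) keeps the whitelist includes alphabetical; swap the two lines so the block reads `include whitelist-runuser-common.inc` / `include whitelist-usr-share-common.inc` / `include whitelist-var-common.inc`. Behaviour is unchanged either way, but the removed `whitelist ${RUNUSER}/gdm/Xauthority` now depends entirely on the include providing it, so a reader checking this profile against a GDM setup will look for the include in the expected place first.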
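--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all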
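--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -21,9 +21,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 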
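Review bot: `whitelist ${RUNUSER}/gnupg` only takes effect if that directory already exists when the sandbox starts — firejail skips whitelists for missing paths, which is exactly why the profile carries `mkdir ${HOME}/.gnupg` two lines above. gpg-agent is the process that creates the socket directory, so on a fresh login it may find `${RUNUSER}` without it and have nowhere to place its sockets; if firejail's `mkdir` accepts paths under the user runtime directory (the profile man page lists /run/user/UID as a supported location, as far as I recall), add `mkdir ${RUNUSER}/gnupg` immediately before the whitelist. `whitelist ${RUNUSER}/keyring` also exposes gnome-keyring's sockets to the agent and deserves a comment on why it is needed here.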
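--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -18,9 +18,12 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 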
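Review bot: `whitelist ${RUNUSER}/keyring` hands the sandboxed gpg the gnome-keyring daemon's sockets (its control, ssh-agent and pkcs11 endpoints live in that directory), which is far more than the gpg-agent socket in `${RUNUSER}/gnupg` that gpg actually talks to. If this is meant for setups where gnome-keyring still fronts as the GPG agent, say so and consider leaving it to gpg.local, e.g. `# gnome-keyring sockets: only needed if gnome-keyring acts as gpg agent; add in gpg.local`; otherwise dropping the line keeps the secret-service socket out of a profile that handles private keys. The same pair of lines is added to gpg-agent.profile in this commit, so whatever is decided should be applied to both.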
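--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 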
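--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -7,6 +7,7 @@ include highlight.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc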
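--- a/etc/latex-common.profile
+++ b/etc/latex-common.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /var/lib
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all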
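--- a/etc/less.profile
+++ b/etc/less.profile
@@ -8,6 +8,7 @@ include less.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${HOME}/.lesshst
 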
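--- a/etc/links.profile
+++ b/etc/links.profile
@@ -24,6 +24,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
 whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all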
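--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -16,6 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d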
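--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -36,6 +36,8 @@ include disable-passwdmgr.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 # Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
 #whitelist /usr/share/meld
 #include whitelist-usr-share-common.inc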
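--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -40,6 +40,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d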
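Review bot: mutt is commonly configured to call gpg for PGP mail, and gpg reaches its agent through `${RUNUSER}/gnupg`; if whitelist-runuser-common.inc does not whitelist that directory (it is not among the entries the commit message lists), signing and decryption inside the sandbox will now fail with an unhelpful agent error. Either add `whitelist ${RUNUSER}/gnupg` before the include, or a comment pointing users to mutt.local for it. Conversely, a pure terminal program like mutt gains the session-bus and PulseAudio sockets from the include; `blacklist ${RUNUSER}` as used for curl and dig in this same commit would be the tighter choice if gpg access is not required.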
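--- a/etc/newsboat.profile
+++ b/etc/newsboat.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.newsboat
 whitelist ${HOME}/.newsboat
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all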
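--- a/etc/nslookup.profile
+++ b/etc/nslookup.profile
@@ -7,6 +7,10 @@ include nslookup.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 noblacklist ${PATH}/nslookup
 
 include disable-common.inc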
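Review bot: The new blacklist block is inserted above `noblacklist ${PATH}/nslookup`, while dig.profile in this same commit places the identical three lines after its noblacklist entries; as far as I know firejail does not care about the relative order of noblacklist and blacklist directives, but the project's profiles conventionally list noblacklist first, so moving the block below the noblacklist line keeps the two sibling profiles readable side by side. `blacklist ${RUNUSER}/wayland-*` is also fully covered by the `blacklist ${RUNUSER}` that follows it, so either drop the glob or comment why both are kept.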
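--- a/etc/pandoc.profile
+++ b/etc/pandoc.profile
@@ -8,6 +8,7 @@ include pandoc.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 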
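--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -8,6 +8,7 @@ include patch.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 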
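--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -7,6 +7,7 @@ include pdftotext.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 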
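--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -7,6 +7,10 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc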
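--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -6,7 +6,6 @@ include pitivi.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist ${HOME}/.config/pitivi
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -20,6 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor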
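--- a/etc/pngquant.profile
+++ b/etc/pngquant.profile
@@ -16,6 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor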
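--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.purple
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 netfilter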
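--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -19,6 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all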
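--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -25,6 +25,7 @@ include disable-xdg.inc
 whitelist /usr/share/rhythmbox
 whitelist /usr/share/lua
 whitelist /usr/share/libquvi-scripts
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 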
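--- a/etc/rsync-download_only.profile
+++ b/etc/rsync-download_only.profile
@@ -14,6 +14,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc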
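--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -31,7 +31,10 @@ whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/seahorse
 whitelist /usr/share/seahorse-nautilus
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 #include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 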
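--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -8,6 +8,7 @@ include shellcheck.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 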
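--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -18,7 +18,10 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/keyring/ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 ipc-namespace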
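Review bot: The two whitelist includes on the new side are in the opposite order from the rest of this commit: `include whitelist-runuser-common.inc` is placed after `include whitelist-usr-share-common.inc`, whereas rhythmbox, seahorse, tshark and yelp keep them alphabetical with runuser first, so swapping the two lines would keep the profiles uniform. Separately, the included file whitelists ${RUNUSER}/bus, dconf, pulse/native and wayland-0 in a sandbox whose only stated need is the two agent sockets whitelisted just above it; if the `nowhitelist` pattern from the commit description applies here, `nowhitelist ${RUNUSER}/pulse` (and likewise for dconf and wayland-0) placed before the include, where the template puts its NOWHITELISTS section, would keep the ssh sandbox to what it actually uses. The rest of ssh.profile is outside the hunk.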
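--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 #include disable-common.inc
 include disable-devel.inc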
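--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -27,6 +27,7 @@
 # ALLOW INCLUDES
 # BLACKLISTS
 # DISABLE INCLUDES
+# NOWHITELISTS
 # MKDIRS
 # WHITELISTS
 # WHITELIST INCLUDES
@@ -62,6 +63,8 @@ include globals.local
 #blacklist /tmp/.X11-unix
 # Disable Wayland
 #blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only)
+#blacklist ${RUNUSER}
 
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@@ -116,6 +119,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
+#GTK3 only: include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 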
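Review bot: The new line `#GTK3 only: include whitelist-runuser-common.inc` in the third hunk breaks the template's convention that a commented-out directive can be enabled by deleting the leading `#`; uncommenting it yields the invalid line `GTK3 only: include whitelist-runuser-common.inc`. The second hunk of the same file shows the established form, a comment line above the directive, so this should become `# GTK3 only (other toolkits need an Xwayland authority file that cannot be whitelisted yet)` followed by `#include whitelist-runuser-common.inc`. Carrying the reason and not just "GTK3 only" also tells a profile author when the restriction can be lifted.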
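--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -17,6 +17,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d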
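--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -7,6 +7,8 @@ include transmission-gtk.local
 # Persistent global definitions
 include globals.local
 
+include whitelist-runuser-common.inc
+
 private-bin transmission-gtk
 
 ignore memory-deny-write-execute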
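Review bot: `include whitelist-runuser-common.inc` is placed directly after `include globals.local` here, ahead of `private-bin`, whereas every other profile in this commit and the template's WHITELIST INCLUDES section put it after the disable includes. If this position is required because the remainder of the profile's whitelist rules live in an included common profile further down (which is outside the hunk), a comment such as `# must precede the common profile's whitelist rules` would make that deliberate; otherwise moving it next to the other whitelist includes keeps the profiles consistent.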
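--- a/etc/tshark.profile
+++ b/etc/tshark.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/wireshark
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 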
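--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 nodvd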
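--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -20,6 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d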
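--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.wgetrc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc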
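--- /dev/null
+++ b/etc/whitelist-runuser-common.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include whitelist-runuser-common.local
+
+# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/dconf
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/pulse/native
+whitelist ${RUNUSER}/wayland-0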
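Review bot: The header comment `# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles` promises more than the file currently delivers: the template hunk in this same commit marks the include as GTK3 only, and the commit description explains that the Xwayland authority file mutter creates under ${RUNUSER} has a random name that cannot be whitelisted without globbing, so Qt/KDE programs will not start with it. I would replace that line with `# common ${RUNUSER} (=/run/user/$UID) whitelist; currently only for non-graphical and GTK3 programs, since the Xwayland authority file used by other toolkits cannot be whitelisted yet` so the caveat travels with the file rather than living only in the template. Likewise `whitelist ${RUNUSER}/wayland-0` covers only the first compositor socket, and a comment such as `# setups with a second compositor must whitelist wayland-1 and up themselves` next to it would save the debugging round the commit description anticipates.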
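--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -9,6 +9,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc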
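--- a/etc/yelp.profile
+++ b/etc/yelp.profile
@@ -23,6 +23,7 @@ whitelist /usr/share/help
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 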
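--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -22,6 +22,7 @@ include allow-python3.inc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc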