author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-09-08 20:28:39 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-08 20:28:39 +0000 |
commit | 032aa1ff1b992c5c1395ae1ee23c52fde41fbcd1 (patch) | |
tree | 2387d9f2fbd71a280a9ba9cb317217c31c7797e6 /etc | |
parent | transgui: hardening (#5989) (diff) | |
parent | profiles: fix commented code and eol comments (diff) | |
Merge pull request #5987 from kmk3/profiles-fix-eol-comments
profiles: fix commented code and eol comments
Diffstat (limited to 'etc')
231 files changed, 555 insertions, 547 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 1b0e00bc6..b688647b5 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -33,7 +33,8 @@ blacklist-nolog ${HOME}/.viminfo | |||
33 | blacklist-nolog /tmp/clipmenu* | 33 | blacklist-nolog /tmp/clipmenu* |
34 | 34 | ||
35 | # X11 session autostart | 35 | # X11 session autostart |
36 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs | 36 | # this will kill --x11=xpra cmdline option for all programs |
37 | #blacklist ${HOME}/.xpra | ||
37 | blacklist ${HOME}/.Xsession | 38 | blacklist ${HOME}/.Xsession |
38 | blacklist ${HOME}/.blackbox | 39 | blacklist ${HOME}/.blackbox |
39 | blacklist ${HOME}/.config/autostart | 40 | blacklist ${HOME}/.config/autostart |
@@ -241,8 +242,9 @@ blacklist /var/lib/mysql/mysql.sock | |||
241 | blacklist /var/lib/mysqld/mysql.sock | 242 | blacklist /var/lib/mysqld/mysql.sock |
242 | blacklist /var/lib/pacman | 243 | blacklist /var/lib/pacman |
243 | blacklist /var/lib/upower | 244 | blacklist /var/lib/upower |
244 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for | 245 | # a virtual /var/log directory (mostly empty) is build up by default for every |
245 | # every sandbox, unless --writable-var-log switch is activated | 246 | # sandbox, unless --writable-var-log switch is activated |
247 | #blacklist /var/log | ||
246 | blacklist /var/mail | 248 | blacklist /var/mail |
247 | blacklist /var/opt | 249 | blacklist /var/opt |
248 | blacklist /var/run/acpid.socket | 250 | blacklist /var/run/acpid.socket |
@@ -562,7 +564,7 @@ blacklist ${PATH}/bmon | |||
562 | blacklist ${PATH}/fping | 564 | blacklist ${PATH}/fping |
563 | blacklist ${PATH}/fping6 | 565 | blacklist ${PATH}/fping6 |
564 | blacklist ${PATH}/hostname | 566 | blacklist ${PATH}/hostname |
565 | # blacklist ${PATH}/ip - breaks --ip=dhcp | 567 | #blacklist ${PATH}/ip # breaks --ip=dhcp |
566 | blacklist ${PATH}/mtr | 568 | blacklist ${PATH}/mtr |
567 | blacklist ${PATH}/mtr-packet | 569 | blacklist ${PATH}/mtr-packet |
568 | blacklist ${PATH}/netstat | 570 | blacklist ${PATH}/netstat |
@@ -611,8 +613,8 @@ blacklist /tmp/tmux-* | |||
611 | blacklist ${PATH}/gnome-terminal | 613 | blacklist ${PATH}/gnome-terminal |
612 | blacklist ${PATH}/gnome-terminal.wrapper | 614 | blacklist ${PATH}/gnome-terminal.wrapper |
613 | blacklist ${PATH}/kgx | 615 | blacklist ${PATH}/kgx |
614 | # blacklist ${PATH}/konsole | ||
615 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 | 616 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 |
617 | #blacklist ${PATH}/konsole | ||
616 | blacklist ${PATH}/lilyterm | 618 | blacklist ${PATH}/lilyterm |
617 | blacklist ${PATH}/lxterminal | 619 | blacklist ${PATH}/lxterminal |
618 | blacklist ${PATH}/mate-terminal | 620 | blacklist ${PATH}/mate-terminal |
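Review bot: The reworded comment above the new `#blacklist /var/log` line still carries a grammar slip: `# a virtual /var/log directory (mostly empty) is build up by default for every` should read `# a virtual /var/log directory (mostly empty) is built up by default for every`. Since this commit is specifically normalizing comment text across the profiles, fixing it in the same pass keeps the file consistent. The other hunks in this section (the `.xpra`, `ip` and `konsole` lines) appear to follow the `#option # reason` form used elsewhere in this commit.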
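--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -44,7 +44,7 @@ private-dev
 private-etc @x11
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces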
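--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -34,7 +34,7 @@ include whitelist-var-common.inc
 # disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
 # this affects ubuntu and debian currently
 
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 netfilter
@@ -42,17 +42,17 @@ no3d
 nodvd
 nogroups
 noinput
-# nonewprivs
+#nonewprivs
 noroot
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
-# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
+#protocol unix,inet,inet6,netlink
+#seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 
 private-dev
-# private-tmp - breaks programs that depend on akonadi
+#private-tmp # breaks programs that depend on akonadi
 
-# restrict-namespaces
+#restrict-namespaces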
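--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -49,4 +49,4 @@ private-dev
 private-tmp
 
 deterministic-shutdown
-# restrict-namespaces
+#restrict-namespaces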
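--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -49,7 +49,7 @@ seccomp.block-secondary
 tracelog
 
 disable-mnt
-# private-bin alacarte,bash,python*,sh
+#private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
 private-etc @tls-ca,@x11,mime.types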
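--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -26,11 +26,11 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
 
-# private-bin amarok
+#private-bin amarok
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user filter
@@ -45,4 +45,4 @@ dbus-user.talk org.freedesktop.Notifications
 #dbus-user.talk org.kde.knotify
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces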
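--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 
 private-cache
-# private-tmp
+#private-tmp
 
 # noexec /tmp breaks 'Android Profiler'
 #noexec /tmp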
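--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -55,4 +55,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces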
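--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -21,7 +21,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
-# nogroups
+#nogroups
 nonewprivs
 noroot
 nosound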
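--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -39,7 +39,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
-# disable-mnt
+#disable-mnt
 # Add your custom event hook commands to 'private-bin' in your aria2c.local.
 private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).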
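--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -42,7 +42,7 @@ private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces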
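--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -35,7 +35,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups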
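--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -26,7 +26,7 @@ apparmor
 caps.drop all
 netfilter
 no3d
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
@@ -44,5 +44,5 @@ dbus-user none
 dbus-system none
 
 # mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces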
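--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -26,7 +26,7 @@ noblacklist ${HOME}/.config/Atom
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-# net none
+#net none
 nosound
 
 # Redirect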
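--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -22,7 +22,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
 machine-id
 no3d
@@ -44,7 +44,7 @@ private-dev
 private-etc
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
-#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
+#private-lib webkit2gtk-4.0 # problems on Arch with the new version of WebKit
 private-tmp
 
 # webkit gtk killed by memory-deny-write-execute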
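--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin audacious
+#private-bin audacious
 private-cache
 private-dev
 private-tmp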
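--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -54,7 +54,7 @@ private-etc @x11
 private-tmp
 
 # problems on Fedora 27
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces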
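--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-bin audio-recorder
+#private-bin audio-recorder
 private-cache
 private-etc
 private-tmp
@@ -50,5 +50,5 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces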
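--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
-# apparmor
+#apparmor
 caps.drop all
 netfilter
 no3d
@@ -31,19 +31,19 @@ noroot
 nosound
 notv
 nou2f
-# novideo
+#novideo
 protocol unix,inet,inet6
 seccomp
 
 disable-mnt
-# private-bin authenticator,python*
+#private-bin authenticator,python*
 private-dev
 private-etc @tls-ca
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces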
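--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -38,5 +38,5 @@ private-cache
 private-dev
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces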
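--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -7,10 +7,10 @@ include globals.local
 
 # Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-# mkdir ${HOME}/.local/share/baloo
-# read-only ${HOME}
-# read-write ${HOME}/.local/share/baloo
-# ignore read-write
+#mkdir ${HOME}/.local/share/baloo
+#read-only ${HOME}
+#read-write ${HOME}/.local/share/baloo
+#ignore read-write
 
 noblacklist ${HOME}/.config/baloofilerc
 noblacklist ${HOME}/.kde/share/config/baloofilerc
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
@@ -46,7 +46,7 @@ novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
 seccomp !ioprio_set
-# x11 xorg
+#x11 xorg
 
 private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
 private-cache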
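--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -6,13 +6,13 @@ include baobab.local
 # Persistent global definitions
 include globals.local
 
-# include disable-common.inc
+#include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include disable-shell.inc
-# include disable-xdg.inc
+#include disable-xdg.inc
 
 include whitelist-runuser-common.inc
 
@@ -37,8 +37,8 @@ private-bin baobab
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 read-only ${HOME}
 restrict-namespaces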
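--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 # Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
-#include disable-shell.inc - breaks launch
+#include disable-shell.inc # breaks launch
 include disable-write-mnt.inc
 
 apparmor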
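--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -48,7 +48,7 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot
 
 disable-mnt
-# private-bin bibletime
+#private-bin bibletime
 private-cache
 private-dev
 private-etc @tls-ca,sword,sword.conf
@@ -57,4 +57,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces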
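--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -48,7 +48,7 @@ tracelog
 
 disable-mnt
 private-bin bijiben
-# private-cache -- access to .cache/tracker is required
+#private-cache # access to .cache/tracker is required
 private-dev
 private-etc @x11
 private-tmp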
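--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -10,7 +10,7 @@ ignore noexec ${HOME}
 
 noblacklist /sbin
 noblacklist /usr/sbin
-# noblacklist /var/log
+#noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc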
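--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -18,7 +18,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 
 caps.drop all
 net none
@@ -36,11 +36,11 @@ protocol unix
 seccomp
 
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user none
 dbus-system none
 
 # memory-deny-write-execute breaks some systems, see issue #1850
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces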
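--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -31,7 +31,7 @@ novideo
 protocol unix
 seccomp
 
-# private-bin bash,bless,mono,sh
+#private-bin bash,bless,mono,sh
 private-cache
 private-dev
 private-etc mono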
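--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -32,4 +32,4 @@ seccomp !chroot,!ioperm
 private-cache
 private-dev
 
-# restrict-namespaces
+#restrict-namespaces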
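--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -29,9 +29,9 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin brasero
+#private-bin brasero
 private-cache
-# private-dev
-# private-tmp
+#private-dev
+#private-tmp
 
 restrict-namespaces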
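--- a/etc/profile-a-l/build-systems-common.profile
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -39,7 +39,7 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd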
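--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -36,4 +36,4 @@ seccomp !chroot
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces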
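--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -32,9 +32,9 @@ seccomp.block-secondary
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
 private-dev
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
 restrict-namespaces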
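--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -48,8 +48,8 @@ private-cache
 private-etc
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces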
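--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 netfilter
@@ -34,7 +34,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
-# private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
+#private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev
 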
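--- a/etc/profile-a-l/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -15,10 +15,10 @@ noblacklist ${HOME}/.config/catfish
 include allow-python2.inc
 include allow-python3.inc
 
-# include disable-common.inc
-# include disable-devel.inc
+#include disable-common.inc
+#include disable-devel.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc
@@ -40,9 +40,9 @@ tracelog
 
 # These options work but are disabled in case
 # a users wants to search in these directories.
-# private-bin bash,catfish,env,locate,ls,mlocate,python*
-# private-dev
-# private-tmp
+#private-bin bash,catfish,env,locate,ls,mlocate,python*
+#private-dev
+#private-tmp
 
 dbus-user none
 dbus-system none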
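--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -41,7 +41,7 @@ private-dev
 private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
-# dbus-user none
+#dbus-user none
 dbus-system none
 
 restrict-namespaces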
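diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 8803a4d9d..67a3a43af 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -13,7 +13,7 @@ mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium
 whitelist ${HOME}/.config/ungoogled-chromium
 
-# private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+#private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
 
 # Redirect
 include chromium.profile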
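diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 878e0fe1d..37bfa0bfe 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -33,13 +33,15 @@ include whitelist-run-common.inc
 ?BROWSER_DISABLE_U2F: nou2f
 
 ?BROWSER_DISABLE_U2F: private-dev
-#private-tmp - issues when using multiple browser sessions
+#private-tmp # issues when using multiple browser sessions
 
 blacklist ${PATH}/curl
 blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
 
-#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
+# This prevents access to passwords saved in GNOME Keyring and KWallet, also
+# breaks Gnome connector.
+#dbus-user none
 
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1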
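diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index 14f1bbe64..8c43aac9c 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -17,7 +17,7 @@ whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
 whitelist /usr/share/chromium
 
-# private-bin chromium,chromium-browser,chromedriver
+#private-bin chromium,chromium-browser,chromedriver
 
 # Redirect
 include chromium-common.profile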
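diff --git a/etc/profile-a-l/clac.profile b/etc/profile-a-l/clac.profile
index b654b3890..cd2b2522d 100644
--- a/etc/profile-a-l/clac.profile
+++ b/etc/profile-a-l/clac.profile
@@ -16,10 +16,10 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
-#include disable-X11.inc - x11 none
+#include disable-X11.inc # x11 none
 include disable-xdg.inc
 
-#include whitelist-common.inc - see #903
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc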
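Review bot: The `#directive # reason` form introduced here for `#include disable-X11.inc # x11 none` and `#include whitelist-common.inc # see #903` keeps the reason on the same line as the disabled directive, and if the profile parser only recognises `#` at the start of a line (I cannot confirm that from this diff), someone who re-enables the directive by deleting just the leading `#` hands `include` an argument that still contains the comment text. The alternative already used elsewhere in this change, putting the reason on its own line above the directive as in chromium-common.profile, dino.profile and digikam.profile, does not have that trap, so a one-line note in the profile template stating which of the two forms is preferred for disabled directives with a reason would help keep future edits consistent. The same trailing-comment pattern appears in clawsker.profile, d-feet.profile, dconf-editor.profile, ddgtk.profile, devhelp.profile, dig.profile, display.profile, drawio.profile, enpass.profile, evince.profile, ffmpeg.profile, file-roller.profile and font-manager.profile in this commit.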
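diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 7fefc68b1..53db480a4 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.claws-mail
 
 whitelist /usr/share/doc/claws-mail
 
-# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
+#private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
 
 # Redirect
 include email-common.profile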
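diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 3b8eb7bbd..37d9e9e3a 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces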
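diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index ee01fa653..3e9363bb4 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -37,6 +37,6 @@ private-dev
 private-tmp
 
 dbus-system none
-# dbus-user none
+#dbus-user none
 
 restrict-namespaces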
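diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index 652809f1b..0cea1c7d4 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -37,7 +37,7 @@ seccomp
 
 private-cache
 private-dev
-# private-tmp
+#private-tmp
 
 noexec /tmp
 restrict-namespaces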
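diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index 3f3748e1a..2657876b8 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -46,7 +46,7 @@ private-dev
 private-tmp
 
 # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces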
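diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index 19862bc92..1b69effc3 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -35,7 +35,7 @@ nosound
 # Disabling noexec ${HOME} for now since it will
 # probably interfere with running some programmes
 # in VS Code
-# noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
 
 # Redirect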
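diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 180282869..b1275e96b 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -48,9 +48,9 @@ private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 # Settings are immutable
-# dbus-user filter
-# dbus-user.own com.github.bleakgrey.tootle
-# dbus-user.talk ca.desrt.dconf
+#dbus-user filter
+#dbus-user.own com.github.bleakgrey.tootle
+#dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 restrict-namespaces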
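diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 9b05b4416..c280cf22a 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -19,8 +19,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 # This profile could be significantly strengthened by adding the following to cower.local
-# whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.config/cower
+#whitelist ${HOME}/<Your Build Folder>
+#whitelist ${HOME}/.config/cower
 
 caps.drop all
 ipc-namespace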
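diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index bfe8764d5..42ade7ce9 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -50,10 +50,10 @@ protocol inet,inet6
 seccomp
 tracelog
 
-# private-bin curl
+#private-bin curl
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-etc @tls-ca
 private-tmp
 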
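diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index a303c5979..c7a42e0eb 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/8pecxstudios
 whitelist /usr/share/8pecxstudios
 whitelist /usr/share/cyberfox
 
-# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
+#private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cyberfox
 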
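diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 7dd5ca260..75338eb6d 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -52,5 +52,5 @@ private-dev
 private-etc dbus-1
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces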
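diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index e2e2492bc..e8acd60b7 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none - breaks application on older versions
+#net none # breaks application on older versions
 no3d
 nodvd
 nogroups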
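diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 9811c90d6..0fa88f232 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces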
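diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 377c4e2e3..c071da4b7 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -9,54 +9,54 @@ include globals.local
 # depending on your usage, you can enable some of the commands below:
 
 include disable-common.inc
-# include disable-devel.inc
-# include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
-# include disable-write-mnt.inc
-# include disable-xdg.inc
+#include disable-shell.inc
+#include disable-write-mnt.inc
+#include disable-xdg.inc
 
-# include whitelist-common.inc
-# include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
+#include whitelist-common.inc
+#include whitelist-runuser-common.inc
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
-# ipc-namespace
-# machine-id
-# net none
+#ipc-namespace
+#machine-id
+#net none
 netfilter
-# no3d
-# nodvd
-# nogroups
+#no3d
+#nodvd
+#nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
-# nou2f
+#nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# tracelog
+#tracelog
 
-# disable-mnt
-# private
-# private-bin program
-# private-cache
+#disable-mnt
+#private
+#private-bin program
+#private-cache
 private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives,fonts,machine-id
-# private-lib
-# private-opt none
+#private-etc alternatives,fonts,machine-id
+#private-lib
+#private-opt none
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# deterministic-shutdown
-# memory-deny-write-execute
-# read-only ${HOME}
+#deterministic-shutdown
+#memory-deny-write-execute
+#read-only ${HOME}
 restrict-namespaces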
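diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index ebc751e1a..b257f9a4c 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -13,7 +13,7 @@ include allow-python2.inc
 include allow-python3.inc
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc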
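diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index 066cdc8b0..7b5e692a0 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -23,7 +23,7 @@ include whitelist-usr-share-common.inc
 
 apparmor
 caps.drop all
-# net none - makes settings immutable
+#net none # makes settings immutable
 nodvd
 nogroups
 noinput
@@ -45,9 +45,9 @@ private-etc @tls-ca,@x11
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 read-only ${HOME}
 restrict-namespaces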
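diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 7c0fee9c3..781dfdcbc 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -14,13 +14,13 @@ blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-#mkfile ${HOME}/.digrc - see #903
+#mkfile ${HOME}/.digrc # see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc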
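diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index 05f0dfba8..34d4081d4 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -37,11 +37,13 @@ protocol unix,inet,inet6,netlink
 # QtWebengine needs chroot to set up its own sandbox
 seccomp !chroot
 
-# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+# private-dev prevents libdc1394 from loading; this lib is used to connect to a
+# camera device
+#private-dev
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces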
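diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index fe2b59a1e..44a3f0846 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -40,7 +40,8 @@ tracelog
 disable-mnt
 private-bin dino
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
+# breaks server connection
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
 dbus-user filter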
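diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index bf77828be..40e19dfc3 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -34,7 +34,7 @@ notv
 nou2f
 protocol unix
 seccomp
-# x11 xorg - problems on kubuntu 17.04
+#x11 xorg # problems on kubuntu 17.04
 
 private-bin display,python*
 private-dev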
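diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 9743ebfbd..0ae09ce7e 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -36,7 +36,7 @@ apparmor
 caps.drop all
 ipc-namespace
 # Add the next line to your dolphin-emu.local if you do not need NetPlay support.
-# net none
+#net none
 netfilter
 # Add the next line to your dolphin-emu.local if you do not need disc support.
 #nodvd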
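diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 79366b8ee..c9daa939a 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp !chroot
-# tracelog - breaks on Arch
+#tracelog # breaks on Arch
 
 private-bin drawio
 private-cache
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
-# restrict-namespaces
+#memory-deny-write-execute # breaks on Arch
+#restrict-namespaces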
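diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index bea114dd6..63dfd6c0d 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -13,9 +13,9 @@ blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 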
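diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 40fd8be7c..3fd5578e6 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -49,8 +49,8 @@ private-etc
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 memory-deny-write-execute
 restrict-namespaces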
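diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 48ce0aa22..d73ed9092 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -49,7 +49,7 @@ private-dev
 private-etc @tls-ca,@x11
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces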
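diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 8eee662ad..cffa85fd5 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -75,7 +75,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
 private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone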
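diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index e1d107dc7..24e4f8a0e 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -35,9 +35,9 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# private-bin engrampa
+#private-bin engrampa
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user filter
 dbus-user.talk ca.desrt.dconf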
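diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index 45a1125b4..93929c6ea 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -58,5 +58,5 @@ private-dev
 private-opt Enpass
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces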
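diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 8b32d08b1..795128418 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -59,7 +59,7 @@ private-cache
 private-tmp
 
 # breaks preferences
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces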
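diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 5b9892af3..4789afee6 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin etr
 private-cache
 private-dev
-# private-etc alternatives,drirc,machine-id,openal,passwd
+#private-etc alternatives,drirc,machine-id,openal,passwd
 private-etc @games,@x11
 private-tmp
 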
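diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 75a3958ad..06a4a64b1 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -34,7 +34,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 machine-id
-# net none - breaks AppArmor on Ubuntu systems
+#net none # breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd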
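diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index d805766eb..2a30d2e23 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -41,17 +41,17 @@ nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
 seccomp !chroot
-# tracelog
+#tracelog
 
 disable-mnt
-# private-bin falkon
+#private-bin falkon
 private-cache
 private-dev
 private-etc @tls-ca,@x11,adobe,mailcap,mime.types
 private-tmp
 
-# dbus-user filter
-# dbus-user.own org.kde.Falkon
+#dbus-user filter
+#dbus-user.own org.kde.Falkon
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces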
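diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index fe7f88a75..e9d5709ec 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -24,7 +24,7 @@ include disable-xdg.inc
 apparmor /usr/bin/fdns
 caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
 ipc-namespace
-# netfilter /etc/firejail/webserver.net
+#netfilter /etc/firejail/webserver.net
 no3d
 nodvd
 nogroups
@@ -43,7 +43,7 @@ private-bin bash,fdns,sh
 private-cache
 #private-dev
 private-etc @tls-ca,fdns
-# private-lib
+#private-lib
 private-tmp
 
 memory-deny-write-execute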
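diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 6aa24cc86..7b205a917 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -29,13 +29,13 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo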
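diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index 3a044542f..27920620a 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -45,4 +45,4 @@ disable-mnt
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces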
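diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index b7d54f05d..af9d556db 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -53,5 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - it breaks old versions of ffmpeg
+#memory-deny-write-execute # it breaks old versions of ffmpeg
 restrict-namespaces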
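diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 78e2751b3..b32f7595c 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - breaks on older Ubuntu versions
+#net none # breaks on older Ubuntu versions
 netfilter
 no3d
 nodvd
@@ -44,7 +44,7 @@ private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dp
 private-cache
 private-dev
 private-etc @x11
-# private-tmp
+#private-tmp
 
 dbus-user filter
 dbus-user.own org.gnome.ArchiveManager1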
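diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
index 88ae56c82..5b9603243 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -33,7 +33,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - issues on older versions
+#net none # issues on older versions
 no3d
 nodvd
 nogroups
@@ -53,5 +53,5 @@ private-bin font-manager,python*,yelp
 private-dev
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces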
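--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -45,4 +45,4 @@ disable-mnt
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces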
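--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-bin frozen-bubble
+#private-bin frozen-bubble
 private-dev
 private-etc @games,@x11
 private-tmp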
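--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -16,7 +16,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
+#include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.funnyboat
@@ -41,7 +41,7 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
-# tracelog
+#tracelog
 
 disable-mnt
 private-cache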
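--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces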
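--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -53,7 +53,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#ipc-namespace - may cause issues with X11
+#ipc-namespace # may cause issues with X11
 #machine-id
 netfilter
 no3d
@@ -71,7 +71,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 #private-bin geary,sh
 private-cache
 private-dev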
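--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -13,18 +13,18 @@ noblacklist ${HOME}/.config/gedit
 include allow-common-devel.inc
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -40,14 +40,14 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# private-bin gedit
+#private-bin gedit
 private-dev
 # private-lib breaks python plugins - add the next line to your gedit.local if you don't use them.
 #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces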
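--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -43,7 +43,7 @@ seccomp
 tracelog
 
 disable-mnt
-#private-bin bash,geekbench*,sh -- #4576
+#private-bin bash,geekbench*,sh # #4576
 private-cache
 private-dev
 private-etc lsb-release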
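Review bot: The new line 46 reads `# #4576`, a bare comment marker followed by an issue number, which is easy to misread as a doubled comment character rather than a reference. The gnome-nettool hunk in this same commit spells the equivalent reference as `# see #903`; for consistency this line should be `#private-bin bash,geekbench*,sh # see #4576`.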
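--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -32,7 +32,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 
-# private-bin geeqie
+#private-bin geeqie
 private-dev
 
 restrict-namespaces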
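--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -58,7 +58,7 @@ tracelog
 
 disable-mnt
 private-bin gfeeds,python3*
-# private-cache -- feeds are stored in ~/.cache
+#private-cache # feeds are stored in ~/.cache
 private-dev
 private-etc @tls-ca,@x11,dbus-1,gconf,host.conf,mime.types,rpc,services
 private-tmp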
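--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -45,7 +45,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
 seccomp.block-secondary
-#tracelog -- breaks
+#tracelog # breaks
 
 private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache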
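--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -29,14 +29,14 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
-# no3d
+#no3d
 nosound
 
-# private-bin github-desktop
+#private-bin github-desktop
 ?HAS_APPIMAGE: ignore private-dev
-# private-lib
+#private-lib
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 
 # Redirect
 include electron-common.profile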
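--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -38,9 +38,9 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
+#private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
 restrict-namespaces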
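--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -51,5 +51,5 @@ dbus-user filter
 dbus-user.talk org.mpris.MediaPlayer2.mpd
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces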
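--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -39,7 +39,7 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin gjs,gnome-books
+#private-bin gjs,gnome-books
 private-dev
 private-tmp
 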
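--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -24,7 +24,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-#net none -- breaks currency conversion
+#net none # breaks currency conversion
 netfilter
 no3d
 nodvd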
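--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -52,8 +52,8 @@ private-etc @x11,gconf,mime.types
 private-tmp
 
 # Add the next lines to your gnome-characters.local if you don't need access to recently used chars.
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 read-only ${HOME}
 restrict-namespaces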
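--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -21,7 +21,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-#no3d - breaks on Arch
+#no3d # breaks on Arch
 nodvd
 noinput
 nonewprivs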
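--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -55,7 +55,7 @@ private-dev
 #private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security
 private-tmp
 
-# dbus-user none
+#dbus-user none
 dbus-system none
 
 memory-deny-write-execute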
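--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -61,7 +61,7 @@ tracelog
 
 disable-mnt
 private-bin gjs,gnome-maps
-# private-cache -- gnome-maps cache all maps/satelite-images
+#private-cache # gnome-maps cache all maps/satelite-images
 private-dev
 private-etc @tls-ca,@x11,clutter-1.0,gconf,host.conf,mime.types,pkcs11,rpc,services
 private-tmp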
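Review bot: The rewritten line 64 carries over the misspelling `satelite-images` and the agreement error `gnome-maps cache all` from the old text. Since the line is already being rewritten, the comment could read `#private-cache # gnome-maps caches all maps/satellite images`.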
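--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -26,7 +26,7 @@ nou2f
 protocol unix,inet,inet6
 seccomp
 
-# private-bin gnome-mplayer,mplayer
+#private-bin gnome-mplayer,mplayer
 private-cache
 private-dev
 private-tmp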
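--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /usr/share/gnome-nettool
-#include whitelist-common.inc -- see #903
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc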
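--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -36,7 +36,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# private-bin gjs,gnome-photos
+#private-bin gjs,gnome-photos
 private-dev
 private-tmp
 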
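--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -16,7 +16,7 @@ include disable-exec.inc
 
 caps.drop all
 ipc-namespace
-# net none - breaks dbus
+#net none # breaks dbus
 no3d
 nodvd
 nogroups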
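--- a/etc/profile-a-l/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -27,7 +27,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 
 disable-mnt
-# private-dev
+#private-dev
 private-tmp
 
 restrict-namespaces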
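--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -46,7 +46,7 @@ apparmor
 caps.keep chown,dac_override,setgid,setuid
 ipc-namespace
 machine-id
-#net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups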
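--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks dbus
+#net none # breaks dbus
 no3d
 nodvd
 # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
@@ -47,8 +47,8 @@ private-lib
 private-tmp
 writable-var-log
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 memory-deny-write-execute
 # Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.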
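--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -41,9 +41,9 @@ seccomp.block-secondary
 tracelog
 
 disable-mnt
-# private-bin gjs,gnome-weather
+#private-bin gjs,gnome-weather
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
 restrict-namespaces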
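--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -34,7 +34,7 @@ seccomp
 tracelog
 
 
-# private-bin godot
+#private-bin godot
 private-cache
 private-dev
 private-etc @games,@tls-ca,@x11,mono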
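--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -28,9 +28,9 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin goobox
+#private-bin goobox
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
-# private-tmp
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+#private-tmp
 
 restrict-namespaces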
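--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -17,8 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Google Play Music Desktop Player
-# whitelist ${HOME}/.config/pulse
-# whitelist ${HOME}/.pulse
+#whitelist ${HOME}/.config/pulse
+#whitelist ${HOME}/.pulse
 whitelist ${HOME}/.config/Google Play Music Desktop Player
 include whitelist-common.inc
 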
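--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -28,7 +28,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin gpa,gpg
+#private-bin gpa,gpg
 private-dev
 
 restrict-namespaces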
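--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -46,7 +46,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin gpg-agent
+#private-bin gpg-agent
 private-cache
 private-dev
 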
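--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -42,7 +42,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin gpg
+#private-bin gpg
 private-cache
 private-dev
 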
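--- a/etc/profile-a-l/gpg2.profile
+++ b/etc/profile-a-l/gpg2.profile
@@ -7,7 +7,7 @@ include gpg2.local
 # added by included profile
 #include globals.local
 
-# private-bin gpg2
+#private-bin gpg2
 
 # Redirect
 include gpg.profile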
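--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-#net none - breaks dbus
+#net none # breaks dbus
 no3d
 nodvd
 nogroups
@@ -47,8 +47,8 @@ private-lib
 private-tmp
 
 # breaks state saving
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 read-only ${HOME}
 restrict-namespaces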
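--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -30,7 +30,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -42,14 +42,14 @@ nou2f
 novideo
 protocol unix
 seccomp
-# tracelog
+#tracelog
 
 private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
 private-etc @x11,gimp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces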
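--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -32,7 +32,7 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-#machine-id -- breaks sound
+#machine-id # breaks sound
 netfilter
 no3d
 nodvd
@@ -51,8 +51,8 @@ disable-mnt
 # debug note: private-bin requires perl, python, etc on some systems
 private-bin hexchat,python*,sh
 private-dev
-#private-lib - python problems
+#private-lib # python problems
 private-tmp
 
-# memory-deny-write-execute - breaks python
+#memory-deny-write-execute # breaks python
 restrict-namespaces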
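--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -28,7 +28,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 nodvd
 no3d
@@ -55,5 +55,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces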
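--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -43,7 +43,7 @@ private-dev
 private-etc @x11,gconf
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces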
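--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -36,7 +36,7 @@ seccomp
 
 private-cache
 private-dev
-# private-tmp
+#private-tmp
 
 noexec /tmp
 restrict-namespaces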
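--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 x11 none
 
-# private-bin img2txt
+#private-bin img2txt
 private-cache
 private-dev
 private-tmp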
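--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -61,7 +61,7 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin inkscape,potrace,python* - problems on Debian stretch
+#private-bin inkscape,potrace,python* # problems on Debian stretch
 private-cache
 private-dev
 private-etc @x11,ImageMagick*,python*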
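--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -14,7 +14,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
+#include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
@@ -26,7 +26,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# machine-id
+#machine-id
 net none
 netfilter
 no3d
@@ -39,14 +39,14 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix
+#protocol unix
 seccomp
-# tracelog
+#tracelog
 
 disable-mnt
 private
 private-bin bash,ipcalc,ipcalc-ng,perl,sh
-# private-cache
+#private-cache
 private-dev
 # empty etc directory
 private-etc
@@ -57,6 +57,6 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute
-# read-only ${HOME}
+#memory-deny-write-execute
+#read-only ${HOME}
 restrict-namespaces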
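--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -21,19 +21,19 @@ include disable-xdg.inc
 include whitelist-var-common.inc
 
 caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource
-# net none
+#net none
 netfilter
 no3d
-# nonewprivs - breaks privileged helpers
+#nonewprivs # breaks privileged helpers
 noinput
-# noroot - breaks privileged helpers
+#noroot # breaks privileged helpers
 nosound
 notv
 novideo
-# protocol unix - breaks privileged helpers
-# seccomp - breaks privileged helpers
+#protocol unix # breaks privileged helpers
+#seccomp # breaks privileged helpers
 
 private-dev
-# private-tmp
+#private-tmp
 
-# restrict-namespaces - breaks privileged helpers
+#restrict-namespaces # breaks privileged helpers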
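Review bot: The new `#directive # reason` form (new lines 27, 29, 33, 34 and 39 here) only keeps its value if the profile parser accepts an end-of-line ` # reason` trailer once the leading `#` is removed, e.g. `seccomp # breaks privileged helpers`; if it does not, a user who uncomments the directive gets a rejected line rather than the hardening they expected. I could not confirm the parser's trailing-comment handling from this diff, so it is worth verifying before relying on the form in kcalc, kdeinit4, kmail, ktorrent, kwrite, midori, mplayer, PCSX2, QMediathekView, mpDris2 and mullvad-browser, which use the same pattern in this PR. A one-line remark in the profile documentation stating that end-of-line comments are supported on directive lines would remove the ambiguity for contributors.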
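--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -36,7 +36,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 
-# private-bin kaffeine
+#private-bin kaffeine
 private-dev
 private-tmp
 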
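--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -35,7 +35,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp !chroot
-# tracelog
+#tracelog
 
 disable-mnt
 private-bin kalgebra,kalgebramobile
@@ -47,4 +47,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces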
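--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -28,17 +28,17 @@ noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
 include allow-common-devel.inc
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 
 include whitelist-run-common.inc
 include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -52,13 +52,13 @@ novideo
 protocol unix
 seccomp
 
-# private-bin kate,kbuildsycoca4,kdeinit4
+#private-bin kate,kbuildsycoca4,kdeinit4
 private-dev
-# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+#private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
 join-or-start kate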
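--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -45,7 +45,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-bin kazam,python*
+#private-bin kazam,python*
 private-cache
 private-dev
 private-etc @x11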
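--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -60,7 +60,7 @@ private-bin kcalc
 private-cache
 private-dev
 private-etc
-# private-lib - problems on Arch
+#private-lib # problems on Arch
 private-tmp
 
 dbus-user none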
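--- a/etc/profile-a-l/kdeinit4.profile
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -22,7 +22,7 @@ no3d
 nogroups
 noinput
 nonewprivs
-# nosound - disabled for knotify
+#nosound # disabled for knotify
 noroot
 nou2f
 novideo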
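--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -21,7 +21,7 @@ include disable-programs.inc
 
 apparmor
 caps.drop all
-# net none
+#net none
 nodvd
 nogroups
 noinput
@@ -34,9 +34,9 @@ seccomp
 
 private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
 private-dev
-# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+#private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces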
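--- a/etc/profile-a-l/kfind.profile
+++ b/etc/profile-a-l/kfind.profile
@@ -9,21 +9,21 @@ include globals.local
 # searching in blacklisted or masked paths fails silently
 # adjust filesystem restrictions as necessary
 
-# noblacklist ${HOME}/.cache/kfind - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/kfindrc
-# noblacklist ${HOME}/.kde/share/config/kfindrc
-# noblacklist ${HOME}/.kde4/share/config/kfindrc
+#noblacklist ${HOME}/.cache/kfind # disable-programs.inc is disabled, see below
+#noblacklist ${HOME}/.config/kfindrc
+#noblacklist ${HOME}/.kde/share/config/kfindrc
+#noblacklist ${HOME}/.kde4/share/config/kfindrc
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
@@ -38,11 +38,11 @@ novideo
 protocol unix
 seccomp
 
-# private-bin kbuildsycoca4,kdeinit4,kfind
+#private-bin kbuildsycoca4,kdeinit4,kfind
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces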
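--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -40,5 +40,5 @@ seccomp
 private-dev
 private-tmp
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces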
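--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -27,13 +27,13 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
@@ -49,4 +49,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces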
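--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -41,7 +41,7 @@ include disable-programs.inc
 include whitelist-run-common.inc
 include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,11 +56,11 @@ novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
-# tracelog
+#tracelog
 
 private-dev
-# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+#private-tmp # interrupts connection to akonadi, breaks opening of email attachments
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 
-# restrict-namespaces
+#restrict-namespaces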
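--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -33,7 +33,7 @@ nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 
-# private-bin kmplayer,mplayer
+#private-bin kmplayer,mplayer
 private-cache
 private-dev
 private-tmp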
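--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -42,5 +42,5 @@ private-cache
 private-dev
 private-tmp
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces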
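--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -28,7 +28,7 @@ include disable-xdg.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -46,7 +46,7 @@ private-cache
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces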
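--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -10,19 +10,19 @@ include globals.local
 # When a file is opened in krunner, the file viewer runs in its own sandbox
 # with its own profile, if it is sandboxed automatically.
 
-# noblacklist ${HOME}/.cache/krunner
-# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-# noblacklist ${HOME}/.config/chromium
+#noblacklist ${HOME}/.cache/krunner
+#noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+#noblacklist ${HOME}/.config/chromium
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
-# noblacklist ${HOME}/.local/share/baloo
-# noblacklist ${HOME}/.mozilla
+#noblacklist ${HOME}/.local/share/baloo
+#noblacklist ${HOME}/.mozilla
 
 include disable-common.inc
-# include disable-devel.inc
-# include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-devel.inc
+#include disable-interpreters.inc
+#include disable-programs.inc
 
 include whitelist-var-common.inc
 
@@ -34,6 +34,6 @@ noroot
 protocol unix,inet,inet6
 seccomp
 
-# private-cache
+#private-cache
 
 restrict-namespaces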
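--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -62,9 +62,9 @@ seccomp
 
 private-bin kbuildsycoca4,kdeinit4,ktmagnetdownloader,ktorrent,ktupnptest
 private-dev
-# private-lib - problems on Arch
+#private-lib # problems on Arch
 private-tmp
 
 deterministic-shutdown
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces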
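--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -65,7 +65,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# disable-mnt
+#disable-mnt
 # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 private-bin kube,sink_synchronizer
 private-cache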
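--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -29,14 +29,14 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound - KWrite is using ALSA!
+#nosound # KWrite is using ALSA!
 notv
 nou2f
 novideo
@@ -49,8 +49,8 @@ private-dev
 private-etc @x11
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
 join-or-start kwrite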
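--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -36,8 +36,8 @@ x11 none
 
 # The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
-# private-bin less
-# private-lib
+#private-bin less
+#private-lib
 private-cache
 private-dev
 writable-var-log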
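--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -33,13 +33,13 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo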
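--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -52,7 +52,7 @@ private-cache
 private-dev
 private-etc @tls-ca
 # Add the next line to your links-common.local to allow external media players.
-# private-etc alsa,asound.conf,machine-id,openal,pulse
+#private-etc alsa,asound.conf,machine-id,openal,pulse
 private-tmp
 
 dbus-user none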
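--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.cache/wine
 noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.config/lutris
 noblacklist ${HOME}/.local/share/lutris
-# noblacklist ${HOME}/.wine
+#noblacklist ${HOME}/.wine
 noblacklist /tmp/.wine-*
 # Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
 # Lutris won't even start.
@@ -39,7 +39,7 @@ mkdir ${HOME}/.cache/wine
 mkdir ${HOME}/.cache/winetricks
 mkdir ${HOME}/.config/lutris
 mkdir ${HOME}/.local/share/lutris
-# mkdir ${HOME}/.wine
+#mkdir ${HOME}/.wine
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/Games
 whitelist ${HOME}/.cache/lutris
@@ -47,7 +47,7 @@ whitelist ${HOME}/.cache/wine
 whitelist ${HOME}/.cache/winetricks
 whitelist ${HOME}/.config/lutris
 whitelist ${HOME}/.local/share/lutris
-# whitelist ${HOME}/.wine
+#whitelist ${HOME}/.wine
 whitelist /usr/share/lutris
 whitelist /usr/share/wine
 include whitelist-common.inc
@@ -55,11 +55,11 @@ include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
-# allow-debuggers
-# apparmor
+#allow-debuggers
+#apparmor
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups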
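--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -34,10 +34,10 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin lynx
+#private-bin lynx
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 
 restrict-namespaces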
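--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -31,7 +31,7 @@ include whitelist-usr-share-common.inc
 apparmor
 machine-id
 
-# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
+#private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
 private-etc @x11,lyx,mime.types,texmf
 
 # Redirect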
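--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -40,8 +40,8 @@ notv
 nou2f
 novideo
 protocol unix,netlink
-#seccomp - breaks loading with no logs
-#tracelog - 32/64 bit incompatibility
+#seccomp # breaks loading with no logs
+#tracelog # 32/64 bit incompatibility
 
 private-bin PCSX2
 private-cache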
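--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -57,7 +57,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
@@ -81,5 +81,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces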
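--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -35,4 +35,4 @@ private-bin awk,bash,dig,sh,Viber
 private-etc @tls-ca,@x11,mailcap,proxychains.conf
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces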
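--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -25,7 +25,7 @@ nogroups
 noinput
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -35,10 +35,10 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,Xephyr,xkbcomp
-# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
+#private-bin sh,Xephyr,xkbcomp
+#private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
 private-dev
-# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 #private-tmp
 
 restrict-namespaces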
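--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -39,8 +39,8 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,xkbcomp,Xvfb
-# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
+#private-bin sh,xkbcomp,Xvfb
+#private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
 private-etc gai.conf,host.conf
 private-tmp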
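--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -14,8 +14,8 @@ blacklist ${RUNUSER}/wayland-*
 # for potential issues and their solutions when Firejailing makepkg
 
 # This profile could be significantly strengthened by adding the following to makepkg.local
-# whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/<Your Build Folder>
+#whitelist ${HOME}/.gnupg
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg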
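--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -13,8 +13,8 @@ noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.local/share/pki
-# noblacklist ${HOME}/.local/share/webkit
-# noblacklist ${HOME}/.local/share/webkitgtk
+#noblacklist ${HOME}/.local/share/webkit
+#noblacklist ${HOME}/.local/share/webkitgtk
 noblacklist ${HOME}/.pki
 
 noblacklist ${HOME}/.cache/gnome-mplayer
@@ -54,7 +54,7 @@ caps.drop all
 netfilter
 nodvd
 nonewprivs
-# noroot - problems on Ubuntu 14.04
+#noroot # problems on Ubuntu 14.04
 notv
 protocol unix,inet,inet6,netlink
 seccomp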
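--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -56,7 +56,7 @@ dbus-user filter
 dbus-user.own org.mpris.MediaPlayer2.mpd
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 
 read-only ${HOME}
 restrict-namespaces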
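--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -24,9 +24,9 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none - mplayer can be used for streaming.
+#net none # mplayer can be used for streaming.
 netfilter
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot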
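--- a/etc/profile-m-z/mullvad-browser.profile
+++ b/etc/profile-m-z/mullvad-browser.profile
@@ -73,13 +73,13 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
-#private-opt mullvad-browser - can cause slow startup
+#private-opt mullvad-browser # can cause slow startup
 private-tmp
 
 blacklist ${PATH}/curl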
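--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -41,12 +41,12 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
 
 disable-mnt
 # private-bin works, but causes weirdness
-# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
+#private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces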
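--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -41,5 +41,5 @@ disable-mnt
 private-bin mumble
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces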
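--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -37,7 +37,7 @@ protocol unix,inet,inet6
 seccomp !chroot
 tracelog
 
-# private-bin musescore,mscore
+#private-bin musescore,mscore
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces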
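--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -35,4 +35,4 @@ disable-mnt
 private-dev
 private-etc @tls-ca
 
-# restrict-namespaces
+#restrict-namespaces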
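--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -121,7 +121,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
 private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo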
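--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 x11 none
 
-# disable-mnt
+#disable-mnt
 private-bin nano,rnano
 private-cache
 private-dev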
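--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -29,7 +29,7 @@ seccomp
 x11 none
 
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user none
 dbus-system none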
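--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -113,7 +113,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
 private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver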
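--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -42,11 +42,11 @@ private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,ni
 private-cache
 private-dev
 private-etc @tls-ca,@x11
-# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+#private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces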
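--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -17,7 +17,7 @@ whitelist ${HOME}/.config/nuclear
 
 no3d
 
-# private-bin nuclear
+#private-bin nuclear
 private-etc @tls-ca,@x11,host.conf,mime.types
 private-opt nuclear
 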
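--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -44,7 +44,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -62,12 +62,13 @@ tracelog
 private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
 private-dev
 private-etc @x11,cups
-# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
+# on KDE we need access to the real /tmp for data exchange with email clients
+#private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 
 restrict-namespaces
 join-or-start okular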
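--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -50,7 +50,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 
 disable-mnt
 private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*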
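--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -24,7 +24,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - networked game
+#net none # networked game
 netfilter
 nodvd
 nogroups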
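--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -24,7 +24,7 @@ nogroups
 noinput
 nonewprivs
 noroot
-# nosound - calendar application, It must be able to play sound to wake you up.
+#nosound # calendar application, It must be able to play sound to wake you up.
 notv
 nou2f
 novideo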
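--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -57,4 +57,4 @@ private-tmp
 
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces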
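--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -40,7 +40,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
 
-# private-bin pidgin
+#private-bin pidgin
 private-cache
 private-dev
 private-tmp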
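--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -55,7 +55,7 @@ tracelog
 
 disable-mnt
 private
-#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+#private-bin ping # has mammoth problems with execvp: "No such file or directory"
 private-cache
 private-dev
 private-etc @tls-ca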
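--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -21,10 +21,10 @@ include disable-shell.inc
 
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -45,8 +45,8 @@ private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
 join-or-start pluma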
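--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -53,7 +53,7 @@ writable-var-log
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks opening file-chooser
+#memory-deny-write-execute # breaks opening file-chooser
 read-only ${HOME}
 read-write ${HOME}/.config/PacmanLogViewer
 read-only /var/log/pacman.log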
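--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -43,4 +43,4 @@ disable-mnt
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces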
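--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -62,7 +62,7 @@ novideo
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp !chroot
-#tracelog - breaks on Arch
+#tracelog # breaks on Arch
 
 disable-mnt
 # Add the next line to your psi.local to enable GPG support.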
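--- a/etc/profile-m-z/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -34,8 +34,8 @@ nou2f
 novideo
 tracelog
 
-# private-etc alternatives,fonts,passwd - minimal required to run but will probably break
-# program!
+# minimum required to run but will probably break the program!
+#private-etc alternatives,fonts,passwd
 private-dev
 private-tmp
 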
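--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -55,12 +55,12 @@ seccomp
 
 private-bin python*,qbittorrent
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # See https://github.com/netblue30/firejail/issues/3707 for tray-icon
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
+#memory-deny-write-execute # problems on Arch, see #1690 on GitHub repo
 restrict-namespaces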
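--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -18,7 +18,7 @@ include disable-xdg.inc
 
 caps.drop all
 netfilter
-# no3d
+#no3d
 nogroups
 noinput
 nonewprivs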
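--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -41,7 +41,7 @@ private-dev
 private-tmp
 
 # needs D-Bus when started from a file manager
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces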
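--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces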
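--- a/etc/profile-m-z/quassel.profile
+++ b/etc/profile-m-z/quassel.profile
@@ -25,4 +25,4 @@ seccomp !chroot
 private-cache
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces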
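--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -50,6 +50,6 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
 
 restrict-namespaces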
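--- a/etc/profile-m-z/rpcs3.profile
+++ b/etc/profile-m-z/rpcs3.profile
@@ -54,7 +54,8 @@ tracelog
 
 disable-mnt
 #private-cache
-#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk
+# seems to need awk
+#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none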
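Review bot: The rationale `# seems to need awk`, now split onto its own line above the disabled `private-etc` entry, no longer explains why that particular option is off — awk is a program, so the remark reads as a `private-bin` concern rather than an `/etc` one, and a maintainer deciding whether to re-enable `private-etc` cannot tell what actually broke. The original single-line form at least tied the remark to the option; with the two now separated, the comment should say what fails when the line is enabled, e.g. `# private-etc disabled: <what breaks> — TODO confirm, possibly unrelated to awk` (placeholder, to be filled from a test run). The same detached-rationale pattern appears in the okular and pycharm-community sections above, though there the wording still identifies the option.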
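--- a/etc/profile-m-z/rssguard.profile
+++ b/etc/profile-m-z/rssguard.profile
@@ -31,13 +31,13 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo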
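--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -55,7 +55,7 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin gimp*,gs,scribus
+#private-bin gimp*,gs,scribus
 private-dev
 private-tmp
 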
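--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -55,7 +55,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
+#private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
 writable-run-user
 
 restrict-namespaces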
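--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -34,36 +34,36 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
 noblacklist /etc/init.d
-# noblacklist /var/opt
+#noblacklist /var/opt
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
-# include disable-devel.inc
-# include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-# include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
+#include whitelist-runuser-common.inc
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
 
 # people use to install servers all over the place!
 # apparmor runs executable only from default system locations
-# apparmor
+#apparmor
 caps
-# ipc-namespace
+#ipc-namespace
 machine-id
-# netfilter /etc/firejail/webserver.net
+#netfilter /etc/firejail/webserver.net
 no3d
 nodvd
-# nogroups
+#nogroups
 noinput
 nonewprivs
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -74,22 +74,22 @@ tab # allow tab completion
 
 disable-mnt
 private
-# private-bin program
-# private-cache
+#private-bin program
+#private-cache
 private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives
-# private-lib
-# private-opt none
+#private-etc alternatives
+#private-lib
+#private-opt none
 private-tmp
-# writable-run-user
-# writable-var
-# writable-var-log
+#writable-run-user
+#writable-var
+#writable-var-log
 
 dbus-user none
-# dbus-system none
+#dbus-system none
 
-# deterministic-shutdown
-# memory-deny-write-execute
-# read-only ${HOME}
-# restrict-namespaces
+#deterministic-shutdown
+#memory-deny-write-execute
+#read-only ${HOME}
+#restrict-namespaces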
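Review bot: The prose comment `# people use to install servers all over the place!` in the first hunk is ungrammatical and survives the reformatting unchanged, while the next line already carries the actual reason apparmor is disabled; since this commit is touching every comment line in the file anyway, it is the natural place to tidy it to `# people tend to install servers all over the place!`. This is a template profile, so its comments are what users copy into their own profiles. The remaining commented-out hardening options (`#noroot`, `#nogroups`, `#ipc-namespace`, `#restrict-namespaces` and the rest) carry no rationale at all; a one-line note at the top of each group saying they are left off deliberately because this is a generic template, to be enabled per service, would make that intent explicit.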
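--- a/etc/profile-m-z/silentarmy.profile
+++ b/etc/profile-m-z/silentarmy.profile
@@ -7,7 +7,7 @@ include globals.local
 
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc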
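--- a/etc/profile-m-z/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -28,15 +28,15 @@ nonewprivs
 noroot
 nosound
 notv
-# novideo
+#novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
 seccomp !ioperm
 tracelog
 
-# private-bin simple-scan
-# private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
-# private-tmp
+#private-bin simple-scan
+#private-dev
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-tmp
 
 restrict-namespaces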
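--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -33,7 +33,7 @@ novideo
 protocol unix
 seccomp
 
-# private-bin simutrans
+#private-bin simutrans
 private-dev
 private-etc @games,@x11
 private-tmp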
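--- a/etc/profile-m-z/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -22,16 +22,16 @@ nonewprivs
 noroot
 nosound
 notv
-# novideo
+#novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
 seccomp !ioperm
 
-# private-bin kbuildsycoca4,kdeinit4,skanlite
-# private-dev
-# private-tmp
+#private-bin kbuildsycoca4,kdeinit4,skanlite
+#private-dev
+#private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces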
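--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -36,7 +36,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
@@ -49,7 +49,7 @@ private-dev
 private-tmp
 
 # problems with KDE
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces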
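--- a/etc/profile-m-z/sniffnet.profile
+++ b/etc/profile-m-z/sniffnet.profile
@@ -29,8 +29,8 @@ netfilter
 nodvd
 nogroups
 noinput
-# nonewprivs - breaks network traffic capture for unprivileged users
-# noroot
+#nonewprivs # breaks network traffic capture for unprivileged users
+#noroot
 notv
 nou2f
 novideo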
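Review bot: `#noroot` is left disabled with no rationale, while the adjacent `#nonewprivs` line now carries an end-of-line explanation in the new style this commit introduces; both options are deliberately off in a profile for a packet-capture tool, which is exactly the kind of weakening a later maintainer will want to see justified before leaving it alone. If the reason is the same privilege-acquisition path the capture needs, record it as `#noroot # same reason as nonewprivs above: breaks traffic capture` — only if that is in fact why it was disabled; if nobody can confirm it, the line is a candidate for re-testing with `noroot` enabled rather than for a guessed comment.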
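--- a/etc/profile-m-z/sol.profile
+++ b/etc/profile-m-z/sol.profile
@@ -21,13 +21,13 @@ apparmor
 caps.drop all
 ipc-namespace
 net none
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
@@ -43,5 +43,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces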
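--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -38,7 +38,7 @@ private-cache
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces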
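--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -46,8 +46,8 @@ private-etc @tls-ca
 private-tmp
 
 # breaks proxy creation
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces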
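--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -32,10 +32,10 @@ nodvd
 nogroups
 noinput
 nonewprivs
-# noroot - see issue #1543
+#noroot # see issue #1543
 nosound
 notv
-# nou2f - OpenSSH >= 8.2 supports U2F
+#nou2f # OpenSSH >= 8.2 supports U2F
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -43,7 +43,7 @@ tracelog
 
 private-cache
 private-dev
-# private-tmp # Breaks when exiting
+#private-tmp # Breaks when exiting
 writable-run-user
 
 dbus-user none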
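--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -47,4 +47,4 @@ private-etc @tls-ca,@x11,host.conf
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces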
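--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -49,5 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces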
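--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -41,7 +41,7 @@ seccomp.block-secondary
 tracelog
 
 disable-mnt
-# private-bin supertux2
+#private-bin supertux2
 private-cache
 private-etc
 private-dev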
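--- a/etc/profile-m-z/sushi.profile
+++ b/etc/profile-m-z/sushi.profile
@@ -13,7 +13,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include disable-shell.inc
 
 include whitelist-runuser-common.inc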
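--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -13,7 +13,7 @@ whitelist ${HOME}/.sylpheed-2.0
 
 whitelist /usr/share/sylpheed
 
-# private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
+#private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
 
 # Redirect
 include email-common.profile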
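--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -59,11 +59,11 @@ seccomp
 tracelog
 
 disable-mnt
-#private-bin sysprof - breaks help menu
+#private-bin sysprof # breaks help menu
 private-cache
 private-dev
 private-etc @tls-ca
-# private-lib - breaks help menu
+#private-lib # breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
@@ -73,5 +73,5 @@ dbus-user.own org.gnome.Yelp
 dbus-user.own org.gnome.Sysprof3
 dbus-user.talk ca.desrt.dconf
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces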
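--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -39,4 +39,4 @@ disable-mnt
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces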
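--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -35,7 +35,7 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
-# noblacklist ${HOME}/.icedove
+#noblacklist ${HOME}/.icedove
 noblacklist ${HOME}/.thunderbird
 
 include disable-xdg.inc
@@ -46,11 +46,11 @@ include disable-xdg.inc
 # See https://github.com/netblue30/firejail/issues/2357
 mkdir ${HOME}/.cache/thunderbird
 mkdir ${HOME}/.gnupg
-# mkdir ${HOME}/.icedove
+#mkdir ${HOME}/.icedove
 mkdir ${HOME}/.thunderbird
 whitelist ${HOME}/.cache/thunderbird
 whitelist ${HOME}/.gnupg
-# whitelist ${HOME}/.icedove
+#whitelist ${HOME}/.icedove
 whitelist ${HOME}/.thunderbird
 
 whitelist /usr/share/gnupg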
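--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -12,10 +12,10 @@ blacklist ${RUNUSER}
 
 noblacklist /tmp/tmux-*
 
-# include disable-common.inc
-# include disable-devel.inc
-# include disable-exec.inc
-# include disable-programs.inc
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-programs.inc
 
 caps.drop all
 ipc-namespace
@@ -36,9 +36,9 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# private-cache
+#private-cache
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user none
 dbus-system none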
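--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -56,13 +56,13 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
-#private-opt tor-browser - can cause slow startup
+#private-opt tor-browser # can cause slow startup
 private-tmp
 
 dbus-user none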
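--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -35,7 +35,7 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 netfilter
 nogroups
@@ -55,7 +55,7 @@ private-etc @tls-ca,@x11,python*
 private-tmp
 
 # makes settings immutable
-# dbus-user none
+#dbus-user none
 dbus-system none
 
 restrict-namespaces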
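--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -33,8 +33,8 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin tracker
-# private-dev
-# private-tmp
+#private-bin tracker
+#private-dev
+#private-tmp
 
 restrict-namespaces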
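--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-bin trojita
 private-cache
 private-dev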
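--- a/etc/profile-m-z/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
@@ -36,8 +36,8 @@ tracelog
 
 private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop
 # add your configured file browser in udiskie.local, e. g.
-# private-bin nautilus
-# private-bin thunar
+#private-bin nautilus
+#private-bin thunar
 private-cache
 private-dev
 private-etc @x11,mime.types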
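--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -34,11 +34,11 @@ protocol unix,inet,inet6,netlink
 seccomp
 
 disable-mnt
-# private-bin unknown-horizons
+#private-bin unknown-horizons
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 
 # doesn't work - maybe all Tcl/Tk programs have this problem
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces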
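--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -49,5 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
+#memory-deny-write-execute # breaks on Arch (see issues #1803 and #1808)
 restrict-namespaces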
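--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -9,7 +9,7 @@ include globals.local
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/.config/VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
-# noblacklist /usr/bin/virtualbox
+#noblacklist /usr/bin/virtualbox
 noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 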
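--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -15,7 +15,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-#include disable-shell.inc - problems on Debian 11
+#include disable-shell.inc # problems on Debian 11
 
 mkdir ${HOME}/.local/share/warzone2100
 mkdir ${HOME}/.local/share/warzone2100-3.3.0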
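--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -20,23 +20,23 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
-# whitelist /usr/share/wine
-# include whitelist-usr-share-common.inc
+#whitelist /usr/share/wine
+#include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 # Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this.
 allow-debuggers
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
-# novideo
+#novideo
 seccomp
 
 private-dev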
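--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -25,29 +25,30 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
-# caps.drop all
+#caps.drop all
 caps.keep dac_override,dac_read_search,net_admin,net_raw
 netfilter
 no3d
-# nogroups - breaks network traffic capture for unprivileged users
+#nogroups # breaks network traffic capture for unprivileged users
 noinput
-# nonewprivs - breaks network traffic capture for unprivileged users
-# noroot
+#nonewprivs # breaks network traffic capture for unprivileged users
+#noroot
 nodvd
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
+# commented out in case they bring in new protocols
+#protocol unix,inet,inet6,netlink,packet,bluetooth
 #seccomp
 tracelog
 
-# private-bin wireshark
+#private-bin wireshark
 private-cache
 # private-dev prevents (some) interfaces from being shown.
 # Add the below line to your wirehsark.local if you only want to inspect pcap files.
 #private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none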
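Review bot: The context comment `# Add the below line to your wirehsark.local if you only want to inspect pcap files.` still misspells the local-override file name, so a user copying the name gets a file firejail never reads; since the commit is already rewriting comments in this file, fix it to `# Add the below line to your wireshark.local if you only want to inspect pcap files.`. The rest of the hunk only reshapes existing comments and keeps the same effective hardening (caps.keep, netfilter, tracelog, dbus-user none), so nothing else changes for the sandbox.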
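--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -23,10 +23,10 @@ include disable-shell.inc
 
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -46,9 +46,9 @@ private-dev
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 # xed uses python plugins, memory-deny-write-execute breaks python
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces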
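--- a/etc/profile-m-z/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -25,8 +25,8 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin xfburn
-# private-dev
-# private-tmp
+#private-bin xfburn
+#private-dev
+#private-tmp
 
 restrict-namespaces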
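--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -53,5 +53,5 @@ dbus-user.own org.xfce.xfce4-mixer
 dbus-user.talk org.xfce.Xfconf
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces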
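--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -47,5 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute -- see #3790
+#memory-deny-write-execute # see #3790
 restrict-namespaces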
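--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -27,7 +27,7 @@ include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 netfilter
 nogroups
@@ -41,11 +41,11 @@ tracelog
 
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces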
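--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -45,11 +45,11 @@ seccomp
 
 disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
-# private
+#private
 # older Xpra versions also use Xvfb
-# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
+#private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
 private-dev
-# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
+#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
 private-tmp
 
 restrict-namespaces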
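--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -18,9 +18,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 # Breaks xreader on Mint 18.3
-# include whitelist-var-common.inc
+#include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
 no3d
 nodvd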
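--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -19,9 +19,9 @@ include disable-shell.inc
 
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -42,8 +42,8 @@ private-lib
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 memory-deny-write-execute
 restrict-namespaces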
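--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -33,16 +33,14 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# machine-id breaks sound - add the next line to your yelp.local if you don't need sound support.
-#machine-id
+#machine-id # add this to your yelp.local if you don't need sound support.
 net none
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound - add the next line to your yelp.local if you don't need sound support.
-#nosound
+#nosound # add this to your yelp.local if you don't need sound support.
 notv
 nou2f
 novideo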
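Review bot: The new `#machine-id # add this to your yelp.local if you don't need sound support.` line drops the reason the old comment gave ("machine-id breaks sound"), so a reader no longer sees why this hardening option is disabled by default and what they give up by enabling it. Keep the rationale in the trailing comment, e.g. `#machine-id # breaks sound; add this to your yelp.local if you don't need sound support.`. The `#nosound` line is fine as rewritten, since its effect is evident from the option name.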
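--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -13,9 +13,9 @@ noblacklist ${HOME}/.config/youtube-music-desktop-app
 mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
 
-# private-bin env,ytmdesktop
+#private-bin env,ytmdesktop
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-# private-opt
+#private-opt
 
 # Redirect
 include electron-common.profile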
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile index 09a1d37a3..d576dbefd 100644 --- a/etc/profile-m-z/zeal.profile +++ b/etc/profile-m-z/zeal.profile | |||
@@ -67,5 +67,5 @@ dbus-user.talk org.mozilla.* | |||
67 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | 67 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
68 | dbus-system none | 68 | dbus-system none |
69 | 69 | ||
70 | # memory-deny-write-execute - breaks on Arch | 70 | #memory-deny-write-execute # breaks on Arch |
71 | restrict-namespaces | 71 | restrict-namespaces |