Improve profile.template

 * uncomment .local includes
 * add options
   * ##ignore noexec /tmp
   * ##caps.keep CAPS
   * ##hostname NAME
   * ##writable-etc
   * ##writable-run-user
   * ##writable-var
   * ##writable-var-log
 * add disable x11
   * x11 none
   * blacklist /tmp/.X11-unix
   * comment when which of the both option should be used
 * sort private-etc template Common
 * add comments
   * machine-id: breaks sound and sometime dbus related functions
   * private-bin: python should be added by 'python*'
   * protocol: auxiliary comment for protocol line
 * add 'packet' to protocol list
 * Sections structure: OPTIONS: now has seccomp* instead of seccomp

1 files changed, 23 insertions, 5 deletions

diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 0ccb3fae0..892fd71ef 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -30,7 +30,7 @@
 #   MKDIRS
 #   WHITELISTS
 #   WHITELIST INCLUDES
-#   OPTIONS (caps*, net*, no*, protocol, seccomp, shell none, tracelog)
+#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
 #   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
 #   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
 #   REDIRECT INCLUDES
@@ -49,13 +49,16 @@
 # --- CUT HERE ---
 ##quiet
 # Persistent local customizations
-#include PROFILE.local
+include PROFILE.local
 # Persistent global definitions
-#include globals.local
+include globals.local
 
 ##ignore noexec ${HOME}
+##ignore noexec /tmp
 
 ##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix
 
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@@ -105,8 +108,11 @@
 
 #apparmor
 #caps.drop all
+##caps.keep CAPS
+##hostname NAME
 # CLI only
 ##ipc-namespace
+# breaks sound and sometime dbus related functions
 #machine-id
 # 'net none' or 'netfilter'
 #net none
@@ -121,20 +127,28 @@
 #notv
 #nou2f
 #novideo
-#protocol unix,inet,inet6,netlink
+# Remove every not needed protocol
+#  - unix is usually needed
+#  - inet,inet6 only if internet access is requiered (see 'net none'/'netfilter' above)
+#  - netlink is rarely needed
+#  - packet almost never
+#protocol unix,inet,inet6,netlink,packet
 #seccomp
 ##seccomp.drop SYSCALLS (see also syscalls.txt)
 #shell none
 #tracelog
+# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+##x11 none
 
 #disable-mnt
 ##private
+# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
 #private-bin PROGRAMS
 #private-cache
 #private-dev
 #private-etc FILES
 # private-etc templates (see also #1734, #2093)
-#  Common: ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,alternatives,mime.types,xdg
+#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
 #    Extra: magic,magic.mgc,passwd,group
 #  Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
 #    Extra: proxychains.conf,gai.conf
@@ -148,6 +162,10 @@
 ##private-lib LIBS
 ##private-opt NAME
 #private-tmp
+##writable-etc
+##writable-run-user
+##writable-var
+##writable-var-log
 
 ##env VAR=VALUE
 #memory-deny-write-execute