-rw-r--r--etc/0ad.profile3
-rw-r--r--etc/7z.profile4
-rw-r--r--etc/JDownloader.profile3
-rw-r--r--etc/Maelstrom.profile4
-rw-r--r--etc/QMediathekView.profile4
-rw-r--r--etc/abiword.profile4
-rw-r--r--etc/anki.profile4
-rw-r--r--etc/apktool.profile4
-rw-r--r--etc/ar.profile4
-rw-r--r--etc/arch-audit.profile4
-rw-r--r--etc/ardour5.profile3
-rw-r--r--etc/aria2c.profile4
-rw-r--r--etc/ark.profile3
-rw-r--r--etc/artha.profile4
-rw-r--r--etc/assogiate.profile4
-rw-r--r--etc/asunder.profile4
-rw-r--r--etc/atom.profile4
-rw-r--r--etc/atool.profile4
-rw-r--r--etc/audacious.profile5
-rw-r--r--etc/audacity.profile5
-rw-r--r--etc/authenticator.profile5
-rw-r--r--etc/baobab.profile4
-rw-r--r--etc/bibletime.profile4
-rw-r--r--etc/bitwarden.profile5
-rw-r--r--etc/bleachbit.profile4
-rw-r--r--etc/bless.profile3
-rw-r--r--etc/blobwars.profile4
-rw-r--r--etc/bluefish.profile3
-rw-r--r--etc/bsdtar.profile4
-rw-r--r--etc/bzflag.profile4
-rw-r--r--etc/calligra.profile4
-rw-r--r--etc/cameramonitor.profile4
-rw-r--r--etc/catfish.profile4
-rw-r--r--etc/celluloid.profile5
-rw-r--r--etc/checkbashisms.profile4
-rw-r--r--etc/cheese.profile4
-rw-r--r--etc/cin.profile3
-rw-r--r--etc/clamav.profile5
-rw-r--r--etc/clamtk.profile4
-rw-r--r--etc/clawsker.profile4
-rw-r--r--etc/clipgrab.profile6
-rw-r--r--etc/cpio.profile4
-rw-r--r--etc/crawl.profile4
-rw-r--r--etc/curl.profile4
-rw-r--r--etc/ddgtk.profile4
-rw-r--r--etc/default.profile4
-rw-r--r--etc/desktopeditors.profile4
-rw-r--r--etc/devhelp.profile5
-rw-r--r--etc/devilspie.profile4
-rw-r--r--etc/dex2jar.profile3
-rw-r--r--etc/dia.profile3
-rw-r--r--etc/dig.profile4
-rw-r--r--etc/digikam.profile4
-rw-r--r--etc/display.profile4
-rw-r--r--etc/dnscrypt-proxy.profile4
-rw-r--r--etc/drawio.profile4
-rw-r--r--etc/easystroke.profile4
-rw-r--r--etc/ebook-viewer.profile3
-rw-r--r--etc/electron-mail.profile5
-rw-r--r--etc/electron.profile4
-rw-r--r--etc/electrum.profile3
-rw-r--r--etc/enchant.profile4
-rw-r--r--etc/engrampa.profile4
-rw-r--r--etc/ephemeral.profile6
-rw-r--r--etc/etr.profile4
-rw-r--r--etc/evince.profile6
-rw-r--r--etc/exfalso.profile4
-rw-r--r--etc/exiftool.profile4
-rw-r--r--etc/feh.profile4
-rw-r--r--etc/ffmpeg.profile4
-rw-r--r--etc/file.profile4
-rw-r--r--etc/firefox-common-addons.inc3
-rw-r--r--etc/firefox-common.profile8
-rw-r--r--etc/flameshot.profile3
-rw-r--r--etc/freecad.profile3
-rw-r--r--etc/freeciv.profile4
-rw-r--r--etc/freecol.profile4
-rw-r--r--etc/freemind.profile4
-rw-r--r--etc/frogatto.profile4
-rw-r--r--etc/frozen-bubble.profile4
-rw-r--r--etc/galculator.profile4
-rw-r--r--etc/gcloud.profile4
-rw-r--r--etc/geary.profile3
-rw-r--r--etc/gedit.profile4
-rw-r--r--etc/geekbench.profile4
-rw-r--r--etc/gfeeds.profile4
-rw-r--r--etc/gimp.profile4
-rw-r--r--etc/gist.profile4
-rw-r--r--etc/gmpc.profile4
-rw-r--r--etc/gnome-calculator.profile5
-rw-r--r--etc/gnome-characters.profile8
-rw-r--r--etc/gnome-hexgl.profile4
-rw-r--r--etc/gnome-keyring.profile4
-rw-r--r--etc/gnome-logs.profile4
-rw-r--r--etc/gnome-nettool.profile3
-rw-r--r--etc/gnome-system-log.profile4
-rw-r--r--etc/godot.profile4
-rw-r--r--etc/gpicview.profile4
-rw-r--r--etc/gramps.profile4
-rw-r--r--etc/gravity-beams-and-evaporating-stars.profile4
-rw-r--r--etc/gtk-update-icon-cache.profile4
-rw-r--r--etc/gucharmap.profile5
-rw-r--r--etc/gwenview.profile4
-rw-r--r--etc/gzip.profile4
-rw-r--r--etc/handbrake.profile3
-rw-r--r--etc/hashcat.profile3
-rw-r--r--etc/highlight.profile4
-rw-r--r--etc/host.profile4
-rw-r--r--etc/hugin.profile3
-rw-r--r--etc/hyperrogue.profile4
-rw-r--r--etc/iagno.profile4
-rw-r--r--etc/imagej.profile3
-rw-r--r--etc/img2txt.profile4
-rw-r--r--etc/impressive.profile4
-rw-r--r--etc/inkscape.profile4
-rw-r--r--etc/jd-gui.profile3
-rw-r--r--etc/jerry.profile4
-rw-r--r--etc/jumpnbump.profile4
-rw-r--r--etc/kalgebra.profile4
-rw-r--r--etc/kate.profile4
-rw-r--r--etc/kcalc.profile3
-rw-r--r--etc/kdenlive.profile4
-rw-r--r--etc/keepassx.profile4
-rw-r--r--etc/keepassxc.profile8
-rw-r--r--etc/kfind.profile4
-rw-r--r--etc/kid3.profile4
-rw-r--r--etc/kiwix-desktop.profile4
-rw-r--r--etc/klatexformula.profile4
-rw-r--r--etc/klavaro.profile4
-rw-r--r--etc/krita.profile4
-rw-r--r--etc/ktouch.profile4
-rw-r--r--etc/kwrite.profile3
-rw-r--r--etc/latex-common.profile3
-rw-r--r--etc/less.profile4
-rw-r--r--etc/lincity-ng.profile4
-rw-r--r--etc/lmms.profile3
-rw-r--r--etc/lugaru.profile4
-rw-r--r--etc/macrofusion.profile3
-rw-r--r--etc/magicor.profile4
-rw-r--r--etc/manaplus.profile4
-rw-r--r--etc/mate-calc.profile4
-rw-r--r--etc/mediainfo.profile4
-rw-r--r--etc/megaglest.profile4
-rw-r--r--etc/mencoder.profile4
-rw-r--r--etc/mendeleydesktop.profile3
-rw-r--r--etc/meteo-qt.profile4
-rw-r--r--etc/mindless.profile4
-rw-r--r--etc/minetest.profile4
-rw-r--r--etc/mirrormagic.profile4
-rw-r--r--etc/mp3splt-gtk.profile4
-rw-r--r--etc/mp3splt.profile4
-rw-r--r--etc/mpg123.profile4
-rw-r--r--etc/mpsyt.profile3
-rw-r--r--etc/mpv.profile5
-rw-r--r--etc/mrrescue.profile4
-rw-r--r--etc/ms-office.profile3
-rw-r--r--etc/mupdf.profile4
-rw-r--r--etc/mupen64plus.profile4
-rw-r--r--etc/mypaint.profile3
-rw-r--r--etc/nano.profile4
-rw-r--r--etc/natron.profile4
-rw-r--r--etc/ncdu.profile4
-rw-r--r--etc/netactview.profile4
-rw-r--r--etc/nethack-vultures.profile4
-rw-r--r--etc/nethack.profile4
-rw-r--r--etc/newsboat.profile4
-rw-r--r--etc/nitroshare.profile4
-rw-r--r--etc/nslookup.profile4
-rw-r--r--etc/nyx.profile3
-rw-r--r--etc/ocenaudio.profile6
-rw-r--r--etc/odt2txt.profile5
-rw-r--r--etc/okular.profile4
-rw-r--r--etc/open-invaders.profile4
-rw-r--r--etc/openarena.profile4
-rw-r--r--etc/opencity.profile4
-rw-r--r--etc/openclonk.profile4
-rw-r--r--etc/openshot.profile3
-rw-r--r--etc/openttd.profile4
-rw-r--r--etc/ostrichriders.profile4
-rw-r--r--etc/pandoc.profile4
-rw-r--r--etc/patch.profile4
-rw-r--r--etc/pavucontrol.profile4
-rw-r--r--etc/pcmanfm.profile4
-rw-r--r--etc/pdfchain.profile4
-rw-r--r--etc/pdfmod.profile3
-rw-r--r--etc/pdfsam.profile3
-rw-r--r--etc/pdftotext.profile4
-rw-r--r--etc/peek.profile4
-rw-r--r--etc/penguin-command.profile4
-rw-r--r--etc/pingus.profile4
-rw-r--r--etc/pinta.profile3
-rw-r--r--etc/pioneer.profile4
-rw-r--r--etc/pluma.profile5
-rw-r--r--etc/pngquant.profile4
-rw-r--r--etc/ppsspp.profile3
-rw-r--r--etc/profanity.profile4
-rw-r--r--etc/qbittorrent.profile4
-rw-r--r--etc/qgis.profile4
-rw-r--r--etc/qmmp.profile3
-rw-r--r--etc/qpdfview.profile6
-rw-r--r--etc/qtox.profile4
-rw-r--r--etc/ranger.profile4
-rw-r--r--etc/redshift.profile4
-rw-r--r--etc/regextester.profile5
-rw-r--r--etc/rhythmbox.profile5
-rw-r--r--etc/ripperx.profile4
-rw-r--r--etc/rsync-download_only.profile4
-rw-r--r--etc/rtv.profile4
-rw-r--r--etc/scallion.profile4
-rw-r--r--etc/scorched3d.profile4
-rw-r--r--etc/scorchwentbonkers.profile4
-rw-r--r--etc/scribus.profile3
-rw-r--r--etc/sdat2img.profile3
-rw-r--r--etc/seahorse-adventures.profile4
-rw-r--r--etc/server.profile4
-rw-r--r--etc/shellcheck.profile4
-rw-r--r--etc/shotcut.profile4
-rw-r--r--etc/signal-desktop.profile4
-rw-r--r--etc/simutrans.profile4
-rw-r--r--etc/skanlite.profile4
-rw-r--r--etc/slashem.profile4
-rw-r--r--etc/smplayer.profile4
-rw-r--r--etc/softmaker-common.inc4
-rw-r--r--etc/sol.profile4
-rw-r--r--etc/sound-juicer.profile4
-rw-r--r--etc/spectre-meltdown-checker.profile4
-rw-r--r--etc/spotify.profile4
-rw-r--r--etc/sqlitebrowser.profile5
-rw-r--r--etc/ssh-agent.profile4
-rw-r--r--etc/ssh.profile4
-rw-r--r--etc/standardnotes-desktop.profile3
-rw-r--r--etc/start-tor-browser.profile4
-rw-r--r--etc/steam.profile6
-rw-r--r--etc/strings.profile4
-rw-r--r--etc/subdownloader.profile4
-rw-r--r--etc/supertux2.profile4
-rw-r--r--etc/supertuxkart.profile3
-rw-r--r--etc/synfigstudio.profile3
-rw-r--r--etc/sysprof-cli.profile5
-rw-r--r--etc/sysprof.profile5
-rw-r--r--etc/tar.profile4
-rw-r--r--etc/teams-for-linux.profile3
-rw-r--r--etc/teams.profile3
-rw-r--r--etc/teeworlds.profile4
-rw-r--r--etc/templates/profile.template4
-rw-r--r--etc/terasology.profile4
-rw-r--r--etc/thunderbird.profile3
-rw-r--r--etc/torbrowser-launcher.profile4
-rw-r--r--etc/torcs.profile4
-rw-r--r--etc/totem.profile4
-rw-r--r--etc/transgui.profile4
-rw-r--r--etc/transmission-common.profile4
-rw-r--r--etc/tremulous.profile4
-rw-r--r--etc/tvbrowser.profile4
-rw-r--r--etc/uefitool.profile3
-rw-r--r--etc/unbound.profile4
-rw-r--r--etc/unf.profile4
-rw-r--r--etc/unrar.profile4
-rw-r--r--etc/unzip.profile4
-rw-r--r--etc/uudeview.profile4
-rw-r--r--etc/viewnior.profile4
-rw-r--r--etc/vivaldi.profile5
-rw-r--r--etc/vlc.profile5
-rw-r--r--etc/warmux.profile4
-rw-r--r--etc/warsow.profile4
-rw-r--r--etc/webui-aria2.profile3
-rw-r--r--etc/wget.profile4
-rw-r--r--etc/whalebird.profile3
-rw-r--r--etc/whois.profile4
-rw-r--r--etc/widelands.profile4
-rw-r--r--etc/wire-desktop.profile3
-rw-r--r--etc/wordwarvi.profile4
-rw-r--r--etc/wps.profile4
-rw-r--r--etc/x-terminal-emulator.profile4
-rw-r--r--etc/x2goclient.profile4
-rw-r--r--etc/xbill.profile4
-rw-r--r--etc/xcalc.profile3
-rw-r--r--etc/xed.profile5
-rw-r--r--etc/xfce4-mixer.profile4
-rw-r--r--etc/xonotic.profile3
-rw-r--r--etc/xournal.profile4
-rw-r--r--etc/xpdf.profile5
-rw-r--r--etc/xplayer.profile4
-rw-r--r--etc/xviewer.profile5
-rw-r--r--etc/xzdec.profile4
-rw-r--r--etc/youtube-dl.profile4
-rw-r--r--etc/zart.profile3
-rw-r--r--etc/zathura.profile4
-rw-r--r--etc/zeal.profile4
-rw-r--r--etc/zstd.profile1
290 files changed, 850 insertions, 302 deletions
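diff --git a/etc/0ad.profile b/etc/0ad.profile
index d01de00d3..dc3eb5262 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -30,7 +30,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,3 +48,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none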
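Review bot: Nothing in this section (or in the other profiles converted the same way) tells users that the directive text their local override has to match has changed from `nodbus` to `dbus-user none` / `dbus-system none` (new lines 51-52). An existing `ignore nodbus` in a `0ad.local` would presumably stop matching, so the sandbox quietly becomes stricter than the user configured; that fails closed, but it shows up as an unexplained breakage. I would document the migration where users will see it, for example a comment above the new lines such as `# replaces nodbus; to re-enable D-Bus use "ignore dbus-user none" / "ignore dbus-system none" in 0ad.local`. Whether `nodbus` is still accepted as an alias is not visible on this page and should be stated in the commit message.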
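diff --git a/etc/7z.profile b/etc/7z.profile
index b60bb9ee9..02a2e7ea0 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -23,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -42,4 +41,7 @@ x11 none
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute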
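diff --git a/etc/JDownloader.profile b/etc/JDownloader.profile
index 1435f3422..45ec71e63 100644
--- a/etc/JDownloader.profile
+++ b/etc/JDownloader.profile
@@ -28,7 +28,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none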
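diff --git a/etc/Maelstrom.profile b/etc/Maelstrom.profile
index cee49111e..5cf570f80 100644
--- a/etc/Maelstrom.profile
+++ b/etc/Maelstrom.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -41,3 +40,6 @@ private-bin Maelstrom
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none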
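diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
index b9ddd80c4..d1548a864 100644
--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -34,7 +34,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 # no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,4 +52,7 @@ private-cache
 private-dev
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)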
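Review bot: The disabled `# nodbus` is carried over as two disabled lines (`# dbus-user none`, `# dbus-system none`, new lines 55-56) with no reason given, so both buses stay reachable from the sandbox and a later maintainer cannot tell which one the application actually needs. Now that the buses are separate directives, each should be tested on its own and the reason recorded next to whichever has to stay off, e.g. `# dbus-user none - breaks <feature>`, with `dbus-system none` made active if nothing depends on the system bus. The same undocumented pair appears in the abiword, ark, artha, baobab, calligra and cameramonitor sections.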
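diff --git a/etc/abiword.profile b/etc/abiword.profile
index 748cda195..948d3774a 100644
--- a/etc/abiword.profile
+++ b/etc/abiword.profile
@@ -25,7 +25,6 @@ caps.drop all
 machine-id
 net none
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,3 +43,6 @@ private-cache
 private-dev
 private-etc fonts,gtk-3.0,passwd
 private-tmp
+
+# dbus-user none
+# dbus-system none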
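diff --git a/etc/anki.profile b/etc/anki.profile
index a0a79ef48..fa688f1a5 100644
--- a/etc/anki.profile
+++ b/etc/anki.profile
@@ -32,7 +32,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,3 +52,6 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
 private-tmp
+
+dbus-user none
+dbus-system none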
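diff --git a/etc/apktool.profile b/etc/apktool.profile
index aeeb845ea..39c5da9ab 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -18,7 +18,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +33,6 @@ shell none
 private-bin apktool,basename,bash,dirname,expr,java,sh
 private-cache
 private-dev
+
+dbus-user none
+dbus-system none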
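diff --git a/etc/ar.profile b/etc/ar.profile
index e28370450..6ed60ffe5 100644
--- a/etc/ar.profile
+++ b/etc/ar.profile
@@ -23,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,4 +41,7 @@ private-bin ar
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute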
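diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile
index 0a87ec297..324730bde 100644
--- a/etc/arch-audit.profile
+++ b/etc/arch-audit.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +45,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute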
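diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 5ebeafa76..a27cb4f6e 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,5 @@ private-dev
 #private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11
 private-tmp
 
+dbus-user none
+dbus-system none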
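diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index a52a26d6f..d2dcaace1 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -27,7 +27,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machi
 private-lib libreadline.so.*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute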
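diff --git a/etc/ark.profile b/etc/ark.profile
index 2fe546b55..01004d772 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -23,7 +23,6 @@ apparmor
 caps.drop all
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,5 @@ private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,
 private-dev
 private-tmp
 
+# dbus-user none
+# dbus-system none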
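diff --git a/etc/artha.profile b/etc/artha.profile
index aaaede7ee..19a4771aa 100644
--- a/etc/artha.profile
+++ b/etc/artha.profile
@@ -38,7 +38,6 @@ caps.drop all
 ipc-namespace
 # net none - breaks on Ubuntu
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -60,4 +59,7 @@ private-etc alternatives,fonts,machine-id
 private-lib libnotify.so.*
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute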
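diff --git a/etc/assogiate.profile b/etc/assogiate.profile
index 542b3da8d..da72a4a73 100644
--- a/etc/assogiate.profile
+++ b/etc/assogiate.profile
@@ -26,7 +26,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,7 @@ private-dev
 private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute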
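diff --git a/etc/asunder.profile b/etc/asunder.profile
index fceac7cf9..33dd4103f 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -27,7 +27,6 @@ apparmor
 caps.drop all
 netfilter
 no3d
-nodbus
 # nogroups
 nonewprivs
 noroot
@@ -42,5 +41,8 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # mdwe is disabled due to breaking hardware accelerated decoding
 # memory-deny-write-execute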
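diff --git a/etc/atom.profile b/etc/atom.profile
index b9cb49d08..fceef9579 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -20,7 +20,6 @@ include disable-programs.inc
 caps.drop all
 # net none
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +35,6 @@ shell none
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none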
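diff --git a/etc/atool.profile b/etc/atool.profile
index ff3c81a80..e501e956c 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -27,7 +27,6 @@ machine-id
 net none
 no3d
 nodvd
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -48,4 +47,7 @@ private-dev
 private-etc alternatives,group,login.defs,passwd
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute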
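diff --git a/etc/audacious.profile b/etc/audacious.profile
index 1bba61a7f..2e1f6f32a 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-#nodbus - dbus needed for MPRIS
 nogroups
 nonewprivs
 noroot
@@ -39,3 +38,7 @@ tracelog
 private-cache
 private-dev
 private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none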
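Review bot: The stated reason, `# dbus needed for MPRIS` (new line 42), is a session-bus requirement, yet it is used to keep `# dbus-system none` disabled as well, so the profile leaves the system bus open without a justification of its own. Unless testing shows a system-bus dependency, new line 44 should read `dbus-system none`, with the comment moved next to the `dbus-user` line only. If the project's D-Bus support allows it, `dbus-user filter` with an allow rule for the player's MPRIS name would be tighter than leaving the session bus fully open. The same pattern, where a session-bus reason covers both lines, appears in the bitwarden and clipgrab (tray icon), celluloid (dconf, MPRIS) and presumably authenticator (settings) sections; audacity's "problems on Fedora 27" does not say which bus is affected.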
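diff --git a/etc/audacity.profile b/etc/audacity.profile
index 022b54d0f..5a454d31d 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -24,7 +24,6 @@ apparmor
 caps.drop all
 net none
 no3d
-# nodbus - problems on Fedora 27
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,7 @@ tracelog
 private-bin audacity
 private-dev
 private-tmp
+
+# problems on Fedora 27
+# dbus-user none
+# dbus-system none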
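diff --git a/etc/authenticator.profile b/etc/authenticator.profile
index 4887299ec..131b20c70 100644
--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -24,7 +24,6 @@ include disable-programs.inc
 caps.drop all
 netfilter
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +42,8 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)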
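diff --git a/etc/baobab.profile b/etc/baobab.profile
index a2cfa6d67..50f7531c0 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -19,7 +19,6 @@ include whitelist-runuser-common.inc
 caps.drop all
 net none
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,4 +36,7 @@ private-bin baobab
 private-dev
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 read-only ${HOME}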
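diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index b76bc8367..99e2802eb 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -35,7 +35,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +53,6 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
+
+dbus-user none
+dbus-system none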
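diff --git a/etc/bitwarden.profile b/etc/bitwarden.profile
index 6080808ed..3095e7505 100644
--- a/etc/bitwarden.profile
+++ b/etc/bitwarden.profile
@@ -29,7 +29,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-#nodbus - breaks appindicator (tray) functionality
 nodvd
 nogroups
 nonewprivs
@@ -51,4 +50,8 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.co
 private-opt Bitwarden
 private-tmp
 
+# breaks appindicator (tray) functionality
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)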
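diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index 47c0cfa48..8f230a413 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -20,7 +20,6 @@ include disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,5 +35,8 @@ shell none
 private-dev
 # private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute breaks some systems, see issue #1850
 # memory-deny-write-execute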
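diff --git a/etc/bless.profile b/etc/bless.profile
index 35235962e..216e86109 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -20,7 +20,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,5 @@ private-dev
 private-etc alternatives,fonts,mono
 private-tmp
 
+dbus-user none
+dbus-system none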
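diff --git a/etc/blobwars.profile b/etc/blobwars.profile
index c0fa5ab91..2a56bdf94 100644
--- a/etc/blobwars.profile
+++ b/etc/blobwars.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ private-cache
 private-dev
 private-etc machine-id
 private-tmp
+
+dbus-user none
+dbus-system none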
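diff --git a/etc/bluefish.profile b/etc/bluefish.profile
index a85840d2f..88ac9c0ed 100644
--- a/etc/bluefish.profile
+++ b/etc/bluefish.profile
@@ -19,7 +19,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,3 +36,5 @@ private-bin bluefish
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none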
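diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index 5ce9b6406..08e51f3c1 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -22,7 +22,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +42,7 @@ private-cache
 private-dev
 private-etc alternatives,group,localtime,passwd
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute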
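diff --git a/etc/bzflag.profile b/etc/bzflag.profile
index 86ab73e0b..1f56d5169 100644
--- a/etc/bzflag.profile
+++ b/etc/bzflag.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,6 @@ private-bin bzadmin,bzflag,bzflag-wrapper,bzfs
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none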
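diff --git a/etc/calligra.profile b/etc/calligra.profile
index 7054739c8..489036e39 100644
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -16,7 +16,6 @@ caps.drop all
 ipc-namespace
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -31,5 +30,8 @@ shell none
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
 private-dev
 
+# dbus-user none
+# dbus-system none
+
 # noexec ${HOME}
 noexec /tmp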
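diff --git a/etc/cameramonitor.profile b/etc/cameramonitor.profile
index 1d7aa0f9c..f48cc43a1 100644
--- a/etc/cameramonitor.profile
+++ b/etc/cameramonitor.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-cache
 private-etc alternatives,fonts
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute - breaks on Arch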
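diff --git a/etc/catfish.profile b/etc/catfish.profile
index 577391c5d..009d3a049 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -28,7 +28,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +45,6 @@ tracelog
 # private-bin bash,catfish,env,locate,ls,mlocate,python*
 # private-dev
 # private-tmp
+
+dbus-user none
+dbus-system none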
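diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index daed19634..9be6b1631 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -31,7 +31,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus -- uses dconf, MPRIS
 nogroups
 nonewprivs
 noroot
@@ -47,5 +46,9 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3
 private-dev
 private-tmp
 
+# uses dconf, MPRIS
+# dbus-user none
+# dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.config/celluloid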
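diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
index e15131dca..93f61091b 100644
--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -32,7 +32,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,4 +50,7 @@ private-dev
 private-lib libfreebl3.so,perl*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute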
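diff --git a/etc/cheese.profile b/etc/cheese.profile
index 633928260..337117c4a 100644
--- a/etc/cheese.profile
+++ b/etc/cheese.profile
@@ -26,7 +26,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-bin cheese
 private-cache
 private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
 private-tmp
+
+dbus-user none
+dbus-system none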
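diff --git a/etc/cin.profile b/etc/cin.profile
index efeb9cd14..8c3fb42d1 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -17,7 +17,6 @@ include disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -34,3 +33,5 @@ shell none
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none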
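diff --git a/etc/clamav.profile b/etc/clamav.profile
index 51bc58108..2726ab5af 100644
--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -15,7 +15,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -31,6 +30,10 @@ tracelog
 x11 none
 
 private-dev
+
+dbus-user none
+dbus-system none
+
 read-only ${HOME}
 
 memory-deny-write-execute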
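diff --git a/etc/clamtk.profile b/etc/clamtk.profile
index bc09808cb..4425a2bd0 100644
--- a/etc/clamtk.profile
+++ b/etc/clamtk.profile
@@ -11,7 +11,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -25,3 +24,6 @@ seccomp
 shell none
 
 private-dev
+
+dbus-user none
+dbus-system none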
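diff --git a/etc/clawsker.profile b/etc/clawsker.profile
index 07db86c92..12ce47401 100644
--- a/etc/clawsker.profile
+++ b/etc/clawsker.profile
@@ -29,7 +29,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-etc alternatives,fonts
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)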
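diff --git a/etc/clipgrab.profile b/etc/clipgrab.profile
index 786d1c866..dace5e83e 100644
--- a/etc/clipgrab.profile
+++ b/etc/clipgrab.profile
@@ -25,8 +25,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-# Breaks tray-icon, uncommend or add to clipgrab.local if you don't need it.
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +41,7 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+
+# Breaks tray icon, uncomment or add to clipgrab.local if you don't need it
+# dbus-user none
+# dbus-system none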
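Review bot: Both bus directives stay commented out in the second hunk, although the stated reason, the tray icon, would normally involve only the session bus. Now that `nodbus` is split in two, the profile could ship `dbus-system none` active and leave only `# dbus-user none` as the opt-in line, assuming clipgrab has no system-bus dependency; that needs a test run before it is changed. The same question applies to devhelp.profile, electron-mail.profile, ephemeral.profile, gedit.profile and gnome-calculator.profile, whose comments name settings, tray or preferences breakage rather than anything on the system bus.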
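diff --git a/etc/cpio.profile b/etc/cpio.profile
index 1156b7439..087a5b2bb 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -25,7 +25,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,4 +40,7 @@ x11 none
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute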
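diff --git a/etc/crawl.profile b/etc/crawl.profile
index af78ac738..3da2413d9 100644
--- a/etc/crawl.profile
+++ b/etc/crawl.profile
@@ -25,7 +25,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-bin crawl,crawl-tiles
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none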
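diff --git a/etc/curl.profile b/etc/curl.profile
index a33d084ce..996ff51d3 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,3 +47,6 @@ private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none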
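diff --git a/etc/ddgtk.profile b/etc/ddgtk.profile
index 3dfc657bc..5b95b74be 100644
--- a/etc/ddgtk.profile
+++ b/etc/ddgtk.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-cache
 private-etc alternatives,fonts
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute - breaks on Arch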
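diff --git a/etc/default.profile b/etc/default.profile
index 7731b6e00..74314cf92 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -28,7 +28,6 @@ caps.drop all
 # net none
 netfilter
 # no3d
-# nodbus
 # nodvd
 # nogroups
 nonewprivs
@@ -53,5 +52,8 @@ seccomp
 # private-opt none
 # private-tmp
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute
 # read-only ${HOME}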
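diff --git a/etc/desktopeditors.profile b/etc/desktopeditors.profile
index d0c727c5c..9a98c4933 100644
--- a/etc/desktopeditors.profile
+++ b/etc/desktopeditors.profile
@@ -24,7 +24,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,6 @@ private-bin desktopeditors,sh
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none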
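diff --git a/etc/devhelp.profile b/etc/devhelp.profile
index cc9553e73..f3c012acb 100644
--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -24,7 +24,6 @@ include whitelist-usr-share-common.inc
 apparmor
 caps.drop all
 # net none - makes settings immutable
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -45,6 +44,10 @@ private-dev
 private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
 
 read-only ${HOME}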
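diff --git a/etc/devilspie.profile b/etc/devilspie.profile
index b561787d8..1ab10a6f6 100644
--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,6 +52,9 @@ private-etc alternatives
 private-lib gconv
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 
 read-only ${HOME}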
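diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index e5f37b06a..7a59c5d73 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,5 @@ private-bin bash,dex2jar,dirname,expr,grep,java,ls,sh,uname
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none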
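diff --git a/etc/dia.profile b/etc/dia.profile
index 3a8651e2e..52bf1c7f8 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,3 +43,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none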
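diff --git a/etc/dig.profile b/etc/dig.profile
index 673af1526..152dfd980 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -34,7 +34,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -55,4 +54,7 @@ private-dev
 #private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute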
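diff --git a/etc/digikam.profile b/etc/digikam.profile
index e66434444..ae4a63c62 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,6 @@ shell none
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
 # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
+
+# dbus-user none
+# dbus-system none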
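Review bot: `# dbus-user none` and `# dbus-system none` are left disabled at the end of the second hunk with no comment saying why, carried over from the bare `# nodbus` this commit removes. A one-line reason above the pair, in the form the neighbouring lines already use (`# private-dev - prevents libdc1394 loading; ...`), would tell a user whether enabling either line in digikam.local is safe, for example `# dbus-user none - <what breaks>`. easystroke.profile, electrum.profile, flameshot.profile, gfeeds.profile and gmpc.profile carry the same unexplained pair.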
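diff --git a/etc/display.profile b/etc/display.profile
index 9e976c11a..2ae4edced 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,6 @@ private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
 private-etc alternatives
 private-tmp
+
+dbus-user none
+dbus-system none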
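diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 6637b8d02..e48e9d1ac 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -31,7 +31,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nonewprivs
 nosound
@@ -48,5 +47,8 @@ private
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
+
 # mdwe can break modules/plugins
 memory-deny-write-execute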
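diff --git a/etc/drawio.profile b/etc/drawio.profile
index d4fd735a1..4132caa4f 100644
--- a/etc/drawio.profile
+++ b/etc/drawio.profile
@@ -28,7 +28,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +47,7 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute - breaks on Arch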
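diff --git a/etc/easystroke.profile b/etc/easystroke.profile
index 1297f5f40..bb711b1bf 100644
--- a/etc/easystroke.profile
+++ b/etc/easystroke.profile
@@ -27,7 +27,6 @@ caps.drop all
 machine-id
 net none
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,4 +50,7 @@ private-etc alternatives,fonts,group,passwd
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute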
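diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile
index 29cb87a62..706aec737 100644
--- a/etc/ebook-viewer.profile
+++ b/etc/ebook-viewer.profile
@@ -4,7 +4,8 @@
 include ebook-viewer.local
 
 net none
-nodbus
+dbus-user none
+dbus-system none
 
 # Redirect
 include calibre.profile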
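diff --git a/etc/electron-mail.profile b/etc/electron-mail.profile
index bde8978df..d5def68c2 100644
--- a/etc/electron-mail.profile
+++ b/etc/electron-mail.profile
@@ -29,7 +29,6 @@ apparmor
 caps.drop all
 netfilter
 no3d
-# nodbus - breaks tray functionality
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +48,8 @@ private-etc alternatives,fonts
 private-opt ElectronMail
 private-tmp
 
+# breaks tray functionality
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute - breaks on Arch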
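diff --git a/etc/electron.profile b/etc/electron.profile
index c24100f17..9b99c7ffb 100644
--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -15,7 +15,6 @@ whitelist ${DOWNLOADS}
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -23,3 +22,6 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
+
+dbus-user none
+dbus-system none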
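Review bot: Replacing `nodbus` with `dbus-user none` and `dbus-system none` in this file changes the text an `ignore` line has to match, and electron.profile is presumably pulled in by other profiles. An including profile or a user's .local file that still says `ignore nodbus` would then stop matching, so D-Bus ends up blocked where it was allowed before; that fails closed, but it breaks the application without any message. The commit does rewrite the in-tree overrides it touches (firefox-common-addons.inc, geary.profile), but the release notes should tell users to replace `ignore nodbus` with `ignore dbus-user none` and `ignore dbus-system none`. firefox-common.profile is affected in the same way.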
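diff --git a/etc/electrum.profile b/etc/electrum.profile
index c9f50f12a..bcc84ddb8 100644
--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -29,7 +29,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +49,5 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
 
+# dbus-user none
+# dbus-system none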
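diff --git a/etc/enchant.profile b/etc/enchant.profile
index 69e8b1e44..2b5de799f 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -31,7 +31,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,4 +52,7 @@ private-etc alternatives
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute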
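diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index aaf3e3382..6c0892c56 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -19,7 +19,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,4 +36,7 @@ tracelog
 private-dev
 # private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute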
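diff --git a/etc/ephemeral.profile b/etc/ephemeral.profile
index c688c2324..029f613c6 100644
--- a/etc/ephemeral.profile
+++ b/etc/ephemeral.profile
@@ -39,8 +39,6 @@ caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required.
 #machine-id
 netfilter
-# nodbus breaks preferences
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -59,3 +57,7 @@ private-cache
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
+
+# breaks preferences
+# dbus-user none
+# dbus-system none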
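diff --git a/etc/etr.profile b/etc/etr.profile
index 97a43bb59..7afcd01d7 100644
--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,6 @@ private-cache
 private-dev
 # private-etc alternatives,drirc,machine-id,openal
 private-tmp
+
+dbus-user none
+dbus-system none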
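diff --git a/etc/evince.profile b/etc/evince.profile
index 68ef5eb9a..04964ce33 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -30,8 +30,6 @@ machine-id
 # net none - breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-# nodbus might break two-page-view on some systems
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,3 +50,7 @@ private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 # private-lib might break two-page-view on some systems
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
+
+# might break two-page-view on some systems
+dbus-user none
+dbus-system none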
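Review bot: The comment moved into the second hunk lost its subject: `# might break two-page-view on some systems` no longer says which directive it describes, while the line three above it still reads `# private-lib might break two-page-view on some systems`. Naming the directive again, e.g. `# dbus-user none might break two-page-view on some systems`, keeps it readable; which of the two buses is involved cannot be told from the hunk and should be confirmed. firefox-common.profile has the same problem with `# breaks various desktop integration features`, and there a user needs to know which active line to `ignore`.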
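diff --git a/etc/exfalso.profile b/etc/exfalso.profile
index 04bafdde4..0b961f534 100644
--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -35,7 +35,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -55,4 +54,7 @@ private-etc alternatives,fonts,group,passwd
 private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)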
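diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index daacbc0c7..90d8a0fc2 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,4 +51,7 @@ private-dev
 private-etc alternatives
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute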
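diff --git a/etc/feh.profile b/etc/feh.profile
index 6a8071c28..91123fa0e 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -21,7 +21,6 @@ include disable-programs.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,6 @@ private-cache
 private-dev
 private-etc alternatives,feh
 private-tmp
+
+dbus-user none
+dbus-system none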
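diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index b392087e8..37c46e7d6 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -29,7 +29,6 @@ caps.drop all
 ipc-namespace
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute - it breaks old versions of ffmpeg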
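diff --git a/etc/file.profile b/etc/file.profile
index 854586354..74620d4cd 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -22,7 +22,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,5 +41,8 @@ private-dev
 #private-etc alternatives,localtime,magic,magic.mgc
 #private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*,libseccomp.so.*
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 read-only ${HOME}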
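diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc
index 1dca67e06..681e72d33 100644
--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -57,7 +57,8 @@ whitelist ${HOME}/dwhelper
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 include allow-python3.inc
 
 # KeePassXC Browser Integration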
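Review bot: The GNOME Shell integration block now lifts both `dbus-user none` and `dbus-system none`, which reproduces the old `ignore nodbus` but gives up the benefit of splitting the option. If chrome-gnome-shell only talks to the session bus, which is likely but not shown on this page, `ignore dbus-system none` can be dropped so the browser stays off the system bus while the integration still works. geary.profile receives the same pair of `ignore` lines and deserves the same check.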
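diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 323070289..7c343c26d 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -34,9 +34,6 @@ caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required.
 #machine-id
 netfilter
-# nodbus breaks various desktop integration features
-# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,3 +53,8 @@ disable-mnt
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
+
+# breaks various desktop integration features
+# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
+dbus-user none
+dbus-system none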
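diff --git a/etc/flameshot.profile b/etc/flameshot.profile
index 9a3df98f4..5a69684b5 100644
--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -23,7 +23,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,5 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,re
 private-dev
 private-tmp
 
+# dbus-user none
+# dbus-system none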
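diff --git a/etc/freecad.profile b/etc/freecad.profile
index 6f0f52a55..0a1d4a750 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -24,7 +24,6 @@ include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none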
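diff --git a/etc/freeciv.profile b/etc/freeciv.profile
index 379c5eca9..0fe933478 100644
--- a/etc/freeciv.profile
+++ b/etc/freeciv.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-bin freeciv-gtk3,freeciv-manual,freeciv-mp-gtk3,freeciv-server
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none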
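diff --git a/etc/freecol.profile b/etc/freecol.profile
index baeb4c528..3cbd2ff53 100644
--- a/etc/freecol.profile
+++ b/etc/freecol.profile
@@ -37,7 +37,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +53,6 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none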
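diff --git a/etc/freemind.profile b/etc/freemind.profile
index ba945c0fb..0ffb5c54d 100644
--- a/etc/freemind.profile
+++ b/etc/freemind.profile
@@ -27,7 +27,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,3 +48,6 @@ private-dev
 private-tmp
 private-opt none
 private-srv none
+
+dbus-user none
+dbus-system none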
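diff --git a/etc/frogatto.profile b/etc/frogatto.profile
index fd7c5fc16..06f13e8c6 100644
--- a/etc/frogatto.profile
+++ b/etc/frogatto.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ private-cache
 private-dev
 private-etc machine-id
 private-tmp
+
+dbus-user none
+dbus-system none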
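diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index c089d2e35..d1dc64bb9 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,6 @@ disable-mnt
 # private-bin frozen-bubble
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none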
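diff --git a/etc/galculator.profile b/etc/galculator.profile
index f757aed69..404d89742 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -26,7 +26,6 @@ caps.drop all
 #hostname galculator - breaks Arch Linux
 #ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,7 @@ private-etc alternatives,fonts
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)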
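diff --git a/etc/gcloud.profile b/etc/gcloud.profile
index 7ca99f420..46a862a21 100644
--- a/etc/gcloud.profile
+++ b/etc/gcloud.profile
@@ -21,7 +21,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 # required for sudo-free docker
 #nogroups
@@ -38,3 +37,6 @@ disable-mnt
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none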
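diff --git a/etc/geary.profile b/etc/geary.profile
index eb427c077..fa01d04b7 100644
--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -10,7 +10,8 @@ include geary.local
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
 
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 ignore private-tmp
 
 noblacklist ${HOME}/.gnupg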
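diff --git a/etc/gedit.profile b/etc/gedit.profile
index 148b98c99..17b7ad563 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -27,7 +27,6 @@ caps.drop all
 machine-id
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ private-dev
 #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none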
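diff --git a/etc/geekbench.profile b/etc/geekbench.profile
index 6398505ed..e06a9afad 100644
--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -25,7 +25,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,6 +47,9 @@ private-lib gcc/*/*/libstdc++.so.*
 private-opt none
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
 
 read-only ${HOME}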
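diff --git a/etc/gfeeds.profile b/etc/gfeeds.profile
index 7de762e0d..e7913f5e4 100644
--- a/etc/gfeeds.profile
+++ b/etc/gfeeds.profile
@@ -38,7 +38,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -58,3 +57,6 @@ private-bin gfeeds,python3*
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
+
+# dbus-user none
+# dbus-system none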
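diff --git a/etc/gimp.profile b/etc/gimp.profile
index 94035bc02..8093c0c39 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -36,7 +36,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,3 +50,6 @@ tracelog
 
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none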
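diff --git a/etc/gist.profile b/etc/gist.profile
index 59fcb2775..681fc2829 100644
--- a/etc/gist.profile
+++ b/etc/gist.profile
@@ -36,7 +36,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,4 +55,7 @@ private-dev
 private-etc alternatives
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute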
diff --git a/etc/gmpc.profile b/etc/gmpc.profile
index b1546db30..b3aad8b2c 100644
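--- a/etc/gmpc.profile
+++ b/etc/gmpc.profile
@@ -30,7 +30,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-etc alternatives,fonts
 private-tmp
 writable-run-user
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute - breaks on Arch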
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 627ae368a..a18a123d3 100644
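--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -27,7 +27,6 @@ machine-id
 # net none
 netfilter
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,8 @@ private-dev
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute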
diff --git a/etc/gnome-characters.profile b/etc/gnome-characters.profile
index 77b0c3c15..3d7a2e4a6 100644
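--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@@ -28,9 +28,6 @@ caps.drop all
 machine-id
 net none
 no3d
-# Uncomment the next line (or add it to your gnome-characters.local)
-# if you don't need recently used chars
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,4 +51,9 @@ private-dev
 private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg
 private-tmp
 
+# Uncomment the next lines (or add it to your gnome-characters.local)
+# if you don't need recently used chars
+# dbus-user none
+# dbus-system none
+
 read-only ${HOME}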
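Review bot: The relocated comment in the second hunk now introduces two directives but still says "add it", so the instruction no longer matches the lines below it. Suggested wording: `# Uncomment the next lines (or add them to your gnome-characters.local)`. Since a user copies these lines into a .local file to tighten the sandbox, it helps that the comment makes clear both `dbus-user none` and `dbus-system none` are meant.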
diff --git a/etc/gnome-hexgl.profile b/etc/gnome-hexgl.profile
index a06ccc9c1..873a47ea9 100644
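--- a/etc/gnome-hexgl.profile
+++ b/etc/gnome-hexgl.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,5 +43,8 @@ private-dev
 private-etc machine-id
 private-tmp
 
+dbus-user none
+dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.cache/mesa_shader_cache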
diff --git a/etc/gnome-keyring.profile b/etc/gnome-keyring.profile
index 7e2d701b7..ecbb74158 100644
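--- a/etc/gnome-keyring.profile
+++ b/etc/gnome-keyring.profile
@@ -31,7 +31,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,4 +51,7 @@ private-dev
 #private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute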
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
index 31b7cfb4f..4b6453015 100644
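--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -24,7 +24,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
 # comment both 'nogroups' and 'noroot'
@@ -50,6 +49,9 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 writable-var-log
 
+dbus-user none
+dbus-system none
+
 # comment this if you export logs to a file in your ${HOME}
 # or put 'ignore read-only ${HOME}' in your gnome-logs.local.
 read-only ${HOME}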
diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile
index 649473679..33eb9c81a 100644
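--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -25,7 +25,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 # ping needs to elevate privileges, noroot and nonewprivs will kill it
@@ -45,3 +44,5 @@ private-dev
 private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
 private-tmp
 
+dbus-user none
+dbus-system none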
diff --git a/etc/gnome-system-log.profile b/etc/gnome-system-log.profile
index cfe39d18b..f597f5cd3 100644
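--- a/etc/gnome-system-log.profile
+++ b/etc/gnome-system-log.profile
@@ -24,7 +24,6 @@ caps.drop all
 ipc-namespace
 # net none - breaks dbus
 no3d
-# nodbus
 nodvd
 # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
 # comment both 'nogroups' and 'noroot'
@@ -49,6 +48,9 @@ private-lib
 private-tmp
 writable-var-log
 
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute
 
 # comment this if you export logs to a file in your ${HOME}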
diff --git a/etc/godot.profile b/etc/godot.profile
index 2baf09b1d..8324a4eb5 100644
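--- a/etc/godot.profile
+++ b/etc/godot.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,6 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none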
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index eb00688dd..578ccaef9 100644
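--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -24,7 +24,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +44,7 @@ private-etc alternatives,fonts,group,passwd
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute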
diff --git a/etc/gramps.profile b/etc/gramps.profile
index 54b154964..427fe2d7a 100644
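--- a/etc/gramps.profile
+++ b/etc/gramps.profile
@@ -30,7 +30,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none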
diff --git a/etc/gravity-beams-and-evaporating-stars.profile b/etc/gravity-beams-and-evaporating-stars.profile
index a0ffa0d88..7a1a9440e 100644
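--- a/etc/gravity-beams-and-evaporating-stars.profile
+++ b/etc/gravity-beams-and-evaporating-stars.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,6 @@ private-cache
 private-dev
 private-etc fonts,machine-id
 private-tmp
+
+dbus-user none
+dbus-system none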
diff --git a/etc/gtk-update-icon-cache.profile b/etc/gtk-update-icon-cache.profile
index 668a48f9a..ac2e9891b 100644
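--- a/etc/gtk-update-icon-cache.profile
+++ b/etc/gtk-update-icon-cache.profile
@@ -27,7 +27,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-etc none
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute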
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
index f3e3ab14d..624914759 100644
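--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -24,7 +24,6 @@ caps.drop all
 machine-id
 #net none - breaks dbus
 no3d
-#nodbus - breaks state saveing
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +45,8 @@ private-etc alternatives,dbus-1,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld
 private-lib
 private-tmp
 
+# breaks state saving
+# dbus-user none
+# dbus-system none
+
 read-only ${HOME}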
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 5a5d81378..dee0ba9a2 100644
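--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -30,7 +30,6 @@ apparmor
 caps.drop all
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,7 @@ private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
 private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute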
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 1af15d227..8ec39d8ca 100644
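--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,4 +43,7 @@ x11 none
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute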
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index add3f407c..0539ffcb8 100644
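--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -36,3 +35,5 @@ shell none
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none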
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index b4d6d52f0..8ec67ff19 100644
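--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none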
diff --git a/etc/highlight.profile b/etc/highlight.profile
index fc8b2f65a..8d2987b62 100644
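--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -18,7 +18,6 @@ include disable-programs.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,3 +36,6 @@ private-bin highlight
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none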
diff --git a/etc/host.profile b/etc/host.profile
index 51b372361..2b78073df 100644
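--- a/etc/host.profile
+++ b/etc/host.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +45,7 @@ private-bin bash,host,sh
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute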
diff --git a/etc/hugin.profile b/etc/hugin.profile
index 07a697c05..f8d9f999d 100644
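--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -20,7 +20,6 @@ include disable-xdg.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none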
diff --git a/etc/hyperrogue.profile b/etc/hyperrogue.profile
index e6b385de9..1e3663b8f 100644
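--- a/etc/hyperrogue.profile
+++ b/etc/hyperrogue.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +45,6 @@ private-cwd ${HOME}
 private-dev
 private-etc fonts,machine-id
 private-tmp
+
+dbus-user none
+dbus-system none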
diff --git a/etc/iagno.profile b/etc/iagno.profile
index e79043048..a99c603bd 100644
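--- a/etc/iagno.profile
+++ b/etc/iagno.profile
@@ -18,7 +18,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -35,3 +34,6 @@ private
 private-bin iagno
 private-dev
 private-tmp
+
+# dbus-user none
+# dbus-system none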
diff --git a/etc/imagej.profile b/etc/imagej.profile
index 00ee115ed..91a60c188 100644
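--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -21,7 +21,6 @@ include disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,5 @@ private-bin awk,basename,bash,cut,free,grep,hostname,imagej,ln,ls,mkdir,rm,sort,
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none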
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 0b30ec33f..ae03fc8bc 100644
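--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -27,7 +27,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute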
diff --git a/etc/impressive.profile b/etc/impressive.profile
index 0bfe5de5a..af82fb059 100644
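--- a/etc/impressive.profile
+++ b/etc/impressive.profile
@@ -33,7 +33,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,5 +50,8 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.cache/mesa_shader_cache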
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 30cb5d75d..f14868668 100644
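--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -37,7 +37,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,4 +55,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute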
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 5b7275718..0944051e5 100644
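--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none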
diff --git a/etc/jerry.profile b/etc/jerry.profile
index f6bfb9953..b79ae0ee0 100644
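--- a/etc/jerry.profile
+++ b/etc/jerry.profile
@@ -20,7 +20,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,4 +37,7 @@ private-dev
 private-etc fonts,gtk-2.0,gtk-3.0
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute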
diff --git a/etc/jumpnbump.profile b/etc/jumpnbump.profile
index c8167e1dc..daeb54610 100644
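--- a/etc/jumpnbump.profile
+++ b/etc/jumpnbump.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ private-cache
 private-dev
 private-etc none
 private-tmp
+
+dbus-user none
+dbus-system none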
diff --git a/etc/kalgebra.profile b/etc/kalgebra.profile
index 2dc90b9b9..e1e93163b 100644
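--- a/etc/kalgebra.profile
+++ b/etc/kalgebra.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ private-cache
 private-dev
 private-etc fonts,machine-id
 private-tmp
+
+dbus-user none
+dbus-system none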
diff --git a/etc/kate.profile b/etc/kate.profile
index 3035393c4..321c4558f 100644
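--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -28,7 +28,6 @@ include whitelist-var-common.inc
 # apparmor
 caps.drop all
 # net none
-# nodbus
 netfilter
 nodvd
 nogroups
@@ -48,4 +47,7 @@ private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 join-or-start kate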
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index 8c641802b..6f94777aa 100644
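--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -27,7 +27,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +45,5 @@ private-dev
 # private-lib - problems on Arch
 private-tmp
 
+dbus-user none
+dbus-system none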
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 361109127..e3560cb35 100644
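--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -22,7 +22,6 @@ include disable-programs.inc
 apparmor
 caps.drop all
 # net none
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +35,6 @@ shell none
 private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
 private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+
+# dbus-user none
+# dbus-system none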
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 44e9c67bb..b8239e140 100644
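--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -26,7 +26,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +44,7 @@ private-dev
 private-etc alternatives,fonts,machine-id
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute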
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index d04ada227..43dbad5f9 100644
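--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -34,7 +34,7 @@ nodvd
 # Breaks 'Lock database when session is locked or lid is closed' (#2899).
 # Also breaks (Plasma) tray icon,
 # you can safely uncomment it or add to keepassxc.local if you don't need these features.
-#nodbus
+#
 nogroups
 nonewprivs
 noroot
@@ -52,5 +52,11 @@ private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
 
+# Breaks 'Lock database when session is locked or lid is closed' (#2899).
+# Also breaks (Plasma) tray icon,
+# you can safely uncomment it or add to keepassxc.local if you don't need these features.
+# dbus-user none
+# dbus-system none
+
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc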
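Review bot: The first hunk replaces `#nodbus` with a bare `#` but keeps its three explanatory comment lines, so the new file has a stranded block after `nodvd` that says "you can safely uncomment it" with nothing below it to uncomment, and the same text again above the dbus lines in the second hunk. Remove the three comment lines and the `#` at the first location instead of keeping both copies. In the relocated copy "uncomment it" now refers to two directives, so `# you can safely uncomment them or add them to keepassxc.local if you don't need these features.` would read correctly. In a password-manager profile a stale instruction like this can leave a reader unsure whether D-Bus access is actually restricted, and neither directive is active as committed.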
diff --git a/etc/kfind.profile b/etc/kfind.profile
index ee4c35825..ed815676a 100644
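--- a/etc/kfind.profile
+++ b/etc/kfind.profile
@@ -27,7 +27,6 @@ machine-id
 # net none
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ shell none
 # private-bin kbuildsycoca4,kdeinit4,kfind
 private-dev
 private-tmp
+
+# dbus-user none
+# dbus-system none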
diff --git a/etc/kid3.profile b/etc/kid3.profile
index 01064feb5..cce92a93f 100644
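--- a/etc/kid3.profile
+++ b/etc/kid3.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,4 +41,7 @@ private-tmp
 private-opt none
 private-srv none
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute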
diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile
index 8b7b12882..d222d6d24 100644
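--- a/etc/kiwix-desktop.profile
+++ b/etc/kiwix-desktop.profile
@@ -29,7 +29,6 @@ caps.drop all
 ipc-namespace
 netfilter
 # no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none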
diff --git a/etc/klatexformula.profile b/etc/klatexformula.profile
index d584f6a56..10b689ce5 100644
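--- a/etc/klatexformula.profile
+++ b/etc/klatexformula.profile
@@ -24,7 +24,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,6 @@ tracelog
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none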
diff --git a/etc/klavaro.profile b/etc/klavaro.profile
index b6b538557..c03d75098 100644
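--- a/etc/klavaro.profile
+++ b/etc/klavaro.profile
@@ -29,7 +29,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +49,6 @@ private-etc alternatives,fonts
 private-tmp
 private-opt none
 private-srv none
+
+dbus-user none
+dbus-system none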
diff --git a/etc/krita.profile b/etc/krita.profile
index 49c36274a..be9921478 100644
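--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -31,7 +31,6 @@ caps.drop all
 ipc-namespace
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ shell none
 private-cache
 private-dev
 private-tmp
+
+# dbus-user none
+# dbus-system none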
diff --git a/etc/ktouch.profile b/etc/ktouch.profile
index 446bc50ee..b23b23730 100644
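--- a/etc/ktouch.profile
+++ b/etc/ktouch.profile
@@ -28,7 +28,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,3 +47,6 @@ private-cache
 private-dev
 private-etc alternatives,fonts,kde5rc,machine-id
 private-tmp
+
+dbus-user none
+dbus-system none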
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 31ac19039..a71e3bfb9 100644
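--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -29,7 +29,6 @@ apparmor
 caps.drop all
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,5 +47,7 @@ private-dev
 private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
+# dbus-user none
+# dbus-system none
 
 join-or-start kwrite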
diff --git a/etc/latex-common.profile b/etc/latex-common.profile
index 84901e8ef..b090be726 100644
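--- a/etc/latex-common.profile
+++ b/etc/latex-common.profile
@@ -20,7 +20,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none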
diff --git a/etc/less.profile b/etc/less.profile
index 27e24c852..de6fa67d1 100644
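--- a/etc/less.profile
+++ b/etc/less.profile
@@ -23,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nonewprivs
 #noroot
@@ -45,6 +44,9 @@ private-cache
 private-dev
 writable-var-log
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 read-only ${HOME}
 read-write ${HOME}/.lesshst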
diff --git a/etc/lincity-ng.profile b/etc/lincity-ng.profile
index 748d38221..624d4a8bd 100644
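--- a/etc/lincity-ng.profile
+++ b/etc/lincity-ng.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-bin lincity-ng
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none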
diff --git a/etc/lmms.profile b/etc/lmms.profile
index 98ddd03e5..afe1ad635 100644
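--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -22,7 +22,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,3 +36,5 @@ shell none
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none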
diff --git a/etc/lugaru.profile b/etc/lugaru.profile
index d81441572..26157b942 100644
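--- a/etc/lugaru.profile
+++ b/etc/lugaru.profile
@@ -29,7 +29,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ private-bin lugaru
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none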
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index 94d90780b..3eef22f98 100644
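--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none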
diff --git a/etc/magicor.profile b/etc/magicor.profile
index c34e7b6f2..380a59957 100644
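--- a/etc/magicor.profile
+++ b/etc/magicor.profile
@@ -29,7 +29,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ private-cache
 private-dev
 private-etc machine-id
 private-tmp
+
+dbus-user none
+dbus-system none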
diff --git a/etc/manaplus.profile b/etc/manaplus.profile
index 93d409bf8..b29a489a6 100644
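--- a/etc/manaplus.profile
+++ b/etc/manaplus.profile
@@ -28,7 +28,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +45,6 @@ private-bin manaplus
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none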
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index 8bd62ae0b..ce418d68f 100644
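--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -28,7 +28,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +47,7 @@ private-dev
 private-opt none
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute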
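diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index 40ae663fc..c62d3f6d5 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -24,7 +24,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +44,7 @@ private-dev
 private-etc alternatives
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute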
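diff --git a/etc/megaglest.profile b/etc/megaglest.profile
index 08eae6dfc..86e7f129e 100644
--- a/etc/megaglest.profile
+++ b/etc/megaglest.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,6 @@ private-bin megaglest,megaglest_editor,megaglest_g3dviewer
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none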
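diff --git a/etc/mencoder.profile b/etc/mencoder.profile
index ad5ce436a..caf238785 100644
--- a/etc/mencoder.profile
+++ b/etc/mencoder.profile
@@ -18,7 +18,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nosound
 notv
 protocol unix
@@ -27,6 +26,9 @@ x11 none
 
 private-bin mencoder
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 
 # Redirect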
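diff --git a/etc/mendeleydesktop.profile b/etc/mendeleydesktop.profile
index 1f02ff5c0..6022b110a 100644
--- a/etc/mendeleydesktop.profile
+++ b/etc/mendeleydesktop.profile
@@ -29,7 +29,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,5 @@ private-bin cat,env,gconftool-2,ln,mendeleydesktop,python*,sh,update-desktop-dat
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none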
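diff --git a/etc/meteo-qt.profile b/etc/meteo-qt.profile
index 4437d86ea..f9466eb61 100644
--- a/etc/meteo-qt.profile
+++ b/etc/meteo-qt.profile
@@ -28,7 +28,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +47,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute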
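diff --git a/etc/mindless.profile b/etc/mindless.profile
index 4f33404eb..e6ea54522 100644
--- a/etc/mindless.profile
+++ b/etc/mindless.profile
@@ -23,7 +23,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +44,7 @@ private-dev
 private-etc fonts
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute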
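diff --git a/etc/minetest.profile b/etc/minetest.profile
index 0439a1ccc..619173024 100644
--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -27,7 +27,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ private-dev
 # private-etc needs to be updated, see #1702
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none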
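diff --git a/etc/mirrormagic.profile b/etc/mirrormagic.profile
index 8892ca94d..ef0748436 100644
--- a/etc/mirrormagic.profile
+++ b/etc/mirrormagic.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +45,6 @@ private-cache
 private-dev
 private-etc machine-id
 private-tmp
+
+dbus-user none
+dbus-system none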
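diff --git a/etc/mp3splt-gtk.profile b/etc/mp3splt-gtk.profile
index e0936476b..bf6077395 100644
--- a/etc/mp3splt-gtk.profile
+++ b/etc/mp3splt-gtk.profile
@@ -21,7 +21,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,6 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse
 private-tmp
+
+dbus-user none
+dbus-system none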
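diff --git a/etc/mp3splt.profile b/etc/mp3splt.profile
index 7754d276b..c65754a03 100644
--- a/etc/mp3splt.profile
+++ b/etc/mp3splt.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,3 +48,6 @@ private-etc alternatives
 private-tmp
 
 memory-deny-write-execute
+
+dbus-user none
+dbus-system none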
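Review bot: The second hunk appends `dbus-user none` / `dbus-system none` after `memory-deny-write-execute`, while the other profiles in this commit that carry that option (mate-calc, mediainfo, nano, pandoc and others) insert the D-Bus block before it. The same ordering appears in etc/mpg123.profile. Placement should not change behaviour, so this is only about keeping the profile layout uniform: move the two lines and their blank separator above `memory-deny-write-execute`.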
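diff --git a/etc/mpg123.profile b/etc/mpg123.profile
index 6dfeb4586..6e18aa401 100644
--- a/etc/mpg123.profile
+++ b/etc/mpg123.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -37,3 +36,6 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
+
+dbus-user none
+dbus-system none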
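diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile
index 546755ecb..f30fd48eb 100644
--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -48,7 +48,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 # Seems to cause issues with Nvidia drivers sometimes
 nogroups
@@ -67,3 +66,5 @@ private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none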
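diff --git a/etc/mpv.profile b/etc/mpv.profile
index 80c45d20b..8c463e7db 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -36,7 +36,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
+
 # Seems to cause issues with Nvidia drivers sometimes
 nogroups
 nonewprivs
@@ -51,3 +51,6 @@ private-bin env,mpv,python*,youtube-dl
 # Causes slow OSD, see #2838
 #private-cache
 private-dev
+
+dbus-user none
+dbus-system none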
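Review bot: In the first hunk the removed `nodbus` at line 39 is replaced by an empty line rather than deleted, which leaves a blank line between `netfilter` and the Nvidia comment in the middle of the option list. The other profiles in this commit drop the line outright. Deleting the blank at new line 39 would keep mpv.profile consistent with them.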
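diff --git a/etc/mrrescue.profile b/etc/mrrescue.profile
index 869a162f8..f02a4f357 100644
--- a/etc/mrrescue.profile
+++ b/etc/mrrescue.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ private-cache
 private-dev
 private-etc machine-id
 private-tmp
+
+dbus-user none
+dbus-system none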
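diff --git a/etc/ms-office.profile b/etc/ms-office.profile
index 3bc674134..a6892d698 100644
--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -21,7 +21,6 @@ include disable-programs.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,5 @@ private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none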
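diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 592467658..a3e56170a 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -22,7 +22,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,6 @@ tracelog
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
+
+dbus-user none
+dbus-system none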
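diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index e131f5319..00983a8f3 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -24,10 +24,12 @@ include whitelist-common.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nonewprivs
 noroot
 notv
 novideo
 seccomp
+
+dbus-user none
+dbus-system none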
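diff --git a/etc/mypaint.profile b/etc/mypaint.profile
index d75651d78..c592e8477 100644
--- a/etc/mypaint.profile
+++ b/etc/mypaint.profile
@@ -28,7 +28,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,5 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0
 private-tmp
 
+dbus-user none
+dbus-system none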
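diff --git a/etc/nano.profile b/etc/nano.profile
index bc8c3dde0..2a4625896 100644
--- a/etc/nano.profile
+++ b/etc/nano.profile
@@ -28,7 +28,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-dev
 # Comment the next line if you want to edit files in /etc directly
 private-etc alternatives,nanorc
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute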
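diff --git a/etc/natron.profile b/etc/natron.profile
index 7ad217b72..5bf152f84 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -22,7 +22,6 @@ include disable-programs.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +33,6 @@ seccomp
 shell none
 
 private-bin natron,Natron,NatronRenderer
+
+dbus-user none
+dbus-system none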
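diff --git a/etc/ncdu.profile b/etc/ncdu.profile
index 9fda6ebe0..651804bf1 100644
--- a/etc/ncdu.profile
+++ b/etc/ncdu.profile
@@ -12,7 +12,6 @@ include disable-exec.inc
 
 caps.drop all
 ipc-namespace
-nodbus
 net none
 no3d
 nodvd
@@ -31,4 +30,7 @@ x11 none
 private-dev
 # private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute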
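diff --git a/etc/netactview.profile b/etc/netactview.profile
index 0618caf68..cbf0d235d 100644
--- a/etc/netactview.profile
+++ b/etc/netactview.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +48,7 @@ private-etc alternatives,fonts
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute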
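diff --git a/etc/nethack-vultures.profile b/etc/nethack-vultures.profile
index 079f44ee7..4daa8054b 100644
--- a/etc/nethack-vultures.profile
+++ b/etc/nethack-vultures.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -41,3 +40,6 @@ private-cache
 private-dev
 private-tmp
 writable-var
+
+dbus-user none
+dbus-system none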
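diff --git a/etc/nethack.profile b/etc/nethack.profile
index 3df632451..c8c927db2 100644
--- a/etc/nethack.profile
+++ b/etc/nethack.profile
@@ -23,7 +23,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -42,4 +41,7 @@ private-dev
 private-tmp
 writable-var
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute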
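diff --git a/etc/newsboat.profile b/etc/newsboat.profile
index eabd17b4b..a7bac6286 100644
--- a/etc/newsboat.profile
+++ b/etc/newsboat.profile
@@ -26,7 +26,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +44,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute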
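diff --git a/etc/nitroshare.profile b/etc/nitroshare.profile
index dfa64cff9..1743a771e 100644
--- a/etc/nitroshare.profile
+++ b/etc/nitroshare.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,7 @@ private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,
 # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute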
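diff --git a/etc/nslookup.profile b/etc/nslookup.profile
index 000cc1075..a8e0ddd89 100644
--- a/etc/nslookup.profile
+++ b/etc/nslookup.profile
@@ -32,7 +32,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,4 +50,7 @@ private-bin bash,nslookup,sh
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute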
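diff --git a/etc/nyx.profile b/etc/nyx.profile
index c4475c75c..df214ff20 100644
--- a/etc/nyx.profile
+++ b/etc/nyx.profile
@@ -28,7 +28,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +49,5 @@ private-opt none
 private-srv none
 private-tmp
 
+dbus-user none
+dbus-system none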
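diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
index a523a6c56..61fe14c08 100644
--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -29,8 +29,6 @@ ipc-namespace
 #net none
 netfilter
 no3d
-# nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +47,8 @@ private-dev
 private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
 private-tmp
 
+# breaks preferences
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)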
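Review bot: The second hunk adds `# dbus-user none` and `# dbus-system none` commented out, although the removed line 33 had `nodbus` active, so this profile goes from blocking D-Bus by default to allowing both buses. That is a loosening of the sandbox inside an otherwise mechanical rename. If only preferences break, that is presumably a session-bus dependency; consider keeping `dbus-system none` active and leaving the opt-out to the `.local` override, as the removed comment did. A local override written as `ignore nodbus`, which the removed comment recommended, may no longer match any line after this migration, so the new directive names deserve a release note.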
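diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index c0c5b671c..3e4bd94b6 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -20,7 +20,6 @@ include disable-xdg.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,4 +39,8 @@ private-cache
 private-dev
 private-etc alternatives
 private-tmp
+
+dbus-user none
+dbus-system none
+
 read-only ${HOME}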
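diff --git a/etc/okular.profile b/etc/okular.profile
index 9debd86ff..de82f8266 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -37,7 +37,6 @@ caps.drop all
 machine-id
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,6 +55,9 @@ private-dev
 private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute
 
 join-or-start okular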
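diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index 1f214b7f5..de1ef7800 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,6 @@ shell none
 private-bin open-invaders
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none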
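diff --git a/etc/openarena.profile b/etc/openarena.profile
index c83e78e2c..3b15a6e42 100644
--- a/etc/openarena.profile
+++ b/etc/openarena.profile
@@ -22,7 +22,6 @@ apparmor
 caps.drop all
 # ipc-namespace
 # netfilter
-# nodbus
 # nodvd
 # nogroups
 nonewprivs
@@ -41,3 +40,6 @@ private-cache
 private-dev
 # private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
+
+# dbus-user none
+# dbus-system none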
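diff --git a/etc/opencity.profile b/etc/opencity.profile
index b0192c947..59a2d1055 100644
--- a/etc/opencity.profile
+++ b/etc/opencity.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-bin opencity
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none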
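diff --git a/etc/openclonk.profile b/etc/openclonk.profile
index 20b2a9626..37f046df2 100644
--- a/etc/openclonk.profile
+++ b/etc/openclonk.profile
@@ -26,7 +26,6 @@ caps.drop all
 ipc-namespace
 # net none - networked game
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,3 +43,6 @@ private-bin c4group,openclonk
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none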
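diff --git a/etc/openshot.profile b/etc/openshot.profile
index 482528be1..e1839c724 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,5 @@ tracelog
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none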
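diff --git a/etc/openttd.profile b/etc/openttd.profile
index 10f2f39c3..57e3787aa 100644
--- a/etc/openttd.profile
+++ b/etc/openttd.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-bin openttd
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none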
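diff --git a/etc/ostrichriders.profile b/etc/ostrichriders.profile
index bef784126..378d267f6 100644
--- a/etc/ostrichriders.profile
+++ b/etc/ostrichriders.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-cache
 # private-dev should be commented for controllers
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none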
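diff --git a/etc/pandoc.profile b/etc/pandoc.profile
index 9117b0c07..354f6eab8 100644
--- a/etc/pandoc.profile
+++ b/etc/pandoc.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,4 +50,7 @@ private-dev
 private-etc alternatives,texlive
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute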
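diff --git a/etc/patch.profile b/etc/patch.profile
index 95c92a3f5..2bb85e3c6 100644
--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -26,7 +26,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +44,7 @@ private-bin patch,red
 private-dev
 private-lib libfakeroot
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute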
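diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 0ae9f08af..f7d3576da 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -29,7 +29,6 @@ apparmor
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,5 +49,8 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # mdwe is broken under Wayland, but works under Xorg.
 #memory-deny-write-execute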
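diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile
index 7f2a0d673..4e53f9d6e 100644
--- a/etc/pcmanfm.profile
+++ b/etc/pcmanfm.profile
@@ -20,7 +20,6 @@ allusers
 caps.drop all
 # net none - see issue #1467, computer:/// location broken
 no3d
-# nodbus
 nodvd
 nonewprivs
 noroot
@@ -31,3 +30,6 @@ protocol unix
 seccomp
 shell none
 tracelog
+
+# dbus-user none
+# dbus-system none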
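diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile
index 98a9f1840..4b6da4d6f 100644
--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -21,7 +21,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -38,4 +37,7 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,xdg
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute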
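diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile
index 177070e83..fb3c42526 100644
--- a/etc/pdfmod.profile
+++ b/etc/pdfmod.profile
@@ -25,7 +25,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ shell none
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none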
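diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 48f424190..2f4227159 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -23,7 +23,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none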
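diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index a7112f1e8..d9e4aedfb 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,3 +48,6 @@ private-cache
 private-dev
 private-etc alternatives
 private-tmp
+
+dbus-user none
+dbus-system none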
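diff --git a/etc/peek.profile b/etc/peek.profile
index 8cbff0c64..66fdd6496 100644
--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -20,7 +20,6 @@ include disable-xdg.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,4 +37,7 @@ shell none
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute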
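diff --git a/etc/penguin-command.profile b/etc/penguin-command.profile
index a44126b65..d4d3e914d 100644
--- a/etc/penguin-command.profile
+++ b/etc/penguin-command.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,3 +36,6 @@ shell none
 private-bin penguin-command
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none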
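diff --git a/etc/pingus.profile b/etc/pingus.profile
index 8e77a26d0..cfe45b9c9 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,6 @@ shell none
 # private-bin pingus
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none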
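diff --git a/etc/pinta.profile b/etc/pinta.profile
index 8151bc98f..7d94972c4 100644
--- a/etc/pinta.profile
+++ b/etc/pinta.profile
@@ -21,7 +21,6 @@ include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,5 @@ private-dev
 private-cache
 private-tmp
 
+dbus-user none
+dbus-system none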
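diff --git a/etc/pioneer.profile b/etc/pioneer.profile
index c5b936617..8b1c5afb8 100644
--- a/etc/pioneer.profile
+++ b/etc/pioneer.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,6 @@ private-bin modelcompiler,pioneer,savegamedump
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none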
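diff --git a/etc/pluma.profile b/etc/pluma.profile
index dadfcc44e..ea8550bda 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -26,7 +26,6 @@ caps.drop all
 machine-id
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -45,6 +44,10 @@ private-dev
 private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute
 
 join-or-start pluma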
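Review bot: The second hunk keeps both `# dbus-user none` and `# dbus-system none` commented out under the single reason "makes settings immutable". The old `nodbus` was all-or-nothing, but the two new directives are independent, and settings storage is presumably a session-bus matter; it is worth testing whether `dbus-system none` can be enabled here while only the user-bus line stays commented. If that works, the reason comment should sit directly above `# dbus-user none` so it is tied to the right bus.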
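diff --git a/etc/pngquant.profile b/etc/pngquant.profile
index 4695eee71..e9338d4b9 100644
--- a/etc/pngquant.profile
+++ b/etc/pngquant.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +47,7 @@ private-dev
 private-etc alternatives
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute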
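diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
index 0b5da661a..c62e53151 100644
--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,5 @@ private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts
 private-opt ppsspp
 private-tmp
 
+dbus-user none
+dbus-system none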
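diff --git a/etc/profanity.profile b/etc/profanity.profile
index 6ca9314e9..b7aa2bf52 100644
--- a/etc/profanity.profile
+++ b/etc/profanity.profile
@@ -28,7 +28,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute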
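diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index fe9caec77..820dc7214 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -38,7 +38,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,4 +55,7 @@ private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo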
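diff --git a/etc/qgis.profile b/etc/qgis.profile
index 88ed0cd81..eee538383 100644
--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -35,7 +35,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 machine-id
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -55,3 +54,6 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
 private-tmp
+
+dbus-user none
+dbus-system none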
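diff --git a/etc/qmmp.profile b/etc/qmmp.profile
index b69bbdef1..4dc6b6784 100644
--- a/etc/qmmp.profile
+++ b/etc/qmmp.profile
@@ -19,7 +19,6 @@ include disable-xdg.inc
 caps.drop all
 netfilter
 # no3d
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -35,3 +34,5 @@ private-bin bzip2,gzip,qmmp,tar,unzip
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none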
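diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index dace1634f..c082762ad 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -23,8 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# needs D-Bus when started from a file manager
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +39,7 @@ tracelog
 private-bin qpdfview
 private-dev
 private-tmp
+
+# needs D-Bus when started from a file manager
+# dbus-user none
+# dbus-system none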
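Review bot: The commented pair `# dbus-user none` / `# dbus-system none` at the end of this profile leaves both buses open, although the recorded reason ("needs D-Bus when started from a file manager") reads like a session-bus requirement only. The old `nodbus` was a single switch and had to be disabled as a whole; with the split directives the system bus can probably stay blocked, i.e. keep `# dbus-user none` under the comment and enable `dbus-system none` once the file-manager case has been re-tested. The same applies to the commented pairs in regextester, rhythmbox, smplayer, spotify, sqlitebrowser, steam, sysprof and totem, whose stated reasons (immutable settings, MPRIS, appindicator) also look session-bus related. Whether any of these programs talks to the system bus is not visible in the hunks and needs checking per profile.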
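diff --git a/etc/qtox.profile b/etc/qtox.profile
index cb2a78920..c8b77123d 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -27,7 +27,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +45,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)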
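diff --git a/etc/ranger.profile b/etc/ranger.profile
index bcf39095b..af033af1a 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -26,7 +26,6 @@ include disable-programs.inc
 allusers
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,6 @@ seccomp
 #x11 none
 
 private-dev
+
+dbus-user none
+dbus-system none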
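diff --git a/etc/redshift.profile b/etc/redshift.profile
index 0f6d34ed0..298ab1902 100644
--- a/etc/redshift.profile
+++ b/etc/redshift.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +47,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute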
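diff --git a/etc/regextester.profile b/etc/regextester.profile
index e30748946..207156ba5 100644
--- a/etc/regextester.profile
+++ b/etc/regextester.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -48,6 +47,10 @@ private-etc alternatives,fonts
 private-lib libgranite.so.*
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute
 
 # never write anything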
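diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 689fbe626..e8f964383 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -32,7 +32,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
@@ -47,3 +46,7 @@ tracelog
 private-bin rhythmbox,rhythmbox-client
 private-dev
 private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none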
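diff --git a/etc/ripperx.profile b/etc/ripperx.profile
index b572aa1b4..cf6daada5 100644
--- a/etc/ripperx.profile
+++ b/etc/ripperx.profile
@@ -24,7 +24,6 @@ apparmor
 caps.drop all
 netfilter
 no3d
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -39,3 +38,6 @@ tracelog
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none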
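diff --git a/etc/rsync-download_only.profile b/etc/rsync-download_only.profile
index 500656a4b..a39ff759a 100644
--- a/etc/rsync-download_only.profile
+++ b/etc/rsync-download_only.profile
@@ -33,7 +33,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,4 +53,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute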
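diff --git a/etc/rtv.profile b/etc/rtv.profile
index af4b7e94b..14740e05f 100644
--- a/etc/rtv.profile
+++ b/etc/rtv.profile
@@ -35,7 +35,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +53,6 @@ private-bin python*,rtv,sh,xdg-settings
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+
+dbus-user none
+dbus-system none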
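diff --git a/etc/scallion.profile b/etc/scallion.profile
index dee9e1f40..0f67d4d09 100644
--- a/etc/scallion.profile
+++ b/etc/scallion.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,6 @@ disable-mnt
 private
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none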
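diff --git a/etc/scorched3d.profile b/etc/scorched3d.profile
index e94d436cf..b5e51198b 100644
--- a/etc/scorched3d.profile
+++ b/etc/scorched3d.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,6 @@ private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none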
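diff --git a/etc/scorchwentbonkers.profile b/etc/scorchwentbonkers.profile
index fcb3d5f29..7cb57edce 100644
--- a/etc/scorchwentbonkers.profile
+++ b/etc/scorchwentbonkers.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ private-cache
 private-dev
 private-etc alsa,asound.conf,machine-id,pulse
 private-tmp
+
+dbus-user none
+dbus-system none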
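diff --git a/etc/scribus.profile b/etc/scribus.profile
index e7faccea1..22cd10737 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -43,7 +43,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -61,3 +60,5 @@ tracelog
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none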
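diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index a367acad5..b45eff4cd 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,5 @@ private-bin env,python*,sdat2img
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none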
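diff --git a/etc/seahorse-adventures.profile b/etc/seahorse-adventures.profile
index 5fd654eed..895724844 100644
--- a/etc/seahorse-adventures.profile
+++ b/etc/seahorse-adventures.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +45,6 @@ private-cache
 private-dev
 private-etc machine-id
 private-tmp
+
+dbus-user none
+dbus-system none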
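diff --git a/etc/server.profile b/etc/server.profile
index ce318a828..bee8df932 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -28,7 +28,6 @@ caps
 # ipc-namespace
 # netfilter /etc/firejail/webserver.net
 no3d
-# nodbus
 nodvd
 # nogroups
 # nonewprivs
@@ -49,4 +48,7 @@ private-dev
 # private-lib
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute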
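diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index fb43c61e4..6cd70c2ea 100644
--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +48,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute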
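diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 072cc2c0d..bec0bfbb0 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -19,7 +19,6 @@ include disable-programs.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +33,6 @@ tracelog
 #private-bin melt,nice,qmelt,shotcut
 private-cache
 private-dev
+
+dbus-user none
+dbus-system none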
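diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile
index 25932720b..5d9225705 100644
--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
@@ -30,7 +30,6 @@ include whitelist-var-common.inc
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
-nodbus
 nodvd
 nogroups
 notv
@@ -40,3 +39,6 @@ shell none
 disable-mnt
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none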
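diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index 73093a259..1b81f2ea1 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,6 @@ shell none
 # private-bin simutrans
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none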
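diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 6f9bfd201..093a61398 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -17,7 +17,6 @@ include disable-xdg.inc
 
 caps.drop all
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -33,3 +32,6 @@ shell none
 # private-bin kbuildsycoca4,kdeinit4,skanlite
 # private-dev
 # private-tmp
+
+# dbus-user none
+# dbus-system none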
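Review bot: The commented `# dbus-user none` / `# dbus-system none` lines at the end of this profile record no reason for leaving D-Bus open, unlike other profiles in this commit that state one (for example `# makes settings immutable` in regextester). A one-line comment above the pair saying what breaks would let a later reviewer decide whether only one of the two buses has to stay reachable. sound-juicer.profile has the same unexplained pair.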
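diff --git a/etc/slashem.profile b/etc/slashem.profile
index 8c84180d7..ca0516e65 100644
--- a/etc/slashem.profile
+++ b/etc/slashem.profile
@@ -23,7 +23,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -42,4 +41,7 @@ private-dev
 private-tmp
 writable-var
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute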
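diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 395888c8a..ac01c675b 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -32,7 +32,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus - problems with KDE
 # nogroups
 nonewprivs
 noroot
@@ -45,3 +44,6 @@ private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl
 private-dev
 private-tmp
 
+# problems with KDE
+# dbus-user none
+# dbus-system none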
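diff --git a/etc/softmaker-common.inc b/etc/softmaker-common.inc
index 48249877c..a8ec5848c 100644
--- a/etc/softmaker-common.inc
+++ b/etc/softmaker-common.inc
@@ -28,7 +28,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +45,6 @@ private-cache
 private-dev
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
 private-tmp
+
+dbus-user none
+dbus-system none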
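diff --git a/etc/sol.profile b/etc/sol.profile
index 4c8fdfbb1..8519de6df 100644
--- a/etc/sol.profile
+++ b/etc/sol.profile
@@ -22,7 +22,6 @@ caps.drop all
 ipc-namespace
 net none
 # no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,4 +40,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute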
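diff --git a/etc/sound-juicer.profile b/etc/sound-juicer.profile
index ebd321573..b9f3768be 100644
--- a/etc/sound-juicer.profile
+++ b/etc/sound-juicer.profile
@@ -23,7 +23,6 @@ apparmor
 caps.drop all
 netfilter
 no3d
-#nodbus
 nogroups
 nonewprivs
 noroot
@@ -39,3 +38,6 @@ tracelog
 private-cache
 private-dev
 private-tmp
+
+# dbus-user none
+# dbus-system none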
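diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile
index e27df4cc8..a0b99abcf 100644
--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -31,7 +31,6 @@ caps.keep sys_rawio
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +48,7 @@ private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,ech
 private-cache
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute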
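diff --git a/etc/spotify.profile b/etc/spotify.profile
index 59692f1d6..1a34cb86d 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -29,7 +29,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-#nodbus - dbus needed for MPRIS
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +49,6 @@ private-opt spotify
 private-srv none
 private-tmp
 
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none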
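diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 94bb4d3f2..017120811 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -24,7 +24,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-# nodbus - breaks proxy creation
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +42,8 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
 
+# breaks proxy creation
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)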
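diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index cf509852a..01b63d3ce 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -22,7 +22,6 @@ include whitelist-usr-share-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nonewprivs
 noroot
@@ -34,3 +33,6 @@ shell none
 tracelog
 
 writable-run-user
+
+dbus-user none
+dbus-system none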
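diff --git a/etc/ssh.profile b/etc/ssh.profile
index a69fdb0f5..5d3458c29 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -28,7 +28,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,7 @@ private-dev
 # private-tmp # Breaks when exiting
 writable-run-user
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute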
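diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index a402aca5a..1292b806b 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ private-dev
 private-tmp
 private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
 
+dbus-user none
+dbus-system none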
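diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index f9daf8f09..b62b19101 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -19,7 +19,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,6 @@ private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none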
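diff --git a/etc/steam.profile b/etc/steam.profile
index ef927ba89..2463764a7 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -77,8 +77,6 @@ include whitelist-var-common.inc
 caps.drop all
 #ipc-namespace
 netfilter
-# nodbus disabled as it breaks appindicator support
-#nodbus
 nodvd
 # nVidia user may need to comment / ignore nogroups and noroot
 nogroups
@@ -108,3 +106,7 @@ private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
 private-etc alternatives,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
 private-tmp
+
+# breaks appindicator support
+# dbus-user none
+# dbus-system none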
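diff --git a/etc/strings.profile b/etc/strings.profile
index 7d2d035a4..31ed5dd3f 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -27,7 +27,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,5 +49,8 @@ private-dev
 #private-lib libfakeroot
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 read-only ${HOME}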
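diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile
index f6165f139..428af3737 100644
--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +47,7 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)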
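diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index a702faa9e..e1cdb114c 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,6 @@ disable-mnt
 # private-bin supertux2
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none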
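diff --git a/etc/supertuxkart.profile b/etc/supertuxkart.profile
index 2975a61ed..73877b1b5 100644
--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -32,7 +32,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +53,5 @@ private-tmp
 private-opt none
 private-srv none
 
+dbus-user none
+dbus-system none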
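diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 30b0ad762..a83080cc3 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -18,7 +18,6 @@ include disable-programs.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +35,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none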
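diff --git a/etc/sysprof-cli.profile b/etc/sysprof-cli.profile
index 935c7e9ca..8f4de130b 100644
--- a/etc/sysprof-cli.profile
+++ b/etc/sysprof-cli.profile
@@ -7,12 +7,13 @@ include sysprof-cli.local
 # added by included profile
 #include globals.local
 
-nodbus
-
 # There is no GUI help menu to break in the CLI version
 private-bin sysprof-cli
 private-lib
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 
 # Redirect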
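diff --git a/etc/sysprof.profile b/etc/sysprof.profile
index 9761629d2..ad3346285 100644
--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -23,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +45,8 @@ private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute - Breaks GUI on Arch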
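diff --git a/etc/tar.profile b/etc/tar.profile
index 0858dcb26..3a7405305 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-lib libfakeroot
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute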
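diff --git a/etc/teams-for-linux.profile b/etc/teams-for-linux.profile
index 882d8d0f3..a13c92bc3 100644
--- a/etc/teams-for-linux.profile
+++ b/etc/teams-for-linux.profile
@@ -7,7 +7,8 @@ include teams-for-linux.local
 # added by included profile
 #include globals.local
 
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 
 noblacklist ${HOME}/.config/teams-for-linux
 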
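Review bot: `ignore dbus-user none` together with `ignore dbus-system none` lifts the D-Bus restriction on both buses, which is wider than necessary now that the two buses are controlled separately. If the application only needs the session bus, drop the second line so that a `dbus-system none` in the included profile still takes effect. If filtering is available in this tree, adding `dbus-user filter` with explicit `dbus-user.talk` names would be tighter than leaving the session bus unfiltered. teams.profile and thunderbird.profile carry the same two lines; the thunderbird comment says only that D-Bus is needed by enigmail, not which bus. The profile these files include is outside the hunk, so the directives it sets are assumed.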
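diff --git a/etc/teams.profile b/etc/teams.profile
index 0e5a42be7..326b97e4b 100644
--- a/etc/teams.profile
+++ b/etc/teams.profile
@@ -9,7 +9,8 @@ include teams.local
 # added by included profile
 #include globals.local
 
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft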
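diff --git a/etc/teeworlds.profile b/etc/teeworlds.profile
index 782f337d3..7765703de 100644
--- a/etc/teeworlds.profile
+++ b/etc/teeworlds.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,6 @@ private-bin teeworlds
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none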
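diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 4cb40027c..b3ebd4996 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -136,7 +136,6 @@ include globals.local
 #net none
 #netfilter
 #no3d
-#nodbus
 #nodvd
 #nogroups
 #nonewprivs
@@ -186,6 +185,9 @@ include globals.local
 ##writable-var
 ##writable-var-log
 
+#dbus-user none
+#dbus-system none
+
 ##env VAR=VALUE
 #memory-deny-write-execute
 ##noexec PATH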
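Review bot: The template lists `#dbus-user none` and `#dbus-system none` without saying that they are independent, so an author used to the single `nodbus` switch is likely to disable both when only one bus is needed. A short comment above the pair would help, for example `# block each bus separately; if one must stay open, say why and keep the other blocked`. The template's surrounding sections continue outside this hunk.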
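diff --git a/etc/terasology.profile b/etc/terasology.profile
index 3324a18be..36ce6d469 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -28,7 +28,6 @@ include whitelist-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,3 +43,6 @@ disable-mnt
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-7-openjdk,java-8-openjdk,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none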
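diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 06bd2bb03..44ed6e5e0 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -7,7 +7,8 @@ include thunderbird.local
 include globals.local
 
 # writable-run-user and dbus are needed by enigmail
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 writable-run-user
 
 # If you want to read local mail stored in /var/mail, add the following to thunderbird.local: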
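diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 329d7be02..6bcc51f4d 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -33,7 +33,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,3 +51,6 @@ private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none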
diff --git a/etc/torcs.profile b/etc/torcs.profile
index d9c59b276..8dcd7447b 100644
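--- a/etc/torcs.profile
+++ b/etc/torcs.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,6 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none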
diff --git a/etc/totem.profile b/etc/totem.profile
index 5b74709e3..d49ef0cb8 100644
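--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -27,7 +27,6 @@ include whitelist-var-common.inc
 # apparmor - makes settings immutable
 caps.drop all
 netfilter
-# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
@@ -43,3 +42,6 @@ private-dev
 # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none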
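Review bot: Both `# dbus-user none` and `# dbus-system none` stay commented out in the second hunk, although the stated reason, `# makes settings immutable`, is about desktop settings, which presumably travel over the session bus only. With the split directive the profile could leave the user bus open and still enable `dbus-system none`; that needs a test run, and if it works the comment would read `# dbus-user none - makes settings immutable` above an active `dbus-system none`. xed.profile, xplayer.profile and xviewer.profile carry the same commented-out pair with the same reason.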
diff --git a/etc/transgui.profile b/etc/transgui.profile
index 567e2ab30..cafc6e6d1 100644
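--- a/etc/transgui.profile
+++ b/etc/transgui.profile
@@ -28,7 +28,6 @@ caps.drop all
 ipc-namespace
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +48,7 @@ private-etc alternatives,fonts
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute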
diff --git a/etc/transmission-common.profile b/etc/transmission-common.profile
index b9f49c4a4..9d2e8e990 100644
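--- a/etc/transmission-common.profile
+++ b/etc/transmission-common.profile
@@ -30,7 +30,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nonewprivs
 noroot
@@ -48,4 +47,7 @@ private-dev
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute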
diff --git a/etc/tremulous.profile b/etc/tremulous.profile
index e148298ae..64bb8cba8 100644
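--- a/etc/tremulous.profile
+++ b/etc/tremulous.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,6 @@ private-bin tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none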
diff --git a/etc/tvbrowser.profile b/etc/tvbrowser.profile
index 6e028b086..d3dcbfe53 100644
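--- a/etc/tvbrowser.profile
+++ b/etc/tvbrowser.profile
@@ -32,7 +32,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,3 +48,6 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none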
diff --git a/etc/uefitool.profile b/etc/uefitool.profile
index 8ab0e9a26..8807b0b2c 100644
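--- a/etc/uefitool.profile
+++ b/etc/uefitool.profile
@@ -19,7 +19,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +35,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none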
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 36533a762..714a3f2f4 100644
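--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nonewprivs
 nosound
@@ -46,5 +45,8 @@ private-dev
 private-tmp
 writable-var
 
+dbus-user none
+dbus-system none
+
 # mdwe can break modules/plugins
 memory-deny-write-execute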
diff --git a/etc/unf.profile b/etc/unf.profile
index b8eccf4dc..fbbe949e9 100644
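--- a/etc/unf.profile
+++ b/etc/unf.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,4 +52,7 @@ private-etc alternatives
 private-lib gcc/*/*/libgcc_s.so.*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute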
diff --git a/etc/unrar.profile b/etc/unrar.profile
index bf28746b0..88a753d59 100644
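--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -22,7 +22,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -41,3 +40,6 @@ private-bin unrar
 private-dev
 private-etc alternatives,group,localtime,passwd
 private-tmp
+
+dbus-user none
+dbus-system none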
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 7882f2b63..b4b63882b 100644
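--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -25,7 +25,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -43,3 +42,6 @@ x11 none
 private-bin unzip
 private-dev
 private-etc alternatives,group,localtime,passwd
+
+dbus-user none
+dbus-system none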
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index bd2ee01d5..6b5f14cab 100644
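--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -23,7 +23,6 @@ hostname uudeview
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -42,3 +41,6 @@ private-bin uudeview
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload
+
+dbus-user none
+dbus-system none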
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index 9f57b2971..f009f6340 100644
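--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -26,7 +26,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +45,7 @@ private-dev
 private-etc alternatives,fonts,machine-id
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)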
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 2185b90ec..096ce8a72 100644
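--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -23,8 +23,9 @@ whitelist ${HOME}/.cache/vivaldi
 whitelist ${HOME}/.config/vivaldi
 whitelist ${HOME}/.local/lib/vivaldi
 
-# nodbus breaks vivaldi sync
-ignore nodbus
+# breaks vivaldi sync
+ignore dbus-user none
+ignore dbus-system none
 
 # Redirect
 include chromium-common.profile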
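Review bot: The rewritten comment `# breaks vivaldi sync` has lost its subject: the old line named `nodbus`, the new one does not say which directive breaks sync. Naming the directive restores the meaning and records which bus is actually required, for example `# dbus-user none breaks vivaldi sync` if only the session bus is involved (not verifiable from this page). A reader of the profile otherwise cannot tell whether both `ignore` lines are needed or only the first.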
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 572758f28..0069ebeae 100644
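--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access
 caps.drop all
 netfilter
-#nodbus - dbus needed for MPRIS
 nogroups
 nonewprivs
 noroot
@@ -38,5 +37,9 @@ private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
 private-dev
 private-tmp
 
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
+
 # mdwe is disabled due to breaking hardware accelerated decoding
 #memory-deny-write-execute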
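Review bot: The reason kept in the second hunk, `# dbus needed for MPRIS`, does not distinguish the two buses, and both directives remain commented out. MPRIS is a session-bus interface, so `dbus-system none` can probably be enabled here while `# dbus-user none` stays disabled. This should be tested first, since the apparmor remark at the top of the profile also mentions dbus access on Ubuntu 18.04. The comment would then read `# dbus-user none - needed for MPRIS`.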
diff --git a/etc/warmux.profile b/etc/warmux.profile
index df7af49c4..a3de3d444 100644
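--- a/etc/warmux.profile
+++ b/etc/warmux.profile
@@ -32,7 +32,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,3 +50,6 @@ private-cache
 private-dev
 private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
+
+dbus-user none
+dbus-system none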
diff --git a/etc/warsow.profile b/etc/warsow.profile
index e884ab07a..32d27e1b9 100644
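--- a/etc/warsow.profile
+++ b/etc/warsow.profile
@@ -29,7 +29,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ private-bin warsow
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none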
diff --git a/etc/webui-aria2.profile b/etc/webui-aria2.profile
index 0cd1e05ab..8928f8116 100644
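--- a/etc/webui-aria2.profile
+++ b/etc/webui-aria2.profile
@@ -18,7 +18,6 @@ include disable-xdg.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -35,3 +34,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none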
diff --git a/etc/wget.profile b/etc/wget.profile
index ad7a14c41..65723e68c 100644
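--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -31,7 +31,6 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-nodbus
 netfilter
 no3d
 nodvd
@@ -54,4 +53,7 @@ private-dev
 #private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc
 #private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute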
diff --git a/etc/whalebird.profile b/etc/whalebird.profile
index 2e24dd8e0..187c49ed8 100644
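--- a/etc/whalebird.profile
+++ b/etc/whalebird.profile
@@ -7,7 +7,8 @@ include whalebird.local
 # added by included profile
 #include globals.local
 
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 
 noblacklist ${HOME}/.config/Whalebird
 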
diff --git a/etc/whois.profile b/etc/whois.profile
index 5fea610d8..2af1379e0 100644
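--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,4 +51,7 @@ private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
 private-lib gconv
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute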
diff --git a/etc/widelands.profile b/etc/widelands.profile
index dd956fa28..079e4eb96 100644
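--- a/etc/widelands.profile
+++ b/etc/widelands.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-bin widelands
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none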
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index e199be02c..c1250b1f0 100644
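--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -10,7 +10,8 @@ include wire-desktop.local
 # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
 
 ignore caps.drop all
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 
 noblacklist ${HOME}/.config/Wire
 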
diff --git a/etc/wordwarvi.profile b/etc/wordwarvi.profile
index ea750e172..6372654bd 100644
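--- a/etc/wordwarvi.profile
+++ b/etc/wordwarvi.profile
@@ -27,7 +27,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ private-cache
 private-dev
 private-etc alsa,asound.conf,machine-id,pulse
 private-tmp
+
+dbus-user none
+dbus-system none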
diff --git a/etc/wps.profile b/etc/wps.profile
index 47bba2dda..6e4a313e3 100644
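--- a/etc/wps.profile
+++ b/etc/wps.profile
@@ -27,7 +27,6 @@ machine-id
 #net none
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ tracelog
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none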
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
index b6424f342..fe0781336 100644
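--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -8,7 +8,6 @@ include globals.local
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nogroups
 noroot
 nou2f
@@ -17,4 +16,7 @@ seccomp
 
 private-dev
 
+dbus-user none
+dbus-system none
+
 noexec /tmp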
diff --git a/etc/x2goclient.profile b/etc/x2goclient.profile
index bb0535ae6..bc9603835 100644
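--- a/etc/x2goclient.profile
+++ b/etc/x2goclient.profile
@@ -22,7 +22,6 @@ caps.drop all
 ipc-namespace
 netfilter
 #no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,4 +43,7 @@ private-opt none
 private-srv none
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute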
diff --git a/etc/xbill.profile b/etc/xbill.profile
index fc29dced6..56d3cf40d 100644
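--- a/etc/xbill.profile
+++ b/etc/xbill.profile
@@ -25,7 +25,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,5 +46,8 @@ private-dev
 private-etc none
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 read-only ${HOME}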
diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index a644af351..294ad7c80 100644
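--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -19,7 +19,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,5 @@ private-dev
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none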
diff --git a/etc/xed.profile b/etc/xed.profile
index 145dd988e..64a50083f 100644
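--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -28,7 +28,6 @@ caps.drop all
 machine-id
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -46,5 +45,9 @@ private-bin xed
 private-dev
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 # xed uses python plugins, memory-deny-write-execute breaks python
 # memory-deny-write-execute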
diff --git a/etc/xfce4-mixer.profile b/etc/xfce4-mixer.profile
index 6ef85f318..5707dc443 100644
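--- a/etc/xfce4-mixer.profile
+++ b/etc/xfce4-mixer.profile
@@ -29,7 +29,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +47,7 @@ private-dev
 private-etc alternatives,asound.conf,fonts,machine-id,pulse
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute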
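Review bot: The commented-out `# dbus-user none` and `# dbus-system none` in the second hunk carry no reason, unlike the equivalent lines in totem.profile, vlc.profile or xed.profile. A one-line comment above them stating what breaks, in the form `# dbus-user none - breaks <feature>` (placeholder, the reason is not given on this page), would let a later maintainer check whether `dbus-system none` can be switched on by itself. As written, the profile silently leaves both buses reachable from the sandbox.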
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index f4f828eda..949988c3b 100644
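--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,5 @@ private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
 
+dbus-user none
+dbus-system none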
diff --git a/etc/xournal.profile b/etc/xournal.profile
index fa5200ea3..ba41d5bb3 100644
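--- a/etc/xournal.profile
+++ b/etc/xournal.profile
@@ -25,7 +25,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ private-dev
 private-etc alternatives,fonts,group,machine-id,passwd
 # TODO should use private-lib
 private-tmp
+
+dbus-user none
+dbus-system none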
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index cb7ac4a59..cdffe4eb7 100644
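--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -24,7 +24,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,4 +38,8 @@ shell none
 
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute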
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 7c474da41..28df73ea5 100644
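--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -27,7 +27,6 @@ include whitelist-var-common.inc
 # apparmor - makes settings immutable
 caps.drop all
 netfilter
-# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
@@ -42,3 +41,6 @@ private-dev
 # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none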
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index b09bf8ab1..59c8a44f2 100644
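--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -42,4 +41,8 @@ private-dev
 private-lib
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute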
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index ca6aaf1d5..542363b57 100644
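--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -21,7 +21,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -37,3 +36,6 @@ tracelog
 x11 none
 
 private-dev
+
+dbus-user none
+dbus-system none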
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 6066313a3..061d873b3 100644
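--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -41,7 +41,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -61,4 +60,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)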
diff --git a/etc/zart.profile b/etc/zart.profile
index 347bed8b6..3fe3c8ce8 100644
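--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -20,7 +20,6 @@ include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +33,5 @@ shell none
 private-bin ffmpeg,ffplay,ffprobe,melt,zart
 private-dev
 
+dbus-user none
+dbus-system none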
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 9ca5fd862..ba0ea1032 100644
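--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -30,7 +30,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,6 +51,9 @@ private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 #private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
 private-tmp
 
+dbus-user none
+dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.config/zathura
 read-write ${HOME}/.local/share/zathura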
diff --git a/etc/zeal.profile b/etc/zeal.profile
index f0fa29aa3..943d39097 100644
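--- a/etc/zeal.profile
+++ b/etc/zeal.profile
@@ -32,7 +32,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,4 +52,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute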
diff --git a/etc/zstd.profile b/etc/zstd.profile
index 93b849568..be27c10e1 100644
--- a/etc/zstd.profile
+++ b/etc/zstd.profile
@@ -23,7 +23,6 @@ ipc-namespace
23machine-id 23machine-id
24net none 24net none
25no3d 25no3d
26nodbus
27nodvd 26nodvd
28nogroups 27nogroups
29nonewprivs 28nonewprivs