41 files changed, 18 insertions, 65 deletions
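--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -48,8 +48,6 @@ disable-mnt
 private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
-# private-etc alternatives
-# private-lib
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)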
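--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -31,5 +31,5 @@ shell none
 
 # private-bin amarok
 private-dev
-# private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
 private-tmp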
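--- a/etc/arch-audit.profile
+++ b/etc/arch-audit.profile
@@ -7,7 +7,6 @@ include arch-audit.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist /var/lib/pacman
 
 include disable-common.inc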
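--- a/etc/archaudit-report.profile
+++ b/etc/archaudit-report.profile
@@ -6,7 +6,6 @@ include archaudit-report.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist /var/lib/pacman
 
 include disable-common.inc
@@ -17,8 +16,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
-
 caps.drop all
 ipc-namespace
 netfilter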
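Review bot: Dropping `include whitelist-common.inc` (old line 20 of archaudit-report.profile) presumably takes ${HOME} out of whitelist mode, so unless a `whitelist` directive survives elsewhere in the profile (not visible in this hunk) the home directory is now covered only by the disable-*.inc blacklists, which is a wider view than before. Nothing in the hunk records why the include was removed, and arch-audit.profile next to it never had one, so a reader cannot tell whether the tool genuinely needs full home access or the include was simply judged redundant. A comment at the spot it was removed from, `# no home whitelist: archaudit-report needs <reason> -- TODO confirm`, would stop the next cleanup pass from silently re-adding or re-removing it.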
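--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -34,7 +34,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-#private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 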
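--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -6,12 +6,15 @@ include bitlbee.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -34,5 +37,4 @@ private-cache
 private-dev
 private-tmp
 
-noexec /tmp
 read-write /var/lib/bitlbee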
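Review bot: The new `ignore noexec ${HOME}` (new line 9) carries no explanation, so a reader cannot tell what bitlbee needs to execute from its home directory, and it cancels the ${HOME} part of the protection that the added `include disable-exec.inc` is presumably there to provide; the removed explicit `noexec /tmp` in the second hunk suggests the include is now expected to cover /tmp alone. Since an executable ${HOME} is the classic way a sandboxed process gets a payload back on disk and runs it, the reason for the exception should be auditable. A comment on the ignore line, `# bitlbee needs an executable ${HOME}: <reason or issue> -- TODO confirm`, would do. The same unexplained `ignore noexec ${HOME}` is added in the shotcut.profile section below.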
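--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -31,7 +31,6 @@ tracelog
 # private-bin brasero
 private-cache
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute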
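--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -39,5 +39,4 @@ tracelog
 # caja needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin caja
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp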
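--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -15,11 +15,11 @@ noblacklist ${HOME}/.config/catfish
 include allow-python2.inc
 include allow-python3.inc
 
-include disable-common.inc
+# include disable-common.inc
 # include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
+# include disable-programs.inc
 
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc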
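Review bot: The profile's two broadest blacklist includes, `include disable-common.inc` and `include disable-programs.inc` (lines 18 and 22), are commented out without any recorded reason, which is a substantial loosening of the catfish sandbox rather than the cosmetic cleanup the rest of this commit performs. Whether this works around a catfish breakage (a file searcher plausibly wants to index paths those includes hide) or is a deliberate policy change, the justification and an issue reference belong next to the commented lines. Something like `# include disable-common.inc -- <what breaks>, see #<issue>` on each would let a later reviewer decide whether the includes can be restored.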
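--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.digrc
+#mkfile ${HOME}/.digrc -- see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -45,7 +45,6 @@ private
 private-bin bash,dig,sh
 private-cache
 private-dev
-# private-etc alternatives,resolv.conf
 private-lib
 private-tmp
 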
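Review bot: With `mkfile ${HOME}/.digrc` commented out (line 20), the `whitelist ${HOME}/.digrc` directly below it now names a file that may not exist when the sandbox starts, so on a fresh home the whitelist entry is presumably a no-op and dig has no writable rc file inside the whitelisted home. The `-- see #903` reference says why mkfile was disabled but not whether the whitelist is intentionally kept or should have gone with it. Making the pairing explicit, `#mkfile ${HOME}/.digrc -- disabled until #903 is fixed; whitelist below kept so an existing .digrc stays readable`, avoids the next reader removing the orphaned whitelist.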
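--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -33,11 +33,8 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
-# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
 
-# private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
-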
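--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -35,7 +35,6 @@ tracelog
 
 # private-bin engrampa
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute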
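--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -36,7 +36,6 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
-# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
 shell none
 tracelog
 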
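--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -39,7 +39,6 @@ tracelog
 
 # private-bin file-roller
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 # memory-deny-write-execute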
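--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -38,5 +38,4 @@ shell none
 disable-mnt
 # private-bin frozen-bubble
 private-dev
-# private-etc alternatives
 private-tmp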
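--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -44,7 +44,6 @@ tracelog
 
 # private-bin gedit
 private-dev
-# private-etc alternatives,fonts
 private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 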
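--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -31,4 +31,3 @@ shell none
 
 # private-bin geeqie
 private-dev
-# private-etc alternatives,X11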
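--- a/etc/github-desktop.profile
+++ b/etc/github-desktop.profile
@@ -42,7 +42,6 @@ disable-mnt
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-# private-etc alternatives
 # private-lib
 private-tmp
 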
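--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -36,8 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs gnome-books
+# private-bin gjs,gnome-books
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 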
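--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc -- see #903
 include whitelist-var-common.inc
 
 caps.keep net_raw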
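Review bot: `include whitelist-common.inc` (line 17) is the only home-directory whitelist visible in this hunk, so commenting it out presumably drops ${HOME} from whitelist mode back to blacklist-only for a tool that keeps `caps.keep net_raw`; that is a wider filesystem view, not a cosmetic change. `-- see #903` names the issue but not the effect, and dig.profile in this same commit works around #903 by disabling `mkfile` while keeping its whitelist, so the two workarounds differ without the difference being explained. Spelling out the trigger and the exit condition, `#include whitelist-common.inc -- see #903: <what breaks>; re-enable when fixed`, would make this auditable.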
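--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -33,8 +33,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs gnome-photos
+# private-bin gjs,gnome-photos
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 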
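--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -69,6 +69,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-# private-etc alternatives
 writable-var
 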
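--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -34,5 +34,4 @@ tracelog
 private-bin highlight
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp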
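--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -38,7 +38,6 @@ tracelog
 # private-bin img2txt
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp
 
 memory-deny-write-execute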
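--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -40,5 +40,4 @@ tracelog
 # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin nautilus
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp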
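--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -33,5 +33,4 @@ shell none
 
 # private-bin open-invaders
 private-dev
-# private-etc alternatives
 private-tmp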
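--- a/etc/openarena.profile
+++ b/etc/openarena.profile
@@ -21,16 +21,12 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 # ipc-namespace
-# machine-id
-# net none
 # netfilter
-# no3d
 # nodbus
 # nodvd
 # nogroups
 nonewprivs
 noroot
-# nosound
 notv
 # nou2f
 novideo
@@ -40,12 +36,8 @@ shell none
 # tracelog
 
 # disable-mnt
-# private
 # private-bin openarena
 private-cache
 private-dev
-# private-etc machine-id,xdg,openal,udev,drirc,passwd,selinux
+# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
-# private-lib
 private-tmp
-
-# memory-deny-write-execute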
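--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -30,10 +30,8 @@ nosound
 notv
 nou2f
 novideo
-
 # protocol command is built using seccomp; nonewprivs will kill it
 #protocol unix,inet,inet6,netlink,packet
-
 # killed by no-new-privs
 #seccomp
 
@@ -42,7 +40,7 @@ private
 #private-bin has mammoth problems with execvp: "No such file or directory"
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
-#private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies
+#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it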
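--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -33,5 +33,4 @@ shell none
 
 # private-bin pingus
 private-dev
-# private-etc alternatives
 private-tmp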
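--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -39,7 +39,6 @@ tracelog
 
 private-bin pluma
 private-dev
-# private-etc alternatives,fonts
 private-lib pluma
 private-tmp
 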
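--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -31,7 +31,6 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
 shell none
 
 private-cache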
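--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -5,10 +5,13 @@ include shotcut.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/Meltytech
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -26,9 +29,6 @@ protocol unix
 seccomp
 shell none
 
-#private-bin shotcut,melt,qmelt,nice
+#private-bin melt,nice,qmelt,shotcut
 private-cache
 private-dev
-
-#noexec ${HOME}
-noexec /tmp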
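--- a/etc/simplescreenrecorder.profile
+++ b/etc/simplescreenrecorder.profile
@@ -31,7 +31,6 @@ tracelog
 
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp
 
 memory-deny-write-execute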
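--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -33,5 +33,4 @@ shell none
 
 # private-bin simutrans
 private-dev
-# private-etc alternatives
 private-tmp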
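--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -16,7 +16,6 @@ include disable-programs.inc
 include disable-xdg.inc
 
 caps.drop all
-# net none
 netfilter
 # nodbus
 nodvd
@@ -31,6 +30,6 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
-# private-bin skanlite,kbuildsycoca4,kdeinit4
+# private-bin kbuildsycoca4,kdeinit4,skanlite
 # private-dev
 # private-tmp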
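--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -34,5 +34,4 @@ shell none
 disable-mnt
 # private-bin supertux2
 private-dev
-# private-etc alternatives
 private-tmp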
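--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -49,4 +49,3 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
 private-tmp
-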
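--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -33,5 +33,4 @@ tracelog
 
 # private-bin tracker
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp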
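--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -42,7 +42,6 @@ tracelog
 
 private-bin xed
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 
 # xed uses python plugins, memory-deny-write-execute breaks python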
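--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -29,5 +29,4 @@ tracelog
 
 # private-bin xfburn
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp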
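--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -39,7 +39,6 @@ tracelog
 
 private-bin xviewer
 private-dev
-#private-etc alternatives,fonts
 private-lib
 private-tmp
 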