-rw-r--r-- | etc/Xephyr.profile | 4 | ||||
-rw-r--r-- | etc/Xvfb.profile | 3 | ||||
-rw-r--r-- | etc/bitwarden.profile | 9 | ||||
-rw-r--r-- | etc/brave-browser.profile | 1 | ||||
-rw-r--r-- | etc/brave.profile | 6 | ||||
-rw-r--r-- | etc/disable-programs.inc | 18 | ||||
-rw-r--r-- | etc/geary.profile | 12 | ||||
-rw-r--r-- | etc/gzip.profile | 13 | ||||
-rw-r--r-- | etc/less.profile | 17 | ||||
-rw-r--r-- | etc/meld.profile | 1 | ||||
-rw-r--r-- | etc/midori.profile | 6 | ||||
-rw-r--r-- | etc/ms-skype.profile | 7 | ||||
-rw-r--r-- | etc/pidgin.profile | 4 | ||||
-rw-r--r-- | etc/strings.profile | 23 | ||||
-rw-r--r-- | etc/templates/redirect_alias-profile.template | 2 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 10 | ||||
-rw-r--r-- | etc/xlinks.profile | 2 | ||||
-rw-r--r-- | etc/xpra.profile | 3 | ||||
-rw-r--r-- | etc/youtube-dl.profile | 6 | ||||
-rw-r--r-- | etc/zpaq.profile | 1 |
20 files changed, 83 insertions, 65 deletions
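--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -14,9 +14,6 @@ include globals.local
 # or run "sudo firecfg"
 #
 
-
-blacklist /media
-
 whitelist /var/lib/xkb
 include whitelist-common.inc
 
@@ -34,6 +31,7 @@ protocol unix
 seccomp
 shell none
 
+disable-mnt
 # using a private home directory
 private
 # private-bin Xephyr,sh,xkbcomp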
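--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -17,8 +17,6 @@ include globals.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
 
-blacklist /media
-
 whitelist /var/lib/xkb
 include whitelist-common.inc
 
@@ -36,6 +34,7 @@ protocol unix
 seccomp
 shell none
 
+disable-mnt
 # using a private home directory
 private
 # private-bin Xvfb,sh,xkbcomp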
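--- a/etc/bitwarden.profile
+++ b/etc/bitwarden.profile
@@ -6,9 +6,10 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Bitwarden
 ignore noexec /tmp
 
+noblacklist ${HOME}/.config/Bitwarden
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -17,11 +18,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
-include whitelist-var-common.inc
-
+mkdir ${HOME}/.config/Bitwarden
 whitelist ${HOME}/.config/Bitwarden
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all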
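--- a/etc/brave-browser.profile
+++ b/etc/brave-browser.profile
@@ -1,6 +1,5 @@
 # Firejail profile alias for brave
 # This file is overwritten after every install/update
 
-
 # Redirect
 include brave.profile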
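--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -6,6 +6,9 @@ include brave.local
 # Persistent global definitions
 include globals.local
 
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+
 noblacklist ${HOME}/.config/brave
 noblacklist ${HOME}/.config/BraveSoftware
 # brave uses gpg for built-in password manager
@@ -17,8 +20,5 @@ whitelist ${HOME}/.config/brave
 whitelist ${HOME}/.config/BraveSoftware
 whitelist ${HOME}/.gnupg
 
-# noexec /tmp is included in chromium-common.profile and breaks Brave
-ignore noexec /tmp
-
 # Redirect
 include chromium-common.profile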
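--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -197,6 +197,7 @@ blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/kid3rc
@@ -204,13 +205,12 @@ blacklist ${HOME}/.config/klavaro
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kmailsearchindexingrc
-blacklist ${HOME}/.config/kritarc
-blacklist ${HOME}/.config/kwriterc
-blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/konversationrc
+blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
+blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
@@ -275,17 +275,17 @@ blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
-blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/telepathy-account-widgets
 blacklist ${HOME}/.config/torbrowser
 blacklist ${HOME}/.config/totem
 blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
-blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
@@ -328,7 +328,6 @@ blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
 blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs
 blacklist ${HOME}/.emacs.d
 blacklist ${HOME}/.ethereum
 blacklist ${HOME}/.etr
@@ -374,7 +373,6 @@ blacklist ${HOME}/.kde/share/apps/klatexformula
 blacklist ${HOME}/.kde/share/apps/konqsidebartng
 blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/ktorrent
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
@@ -499,8 +497,8 @@ blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
-blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
@@ -525,13 +523,13 @@ blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
+blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
@@ -632,8 +630,8 @@ blacklist ${HOME}/.wget-hsts
 blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
-blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.wine64
+blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms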
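Review bot: The hunk at old line 377 drops `blacklist ${HOME}/.kde/share/apps/khtml` without re-adding it anywhere in this file section, unlike every other entry this commit moves (kdeconnect, kritarc, kwriterc, supertuxkart, truecraft, ktorrentrc, rhythmbox, wireshark), which is removed in one place and inserted at its sorted position. That is fine only if khtml already appears at its alphabetical position (before klatexformula, outside the hunk) and this was a duplicate like the second `.emacs` line; if not, the entry is silently lost and the directory is no longer blacklisted for every profile that includes this file. I cannot see the surrounding lines, so please confirm against the full file before merging; a commit message line such as `# khtml: duplicate removed, canonical entry kept at its sorted position` would make the intent reviewable.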
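--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -4,27 +4,25 @@
 # Persistent local customizations
 include geary.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
 
+ignore nodbus
+ignore private-tmp
+
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/geary
 
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/geary
-
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
 
-include whitelist-common.inc
-
-ignore nodbus
-ignore private-tmp
-
 read-only ${HOME}/.config/mimeapps.list
 
 # allow browsers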
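Review bot: `include whitelist-common.inc` is removed from this hunk with no replacement, and the new comment `# added by included profile` only covers `globals.local`; the redirect that is supposed to supply both lies outside the hunk, so from here it cannot be verified that the target profile actually includes whitelist-common.inc. If it does not, the common whitelist entries are lost while the profile's own `whitelist` lines still apply, which changes what the sandbox exposes without any visible signal in this diff. Extending the comment to `# globals.local and whitelist-common.inc are added by the included profile` would document the dependency; the same `# added by included profile` / `#include globals.local` pattern appears in the ms-skype.profile hunk, whose redirect target is likewise outside its hunk.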
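--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -9,12 +9,15 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-
-ignore noroot
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 apparmor
+caps.drop all
 hostname gzip
 ipc-namespace
 machine-id
@@ -23,10 +26,14 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
@@ -34,5 +41,3 @@ private-cache
 private-dev
 
 memory-deny-write-execute
-
-include default.profile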
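Review bot: The new `#noroot` at line 30 replaces the old `ignore noroot`, but neither form records why this profile opts out of the user namespace, and a commented-out option with no explanation reads as forgotten rather than deliberate; a one-line comment above it, `# noroot is intentionally not set here (was 'ignore noroot' before default.profile was dropped)`, would preserve that decision. With `include default.profile` removed in the last hunk, the profile now enforces only what is spelled out in this file, so the hardening it used to inherit has to be re-listed explicitly; the hunk does add `caps.drop all`, `nonewprivs`, `protocol unix` and `seccomp`, but I cannot see default.profile from here, so any option it set that is not among these lines is presumably lost and should be checked line by line. The same `#noroot` and dropped `include default.profile` pattern appears in the less.profile and strings.profile sections, so whatever comment is chosen should go into all three.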
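--- a/etc/less.profile
+++ b/etc/less.profile
@@ -5,24 +5,33 @@ quiet
 # Persistent local customizations
 include less.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-ignore noroot
 apparmor
+caps.drop all
 ipc-namespace
 machine-id
 net none
 no3d
 nodbus
 nodvd
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 writable-var-log
@@ -35,5 +44,3 @@ private-cache
 private-dev
 
 memory-deny-write-execute
-
-include default.profile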
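--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -54,3 +54,4 @@ private-dev
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
 private-tmp
 
+read-only ${HOME}/.ssh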
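Review bot: The added `read-only ${HOME}/.ssh` gives no hint why a diff viewer needs the SSH directory at all; presumably it is for the version-control integration (the neighbouring commented `private-etc` line lists `subversion`), but that is an inference, so the profile should state it. A comment directly above the line, `# ssh keys are needed for git/svn over ssh; keep them unmodifiable from the sandbox`, would make the exposure reviewable. Note that read-only still leaves the private keys readable inside the sandbox; if meld only needs the directory to exist, a tighter option may be available, but that depends on the rest of this profile, which is outside the hunk.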
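--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -6,6 +6,9 @@ include midori.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
@@ -13,9 +16,6 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
-# noexec ${HOME} breaks DRM binaries.
-?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc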
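--- a/etc/ms-skype.profile
+++ b/etc/ms-skype.profile
@@ -3,10 +3,13 @@
 # Persistent local customizations
 include ms-skype.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
-noblacklist ${HOME}/.cache/ms-skype-online
 ignore novideo
 
+noblacklist ${HOME}/.cache/ms-skype-online
+
 private-bin ms-skype
 
 # Redirect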
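--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,11 +6,11 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.purple
-
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
 
+noblacklist ${HOME}/.purple
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc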
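--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -4,30 +4,43 @@ quiet
 # Persistent local customizations
 include strings.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-ignore noroot
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
+#private
 private-bin strings
 private-cache
 private-dev
 private-etc alternatives
 private-lib libfakeroot
+private-tmp
 
 memory-deny-write-execute
-
-include default.profile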
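--- a/etc/templates/redirect_alias-profile.template
+++ b/etc/templates/redirect_alias-profile.template
@@ -31,8 +31,6 @@ include PROFILE.local
 
 # Additional options (if needed)
 
-
-
 # Additional private-options (if needed)
 # Add programs to private-bin (if needed)
 #private-bin PROGRAMS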
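--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -4,19 +4,19 @@ Hints for writing seccomp.drop lines
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @module=delete_module,finit_module,init_module
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
-@reboot=kexec_load,kexec_file_load,reboot,
-@swap=swapon,swapoff
+@reboot=kexec_file_load,kexec_load,reboot
+@swap=swapoff,swapon
 
 @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
 
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
-@resources=set_mempolicy,migrate_pages,move_pages,mbind
+@resources=mbind,migrate_pages,move_pages,set_mempolicy
 
-@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 
-@default-nodebuggers=@default,ptrace,personality,process_vm_readv
+@default-nodebuggers=@default,personality,process_vm_readv,ptrace
 
 @default-keep=execve,prctl
 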
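--- a/etc/xlinks.profile
+++ b/etc/xlinks.profile
@@ -15,4 +15,4 @@ private-bin xlinks
 private-etc fonts
 
 # Redirect
-include links.profile
\ No newline at end of file
+include links.profile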
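--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -14,8 +14,6 @@ include globals.local
 #
 # or run "sudo firecfg"
 
-blacklist /media
-
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -45,6 +43,7 @@ protocol unix
 seccomp
 shell none
 
+disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
 # private
 # older Xpra versions also use Xvfb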
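--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -7,6 +7,9 @@ include youtube-dl.local
 # Persistent global definitions
 include globals.local
 
+# breaks when installed via pip
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.netrc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
@@ -15,9 +18,6 @@ noblacklist ${VIDEOS}
 include allow-python2.inc
 include allow-python3.inc
 
-# breaks when installed via pip
-ignore noexec ${HOME}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc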
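--- a/etc/zpaq.profile
+++ b/etc/zpaq.profile
@@ -10,6 +10,5 @@ include zpaq.local
 # mdwx breaks 'list' functionality
 ignore memory-deny-write-execute
 
-
 # Redirect
 include cpio.profile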