diff options
712 files changed, 2609 insertions, 601 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index a319e1ac6..839ba6f49 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
| @@ -4,33 +4,47 @@ on: | |||
| 4 | push: | 4 | push: |
| 5 | branches: [ master ] | 5 | branches: [ master ] |
| 6 | paths-ignore: | 6 | paths-ignore: |
| 7 | - '.github/ISSUE_TEMPLATE/*' | ||
| 8 | - 'etc/**' | ||
| 9 | - 'contrib/gtksourceview-5/**' | ||
| 10 | - 'contrib/vim/**' | ||
| 11 | - 'src/man/*.txt' | ||
| 7 | - .git-blame-ignore-revs | 12 | - .git-blame-ignore-revs |
| 13 | - .github/dependabot.yml | ||
| 14 | - .github/pull_request_template.md | ||
| 15 | - .github/workflows/codeql-analysis.yml | ||
| 16 | - .github/workflows/profile-checks.yml | ||
| 8 | - .gitignore | 17 | - .gitignore |
| 18 | - .gitlab-ci.yml | ||
| 9 | - CONTRIBUTING.md | 19 | - CONTRIBUTING.md |
| 10 | - COPYING | 20 | - COPYING |
| 11 | - README | 21 | - README |
| 12 | - README.md | 22 | - README.md |
| 13 | - RELNOTES | 23 | - RELNOTES |
| 14 | - SECURITY.md | 24 | - SECURITY.md |
| 15 | - 'etc/**' | 25 | - src/firecfg/firecfg.config |
| 16 | - 'src/firecfg/firecfg.config' | ||
| 17 | - '.github/ISSUE_TEMPLATE/*' | ||
| 18 | - '.github/pull_request_template.md' | ||
| 19 | pull_request: | 26 | pull_request: |
| 20 | branches: [ master ] | 27 | branches: [ master ] |
| 21 | paths-ignore: | 28 | paths-ignore: |
| 29 | - '.github/ISSUE_TEMPLATE/*' | ||
| 30 | - 'etc/**' | ||
| 31 | - 'contrib/gtksourceview-5/**' | ||
| 32 | - 'contrib/vim/**' | ||
| 33 | - 'src/man/*.txt' | ||
| 22 | - .git-blame-ignore-revs | 34 | - .git-blame-ignore-revs |
| 35 | - .github/dependabot.yml | ||
| 36 | - .github/pull_request_template.md | ||
| 37 | - .github/workflows/codeql-analysis.yml | ||
| 38 | - .github/workflows/profile-checks.yml | ||
| 23 | - .gitignore | 39 | - .gitignore |
| 40 | - .gitlab-ci.yml | ||
| 24 | - CONTRIBUTING.md | 41 | - CONTRIBUTING.md |
| 25 | - COPYING | 42 | - COPYING |
| 26 | - README | 43 | - README |
| 27 | - README.md | 44 | - README.md |
| 28 | - RELNOTES | 45 | - RELNOTES |
| 29 | - SECURITY.md | 46 | - SECURITY.md |
| 30 | - 'etc/**' | 47 | - src/firecfg/firecfg.config |
| 31 | - 'src/firecfg/firecfg.config' | ||
| 32 | - '.github/ISSUE_TEMPLATE/*' | ||
| 33 | - '.github/pull_request_template.md' | ||
| 34 | 48 | ||
| 35 | permissions: # added using https://github.com/step-security/secure-workflows | 49 | permissions: # added using https://github.com/step-security/secure-workflows |
| 36 | contents: read | 50 | contents: read |
| @@ -40,11 +54,13 @@ jobs: | |||
| 40 | runs-on: ubuntu-22.04 | 54 | runs-on: ubuntu-22.04 |
| 41 | steps: | 55 | steps: |
| 42 | - name: Harden Runner | 56 | - name: Harden Runner |
| 43 | uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 | 57 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 44 | with: | 58 | with: |
| 45 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 59 | egress-policy: block |
| 46 | 60 | allowed-endpoints: > | |
| 47 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 61 | azure.archive.ubuntu.com:80 |
| 62 | github.com:443 | ||
| 63 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | ||
| 48 | - name: install dependencies | 64 | - name: install dependencies |
| 49 | run: sudo apt-get install libapparmor-dev libselinux1-dev | 65 | run: sudo apt-get install libapparmor-dev libselinux1-dev |
| 50 | - name: configure | 66 | - name: configure |
| @@ -59,11 +75,13 @@ jobs: | |||
| 59 | runs-on: ubuntu-22.04 | 75 | runs-on: ubuntu-22.04 |
| 60 | steps: | 76 | steps: |
| 61 | - name: Harden Runner | 77 | - name: Harden Runner |
| 62 | uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 | 78 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 63 | with: | 79 | with: |
| 64 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 80 | egress-policy: block |
| 65 | 81 | allowed-endpoints: > | |
| 66 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 82 | azure.archive.ubuntu.com:80 |
| 83 | github.com:443 | ||
| 84 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | ||
| 67 | - name: install clang-tools-14 and dependencies | 85 | - name: install clang-tools-14 and dependencies |
| 68 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev | 86 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev |
| 69 | - name: configure | 87 | - name: configure |
| @@ -74,11 +92,13 @@ jobs: | |||
| 74 | runs-on: ubuntu-22.04 | 92 | runs-on: ubuntu-22.04 |
| 75 | steps: | 93 | steps: |
| 76 | - name: Harden Runner | 94 | - name: Harden Runner |
| 77 | uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 | 95 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 78 | with: | 96 | with: |
| 79 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 97 | egress-policy: block |
| 80 | 98 | allowed-endpoints: > | |
| 81 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 99 | azure.archive.ubuntu.com:80 |
| 100 | github.com:443 | ||
| 101 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | ||
| 82 | - name: install cppcheck | 102 | - name: install cppcheck |
| 83 | run: sudo apt-get install cppcheck | 103 | run: sudo apt-get install cppcheck |
| 84 | - name: cppcheck | 104 | - name: cppcheck |
| @@ -89,11 +109,13 @@ jobs: | |||
| 89 | runs-on: ubuntu-20.04 | 109 | runs-on: ubuntu-20.04 |
| 90 | steps: | 110 | steps: |
| 91 | - name: Harden Runner | 111 | - name: Harden Runner |
| 92 | uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 | 112 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 93 | with: | 113 | with: |
| 94 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 114 | egress-policy: block |
| 95 | 115 | allowed-endpoints: > | |
| 96 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 116 | azure.archive.ubuntu.com:80 |
| 117 | github.com:443 | ||
| 118 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | ||
| 97 | - name: install cppcheck | 119 | - name: install cppcheck |
| 98 | run: sudo apt-get install cppcheck | 120 | run: sudo apt-get install cppcheck |
| 99 | - name: cppcheck | 121 | - name: cppcheck |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e383c9ef2..852575532 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
| @@ -4,8 +4,14 @@ on: | |||
| 4 | push: | 4 | push: |
| 5 | branches: [ master ] | 5 | branches: [ master ] |
| 6 | paths-ignore: | 6 | paths-ignore: |
| 7 | - '.github/ISSUE_TEMPLATE/*' | ||
| 7 | - .git-blame-ignore-revs | 8 | - .git-blame-ignore-revs |
| 9 | - .github/dependabot.yml | ||
| 10 | - .github/pull_request_template.md | ||
| 11 | - .github/workflows/codeql-analysis.yml | ||
| 12 | - .github/workflows/profile-checks.yml | ||
| 8 | - .gitignore | 13 | - .gitignore |
| 14 | - .gitlab-ci.yml | ||
| 9 | - CONTRIBUTING.md | 15 | - CONTRIBUTING.md |
| 10 | - COPYING | 16 | - COPYING |
| 11 | - README | 17 | - README |
| @@ -15,8 +21,14 @@ on: | |||
| 15 | pull_request: | 21 | pull_request: |
| 16 | branches: [ master ] | 22 | branches: [ master ] |
| 17 | paths-ignore: | 23 | paths-ignore: |
| 24 | - '.github/ISSUE_TEMPLATE/*' | ||
| 18 | - .git-blame-ignore-revs | 25 | - .git-blame-ignore-revs |
| 26 | - .github/dependabot.yml | ||
| 27 | - .github/pull_request_template.md | ||
| 28 | - .github/workflows/codeql-analysis.yml | ||
| 29 | - .github/workflows/profile-checks.yml | ||
| 19 | - .gitignore | 30 | - .gitignore |
| 31 | - .gitlab-ci.yml | ||
| 20 | - CONTRIBUTING.md | 32 | - CONTRIBUTING.md |
| 21 | - COPYING | 33 | - COPYING |
| 22 | - README | 34 | - README |
| @@ -32,11 +44,19 @@ jobs: | |||
| 32 | runs-on: ubuntu-22.04 | 44 | runs-on: ubuntu-22.04 |
| 33 | steps: | 45 | steps: |
| 34 | - name: Harden Runner | 46 | - name: Harden Runner |
| 35 | uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 | 47 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 36 | with: | 48 | with: |
| 37 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 49 | egress-policy: block |
| 38 | 50 | allowed-endpoints: > | |
| 39 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 51 | azure.archive.ubuntu.com:80 |
| 52 | debian.org:80 | ||
| 53 | github.com:443 | ||
| 54 | packages.microsoft.com:443 | ||
| 55 | ppa.launchpadcontent.net:443 | ||
| 56 | www.debian.org:443 | ||
| 57 | www.debian.org:80 | ||
| 58 | yahoo.com:1025 | ||
| 59 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | ||
| 40 | - name: update package information | 60 | - name: update package information |
| 41 | run: sudo apt-get update | 61 | run: sudo apt-get update |
| 42 | - name: install dependencies | 62 | - name: install dependencies |
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6c8a9bf99..47b4bfca3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
| @@ -9,28 +9,46 @@ on: | |||
| 9 | push: | 9 | push: |
| 10 | branches: [ master ] | 10 | branches: [ master ] |
| 11 | paths-ignore: | 11 | paths-ignore: |
| 12 | - '.github/ISSUE_TEMPLATE/*' | ||
| 13 | - 'etc/**' | ||
| 14 | - 'contrib/gtksourceview-5/**' | ||
| 15 | - 'contrib/vim/**' | ||
| 16 | - 'src/man/*.txt' | ||
| 12 | - .git-blame-ignore-revs | 17 | - .git-blame-ignore-revs |
| 18 | - .github/dependabot.yml | ||
| 19 | - .github/pull_request_template.md | ||
| 20 | - .github/workflows/profile-checks.yml | ||
| 13 | - .gitignore | 21 | - .gitignore |
| 22 | - .gitlab-ci.yml | ||
| 14 | - CONTRIBUTING.md | 23 | - CONTRIBUTING.md |
| 15 | - COPYING | 24 | - COPYING |
| 16 | - README | 25 | - README |
| 17 | - README.md | 26 | - README.md |
| 18 | - RELNOTES | 27 | - RELNOTES |
| 19 | - SECURITY.md | 28 | - SECURITY.md |
| 20 | - 'etc/**' | 29 | - src/firecfg/firecfg.config |
| 21 | pull_request: | 30 | pull_request: |
| 22 | # The branches below must be a subset of the branches above | 31 | # The branches below must be a subset of the branches above |
| 23 | branches: [ master ] | 32 | branches: [ master ] |
| 24 | paths-ignore: | 33 | paths-ignore: |
| 34 | - '.github/ISSUE_TEMPLATE/*' | ||
| 35 | - 'etc/**' | ||
| 36 | - 'contrib/gtksourceview-5/**' | ||
| 37 | - 'contrib/vim/**' | ||
| 38 | - 'src/man/*.txt' | ||
| 25 | - .git-blame-ignore-revs | 39 | - .git-blame-ignore-revs |
| 40 | - .github/dependabot.yml | ||
| 41 | - .github/pull_request_template.md | ||
| 42 | - .github/workflows/profile-checks.yml | ||
| 26 | - .gitignore | 43 | - .gitignore |
| 44 | - .gitlab-ci.yml | ||
| 27 | - CONTRIBUTING.md | 45 | - CONTRIBUTING.md |
| 28 | - COPYING | 46 | - COPYING |
| 29 | - README | 47 | - README |
| 30 | - README.md | 48 | - README.md |
| 31 | - RELNOTES | 49 | - RELNOTES |
| 32 | - SECURITY.md | 50 | - SECURITY.md |
| 33 | - 'etc/**' | 51 | - src/firecfg/firecfg.config |
| 34 | schedule: | 52 | schedule: |
| 35 | - cron: '0 7 * * 2' | 53 | - cron: '0 7 * * 2' |
| 36 | 54 | ||
| @@ -56,16 +74,21 @@ jobs: | |||
| 56 | 74 | ||
| 57 | steps: | 75 | steps: |
| 58 | - name: Harden Runner | 76 | - name: Harden Runner |
| 59 | uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 | 77 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 60 | with: | 78 | with: |
| 61 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 79 | disable-sudo: true |
| 80 | egress-policy: block | ||
| 81 | allowed-endpoints: > | ||
| 82 | api.github.com:443 | ||
| 83 | github.com:443 | ||
| 84 | uploads.github.com:443 | ||
| 62 | 85 | ||
| 63 | - name: Checkout repository | 86 | - name: Checkout repository |
| 64 | uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 87 | uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b |
| 65 | 88 | ||
| 66 | # Initializes the CodeQL tools for scanning. | 89 | # Initializes the CodeQL tools for scanning. |
| 67 | - name: Initialize CodeQL | 90 | - name: Initialize CodeQL |
| 68 | uses: github/codeql-action/init@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 | 91 | uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 |
| 69 | with: | 92 | with: |
| 70 | languages: ${{ matrix.language }} | 93 | languages: ${{ matrix.language }} |
| 71 | # If you wish to specify custom queries, you can do so here or in a config file. | 94 | # If you wish to specify custom queries, you can do so here or in a config file. |
| @@ -76,7 +99,7 @@ jobs: | |||
| 76 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 99 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
| 77 | # If this step fails, then you should remove it and run the build manually (see below) | 100 | # If this step fails, then you should remove it and run the build manually (see below) |
| 78 | - name: Autobuild | 101 | - name: Autobuild |
| 79 | uses: github/codeql-action/autobuild@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 | 102 | uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 |
| 80 | 103 | ||
| 81 | # ℹ️ Command-line programs to run using the OS shell. | 104 | # ℹ️ Command-line programs to run using the OS shell. |
| 82 | # 📚 https://git.io/JvXDl | 105 | # 📚 https://git.io/JvXDl |
| @@ -90,4 +113,4 @@ jobs: | |||
| 90 | # make release | 113 | # make release |
| 91 | 114 | ||
| 92 | - name: Perform CodeQL Analysis | 115 | - name: Perform CodeQL Analysis |
| 93 | uses: github/codeql-action/analyze@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 | 116 | uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 |
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index f5de62412..4acd94c96 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml | |||
| @@ -4,17 +4,19 @@ on: | |||
| 4 | push: | 4 | push: |
| 5 | branches: [ master ] | 5 | branches: [ master ] |
| 6 | paths: | 6 | paths: |
| 7 | - 'etc/**' | ||
| 8 | - 'ci/check/profiles/**' | 7 | - 'ci/check/profiles/**' |
| 9 | - 'src/firecfg/firecfg.config' | 8 | - 'etc/**' |
| 10 | - 'contrib/sort.py' | 9 | - .github/workflows/profile-checks.yml |
| 10 | - contrib/sort.py | ||
| 11 | - src/firecfg/firecfg.config | ||
| 11 | pull_request: | 12 | pull_request: |
| 12 | branches: [ master ] | 13 | branches: [ master ] |
| 13 | paths: | 14 | paths: |
| 14 | - 'etc/**' | ||
| 15 | - 'ci/check/profiles/**' | 15 | - 'ci/check/profiles/**' |
| 16 | - 'src/firecfg/firecfg.config' | 16 | - 'etc/**' |
| 17 | - 'contrib/sort.py' | 17 | - .github/workflows/profile-checks.yml |
| 18 | - contrib/sort.py | ||
| 19 | - src/firecfg/firecfg.config | ||
| 18 | 20 | ||
| 19 | permissions: # added using https://github.com/step-security/secure-workflows | 21 | permissions: # added using https://github.com/step-security/secure-workflows |
| 20 | contents: read | 22 | contents: read |
| @@ -24,11 +26,14 @@ jobs: | |||
| 24 | runs-on: ubuntu-latest | 26 | runs-on: ubuntu-latest |
| 25 | steps: | 27 | steps: |
| 26 | - name: Harden Runner | 28 | - name: Harden Runner |
| 27 | uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 | 29 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 |
| 28 | with: | 30 | with: |
| 29 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | 31 | disable-sudo: true |
| 32 | egress-policy: block | ||
| 33 | allowed-endpoints: > | ||
| 34 | github.com:443 | ||
| 30 | 35 | ||
| 31 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 36 | - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b |
| 32 | - name: sort.py | 37 | - name: sort.py |
| 33 | run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | 38 | run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile |
| 34 | - name: private-etc-always-required.sh | 39 | - name: private-etc-always-required.sh |
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0f868d6c4..9a5f19b54 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md | |||
| @@ -39,6 +39,7 @@ If you add a new command, here's the checklist: | |||
| 39 | - [ ] Update manpages: firejail(1) and firejail-profile(5) | 39 | - [ ] Update manpages: firejail(1) and firejail-profile(5) |
| 40 | - [ ] Update shell completions | 40 | - [ ] Update shell completions |
| 41 | - [ ] Update vim syntax files | 41 | - [ ] Update vim syntax files |
| 42 | - [ ] Update gtksourceview language specs | ||
| 42 | - [ ] Update --help | 43 | - [ ] Update --help |
| 43 | 44 | ||
| 44 | # Editing the wiki | 45 | # Editing the wiki |
| @@ -1,3 +1,4 @@ | |||
| 1 | ROOT = . | ||
| 1 | -include config.mk | 2 | -include config.mk |
| 2 | 3 | ||
| 3 | ifneq ($(HAVE_MAN),no) | 4 | ifneq ($(HAVE_MAN),no) |
| @@ -7,8 +8,6 @@ endif | |||
| 7 | 8 | ||
| 8 | COMPLETIONDIRS = src/zsh_completion src/bash_completion | 9 | COMPLETIONDIRS = src/zsh_completion src/bash_completion |
| 9 | 10 | ||
| 10 | .PHONY: all | ||
| 11 | all: all_items mydirs $(MAN_TARGET) filters | ||
| 12 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck | 11 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck |
| 13 | SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids | 12 | SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids |
| 14 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/fzenity/fzenity | 13 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/fzenity/fzenity |
| @@ -22,6 +21,9 @@ MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 fi | |||
| 22 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 | 21 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 |
| 23 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) | 22 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) |
| 24 | 23 | ||
| 24 | .PHONY: all | ||
| 25 | all: all_items mydirs $(MAN_TARGET) filters | ||
| 26 | |||
| 25 | config.mk config.sh: | 27 | config.mk config.sh: |
| 26 | printf 'run ./configure to generate %s\n' "$@" >&2 | 28 | printf 'run ./configure to generate %s\n' "$@" >&2 |
| 27 | false | 29 | false |
| @@ -123,6 +125,9 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes) | |||
| 123 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax | 125 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax |
| 124 | install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect | 126 | install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect |
| 125 | install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax | 127 | install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax |
| 128 | # gtksourceview-5 language-specs | ||
| 129 | install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs | ||
| 130 | install -m 0644 contrib/gtksourceview-5/language-specs/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs | ||
| 126 | endif | 131 | endif |
| 127 | # documents | 132 | # documents |
| 128 | install -m 0755 -d $(DESTDIR)$(docdir) | 133 | install -m 0755 -d $(DESTDIR)$(docdir) |
| @@ -505,6 +505,7 @@ hhzek0014 (https://github.com/hhzek0014) | |||
| 505 | hknaack (https://github.com/hknaack) | 505 | hknaack (https://github.com/hknaack) |
| 506 | - Kate profile fixes | 506 | - Kate profile fixes |
| 507 | - seamonkey.profile: support enigmail/gpg | 507 | - seamonkey.profile: support enigmail/gpg |
| 508 | - Avidemux tools support | ||
| 508 | hlein (https://github.com/hlein) | 509 | hlein (https://github.com/hlein) |
| 509 | - strip out \r's from jail prober | 510 | - strip out \r's from jail prober |
| 510 | - make env/arg sanity check failure messages more useful | 511 | - make env/arg sanity check failure messages more useful |
| @@ -615,6 +616,8 @@ juan (https://github.com/nyancat18) | |||
| 615 | - fixed Kdenlive, Shotcut profiles | 616 | - fixed Kdenlive, Shotcut profiles |
| 616 | - new profiles for Cinelerra, Cliqz, Bluefish | 617 | - new profiles for Cinelerra, Cliqz, Bluefish |
| 617 | - profile hardening | 618 | - profile hardening |
| 619 | k4leg (https://github.com/k4leg) | ||
| 620 | - fix PyCharm profiles | ||
| 618 | Kaan Genç (https://github.com/SeriousBug) | 621 | Kaan Genç (https://github.com/SeriousBug) |
| 619 | - dynamic allocation of noblacklist buffer | 622 | - dynamic allocation of noblacklist buffer |
| 620 | Karoshi42 (https://github.com/karoshi42) | 623 | Karoshi42 (https://github.com/karoshi42) |
| @@ -306,34 +306,39 @@ No include .local found in /etc/firejail/noprofile.profile | |||
| 306 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile | 306 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
| 307 | 307 | ||
| 308 | Stats: | 308 | Stats: |
| 309 | profiles 1196 | 309 | profiles 1205 |
| 310 | include local profile 1195 (include profile-name.local) | 310 | include local profile 1204 (include profile-name.local) |
| 311 | include globals 1169 (include globals.local) | 311 | include globals 1178 (include globals.local) |
| 312 | blacklist ~/.ssh 1067 (include disable-common.inc) | 312 | blacklist ~/.ssh 1076 (include disable-common.inc) |
| 313 | seccomp 1087 | 313 | seccomp 1095 |
| 314 | capabilities 1190 | 314 | capabilities 1199 |
| 315 | noexec 1075 (include disable-exec.inc) | 315 | noexec 1084 (include disable-exec.inc) |
| 316 | noroot 995 | 316 | noroot 1002 |
| 317 | memory-deny-write-execute 269 | 317 | memory-deny-write-execute 272 |
| 318 | apparmor 713 | 318 | restrict-namespaces 962 |
| 319 | private-bin 695 | 319 | apparmor 720 |
| 320 | private-dev 1045 | 320 | private-bin 704 |
| 321 | private-etc 542 | 321 | private-dev 1055 |
| 322 | private-lib 70 | 322 | private-etc 546 |
| 323 | private-tmp 918 | 323 | private-lib 71 |
| 324 | whitelist home directory 575 | 324 | private-tmp 929 |
| 325 | whitelist var 858 (include whitelist-var-common.inc) | 325 | whitelist home directory 581 |
| 326 | whitelist run/user 1164 (include whitelist-runuser-common.inc | 326 | whitelist var 867 (include whitelist-var-common.inc) |
| 327 | whitelist run/user 1173 (include whitelist-runuser-common.inc | ||
| 327 | or blacklist ${RUNUSER}) | 328 | or blacklist ${RUNUSER}) |
| 328 | whitelist usr/share 630 (include whitelist-usr-share-common.inc | 329 | whitelist usr/share 637 (include whitelist-usr-share-common.inc |
| 329 | net none 404 | 330 | net none 410 |
| 330 | dbus-user none 677 | 331 | dbus-user none 677 |
| 331 | dbus-user filter 123 | 332 | dbus-user filter 137 |
| 332 | dbus-system none 837 | 333 | dbus-system none 848 |
| 333 | dbus-system filter 12 | 334 | dbus-system filter 12 |
| 335 | |||
| 334 | ``` | 336 | ``` |
| 335 | 337 | ||
| 336 | ### New profiles: | 338 | ### New profiles: |
| 337 | 339 | ||
| 338 | onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir, | 340 | onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir, |
| 339 | cinelerra-gg | 341 | cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp |
| 342 | |||
| 343 | |||
| 344 | |||
| @@ -1,13 +1,21 @@ | |||
| 1 | firejail (0.9.71) baseline; urgency=low | 1 | firejail (0.9.72rc1) baseline; urgency=low |
| 2 | * work in progress | 2 | * work in progress |
| 3 | * feature: On failing to remount a fuse filesystem, give warning instead of | 3 | * feature: On failing to remount a fuse filesystem, give warning instead of |
| 4 | erroring out (#5240 #5242) | 4 | erroring out (#5240 #5242) |
| 5 | * feature: restrict namespaces (--restrict-namespaces) implemented as | 5 | * feature: Update syscall tables and seccomp groups (#5188) |
| 6 | a seccomp filter for both 64 and 32 bit architectures (#4939 #5259) | 6 | * feature: improve force-nonewprivs security guarantees (#5217 #5271) |
| 7 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316 | 7 | * feature: add support for restricting the creation of Linux namespaces |
| 8 | #5317) | 8 | (--restrict-namespaces, --restrict-namespaces=), implemented as a seccomp |
| 9 | * feature: added support for ICMP in nettrace | 9 | filter for both 64 and 32 bit architectures (#4939 #5259) |
| 10 | * feature: --dnstrace, --icmptrace, and --snitrace | 10 | * feature: add support for custom AppArmor profiles (--apparmor=) (#5274 |
| 11 | #5316 #5317) | ||
| 12 | * feature: add support for ICMP in nettrace | ||
| 13 | * feature: add --dnstrace, --icmptrace, and --snitrace commands | ||
| 14 | * feature: Add basic gtksourceview language-spec (file type detection/syntax | ||
| 15 | highlighting for profiles) (#5502) | ||
| 16 | * feature: add restrict-namespaces to (almost) all applicable profiles (#5440 | ||
| 17 | #5537) | ||
| 18 | * feature: add support for netlock in profile files | ||
| 11 | * modif: removed --cgroup= command (#5190 #5200) | 19 | * modif: removed --cgroup= command (#5190 #5200) |
| 12 | * modif: set --shell=none as the default (#5190) | 20 | * modif: set --shell=none as the default (#5190) |
| 13 | * modif: removed --shell= command (#5190 #5196 #5209) | 21 | * modif: removed --shell= command (#5190 #5196 #5209) |
| @@ -29,8 +37,16 @@ firejail (0.9.71) baseline; urgency=low | |||
| 29 | * build: only install ids.config when --enable-ids is set (#5356 #5357) | 37 | * build: only install ids.config when --enable-ids is set (#5356 #5357) |
| 30 | * build: Remove deprecated syntax and modernize shell test scripts (#5370) | 38 | * build: Remove deprecated syntax and modernize shell test scripts (#5370) |
| 31 | * build: Fix musl warnings (#5421 #5431) | 39 | * build: Fix musl warnings (#5421 #5431) |
| 40 | * build: sort.py improvements (#5429) | ||
| 41 | * build: deduplicate makefiles (#5478) | ||
| 42 | * build: fix formatting and misc in configure (#5488) | ||
| 43 | * build: actually set LDFLAGS/LIBS & stop overriding CFLAGS/LDFLAGS (#5504) | ||
| 32 | * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275) | 44 | * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275) |
| 33 | * ci: ignore git-related paths and the project license (#5249) | 45 | * ci: ignore git-related paths and the project license (#5249) |
| 46 | * ci: Harden GitHub Actions (StepSecurity) (#5439) | ||
| 47 | * ci: sort and ignore more paths (#5481) | ||
| 48 | * ci: whitelist needed endpoints and block access to sudo (#5485) | ||
| 49 | * docs: fix typos (#5189 #5349) | ||
| 34 | * docs: mention risk of SUID binaries and also firejail-users(5) (#5288 | 50 | * docs: mention risk of SUID binaries and also firejail-users(5) (#5288 |
| 35 | #5290) | 51 | #5290) |
| 36 | * docs: set vim filetype on man pages for syntax highlighting (#5296) | 52 | * docs: set vim filetype on man pages for syntax highlighting (#5296) |
| @@ -38,6 +54,10 @@ firejail (0.9.71) baseline; urgency=low | |||
| 38 | * docs: Add IRC channel info to README.md (#5361) | 54 | * docs: Add IRC channel info to README.md (#5361) |
| 39 | * docs: man: Note that some commands can be disabled in firejail.config | 55 | * docs: man: Note that some commands can be disabled in firejail.config |
| 40 | (#5366) | 56 | (#5366) |
| 57 | * docs: Add gist note to bug_report.md (#5398) | ||
| 58 | * docs: clarify that --appimage should appear before --profile (#5402 #5451) | ||
| 59 | * docs: add more Firefox examples to the firejail-local AppArmor profile | ||
| 60 | (#5493) | ||
| 41 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 | 61 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 |
| 42 | 62 | ||
| 43 | firejail (0.9.70) baseline; urgency=low | 63 | firejail (0.9.70) baseline; urgency=low |
diff --git a/config.mk.in b/config.mk.in index 9973b7eaa..cfef6b8d3 100644 --- a/config.mk.in +++ b/config.mk.in | |||
| @@ -51,8 +51,15 @@ HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@ | |||
| 51 | 51 | ||
| 52 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) | 52 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) |
| 53 | 53 | ||
| 54 | # User variables - should not be modified in the code (as they are reserved for | ||
| 55 | # the user building the package); see the following for details: | ||
| 56 | # https://www.gnu.org/software/automake/manual/1.16.5/html_node/User-Variables.html | ||
| 54 | CC=@CC@ | 57 | CC=@CC@ |
| 55 | CFLAGS=@CFLAGS@ | 58 | CFLAGS=@CFLAGS@ |
| 59 | LDFLAGS=@LDFLAGS@ | ||
| 60 | |||
| 61 | # Project variables | ||
| 62 | LIBS=@LIBS@ | ||
| 56 | 63 | ||
| 57 | ifdef NO_EXTRA_CFLAGS | 64 | ifdef NO_EXTRA_CFLAGS |
| 58 | else | 65 | else |
| @@ -1,6 +1,6 @@ | |||
| 1 | #! /bin/sh | 1 | #! /bin/sh |
| 2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
| 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.71. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.72rc1. |
| 4 | # | 4 | # |
| 5 | # Report bugs to <netblue30@protonmail.com>. | 5 | # Report bugs to <netblue30@protonmail.com>. |
| 6 | # | 6 | # |
| @@ -580,8 +580,8 @@ MAKEFLAGS= | |||
| 580 | # Identity of this package. | 580 | # Identity of this package. |
| 581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
| 582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
| 583 | PACKAGE_VERSION='0.9.71' | 583 | PACKAGE_VERSION='0.9.72rc1' |
| 584 | PACKAGE_STRING='firejail 0.9.71' | 584 | PACKAGE_STRING='firejail 0.9.72rc1' |
| 585 | PACKAGE_BUGREPORT='netblue30@protonmail.com' | 585 | PACKAGE_BUGREPORT='netblue30@protonmail.com' |
| 586 | PACKAGE_URL='https://firejail.wordpress.com' | 586 | PACKAGE_URL='https://firejail.wordpress.com' |
| 587 | 587 | ||
| @@ -1298,7 +1298,7 @@ if test "$ac_init_help" = "long"; then | |||
| 1298 | # Omit some internal or obsolete options to make the list less imposing. | 1298 | # Omit some internal or obsolete options to make the list less imposing. |
| 1299 | # This message is too long to be a string in the A/UX 3.1 sh. | 1299 | # This message is too long to be a string in the A/UX 3.1 sh. |
| 1300 | cat <<_ACEOF | 1300 | cat <<_ACEOF |
| 1301 | \`configure' configures firejail 0.9.71 to adapt to many kinds of systems. | 1301 | \`configure' configures firejail 0.9.72rc1 to adapt to many kinds of systems. |
| 1302 | 1302 | ||
| 1303 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1303 | Usage: $0 [OPTION]... [VAR=VALUE]... |
| 1304 | 1304 | ||
| @@ -1360,7 +1360,7 @@ fi | |||
| 1360 | 1360 | ||
| 1361 | if test -n "$ac_init_help"; then | 1361 | if test -n "$ac_init_help"; then |
| 1362 | case $ac_init_help in | 1362 | case $ac_init_help in |
| 1363 | short | recursive ) echo "Configuration of firejail 0.9.71:";; | 1363 | short | recursive ) echo "Configuration of firejail 0.9.72rc1:";; |
| 1364 | esac | 1364 | esac |
| 1365 | cat <<\_ACEOF | 1365 | cat <<\_ACEOF |
| 1366 | 1366 | ||
| @@ -1484,7 +1484,7 @@ fi | |||
| 1484 | test -n "$ac_init_help" && exit $ac_status | 1484 | test -n "$ac_init_help" && exit $ac_status |
| 1485 | if $ac_init_version; then | 1485 | if $ac_init_version; then |
| 1486 | cat <<\_ACEOF | 1486 | cat <<\_ACEOF |
| 1487 | firejail configure 0.9.71 | 1487 | firejail configure 0.9.72rc1 |
| 1488 | generated by GNU Autoconf 2.69 | 1488 | generated by GNU Autoconf 2.69 |
| 1489 | 1489 | ||
| 1490 | Copyright (C) 2012 Free Software Foundation, Inc. | 1490 | Copyright (C) 2012 Free Software Foundation, Inc. |
| @@ -1740,7 +1740,7 @@ cat >config.log <<_ACEOF | |||
| 1740 | This file contains any messages produced by compilers while | 1740 | This file contains any messages produced by compilers while |
| 1741 | running configure, to aid debugging if configure makes a mistake. | 1741 | running configure, to aid debugging if configure makes a mistake. |
| 1742 | 1742 | ||
| 1743 | It was created by firejail $as_me 0.9.71, which was | 1743 | It was created by firejail $as_me 0.9.72rc1, which was |
| 1744 | generated by GNU Autoconf 2.69. Invocation command line was | 1744 | generated by GNU Autoconf 2.69. Invocation command line was |
| 1745 | 1745 | ||
| 1746 | $ $0 $@ | 1746 | $ $0 $@ |
| @@ -2914,7 +2914,9 @@ fi | |||
| 2914 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_thunk" >&5 | 2914 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_thunk" >&5 |
| 2915 | $as_echo "$ax_cv_check_cflags___mindirect_branch_thunk" >&6; } | 2915 | $as_echo "$ax_cv_check_cflags___mindirect_branch_thunk" >&6; } |
| 2916 | if test "x$ax_cv_check_cflags___mindirect_branch_thunk" = xyes; then : | 2916 | if test "x$ax_cv_check_cflags___mindirect_branch_thunk" = xyes; then : |
| 2917 | HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk" | 2917 | |
| 2918 | HAVE_SPECTRE="yes" | ||
| 2919 | EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk" | ||
| 2918 | 2920 | ||
| 2919 | else | 2921 | else |
| 2920 | : | 2922 | : |
| @@ -2950,7 +2952,9 @@ fi | |||
| 2950 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5 | 2952 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5 |
| 2951 | $as_echo "$ax_cv_check_cflags___mretpoline" >&6; } | 2953 | $as_echo "$ax_cv_check_cflags___mretpoline" >&6; } |
| 2952 | if test "x$ax_cv_check_cflags___mretpoline" = xyes; then : | 2954 | if test "x$ax_cv_check_cflags___mretpoline" = xyes; then : |
| 2953 | HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline" | 2955 | |
| 2956 | HAVE_SPECTRE="yes" | ||
| 2957 | EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline" | ||
| 2954 | 2958 | ||
| 2955 | else | 2959 | else |
| 2956 | : | 2960 | : |
| @@ -2986,7 +2990,9 @@ fi | |||
| 2986 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_clash_protection" >&5 | 2990 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_clash_protection" >&5 |
| 2987 | $as_echo "$ax_cv_check_cflags___fstack_clash_protection" >&6; } | 2991 | $as_echo "$ax_cv_check_cflags___fstack_clash_protection" >&6; } |
| 2988 | if test "x$ax_cv_check_cflags___fstack_clash_protection" = xyes; then : | 2992 | if test "x$ax_cv_check_cflags___fstack_clash_protection" = xyes; then : |
| 2989 | HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection" | 2993 | |
| 2994 | HAVE_SPECTRE="yes" | ||
| 2995 | EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection" | ||
| 2990 | 2996 | ||
| 2991 | else | 2997 | else |
| 2992 | : | 2998 | : |
| @@ -3022,7 +3028,9 @@ fi | |||
| 3022 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5 | 3028 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5 |
| 3023 | $as_echo "$ax_cv_check_cflags___fstack_protector_strong" >&6; } | 3029 | $as_echo "$ax_cv_check_cflags___fstack_protector_strong" >&6; } |
| 3024 | if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes; then : | 3030 | if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes; then : |
| 3025 | HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong" | 3031 | |
| 3032 | HAVE_SPECTRE="yes" | ||
| 3033 | EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong" | ||
| 3026 | 3034 | ||
| 3027 | else | 3035 | else |
| 3028 | : | 3036 | : |
| @@ -3048,7 +3056,8 @@ else | |||
| 3048 | fi | 3056 | fi |
| 3049 | 3057 | ||
| 3050 | if test "x$enable_sanitizer" != "xno" ; then : | 3058 | if test "x$enable_sanitizer" != "xno" ; then : |
| 3051 | as_CACHEVAR=`$as_echo "ax_cv_check_cflags__-fsanitize=$enable_sanitizer" | $as_tr_sh` | 3059 | |
| 3060 | as_CACHEVAR=`$as_echo "ax_cv_check_cflags__-fsanitize=$enable_sanitizer" | $as_tr_sh` | ||
| 3052 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=$enable_sanitizer" >&5 | 3061 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=$enable_sanitizer" >&5 |
| 3053 | $as_echo_n "checking whether C compiler accepts -fsanitize=$enable_sanitizer... " >&6; } | 3062 | $as_echo_n "checking whether C compiler accepts -fsanitize=$enable_sanitizer... " >&6; } |
| 3054 | if eval \${$as_CACHEVAR+:} false; then : | 3063 | if eval \${$as_CACHEVAR+:} false; then : |
| @@ -3086,9 +3095,9 @@ if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then : | |||
| 3086 | 3095 | ||
| 3087 | else | 3096 | else |
| 3088 | as_fn_error $? "sanitizer not supported: $enable_sanitizer" "$LINENO" 5 | 3097 | as_fn_error $? "sanitizer not supported: $enable_sanitizer" "$LINENO" 5 |
| 3089 | |||
| 3090 | fi | 3098 | fi |
| 3091 | 3099 | ||
| 3100 | |||
| 3092 | fi | 3101 | fi |
| 3093 | 3102 | ||
| 3094 | HAVE_IDS="" | 3103 | HAVE_IDS="" |
| @@ -3323,7 +3332,10 @@ else | |||
| 3323 | AA_LIBS=$pkg_cv_AA_LIBS | 3332 | AA_LIBS=$pkg_cv_AA_LIBS |
| 3324 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | 3333 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 |
| 3325 | $as_echo "yes" >&6; } | 3334 | $as_echo "yes" >&6; } |
| 3326 | EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS" | 3335 | |
| 3336 | EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" | ||
| 3337 | LIBS="$LIBS $AA_LIBS" | ||
| 3338 | |||
| 3327 | fi | 3339 | fi |
| 3328 | 3340 | ||
| 3329 | fi | 3341 | fi |
| @@ -3338,14 +3350,13 @@ fi | |||
| 3338 | if test "x$enable_selinux" = "xyes"; then : | 3350 | if test "x$enable_selinux" = "xyes"; then : |
| 3339 | 3351 | ||
| 3340 | HAVE_SELINUX="-DHAVE_SELINUX" | 3352 | HAVE_SELINUX="-DHAVE_SELINUX" |
| 3341 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux" | 3353 | LIBS="$LIBS -lselinux" |
| 3342 | 3354 | ||
| 3343 | fi | 3355 | fi |
| 3344 | 3356 | ||
| 3345 | 3357 | ||
| 3346 | 3358 | ||
| 3347 | 3359 | ||
| 3348 | |||
| 3349 | HAVE_DBUSPROXY="" | 3360 | HAVE_DBUSPROXY="" |
| 3350 | 3361 | ||
| 3351 | # Check whether --enable-dbusproxy was given. | 3362 | # Check whether --enable-dbusproxy was given. |
| @@ -3591,7 +3602,6 @@ if test "x$enable_busybox_workaround" = "xyes"; then : | |||
| 3591 | 3602 | ||
| 3592 | fi | 3603 | fi |
| 3593 | 3604 | ||
| 3594 | |||
| 3595 | HAVE_GCOV="" | 3605 | HAVE_GCOV="" |
| 3596 | 3606 | ||
| 3597 | # Check whether --enable-gcov was given. | 3607 | # Check whether --enable-gcov was given. |
| @@ -3602,7 +3612,8 @@ fi | |||
| 3602 | if test "x$enable_gcov" = "xyes"; then : | 3612 | if test "x$enable_gcov" = "xyes"; then : |
| 3603 | 3613 | ||
| 3604 | HAVE_GCOV="--coverage -DHAVE_GCOV" | 3614 | HAVE_GCOV="--coverage -DHAVE_GCOV" |
| 3605 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage" | 3615 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS --coverage" |
| 3616 | LIBS="$LIBS -lgcov" | ||
| 3606 | 3617 | ||
| 3607 | fi | 3618 | fi |
| 3608 | 3619 | ||
| @@ -3615,7 +3626,7 @@ fi | |||
| 3615 | 3626 | ||
| 3616 | if test "x$enable_contrib_install" = "xno"; then : | 3627 | if test "x$enable_contrib_install" = "xno"; then : |
| 3617 | 3628 | ||
| 3618 | HAVE_CONTRIB_INSTALL="no" | 3629 | HAVE_CONTRIB_INSTALL="no" |
| 3619 | 3630 | ||
| 3620 | fi | 3631 | fi |
| 3621 | 3632 | ||
| @@ -3641,7 +3652,7 @@ fi | |||
| 3641 | 3652 | ||
| 3642 | if test "x$enable_only_syscfg_profiles" = "xyes"; then : | 3653 | if test "x$enable_only_syscfg_profiles" = "xyes"; then : |
| 3643 | 3654 | ||
| 3644 | HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" | 3655 | HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" |
| 3645 | 3656 | ||
| 3646 | fi | 3657 | fi |
| 3647 | 3658 | ||
| @@ -3670,7 +3681,7 @@ if test "x$enable_lts" = "xyes"; then : | |||
| 3670 | HAVE_FILE_TRANSFER="" | 3681 | HAVE_FILE_TRANSFER="" |
| 3671 | HAVE_SUID="-DHAVE_SUID" | 3682 | HAVE_SUID="-DHAVE_SUID" |
| 3672 | BUSYBOX_WORKAROUND="no" | 3683 | BUSYBOX_WORKAROUND="no" |
| 3673 | HAVE_CONTRIB_INSTALL="no", | 3684 | HAVE_CONTRIB_INSTALL="no" |
| 3674 | 3685 | ||
| 3675 | fi | 3686 | fi |
| 3676 | 3687 | ||
| @@ -4629,7 +4640,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
| 4629 | # report actual input values of CONFIG_FILES etc. instead of their | 4640 | # report actual input values of CONFIG_FILES etc. instead of their |
| 4630 | # values after options handling. | 4641 | # values after options handling. |
| 4631 | ac_log=" | 4642 | ac_log=" |
| 4632 | This file was extended by firejail $as_me 0.9.71, which was | 4643 | This file was extended by firejail $as_me 0.9.72rc1, which was |
| 4633 | generated by GNU Autoconf 2.69. Invocation command line was | 4644 | generated by GNU Autoconf 2.69. Invocation command line was |
| 4634 | 4645 | ||
| 4635 | CONFIG_FILES = $CONFIG_FILES | 4646 | CONFIG_FILES = $CONFIG_FILES |
| @@ -4683,7 +4694,7 @@ _ACEOF | |||
| 4683 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4694 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
| 4684 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4695 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
| 4685 | ac_cs_version="\\ | 4696 | ac_cs_version="\\ |
| 4686 | firejail config.status 0.9.71 | 4697 | firejail config.status 0.9.72rc1 |
| 4687 | configured by $0, generated by GNU Autoconf 2.69, | 4698 | configured by $0, generated by GNU Autoconf 2.69, |
| 4688 | with options \\"\$ac_cs_config\\" | 4699 | with options \\"\$ac_cs_config\\" |
| 4689 | 4700 | ||
| @@ -5248,8 +5259,12 @@ fi | |||
| 5248 | cat <<EOF | 5259 | cat <<EOF |
| 5249 | 5260 | ||
| 5250 | Compile options: | 5261 | Compile options: |
| 5262 | CC: $CC | ||
| 5263 | CFLAGS: $CFLAGS | ||
| 5264 | LDFLAGS: $LDFLAGS | ||
| 5251 | EXTRA_CFLAGS: $EXTRA_CFLAGS | 5265 | EXTRA_CFLAGS: $EXTRA_CFLAGS |
| 5252 | EXTRA_LDFLAGS: $EXTRA_LDFLAGS | 5266 | EXTRA_LDFLAGS: $EXTRA_LDFLAGS |
| 5267 | LIBS: $LIBS | ||
| 5253 | fatal warnings: $HAVE_FATAL_WARNINGS | 5268 | fatal warnings: $HAVE_FATAL_WARNINGS |
| 5254 | gcov instrumentation: $HAVE_GCOV | 5269 | gcov instrumentation: $HAVE_GCOV |
| 5255 | install as a SUID executable: $HAVE_SUID | 5270 | install as a SUID executable: $HAVE_SUID |
| @@ -5284,13 +5299,10 @@ EOF | |||
| 5284 | 5299 | ||
| 5285 | if test "$HAVE_LTS" = -DHAVE_LTS; then | 5300 | if test "$HAVE_LTS" = -DHAVE_LTS; then |
| 5286 | cat <<\EOF | 5301 | cat <<\EOF |
| 5287 | |||
| 5288 | |||
| 5289 | ********************************************************* | 5302 | ********************************************************* |
| 5290 | * Warning: Long-term support (LTS) was enabled! * | 5303 | * Warning: Long-term support (LTS) was enabled! * |
| 5291 | * Most compile-time options have bean rewritten! * | 5304 | * Most compile-time options have been rewritten! * |
| 5292 | ********************************************************* | 5305 | ********************************************************* |
| 5293 | 5306 | ||
| 5294 | |||
| 5295 | EOF | 5307 | EOF |
| 5296 | fi | 5308 | fi |
diff --git a/configure.ac b/configure.ac index 8a488ff43..bee9143c2 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -12,7 +12,7 @@ | |||
| 12 | # | 12 | # |
| 13 | 13 | ||
| 14 | AC_PREREQ([2.68]) | 14 | AC_PREREQ([2.68]) |
| 15 | AC_INIT([firejail], [0.9.71], [netblue30@protonmail.com], [], | 15 | AC_INIT([firejail], [0.9.72rc1], [netblue30@protonmail.com], [], |
| 16 | [https://firejail.wordpress.com]) | 16 | [https://firejail.wordpress.com]) |
| 17 | 17 | ||
| 18 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 18 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
| @@ -21,22 +21,22 @@ AC_CONFIG_MACRO_DIR([m4]) | |||
| 21 | AC_PROG_CC | 21 | AC_PROG_CC |
| 22 | 22 | ||
| 23 | HAVE_SPECTRE="no" | 23 | HAVE_SPECTRE="no" |
| 24 | AX_CHECK_COMPILE_FLAG( | 24 | AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [ |
| 25 | [-mindirect-branch=thunk], | 25 | HAVE_SPECTRE="yes" |
| 26 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"] | 26 | EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk" |
| 27 | ) | 27 | ]) |
| 28 | AX_CHECK_COMPILE_FLAG( | 28 | AX_CHECK_COMPILE_FLAG([-mretpoline], [ |
| 29 | [-mretpoline], | 29 | HAVE_SPECTRE="yes" |
| 30 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"] | 30 | EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline" |
| 31 | ) | 31 | ]) |
| 32 | AX_CHECK_COMPILE_FLAG( | 32 | AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [ |
| 33 | [-fstack-clash-protection], | 33 | HAVE_SPECTRE="yes" |
| 34 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"] | 34 | EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection" |
| 35 | ) | 35 | ]) |
| 36 | AX_CHECK_COMPILE_FLAG( | 36 | AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [ |
| 37 | [-fstack-protector-strong], | 37 | HAVE_SPECTRE="yes" |
| 38 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"] | 38 | EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong" |
| 39 | ) | 39 | ]) |
| 40 | 40 | ||
| 41 | AC_ARG_ENABLE([analyzer], | 41 | AC_ARG_ENABLE([analyzer], |
| 42 | [AS_HELP_STRING([--enable-analyzer], [enable GCC static analyzer])]) | 42 | [AS_HELP_STRING([--enable-analyzer], [enable GCC static analyzer])]) |
| @@ -45,14 +45,16 @@ AS_IF([test "x$enable_analyzer" = "xyes"], [ | |||
| 45 | ]) | 45 | ]) |
| 46 | 46 | ||
| 47 | AC_ARG_ENABLE([sanitizer], | 47 | AC_ARG_ENABLE([sanitizer], |
| 48 | [AS_HELP_STRING([--enable-sanitizer=@<:@address | memory | undefined@:>@], [enable a compiler-based sanitizer (debug)])], | 48 | [AS_HELP_STRING([--enable-sanitizer=@<:@address | memory | undefined@:>@], |
| 49 | [], [enable_sanitizer=no]) | 49 | [enable a compiler-based sanitizer (debug)])], |
| 50 | AS_IF([test "x$enable_sanitizer" != "xno" ], | 50 | [], |
| 51 | [AX_CHECK_COMPILE_FLAG([-fsanitize=$enable_sanitizer], [ | 51 | [enable_sanitizer=no]) |
| 52 | AS_IF([test "x$enable_sanitizer" != "xno" ], [ | ||
| 53 | AX_CHECK_COMPILE_FLAG([-fsanitize=$enable_sanitizer], [ | ||
| 52 | EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer" | 54 | EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer" |
| 53 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer" | 55 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer" |
| 54 | ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])] | 56 | ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]) |
| 55 | )]) | 57 | ]) |
| 56 | 58 | ||
| 57 | HAVE_IDS="" | 59 | HAVE_IDS="" |
| 58 | AC_SUBST([HAVE_IDS]) | 60 | AC_SUBST([HAVE_IDS]) |
| @@ -68,8 +70,10 @@ AC_ARG_ENABLE([apparmor], | |||
| 68 | [AS_HELP_STRING([--enable-apparmor], [enable apparmor])]) | 70 | [AS_HELP_STRING([--enable-apparmor], [enable apparmor])]) |
| 69 | AS_IF([test "x$enable_apparmor" = "xyes"], [ | 71 | AS_IF([test "x$enable_apparmor" = "xyes"], [ |
| 70 | HAVE_APPARMOR="-DHAVE_APPARMOR" | 72 | HAVE_APPARMOR="-DHAVE_APPARMOR" |
| 71 | PKG_CHECK_MODULES([AA], [libapparmor], | 73 | PKG_CHECK_MODULES([AA], [libapparmor], [ |
| 72 | [EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS"]) | 74 | EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" |
| 75 | LIBS="$LIBS $AA_LIBS" | ||
| 76 | ]) | ||
| 73 | ]) | 77 | ]) |
| 74 | 78 | ||
| 75 | HAVE_SELINUX="" | 79 | HAVE_SELINUX="" |
| @@ -78,13 +82,12 @@ AC_ARG_ENABLE([selinux], | |||
| 78 | [AS_HELP_STRING([--enable-selinux], [SELinux labeling support])]) | 82 | [AS_HELP_STRING([--enable-selinux], [SELinux labeling support])]) |
| 79 | AS_IF([test "x$enable_selinux" = "xyes"], [ | 83 | AS_IF([test "x$enable_selinux" = "xyes"], [ |
| 80 | HAVE_SELINUX="-DHAVE_SELINUX" | 84 | HAVE_SELINUX="-DHAVE_SELINUX" |
| 81 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux" | 85 | LIBS="$LIBS -lselinux" |
| 82 | ]) | 86 | ]) |
| 83 | 87 | ||
| 84 | AC_SUBST([EXTRA_CFLAGS]) | 88 | AC_SUBST([EXTRA_CFLAGS]) |
| 85 | AC_SUBST([EXTRA_LDFLAGS]) | 89 | AC_SUBST([EXTRA_LDFLAGS]) |
| 86 | 90 | ||
| 87 | |||
| 88 | HAVE_DBUSPROXY="" | 91 | HAVE_DBUSPROXY="" |
| 89 | AC_SUBST([HAVE_DBUSPROXY]) | 92 | AC_SUBST([HAVE_DBUSPROXY]) |
| 90 | AC_ARG_ENABLE([dbusproxy], | 93 | AC_ARG_ENABLE([dbusproxy], |
| @@ -217,14 +220,14 @@ AS_IF([test "x$enable_busybox_workaround" = "xyes"], [ | |||
| 217 | BUSYBOX_WORKAROUND="yes" | 220 | BUSYBOX_WORKAROUND="yes" |
| 218 | ]) | 221 | ]) |
| 219 | 222 | ||
| 220 | |||
| 221 | HAVE_GCOV="" | 223 | HAVE_GCOV="" |
| 222 | AC_SUBST([HAVE_GCOV]) | 224 | AC_SUBST([HAVE_GCOV]) |
| 223 | AC_ARG_ENABLE([gcov], | 225 | AC_ARG_ENABLE([gcov], |
| 224 | [AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])]) | 226 | [AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])]) |
| 225 | AS_IF([test "x$enable_gcov" = "xyes"], [ | 227 | AS_IF([test "x$enable_gcov" = "xyes"], [ |
| 226 | HAVE_GCOV="--coverage -DHAVE_GCOV" | 228 | HAVE_GCOV="--coverage -DHAVE_GCOV" |
| 227 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage" | 229 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS --coverage" |
| 230 | LIBS="$LIBS -lgcov" | ||
| 228 | ]) | 231 | ]) |
| 229 | 232 | ||
| 230 | HAVE_CONTRIB_INSTALL="yes" | 233 | HAVE_CONTRIB_INSTALL="yes" |
| @@ -232,7 +235,7 @@ AC_SUBST([HAVE_CONTRIB_INSTALL]) | |||
| 232 | AC_ARG_ENABLE([contrib-install], | 235 | AC_ARG_ENABLE([contrib-install], |
| 233 | [AS_HELP_STRING([--enable-contrib-install], [install contrib scripts])]) | 236 | [AS_HELP_STRING([--enable-contrib-install], [install contrib scripts])]) |
| 234 | AS_IF([test "x$enable_contrib_install" = "xno"], [ | 237 | AS_IF([test "x$enable_contrib_install" = "xno"], [ |
| 235 | HAVE_CONTRIB_INSTALL="no" | 238 | HAVE_CONTRIB_INSTALL="no" |
| 236 | ]) | 239 | ]) |
| 237 | 240 | ||
| 238 | HAVE_FORCE_NONEWPRIVS="" | 241 | HAVE_FORCE_NONEWPRIVS="" |
| @@ -248,7 +251,7 @@ AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES]) | |||
| 248 | AC_ARG_ENABLE([only-syscfg-profiles], | 251 | AC_ARG_ENABLE([only-syscfg-profiles], |
| 249 | [AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])]) | 252 | [AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])]) |
| 250 | AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [ | 253 | AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [ |
| 251 | HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" | 254 | HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES" |
| 252 | ]) | 255 | ]) |
| 253 | 256 | ||
| 254 | HAVE_LTS="" | 257 | HAVE_LTS="" |
| @@ -272,10 +275,11 @@ AS_IF([test "x$enable_lts" = "xyes"], [ | |||
| 272 | HAVE_FILE_TRANSFER="" | 275 | HAVE_FILE_TRANSFER="" |
| 273 | HAVE_SUID="-DHAVE_SUID" | 276 | HAVE_SUID="-DHAVE_SUID" |
| 274 | BUSYBOX_WORKAROUND="no" | 277 | BUSYBOX_WORKAROUND="no" |
| 275 | HAVE_CONTRIB_INSTALL="no", | 278 | HAVE_CONTRIB_INSTALL="no" |
| 276 | ]) | 279 | ]) |
| 277 | 280 | ||
| 278 | AC_CHECK_HEADER([linux/seccomp.h], [], AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])) | 281 | AC_CHECK_HEADER([linux/seccomp.h], [], |
| 282 | [AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])]) | ||
| 279 | 283 | ||
| 280 | # set sysconfdir | 284 | # set sysconfdir |
| 281 | if test "$prefix" = /usr; then | 285 | if test "$prefix" = /usr; then |
| @@ -288,8 +292,12 @@ AC_OUTPUT | |||
| 288 | cat <<EOF | 292 | cat <<EOF |
| 289 | 293 | ||
| 290 | Compile options: | 294 | Compile options: |
| 295 | CC: $CC | ||
| 296 | CFLAGS: $CFLAGS | ||
| 297 | LDFLAGS: $LDFLAGS | ||
| 291 | EXTRA_CFLAGS: $EXTRA_CFLAGS | 298 | EXTRA_CFLAGS: $EXTRA_CFLAGS |
| 292 | EXTRA_LDFLAGS: $EXTRA_LDFLAGS | 299 | EXTRA_LDFLAGS: $EXTRA_LDFLAGS |
| 300 | LIBS: $LIBS | ||
| 293 | fatal warnings: $HAVE_FATAL_WARNINGS | 301 | fatal warnings: $HAVE_FATAL_WARNINGS |
| 294 | gcov instrumentation: $HAVE_GCOV | 302 | gcov instrumentation: $HAVE_GCOV |
| 295 | install as a SUID executable: $HAVE_SUID | 303 | install as a SUID executable: $HAVE_SUID |
| @@ -324,13 +332,10 @@ EOF | |||
| 324 | 332 | ||
| 325 | if test "$HAVE_LTS" = -DHAVE_LTS; then | 333 | if test "$HAVE_LTS" = -DHAVE_LTS; then |
| 326 | cat <<\EOF | 334 | cat <<\EOF |
| 327 | |||
| 328 | |||
| 329 | ********************************************************* | 335 | ********************************************************* |
| 330 | * Warning: Long-term support (LTS) was enabled! * | 336 | * Warning: Long-term support (LTS) was enabled! * |
| 331 | * Most compile-time options have bean rewritten! * | 337 | * Most compile-time options have been rewritten! * |
| 332 | ********************************************************* | 338 | ********************************************************* |
| 333 | 339 | ||
| 334 | |||
| 335 | EOF | 340 | EOF |
| 336 | fi | 341 | fi |
diff --git a/contrib/gtksourceview-5/language-specs/firejail-profile.lang b/contrib/gtksourceview-5/language-specs/firejail-profile.lang new file mode 100644 index 000000000..61c37f98f --- /dev/null +++ b/contrib/gtksourceview-5/language-specs/firejail-profile.lang | |||
| @@ -0,0 +1,69 @@ | |||
| 1 | <?xml version="1.0" encoding="UTF-8"?> | ||
| 2 | <!-- vim: set ts=2 sts=2 sw=2 et: --> | ||
| 3 | <!-- | ||
| 4 | https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-tutorial.md | ||
| 5 | https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-reference.md | ||
| 6 | --> | ||
| 7 | <language id="firejail-profile" name="Firejail Profile" version="2.0" _section="Other"> | ||
| 8 | <metadata> | ||
| 9 | <property name="mimetypes">text/plain;text/x-firejail-profile</property> | ||
| 10 | <property name="globs">*.profile;*.local;*.inc</property> | ||
| 11 | <property name="line-comment-start">#</property> | ||
| 12 | </metadata> | ||
| 13 | |||
| 14 | <styles> | ||
| 15 | <style id="comment" name="Comment" map-to="def:comment"/> | ||
| 16 | <style id="condition" name="Condition" map-to="def:preprocessor"/> | ||
| 17 | <style id="command" name="Command" map-to="def:keyword"/> | ||
| 18 | <style id="invalid" name="Invalid" map-to="def:error"/> | ||
| 19 | </styles> | ||
| 20 | |||
| 21 | <definitions> | ||
| 22 | <define-regex id="commands-with-arguments" extended="true"> | ||
| 23 | (apparmor|bind|blacklist-nolog|blacklist|caps.drop|caps.keep|cpu|dbus-system.broadcast|dbus-system.call|dbus-system.own|dbus-system.see|dbus-system.talk|dbus-system|dbus-user.broadcast|dbus-user.call|dbus-user.own|dbus-user.see|dbus-user.talk|dbus-user|defaultgw|dns|env|hostname|hosts-file|ignore|include|ip6|ip|iprange|join-or-start|keep-fd|mac|mkdir|mkfile|mtu|name|net|netfilter6|netfilter|netmask|netns|nice|noblacklist|noexec|nowhitelist|overlay-named|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|private|protocol|read-only|read-write|restrict-namespaces|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|rlimit|rmenv|seccomp-error-action|seccomp.32.drop|seccomp.32.keep|seccomp.32|seccomp.drop|seccomp.keep|seccomp|shell|timeout|tmpfs|veth-name|whitelist-ro|whitelist|x11|xephyr-screen) | ||
| 24 | </define-regex> | ||
| 25 | |||
| 26 | <define-regex id="commands-without-arguments" extended="true"> | ||
| 27 | (allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay-tmpfs|overlay|private-cache|private-cwd|private-dev|private-lib|private-tmp|private|quiet|restrict-namespaces|seccomp.32|seccomp.block-secondary|seccomp|tab|tracelog|writable-etc|writable-run-user|writable-var-log|writable-var|x11) | ||
| 28 | </define-regex> | ||
| 29 | |||
| 30 | <define-regex id="conditions" extended="true"> | ||
| 31 | (ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) | ||
| 32 | </define-regex> | ||
| 33 | |||
| 34 | <context id="conditional-line"> | ||
| 35 | <match>\?(?P<condition>\%{conditions}): </match> | ||
| 36 | <include> | ||
| 37 | <context sub-pattern="condition" style-ref="condition"/> | ||
| 38 | </include> | ||
| 39 | </context> | ||
| 40 | |||
| 41 | <context id="command-with-args"> | ||
| 42 | <match>(?P<command>\%{commands-with-arguments}) (?P<args>.+)</match> | ||
| 43 | <include> | ||
| 44 | <context sub-pattern="command" style-ref="command"/> | ||
| 45 | </include> | ||
| 46 | </context> | ||
| 47 | |||
| 48 | <context id="command-without-args"> | ||
| 49 | <match dupnames="true">(?P<command>\%{commands-without-arguments})</match> | ||
| 50 | <include> | ||
| 51 | <context sub-pattern="command" style-ref="command"/> | ||
| 52 | </include> | ||
| 53 | </context> | ||
| 54 | |||
| 55 | <context id="invalid" style-ref="invalid"> | ||
| 56 | <match>.+</match> | ||
| 57 | </context> | ||
| 58 | |||
| 59 | <context id="firejail-profile" class="no-spell-check"> | ||
| 60 | <include> | ||
| 61 | <context ref="def:shell-like-comment"/> | ||
| 62 | <context ref="conditional-line"/> | ||
| 63 | <context ref="command-with-args"/> | ||
| 64 | <context ref="command-without-args"/> | ||
| 65 | <context ref="invalid"/> | ||
| 66 | </include> | ||
| 67 | </context> | ||
| 68 | </definitions> | ||
| 69 | </language> | ||
diff --git a/contrib/sort.py b/contrib/sort.py index 6f21370ec..638f14516 100755 --- a/contrib/sort.py +++ b/contrib/sort.py | |||
| @@ -2,48 +2,61 @@ | |||
| 2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
| 3 | # Copyright (C) 2014-2022 Firejail Authors | 3 | # Copyright (C) 2014-2022 Firejail Authors |
| 4 | # License GPL v2 | 4 | # License GPL v2 |
| 5 | """ | ||
| 6 | Sort the items of multi-item options in profiles, the following options are supported: | ||
| 7 | private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, seccomp.drop, protocol | ||
| 8 | 5 | ||
| 9 | Usage: | 6 | # Requirements: |
| 10 | $ ./sort.py /path/to/profile [ /path/to/profile2 /path/to/profile3 ... ] | 7 | # python >= 3.6 |
| 8 | from os import path | ||
| 9 | from sys import argv, exit as sys_exit, stderr | ||
| 10 | |||
| 11 | __doc__ = f"""\ | ||
| 12 | Sort the arguments of commands in profiles. | ||
| 13 | |||
| 14 | Usage: {path.basename(argv[0])} [/path/to/profile ...] | ||
| 15 | |||
| 16 | The following commands are supported: | ||
| 17 | |||
| 18 | private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, | ||
| 19 | seccomp.drop, protocol | ||
| 20 | |||
| 21 | Note that this is only applicable to commands that support multiple arguments. | ||
| 22 | |||
| 11 | Keep in mind that this will overwrite your profile(s). | 23 | Keep in mind that this will overwrite your profile(s). |
| 12 | 24 | ||
| 13 | Examples: | 25 | Examples: |
| 14 | $ ./sort.py MyAwesomeProfile.profile | 26 | $ {argv[0]} MyAwesomeProfile.profile |
| 15 | $ ./sort.py new_profile.profile second_new_profile.profile | 27 | $ {argv[0]} new_profile.profile second_new_profile.profile |
| 16 | $ ./sort.py ~/.config/firejail/*.{profile,inc,local} | 28 | $ {argv[0]} ~/.config/firejail/*.{{profile,inc,local}} |
| 17 | $ sudo ./sort.py /etc/firejail/*.{profile,inc,local} | 29 | $ sudo {argv[0]} /etc/firejail/*.{{profile,inc,local}} |
| 18 | 30 | ||
| 19 | Exit-Codes: | 31 | Exit Codes: |
| 20 | 0: No Error; No Profile Fixed. | 32 | 0: Success: No profiles needed fixing. |
| 21 | 1: Error, one or more profiles were not processed correctly. | 33 | 1: Error: One or more profiles could not be processed correctly. |
| 22 | 101: No Error; One or more profile were fixed. | 34 | 2: Error: Missing arguments. |
| 35 | 101: Info: One or more profiles were fixed. | ||
| 23 | """ | 36 | """ |
| 24 | 37 | ||
| 25 | # Requirements: | ||
| 26 | # python >= 3.6 | ||
| 27 | from sys import argv, exit as sys_exit | ||
| 28 | |||
| 29 | 38 | ||
| 30 | def sort_alphabetical(raw_items): | 39 | def sort_alphabetical(original_items): |
| 31 | items = raw_items.split(",") | 40 | items = original_items.split(",") |
| 32 | items.sort(key=lambda s: s.casefold()) | 41 | items.sort(key=str.casefold) |
| 33 | return ",".join(items) | 42 | return ",".join(items) |
| 34 | 43 | ||
| 35 | 44 | ||
| 36 | def sort_protocol(protocols): | 45 | def sort_protocol(original_protocols): |
| 37 | """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" | 46 | """ |
| 47 | Sort the given protocols into the following order: | ||
| 48 | |||
| 49 | unix,inet,inet6,netlink,packet,bluetooth | ||
| 50 | """ | ||
| 38 | 51 | ||
| 39 | # shortcut for common protocol lines | 52 | # shortcut for common protocol lines |
| 40 | if protocols in ("unix", "unix,inet,inet6"): | 53 | if original_protocols in ("unix", "unix,inet,inet6"): |
| 41 | return protocols | 54 | return original_protocols |
| 42 | 55 | ||
| 43 | fixed_protocols = "" | 56 | fixed_protocols = "" |
| 44 | for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"): | 57 | for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"): |
| 45 | for prefix in ("", "-", "+", "="): | 58 | for prefix in ("", "-", "+", "="): |
| 46 | if f",{prefix}{protocol}," in f",{protocols},": | 59 | if f",{prefix}{protocol}," in f",{original_protocols},": |
| 47 | fixed_protocols += f"{prefix}{protocol}," | 60 | fixed_protocols += f"{prefix}{protocol}," |
| 48 | return fixed_protocols[:-1] | 61 | return fixed_protocols[:-1] |
| 49 | 62 | ||
| @@ -53,7 +66,7 @@ def fix_profile(filename): | |||
| 53 | lines = profile.read().split("\n") | 66 | lines = profile.read().split("\n") |
| 54 | was_fixed = False | 67 | was_fixed = False |
| 55 | fixed_profile = [] | 68 | fixed_profile = [] |
| 56 | for lineno, line in enumerate(lines): | 69 | for lineno, line in enumerate(lines, 1): |
| 57 | if line[:12] in ("private-bin ", "private-etc ", "private-lib "): | 70 | if line[:12] in ("private-bin ", "private-etc ", "private-lib "): |
| 58 | fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}" | 71 | fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}" |
| 59 | elif line[:13] in ("seccomp.drop ", "seccomp.keep "): | 72 | elif line[:13] in ("seccomp.drop ", "seccomp.keep "): |
| @@ -69,8 +82,8 @@ def fix_profile(filename): | |||
| 69 | if fixed_line != line: | 82 | if fixed_line != line: |
| 70 | was_fixed = True | 83 | was_fixed = True |
| 71 | print( | 84 | print( |
| 72 | f"{filename}:{lineno + 1}:-{line}\n" | 85 | f"{filename}:{lineno}:-{line}\n" |
| 73 | f"{filename}:{lineno + 1}:+{fixed_line}" | 86 | f"{filename}:{lineno}:+{fixed_line}" |
| 74 | ) | 87 | ) |
| 75 | fixed_profile.append(fixed_line) | 88 | fixed_profile.append(fixed_line) |
| 76 | if was_fixed: | 89 | if was_fixed: |
| @@ -84,22 +97,30 @@ def fix_profile(filename): | |||
| 84 | 97 | ||
| 85 | 98 | ||
| 86 | def main(args): | 99 | def main(args): |
| 100 | if len(args) < 1: | ||
| 101 | print(__doc__, file=stderr) | ||
| 102 | return 2 | ||
| 103 | |||
| 104 | print(f"sort.py: checking {len(args)} profile(s)...") | ||
| 105 | |||
| 87 | exit_code = 0 | 106 | exit_code = 0 |
| 88 | print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...") | ||
| 89 | for filename in args: | 107 | for filename in args: |
| 90 | try: | 108 | try: |
| 91 | if exit_code not in (1, 101): | 109 | if exit_code not in (1, 101): |
| 92 | exit_code = fix_profile(filename) | 110 | exit_code = fix_profile(filename) |
| 93 | else: | 111 | else: |
| 94 | fix_profile(filename) | 112 | fix_profile(filename) |
| 95 | except FileNotFoundError: | 113 | except FileNotFoundError as err: |
| 96 | print(f"[ Error ] Can't find `{filename}'") | 114 | print(f"[ Error ] {err}", file=stderr) |
| 97 | exit_code = 1 | 115 | exit_code = 1 |
| 98 | except PermissionError: | 116 | except PermissionError as err: |
| 99 | print(f"[ Error ] Can't read/write `{filename}'") | 117 | print(f"[ Error ] {err}", file=stderr) |
| 100 | exit_code = 1 | 118 | exit_code = 1 |
| 101 | except Exception as err: | 119 | except Exception as err: |
| 102 | print(f"[ Error ] An error occurred while processing `{filename}': {err}") | 120 | print( |
| 121 | f"[ Error ] An error occurred while processing '{filename}': {err}", | ||
| 122 | file=stderr, | ||
| 123 | ) | ||
| 103 | exit_code = 1 | 124 | exit_code = 1 |
| 104 | return exit_code | 125 | return exit_code |
| 105 | 126 | ||
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local index 59c8f7f8a..e7236b0bc 100644 --- a/etc/apparmor/firejail-local +++ b/etc/apparmor/firejail-local | |||
| @@ -14,5 +14,11 @@ | |||
| 14 | # Uncomment to opt-in to apparmor for brave + tor | 14 | # Uncomment to opt-in to apparmor for brave + tor |
| 15 | #owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix, | 15 | #owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix, |
| 16 | 16 | ||
| 17 | # Uncomment to opt-in to apparmor for firefox DRM (gmp-widevinecdm) | ||
| 18 | #owner @{HOME}/.mozilla/firefox/*/gm*/** ix, | ||
| 19 | |||
| 20 | # Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME} | ||
| 21 | #owner @{HOME}/.mozilla/native-messaging-hosts/** ix, | ||
| 22 | |||
| 17 | # Uncomment to opt-in to apparmor for torbrowser-launcher | 23 | # Uncomment to opt-in to apparmor for torbrowser-launcher |
| 18 | #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix, | 24 | #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix, |
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 23886f1b6..44e45d416 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
| @@ -558,6 +558,7 @@ blacklist /tmp/tmux-* | |||
| 558 | # disable terminals running as server resulting in sandbox escape | 558 | # disable terminals running as server resulting in sandbox escape |
| 559 | blacklist ${PATH}/gnome-terminal | 559 | blacklist ${PATH}/gnome-terminal |
| 560 | blacklist ${PATH}/gnome-terminal.wrapper | 560 | blacklist ${PATH}/gnome-terminal.wrapper |
| 561 | blacklist ${PATH}/kgx | ||
| 561 | # blacklist ${PATH}/konsole | 562 | # blacklist ${PATH}/konsole |
| 562 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 | 563 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 |
| 563 | blacklist ${PATH}/lilyterm | 564 | blacklist ${PATH}/lilyterm |
| @@ -619,7 +620,7 @@ blacklist ${HOME}/mail | |||
| 619 | blacklist ${HOME}/postponed | 620 | blacklist ${HOME}/postponed |
| 620 | blacklist ${HOME}/sent | 621 | blacklist ${HOME}/sent |
| 621 | 622 | ||
| 622 | # kernel configuration | 623 | # kernel configuration - keep this here although it's also in disable-proc.inc |
| 623 | blacklist /proc/config.gz | 624 | blacklist /proc/config.gz |
| 624 | 625 | ||
| 625 | # prevent DNS malware attempting to communicate with the server using regular DNS tools | 626 | # prevent DNS malware attempting to communicate with the server using regular DNS tools |
diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc index 81a8883f3..7cb1ec2ab 100644 --- a/etc/inc/disable-proc.inc +++ b/etc/inc/disable-proc.inc | |||
| @@ -8,7 +8,7 @@ blacklist /proc/bootconfig | |||
| 8 | blacklist /proc/buddyinfo | 8 | blacklist /proc/buddyinfo |
| 9 | blacklist /proc/cgroups | 9 | blacklist /proc/cgroups |
| 10 | blacklist /proc/cmdline | 10 | blacklist /proc/cmdline |
| 11 | blacklist /proc/config.gz | 11 | blacklist /proc/config.gz # keep this here even though it's also in disable-common.inc |
| 12 | blacklist /proc/consoles | 12 | blacklist /proc/consoles |
| 13 | #blacklist /proc/cpuinfo | 13 | #blacklist /proc/cpuinfo |
| 14 | blacklist /proc/crypto | 14 | blacklist /proc/crypto |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index b86e0bbe4..5e253f232 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
| @@ -42,6 +42,7 @@ blacklist ${HOME}/.asunder_album_title | |||
| 42 | blacklist ${HOME}/.atom | 42 | blacklist ${HOME}/.atom |
| 43 | blacklist ${HOME}/.attic | 43 | blacklist ${HOME}/.attic |
| 44 | blacklist ${HOME}/.audacity-data | 44 | blacklist ${HOME}/.audacity-data |
| 45 | blacklist ${HOME}/.avidemux3 | ||
| 45 | blacklist ${HOME}/.avidemux6 | 46 | blacklist ${HOME}/.avidemux6 |
| 46 | blacklist ${HOME}/.ballbuster.hs | 47 | blacklist ${HOME}/.ballbuster.hs |
| 47 | blacklist ${HOME}/.balsa | 48 | blacklist ${HOME}/.balsa |
| @@ -67,6 +68,7 @@ blacklist ${HOME}/.cache/GoldenDict | |||
| 67 | blacklist ${HOME}/.cache/INRIA | 68 | blacklist ${HOME}/.cache/INRIA |
| 68 | blacklist ${HOME}/.cache/INRIA/Natron | 69 | blacklist ${HOME}/.cache/INRIA/Natron |
| 69 | blacklist ${HOME}/.cache/JetBrains/CLion* | 70 | blacklist ${HOME}/.cache/JetBrains/CLion* |
| 71 | blacklist ${HOME}/.cache/JetBrains/PyCharm* | ||
| 70 | blacklist ${HOME}/.cache/KDE/neochat | 72 | blacklist ${HOME}/.cache/KDE/neochat |
| 71 | blacklist ${HOME}/.cache/Mendeley Ltd. | 73 | blacklist ${HOME}/.cache/Mendeley Ltd. |
| 72 | blacklist ${HOME}/.cache/MusicBrainz | 74 | blacklist ${HOME}/.cache/MusicBrainz |
| @@ -83,6 +85,7 @@ blacklist ${HOME}/.cache/agenda | |||
| 83 | blacklist ${HOME}/.cache/akonadi* | 85 | blacklist ${HOME}/.cache/akonadi* |
| 84 | blacklist ${HOME}/.cache/atril | 86 | blacklist ${HOME}/.cache/atril |
| 85 | blacklist ${HOME}/.cache/attic | 87 | blacklist ${HOME}/.cache/attic |
| 88 | blacklist ${HOME}/.cache/audacity | ||
| 86 | blacklist ${HOME}/.cache/babl | 89 | blacklist ${HOME}/.cache/babl |
| 87 | blacklist ${HOME}/.cache/bnox | 90 | blacklist ${HOME}/.cache/bnox |
| 88 | blacklist ${HOME}/.cache/borg | 91 | blacklist ${HOME}/.cache/borg |
| @@ -113,6 +116,7 @@ blacklist ${HOME}/.cache/fossamail | |||
| 113 | blacklist ${HOME}/.cache/fractal | 116 | blacklist ${HOME}/.cache/fractal |
| 114 | blacklist ${HOME}/.cache/freecol | 117 | blacklist ${HOME}/.cache/freecol |
| 115 | blacklist ${HOME}/.cache/gajim | 118 | blacklist ${HOME}/.cache/gajim |
| 119 | blacklist ${HOME}/.cache/gdfuse | ||
| 116 | blacklist ${HOME}/.cache/geary | 120 | blacklist ${HOME}/.cache/geary |
| 117 | blacklist ${HOME}/.cache/geeqie | 121 | blacklist ${HOME}/.cache/geeqie |
| 118 | blacklist ${HOME}/.cache/gegl-0.4 | 122 | blacklist ${HOME}/.cache/gegl-0.4 |
| @@ -280,6 +284,7 @@ blacklist ${HOME}/.config/Gpredict | |||
| 280 | blacklist ${HOME}/.config/INRIA | 284 | blacklist ${HOME}/.config/INRIA |
| 281 | blacklist ${HOME}/.config/InSilmaril | 285 | blacklist ${HOME}/.config/InSilmaril |
| 282 | blacklist ${HOME}/.config/JetBrains/CLion* | 286 | blacklist ${HOME}/.config/JetBrains/CLion* |
| 287 | blacklist ${HOME}/.config/JetBrains/PyCharm* | ||
| 283 | blacklist ${HOME}/.config/Jitsi Meet | 288 | blacklist ${HOME}/.config/Jitsi Meet |
| 284 | blacklist ${HOME}/.config/KDE/neochat | 289 | blacklist ${HOME}/.config/KDE/neochat |
| 285 | blacklist ${HOME}/.config/KeePass | 290 | blacklist ${HOME}/.config/KeePass |
| @@ -356,6 +361,7 @@ blacklist ${HOME}/.config/artha.log | |||
| 356 | blacklist ${HOME}/.config/asunder | 361 | blacklist ${HOME}/.config/asunder |
| 357 | blacklist ${HOME}/.config/atril | 362 | blacklist ${HOME}/.config/atril |
| 358 | blacklist ${HOME}/.config/audacious | 363 | blacklist ${HOME}/.config/audacious |
| 364 | blacklist ${HOME}/.config/audacity | ||
| 359 | blacklist ${HOME}/.config/autokey | 365 | blacklist ${HOME}/.config/autokey |
| 360 | blacklist ${HOME}/.config/avidemux3_qt5rc | 366 | blacklist ${HOME}/.config/avidemux3_qt5rc |
| 361 | blacklist ${HOME}/.config/aweather | 367 | blacklist ${HOME}/.config/aweather |
| @@ -431,6 +437,7 @@ blacklist ${HOME}/.config/gajim | |||
| 431 | blacklist ${HOME}/.config/galculator | 437 | blacklist ${HOME}/.config/galculator |
| 432 | blacklist ${HOME}/.config/gallery-dl | 438 | blacklist ${HOME}/.config/gallery-dl |
| 433 | blacklist ${HOME}/.config/gconf | 439 | blacklist ${HOME}/.config/gconf |
| 440 | blacklist ${HOME}/.config/gdfuse | ||
| 434 | blacklist ${HOME}/.config/geany | 441 | blacklist ${HOME}/.config/geany |
| 435 | blacklist ${HOME}/.config/geary | 442 | blacklist ${HOME}/.config/geary |
| 436 | blacklist ${HOME}/.config/gedit | 443 | blacklist ${HOME}/.config/gedit |
| @@ -609,6 +616,7 @@ blacklist ${HOME}/.config/sound-juicer | |||
| 609 | blacklist ${HOME}/.config/specialmailcollectionsrc | 616 | blacklist ${HOME}/.config/specialmailcollectionsrc |
| 610 | blacklist ${HOME}/.config/spectaclerc | 617 | blacklist ${HOME}/.config/spectaclerc |
| 611 | blacklist ${HOME}/.config/spotify | 618 | blacklist ${HOME}/.config/spotify |
| 619 | blacklist ${HOME}/.config/spotify-adblock | ||
| 612 | blacklist ${HOME}/.config/sqlitebrowser | 620 | blacklist ${HOME}/.config/sqlitebrowser |
| 613 | blacklist ${HOME}/.config/stellarium | 621 | blacklist ${HOME}/.config/stellarium |
| 614 | blacklist ${HOME}/.config/straw-viewer | 622 | blacklist ${HOME}/.config/straw-viewer |
| @@ -702,6 +710,7 @@ blacklist ${HOME}/.frozen-bubble | |||
| 702 | blacklist ${HOME}/.funnyboat | 710 | blacklist ${HOME}/.funnyboat |
| 703 | blacklist ${HOME}/.g8 | 711 | blacklist ${HOME}/.g8 |
| 704 | blacklist ${HOME}/.gallery-dl.conf | 712 | blacklist ${HOME}/.gallery-dl.conf |
| 713 | blacklist ${HOME}/.gdfuse | ||
| 705 | blacklist ${HOME}/.geekbench5 | 714 | blacklist ${HOME}/.geekbench5 |
| 706 | blacklist ${HOME}/.gimp* | 715 | blacklist ${HOME}/.gimp* |
| 707 | blacklist ${HOME}/.gist | 716 | blacklist ${HOME}/.gist |
| @@ -857,6 +866,7 @@ blacklist ${HOME}/.local/share/akonadi* | |||
| 857 | blacklist ${HOME}/.local/share/akregator | 866 | blacklist ${HOME}/.local/share/akregator |
| 858 | blacklist ${HOME}/.local/share/apps/korganizer | 867 | blacklist ${HOME}/.local/share/apps/korganizer |
| 859 | blacklist ${HOME}/.local/share/aspyr-media | 868 | blacklist ${HOME}/.local/share/aspyr-media |
| 869 | blacklist ${HOME}/.local/share/audacity | ||
| 860 | blacklist ${HOME}/.local/share/authenticator-rs | 870 | blacklist ${HOME}/.local/share/authenticator-rs |
| 861 | blacklist ${HOME}/.local/share/autokey | 871 | blacklist ${HOME}/.local/share/autokey |
| 862 | blacklist ${HOME}/.local/share/backintime | 872 | blacklist ${HOME}/.local/share/backintime |
| @@ -869,6 +879,7 @@ blacklist ${HOME}/.local/share/caja-python | |||
| 869 | blacklist ${HOME}/.local/share/calligragemini | 879 | blacklist ${HOME}/.local/share/calligragemini |
| 870 | blacklist ${HOME}/.local/share/cantata | 880 | blacklist ${HOME}/.local/share/cantata |
| 871 | blacklist ${HOME}/.local/share/cdprojektred | 881 | blacklist ${HOME}/.local/share/cdprojektred |
| 882 | blacklist ${HOME}/.local/share/chatterino | ||
| 872 | blacklist ${HOME}/.local/share/clipit | 883 | blacklist ${HOME}/.local/share/clipit |
| 873 | blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate | 884 | blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate |
| 874 | blacklist ${HOME}/.local/share/contacts | 885 | blacklist ${HOME}/.local/share/contacts |
| @@ -890,6 +901,7 @@ blacklist ${HOME}/.local/share/feral-interactive | |||
| 890 | blacklist ${HOME}/.local/share/five-or-more | 901 | blacklist ${HOME}/.local/share/five-or-more |
| 891 | blacklist ${HOME}/.local/share/freecol | 902 | blacklist ${HOME}/.local/share/freecol |
| 892 | blacklist ${HOME}/.local/share/gajim | 903 | blacklist ${HOME}/.local/share/gajim |
| 904 | blacklist ${HOME}/.local/share/gdfuse | ||
| 893 | blacklist ${HOME}/.local/share/geary | 905 | blacklist ${HOME}/.local/share/geary |
| 894 | blacklist ${HOME}/.local/share/geeqie | 906 | blacklist ${HOME}/.local/share/geeqie |
| 895 | blacklist ${HOME}/.local/share/ghostwriter | 907 | blacklist ${HOME}/.local/share/ghostwriter |
| @@ -1011,6 +1023,7 @@ blacklist ${HOME}/.local/share/wormux | |||
| 1011 | blacklist ${HOME}/.local/share/xplayer | 1023 | blacklist ${HOME}/.local/share/xplayer |
| 1012 | blacklist ${HOME}/.local/share/xreader | 1024 | blacklist ${HOME}/.local/share/xreader |
| 1013 | blacklist ${HOME}/.local/share/zathura | 1025 | blacklist ${HOME}/.local/share/zathura |
| 1026 | blacklist ${HOME}/.local/state/audacity | ||
| 1014 | blacklist ${HOME}/.local/state/pipewire | 1027 | blacklist ${HOME}/.local/state/pipewire |
| 1015 | blacklist ${HOME}/.lv2 | 1028 | blacklist ${HOME}/.lv2 |
| 1016 | blacklist ${HOME}/.lyx | 1029 | blacklist ${HOME}/.lyx |
| @@ -1173,6 +1186,7 @@ blacklist ${HOME}/yt-dlp.conf.txt | |||
| 1173 | blacklist ${RUNUSER}/*firefox* | 1186 | blacklist ${RUNUSER}/*firefox* |
| 1174 | blacklist ${RUNUSER}/akonadi | 1187 | blacklist ${RUNUSER}/akonadi |
| 1175 | blacklist ${RUNUSER}/psd/*firefox* | 1188 | blacklist ${RUNUSER}/psd/*firefox* |
| 1189 | blacklist /etc/ssmtp | ||
| 1176 | blacklist /tmp/.wine-* | 1190 | blacklist /tmp/.wine-* |
| 1177 | blacklist /tmp/akonadi-* | 1191 | blacklist /tmp/akonadi-* |
| 1178 | blacklist /var/games/nethack | 1192 | blacklist /var/games/nethack |
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc index 72e677ba5..75151ed1f 100644 --- a/etc/inc/whitelist-run-common.inc +++ b/etc/inc/whitelist-run-common.inc | |||
| @@ -3,6 +3,7 @@ | |||
| 3 | include whitelist-run-common.local | 3 | include whitelist-run-common.local |
| 4 | 4 | ||
| 5 | whitelist /run/NetworkManager/resolv.conf | 5 | whitelist /run/NetworkManager/resolv.conf |
| 6 | whitelist /run/avahi-daemon/socket | ||
| 6 | whitelist /run/cups/cups.sock | 7 | whitelist /run/cups/cups.sock |
| 7 | whitelist /run/dbus/system_bus_socket | 8 | whitelist /run/dbus/system_bus_socket |
| 8 | whitelist /run/media | 9 | whitelist /run/media |
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc index 1dbaf8bdb..bb0bcd050 100644 --- a/etc/inc/whitelist-usr-share-common.inc +++ b/etc/inc/whitelist-usr-share-common.inc | |||
| @@ -55,6 +55,7 @@ whitelist /usr/share/qt | |||
| 55 | whitelist /usr/share/qt4 | 55 | whitelist /usr/share/qt4 |
| 56 | whitelist /usr/share/qt5 | 56 | whitelist /usr/share/qt5 |
| 57 | whitelist /usr/share/qt5ct | 57 | whitelist /usr/share/qt5ct |
| 58 | whitelist /usr/share/qt6 | ||
| 58 | whitelist /usr/share/qt6ct | 59 | whitelist /usr/share/qt6ct |
| 59 | whitelist /usr/share/sounds | 60 | whitelist /usr/share/sounds |
| 60 | whitelist /usr/share/tcl8.6 | 61 | whitelist /usr/share/tcl8.6 |
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile index 04f58abb9..48a2afdf2 100644 --- a/etc/profile-a-l/0ad.profile +++ b/etc/profile-a-l/0ad.profile | |||
| @@ -54,3 +54,5 @@ private-tmp | |||
| 54 | 54 | ||
| 55 | dbus-user none | 55 | dbus-user none |
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | |||
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile index 7913fdea9..1cd207996 100644 --- a/etc/profile-a-l/2048-qt.profile +++ b/etc/profile-a-l/2048-qt.profile | |||
| @@ -40,3 +40,5 @@ seccomp | |||
| 40 | disable-mnt | 40 | disable-mnt |
| 41 | private-dev | 41 | private-dev |
| 42 | private-tmp | 42 | private-tmp |
| 43 | |||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile index af026fc86..4a850f1bd 100644 --- a/etc/profile-a-l/Cryptocat.profile +++ b/etc/profile-a-l/Cryptocat.profile | |||
| @@ -28,3 +28,5 @@ seccomp | |||
| 28 | private-cache | 28 | private-cache |
| 29 | private-dev | 29 | private-dev |
| 30 | private-tmp | 30 | private-tmp |
| 31 | |||
| 32 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile index 09149350d..462bfa517 100644 --- a/etc/profile-a-l/Fritzing.profile +++ b/etc/profile-a-l/Fritzing.profile | |||
| @@ -36,3 +36,4 @@ seccomp | |||
| 36 | private-dev | 36 | private-dev |
| 37 | private-tmp | 37 | private-tmp |
| 38 | 38 | ||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile index 8d56c0d95..b229c151d 100644 --- a/etc/profile-a-l/JDownloader.profile +++ b/etc/profile-a-l/JDownloader.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile index ce3d0630f..eb7a5254f 100644 --- a/etc/profile-a-l/abiword.profile +++ b/etc/profile-a-l/abiword.profile | |||
| @@ -46,3 +46,5 @@ private-tmp | |||
| 46 | 46 | ||
| 47 | # dbus-user none | 47 | # dbus-user none |
| 48 | # dbus-system none | 48 | # dbus-system none |
| 49 | |||
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile index ee9420d62..96c56d85d 100644 --- a/etc/profile-a-l/agetpkg.profile +++ b/etc/profile-a-l/agetpkg.profile | |||
| @@ -56,3 +56,4 @@ dbus-user none | |||
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | 57 | ||
| 58 | memory-deny-write-execute | 58 | memory-deny-write-execute |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile index 2f58d9146..184036f24 100644 --- a/etc/profile-a-l/akonadi_control.profile +++ b/etc/profile-a-l/akonadi_control.profile | |||
| @@ -55,3 +55,4 @@ tracelog | |||
| 55 | private-dev | 55 | private-dev |
| 56 | # private-tmp - breaks programs that depend on akonadi | 56 | # private-tmp - breaks programs that depend on akonadi |
| 57 | 57 | ||
| 58 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile index 8e6935fb8..d88a1fcad 100644 --- a/etc/profile-a-l/akregator.profile +++ b/etc/profile-a-l/akregator.profile | |||
| @@ -49,3 +49,4 @@ private-dev | |||
| 49 | private-tmp | 49 | private-tmp |
| 50 | 50 | ||
| 51 | deterministic-shutdown | 51 | deterministic-shutdown |
| 52 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile index 5dc306147..9612ffdd2 100644 --- a/etc/profile-a-l/alacarte.profile +++ b/etc/profile-a-l/alacarte.profile | |||
| @@ -62,3 +62,4 @@ read-write ${HOME}/.config/menus | |||
| 62 | read-write ${HOME}/.gnome/apps | 62 | read-write ${HOME}/.gnome/apps |
| 63 | read-write ${HOME}/.local/share/applications | 63 | read-write ${HOME}/.local/share/applications |
| 64 | read-write ${HOME}/.local/share/flatpak/exports | 64 | read-write ${HOME}/.local/share/flatpak/exports |
| 65 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile index ee6be4bc9..0f7407f05 100644 --- a/etc/profile-a-l/alienarena.profile +++ b/etc/profile-a-l/alienarena.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | dbus-user none | 49 | dbus-user none |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile index e00aef423..4e994c025 100644 --- a/etc/profile-a-l/alpine.profile +++ b/etc/profile-a-l/alpine.profile | |||
| @@ -100,3 +100,4 @@ dbus-system none | |||
| 100 | 100 | ||
| 101 | memory-deny-write-execute | 101 | memory-deny-write-execute |
| 102 | read-only ${HOME}/.signature | 102 | read-only ${HOME}/.signature |
| 103 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile index 7211f0cf7..3171d738e 100644 --- a/etc/profile-a-l/amarok.profile +++ b/etc/profile-a-l/amarok.profile | |||
| @@ -44,3 +44,5 @@ dbus-user.talk org.freedesktop.Notifications | |||
| 44 | #dbus-user.own org.kde.klauncher | 44 | #dbus-user.own org.kde.klauncher |
| 45 | #dbus-user.talk org.kde.knotify | 45 | #dbus-user.talk org.kde.knotify |
| 46 | dbus-system none | 46 | dbus-system none |
| 47 | |||
| 48 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile index bce22fbfd..ccf7231bd 100644 --- a/etc/profile-a-l/amule.profile +++ b/etc/profile-a-l/amule.profile | |||
| @@ -40,3 +40,4 @@ private-bin amule | |||
| 40 | private-dev | 40 | private-dev |
| 41 | private-tmp | 41 | private-tmp |
| 42 | 42 | ||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile index add75c849..3dfa0f95a 100644 --- a/etc/profile-a-l/android-studio.profile +++ b/etc/profile-a-l/android-studio.profile | |||
| @@ -40,3 +40,4 @@ private-cache | |||
| 40 | 40 | ||
| 41 | # noexec /tmp breaks 'Android Profiler' | 41 | # noexec /tmp breaks 'Android Profiler' |
| 42 | #noexec /tmp | 42 | #noexec /tmp |
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile index 45d000012..466f60bda 100644 --- a/etc/profile-a-l/anki.profile +++ b/etc/profile-a-l/anki.profile | |||
| @@ -54,3 +54,5 @@ private-tmp | |||
| 54 | 54 | ||
| 55 | dbus-user none | 55 | dbus-user none |
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | |||
| 58 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile index fd92f63db..4c2dcf0e6 100644 --- a/etc/profile-a-l/anydesk.profile +++ b/etc/profile-a-l/anydesk.profile | |||
| @@ -33,3 +33,5 @@ disable-mnt | |||
| 33 | private-bin anydesk | 33 | private-bin anydesk |
| 34 | private-dev | 34 | private-dev |
| 35 | private-tmp | 35 | private-tmp |
| 36 | |||
| 37 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile index 0d3131f8c..80ee71831 100644 --- a/etc/profile-a-l/aosp.profile +++ b/etc/profile-a-l/aosp.profile | |||
| @@ -40,3 +40,5 @@ protocol unix,inet,inet6 | |||
| 40 | #seccomp | 40 | #seccomp |
| 41 | 41 | ||
| 42 | private-tmp | 42 | private-tmp |
| 43 | |||
| 44 | #restrict-namespaces | ||
diff --git a/etc/profile-a-l/apktool.profile b/etc/profile-a-l/apktool.profile index e03ff3084..9f1940a4d 100644 --- a/etc/profile-a-l/apktool.profile +++ b/etc/profile-a-l/apktool.profile | |||
| @@ -35,3 +35,5 @@ private-dev | |||
| 35 | 35 | ||
| 36 | dbus-user none | 36 | dbus-user none |
| 37 | dbus-system none | 37 | dbus-system none |
| 38 | |||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile index ca4dec918..dab91fe7d 100644 --- a/etc/profile-a-l/apostrophe.profile +++ b/etc/profile-a-l/apostrophe.profile | |||
| @@ -69,3 +69,5 @@ dbus-user filter | |||
| 69 | dbus-user.own org.gnome.gitlab.somas.Apostrophe | 69 | dbus-user.own org.gnome.gitlab.somas.Apostrophe |
| 70 | dbus-user.talk ca.desrt.dconf | 70 | dbus-user.talk ca.desrt.dconf |
| 71 | dbus-system none | 71 | dbus-system none |
| 72 | |||
| 73 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile index 7db947be8..766c2c96d 100644 --- a/etc/profile-a-l/arch-audit.profile +++ b/etc/profile-a-l/arch-audit.profile | |||
| @@ -49,3 +49,4 @@ dbus-user none | |||
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | 50 | ||
| 51 | memory-deny-write-execute | 51 | memory-deny-write-execute |
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile index 6ad75d68c..3e3f77576 100644 --- a/etc/profile-a-l/archaudit-report.profile +++ b/etc/profile-a-l/archaudit-report.profile | |||
| @@ -36,3 +36,4 @@ private-bin arch-audit,archaudit-report,bash,cat,comm,cut,date,fold,grep,pacman, | |||
| 36 | private-tmp | 36 | private-tmp |
| 37 | 37 | ||
| 38 | memory-deny-write-execute | 38 | memory-deny-write-execute |
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile index b82563099..b0f83aa32 100644 --- a/etc/profile-a-l/archiver-common.profile +++ b/etc/profile-a-l/archiver-common.profile | |||
| @@ -49,3 +49,4 @@ dbus-user none | |||
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | 50 | ||
| 51 | memory-deny-write-execute | 51 | memory-deny-write-execute |
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile index c93cecf9f..341fe1ed8 100644 --- a/etc/profile-a-l/ardour5.profile +++ b/etc/profile-a-l/ardour5.profile | |||
| @@ -40,3 +40,5 @@ private-tmp | |||
| 40 | 40 | ||
| 41 | dbus-user none | 41 | dbus-user none |
| 42 | dbus-system none | 42 | dbus-system none |
| 43 | |||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile index bb0bc3513..85ea76939 100644 --- a/etc/profile-a-l/arduino.profile +++ b/etc/profile-a-l/arduino.profile | |||
| @@ -33,3 +33,4 @@ seccomp | |||
| 33 | private-cache | 33 | private-cache |
| 34 | private-tmp | 34 | private-tmp |
| 35 | 35 | ||
| 36 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile index f108a6291..17eb2451c 100644 --- a/etc/profile-a-l/aria2c.profile +++ b/etc/profile-a-l/aria2c.profile | |||
| @@ -53,3 +53,4 @@ dbus-user none | |||
| 53 | dbus-system none | 53 | dbus-system none |
| 54 | 54 | ||
| 55 | memory-deny-write-execute | 55 | memory-deny-write-execute |
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile index 53697a367..272e06219 100644 --- a/etc/profile-a-l/ark.profile +++ b/etc/profile-a-l/ark.profile | |||
| @@ -44,3 +44,5 @@ private-tmp | |||
| 44 | 44 | ||
| 45 | # dbus-user none | 45 | # dbus-user none |
| 46 | # dbus-system none | 46 | # dbus-system none |
| 47 | |||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile index 556a354e7..db388eee1 100644 --- a/etc/profile-a-l/arm.profile +++ b/etc/profile-a-l/arm.profile | |||
| @@ -45,3 +45,4 @@ private-dev | |||
| 45 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor | 45 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor |
| 46 | private-tmp | 46 | private-tmp |
| 47 | 47 | ||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile index b83b6bb10..b1347b0d9 100644 --- a/etc/profile-a-l/artha.profile +++ b/etc/profile-a-l/artha.profile | |||
| @@ -65,3 +65,4 @@ dbus-user.talk org.freedesktop.Notifications | |||
| 65 | dbus-system none | 65 | dbus-system none |
| 66 | 66 | ||
| 67 | memory-deny-write-execute | 67 | memory-deny-write-execute |
| 68 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile index 26eddf1b6..f28f77748 100644 --- a/etc/profile-a-l/assogiate.profile +++ b/etc/profile-a-l/assogiate.profile | |||
| @@ -51,3 +51,4 @@ dbus-system none | |||
| 51 | 51 | ||
| 52 | memory-deny-write-execute | 52 | memory-deny-write-execute |
| 53 | read-write ${HOME}/.local/share/mime | 53 | read-write ${HOME}/.local/share/mime |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile index 445aa3985..c09ad7936 100644 --- a/etc/profile-a-l/asunder.profile +++ b/etc/profile-a-l/asunder.profile | |||
| @@ -45,3 +45,4 @@ dbus-system none | |||
| 45 | 45 | ||
| 46 | # mdwe is disabled due to breaking hardware accelerated decoding | 46 | # mdwe is disabled due to breaking hardware accelerated decoding |
| 47 | # memory-deny-write-execute | 47 | # memory-deny-write-execute |
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile index 8ec6f433e..f24aff108 100644 --- a/etc/profile-a-l/atril.profile +++ b/etc/profile-a-l/atril.profile | |||
| @@ -49,3 +49,4 @@ private-tmp | |||
| 49 | 49 | ||
| 50 | # webkit gtk killed by memory-deny-write-execute | 50 | # webkit gtk killed by memory-deny-write-execute |
| 51 | #memory-deny-write-execute | 51 | #memory-deny-write-execute |
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile index fe23049f4..b31f3f1b2 100644 --- a/etc/profile-a-l/audacious.profile +++ b/etc/profile-a-l/audacious.profile | |||
| @@ -42,3 +42,5 @@ private-tmp | |||
| 42 | # dbus needed for MPRIS | 42 | # dbus needed for MPRIS |
| 43 | # dbus-user none | 43 | # dbus-user none |
| 44 | # dbus-system none | 44 | # dbus-system none |
| 45 | |||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index 2831fec72..371054728 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile | |||
| @@ -6,7 +6,16 @@ include audacity.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | # Add the below lines to your audacity.local if you need online plugins. | ||
| 10 | #ignore net none | ||
| 11 | #netfilter | ||
| 12 | #protocol inet6 | ||
| 13 | |||
| 9 | noblacklist ${HOME}/.audacity-data | 14 | noblacklist ${HOME}/.audacity-data |
| 15 | noblacklist ${HOME}/.cache/audacity | ||
| 16 | noblacklist ${HOME}/.config/audacity | ||
| 17 | noblacklist ${HOME}/.local/share/audacity | ||
| 18 | noblacklist ${HOME}/.local/state/audacity | ||
| 10 | noblacklist ${DOCUMENTS} | 19 | noblacklist ${DOCUMENTS} |
| 11 | noblacklist ${MUSIC} | 20 | noblacklist ${MUSIC} |
| 12 | 21 | ||
| @@ -20,6 +29,8 @@ include disable-xdg.inc | |||
| 20 | 29 | ||
| 21 | include whitelist-var-common.inc | 30 | include whitelist-var-common.inc |
| 22 | 31 | ||
| 32 | # Silence blacklist violation. See #5539. | ||
| 33 | allow-debuggers | ||
| 23 | ## Enabling App Armor appears to break some Fedora / Arch installs | 34 | ## Enabling App Armor appears to break some Fedora / Arch installs |
| 24 | #apparmor | 35 | #apparmor |
| 25 | caps.drop all | 36 | caps.drop all |
| @@ -44,3 +55,5 @@ private-tmp | |||
| 44 | # problems on Fedora 27 | 55 | # problems on Fedora 27 |
| 45 | # dbus-user none | 56 | # dbus-user none |
| 46 | # dbus-system none | 57 | # dbus-system none |
| 58 | |||
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile index 6c8a90c0b..74dba7411 100644 --- a/etc/profile-a-l/audio-recorder.profile +++ b/etc/profile-a-l/audio-recorder.profile | |||
| @@ -51,3 +51,4 @@ dbus-user.talk ca.desrt.dconf | |||
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | 52 | ||
| 53 | # memory-deny-write-execute - breaks on Arch | 53 | # memory-deny-write-execute - breaks on Arch |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile index 8e898b5ee..73a2e1806 100644 --- a/etc/profile-a-l/authenticator-rs.profile +++ b/etc/profile-a-l/authenticator-rs.profile | |||
| @@ -52,3 +52,5 @@ private-tmp | |||
| 52 | dbus-user filter | 52 | dbus-user filter |
| 53 | dbus-user.talk ca.desrt.dconf | 53 | dbus-user.talk ca.desrt.dconf |
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile index 5f26a39f5..02c1d8768 100644 --- a/etc/profile-a-l/authenticator.profile +++ b/etc/profile-a-l/authenticator.profile | |||
| @@ -46,3 +46,4 @@ private-tmp | |||
| 46 | # dbus-system none | 46 | # dbus-system none |
| 47 | 47 | ||
| 48 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 48 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile index ee63f0ead..834eac11a 100644 --- a/etc/profile-a-l/autokey-common.profile +++ b/etc/profile-a-l/autokey-common.profile | |||
| @@ -39,3 +39,4 @@ private-dev | |||
| 39 | private-tmp | 39 | private-tmp |
| 40 | 40 | ||
| 41 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 41 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile index 69fc38c44..8707dca5b 100644 --- a/etc/profile-a-l/avidemux.profile +++ b/etc/profile-a-l/avidemux.profile | |||
| @@ -1,10 +1,12 @@ | |||
| 1 | # Firejail profile for Avidemux | 1 | # Firejail profile for Avidemux |
| 2 | # Description: Avidemux is a free video editor designed for simple cutting, filtering and encoding tasks. | 2 | # Description: Avidemux is a free video editor designed for simple cutting, filtering and encoding tasks. |
| 3 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | 4 | # Persistent local customizations |
| 4 | include avidemux.local | 5 | include avidemux.local |
| 5 | # Persistent global definitions | 6 | # Persistent global definitions |
| 6 | include globals.local | 7 | include globals.local |
| 7 | 8 | ||
| 9 | noblacklist ${HOME}/.avidemux3 | ||
| 8 | noblacklist ${HOME}/.avidemux6 | 10 | noblacklist ${HOME}/.avidemux6 |
| 9 | noblacklist ${HOME}/.config/avidemux3_qt5rc | 11 | noblacklist ${HOME}/.config/avidemux3_qt5rc |
| 10 | noblacklist ${VIDEOS} | 12 | noblacklist ${VIDEOS} |
| @@ -17,8 +19,10 @@ include disable-programs.inc | |||
| 17 | include disable-shell.inc | 19 | include disable-shell.inc |
| 18 | include disable-xdg.inc | 20 | include disable-xdg.inc |
| 19 | 21 | ||
| 22 | mkdir ${HOME}/.avidemux3 | ||
| 20 | mkdir ${HOME}/.avidemux6 | 23 | mkdir ${HOME}/.avidemux6 |
| 21 | mkdir ${HOME}/.config/avidemux3_qt5rc | 24 | mkdir ${HOME}/.config/avidemux3_qt5rc |
| 25 | whitelist ${HOME}/.avidemux3 | ||
| 22 | whitelist ${HOME}/.avidemux6 | 26 | whitelist ${HOME}/.avidemux6 |
| 23 | whitelist ${HOME}/.config/avidemux3_qt5rc | 27 | whitelist ${HOME}/.config/avidemux3_qt5rc |
| 24 | whitelist ${VIDEOS} | 28 | whitelist ${VIDEOS} |
| @@ -51,3 +55,5 @@ private-tmp | |||
| 51 | 55 | ||
| 52 | dbus-user none | 56 | dbus-user none |
| 53 | dbus-system none | 57 | dbus-system none |
| 58 | |||
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/avidemux3_cli.profile b/etc/profile-a-l/avidemux3_cli.profile new file mode 100644 index 000000000..18d05a031 --- /dev/null +++ b/etc/profile-a-l/avidemux3_cli.profile | |||
| @@ -0,0 +1,11 @@ | |||
| 1 | # Firejail profile for avidemux3_cli | ||
| 2 | # Description: The command-line interface for Avidemux. | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include avidemux3_cli.local | ||
| 6 | # Persistent global definitions | ||
| 7 | # added by included profile | ||
| 8 | #include globals.local | ||
| 9 | |||
| 10 | # Redirect | ||
| 11 | include avidemux.profile | ||
diff --git a/etc/profile-a-l/avidemux3_jobs_qt5.profile b/etc/profile-a-l/avidemux3_jobs_qt5.profile new file mode 100644 index 000000000..d84d67494 --- /dev/null +++ b/etc/profile-a-l/avidemux3_jobs_qt5.profile | |||
| @@ -0,0 +1,18 @@ | |||
| 1 | # Firejail profile for avidemux3_jobs_qt5 | ||
| 2 | # Description: The Qt5 GUI to run Avidemux jobs. | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include avidemux3_jobs_qt5.local | ||
| 6 | # Persistent global definitions | ||
| 7 | # added by included profile | ||
| 8 | #include globals.local | ||
| 9 | |||
| 10 | # Provide a shell to spawn avidemux3_cli | ||
| 11 | include allow-bin-sh.inc | ||
| 12 | private-bin sh | ||
| 13 | |||
| 14 | # Needs to bind to a socket on localhost | ||
| 15 | protocol inet,inet6 | ||
| 16 | |||
| 17 | # Redirect | ||
| 18 | include avidemux3_qt5.profile | ||
diff --git a/etc/profile-a-l/avidemux3_qt5.profile b/etc/profile-a-l/avidemux3_qt5.profile new file mode 100644 index 000000000..65aacd942 --- /dev/null +++ b/etc/profile-a-l/avidemux3_qt5.profile | |||
| @@ -0,0 +1,15 @@ | |||
| 1 | # Firejail profile for avidemux3_qt5 | ||
| 2 | # Description: The Qt5 GUI for Avidemux. | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include avidemux3_qt5.local | ||
| 6 | # Persistent global definitions | ||
| 7 | # added by included profile | ||
| 8 | #include globals.local | ||
| 9 | |||
| 10 | # Allow translations | ||
| 11 | whitelist /usr/share/avidemux3 | ||
| 12 | whitelist /usr/share/avidemux6 | ||
| 13 | |||
| 14 | # Redirect | ||
| 15 | include avidemux.profile | ||
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile index 0a80a2203..e2646095c 100644 --- a/etc/profile-a-l/aweather.profile +++ b/etc/profile-a-l/aweather.profile | |||
| @@ -37,3 +37,5 @@ tracelog | |||
| 37 | private-bin aweather | 37 | private-bin aweather |
| 38 | private-dev | 38 | private-dev |
| 39 | private-tmp | 39 | private-tmp |
| 40 | |||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile index 5d1bf5071..d8c073c8d 100644 --- a/etc/profile-a-l/awesome.profile +++ b/etc/profile-a-l/awesome.profile | |||
| @@ -14,6 +14,7 @@ caps.drop all | |||
| 14 | netfilter | 14 | netfilter |
| 15 | noroot | 15 | noroot |
| 16 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
| 17 | seccomp | 17 | seccomp !chroot |
| 18 | 18 | ||
| 19 | read-only ${HOME}/.config/awesome/autorun.sh | 19 | read-only ${HOME}/.config/awesome/autorun.sh |
| 20 | #restrict-namespaces | ||
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile index 05637d247..b60b5715c 100644 --- a/etc/profile-a-l/ballbuster.profile +++ b/etc/profile-a-l/ballbuster.profile | |||
| @@ -49,3 +49,5 @@ private-tmp | |||
| 49 | 49 | ||
| 50 | dbus-user none | 50 | dbus-user none |
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile index 24bb53981..084b7c702 100644 --- a/etc/profile-a-l/baloo_file.profile +++ b/etc/profile-a-l/baloo_file.profile | |||
| @@ -52,3 +52,5 @@ private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kb | |||
| 52 | private-cache | 52 | private-cache |
| 53 | private-dev | 53 | private-dev |
| 54 | private-tmp | 54 | private-tmp |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index c78caad77..661356ff6 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile | |||
| @@ -79,3 +79,4 @@ dbus-user.talk org.gnome.keyring.SystemPrompter | |||
| 79 | dbus-system none | 79 | dbus-system none |
| 80 | 80 | ||
| 81 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 81 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
| 82 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile index 40f50e991..31ef66a58 100644 --- a/etc/profile-a-l/baobab.profile +++ b/etc/profile-a-l/baobab.profile | |||
| @@ -41,3 +41,4 @@ private-tmp | |||
| 41 | # dbus-system none | 41 | # dbus-system none |
| 42 | 42 | ||
| 43 | read-only ${HOME} | 43 | read-only ${HOME} |
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile index dbd3d38f1..a78d202a2 100644 --- a/etc/profile-a-l/barrier.profile +++ b/etc/profile-a-l/barrier.profile | |||
| @@ -42,3 +42,4 @@ private-cache | |||
| 42 | private-tmp | 42 | private-tmp |
| 43 | 43 | ||
| 44 | memory-deny-write-execute | 44 | memory-deny-write-execute |
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile index 8dc3847a0..a962bfe02 100644 --- a/etc/profile-a-l/basilisk.profile +++ b/etc/profile-a-l/basilisk.profile | |||
| @@ -22,5 +22,8 @@ ignore seccomp | |||
| 22 | #private-etc basilisk | 22 | #private-etc basilisk |
| 23 | #private-opt basilisk | 23 | #private-opt basilisk |
| 24 | 24 | ||
| 25 | restrict-namespaces | ||
| 26 | ignore restrict-namespaces | ||
| 27 | |||
| 25 | # Redirect | 28 | # Redirect |
| 26 | include firefox-common.profile | 29 | include firefox-common.profile |
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index b43c670b6..d566b94e8 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile | |||
| @@ -44,3 +44,5 @@ private-tmp | |||
| 44 | 44 | ||
| 45 | dbus-user none | 45 | dbus-user none |
| 46 | dbus-system none | 46 | dbus-system none |
| 47 | |||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile index bc1cb18ac..85a1a58c7 100644 --- a/etc/profile-a-l/bibletime.profile +++ b/etc/profile-a-l/bibletime.profile | |||
| @@ -56,3 +56,5 @@ private-tmp | |||
| 56 | 56 | ||
| 57 | dbus-user none | 57 | dbus-user none |
| 58 | dbus-system none | 58 | dbus-system none |
| 59 | |||
| 60 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile index e6675e0d3..b6b52601e 100644 --- a/etc/profile-a-l/bijiben.profile +++ b/etc/profile-a-l/bijiben.profile | |||
| @@ -60,3 +60,4 @@ dbus-user.talk org.freedesktop.Tracker1 | |||
| 60 | dbus-system none | 60 | dbus-system none |
| 61 | 61 | ||
| 62 | env WEBKIT_FORCE_SANDBOX=0 | 62 | env WEBKIT_FORCE_SANDBOX=0 |
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile index 390d002ed..9fc01a2fd 100644 --- a/etc/profile-a-l/bitcoin-qt.profile +++ b/etc/profile-a-l/bitcoin-qt.profile | |||
| @@ -47,3 +47,4 @@ private-dev | |||
| 47 | private-tmp | 47 | private-tmp |
| 48 | 48 | ||
| 49 | memory-deny-write-execute | 49 | memory-deny-write-execute |
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile index 773fa7500..988a1479e 100644 --- a/etc/profile-a-l/bitlbee.profile +++ b/etc/profile-a-l/bitlbee.profile | |||
| @@ -38,3 +38,4 @@ private-dev | |||
| 38 | private-tmp | 38 | private-tmp |
| 39 | 39 | ||
| 40 | read-write /var/lib/bitlbee | 40 | read-write /var/lib/bitlbee |
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile index 233f9a96f..f89026899 100644 --- a/etc/profile-a-l/blackbox.profile +++ b/etc/profile-a-l/blackbox.profile | |||
| @@ -14,5 +14,6 @@ caps.drop all | |||
| 14 | netfilter | 14 | netfilter |
| 15 | noroot | 15 | noroot |
| 16 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
| 17 | seccomp | 17 | seccomp !chroot |
| 18 | 18 | ||
| 19 | #restrict-namespaces | ||
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile index a352ab8d8..45ae345c3 100644 --- a/etc/profile-a-l/bleachbit.profile +++ b/etc/profile-a-l/bleachbit.profile | |||
| @@ -40,3 +40,4 @@ dbus-system none | |||
| 40 | 40 | ||
| 41 | # memory-deny-write-execute breaks some systems, see issue #1850 | 41 | # memory-deny-write-execute breaks some systems, see issue #1850 |
| 42 | # memory-deny-write-execute | 42 | # memory-deny-write-execute |
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile index 8ee852ab5..cd8fac61f 100644 --- a/etc/profile-a-l/blender.profile +++ b/etc/profile-a-l/blender.profile | |||
| @@ -37,3 +37,5 @@ protocol unix,inet,inet6,netlink | |||
| 37 | seccomp !mbind | 37 | seccomp !mbind |
| 38 | 38 | ||
| 39 | private-dev | 39 | private-dev |
| 40 | |||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile index 0e38889c0..9badb4357 100644 --- a/etc/profile-a-l/bless.profile +++ b/etc/profile-a-l/bless.profile | |||
| @@ -39,3 +39,5 @@ private-tmp | |||
| 39 | 39 | ||
| 40 | dbus-user none | 40 | dbus-user none |
| 41 | dbus-system none | 41 | dbus-system none |
| 42 | |||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile index 3bd8c79d0..6e7a87e5f 100644 --- a/etc/profile-a-l/blobby.profile +++ b/etc/profile-a-l/blobby.profile | |||
| @@ -48,3 +48,4 @@ dbus-user none | |||
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | 49 | ||
| 50 | memory-deny-write-execute | 50 | memory-deny-write-execute |
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile index 9dfbd8f8e..e6926ee29 100644 --- a/etc/profile-a-l/blobwars.profile +++ b/etc/profile-a-l/blobwars.profile | |||
| @@ -47,3 +47,5 @@ private-tmp | |||
| 47 | 47 | ||
| 48 | dbus-user none | 48 | dbus-user none |
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile index ac949d561..d24f76262 100644 --- a/etc/profile-a-l/bluefish.profile +++ b/etc/profile-a-l/bluefish.profile | |||
| @@ -37,3 +37,5 @@ private-tmp | |||
| 37 | 37 | ||
| 38 | dbus-user none | 38 | dbus-user none |
| 39 | dbus-system none | 39 | dbus-system none |
| 40 | |||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile index 0ab28fffe..a483c2b0a 100644 --- a/etc/profile-a-l/brackets.profile +++ b/etc/profile-a-l/brackets.profile | |||
| @@ -31,3 +31,5 @@ seccomp !chroot,!ioperm | |||
| 31 | 31 | ||
| 32 | private-cache | 32 | private-cache |
| 33 | private-dev | 33 | private-dev |
| 34 | |||
| 35 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile index f80ad9f20..12d7062ab 100644 --- a/etc/profile-a-l/brasero.profile +++ b/etc/profile-a-l/brasero.profile | |||
| @@ -33,3 +33,5 @@ tracelog | |||
| 33 | private-cache | 33 | private-cache |
| 34 | # private-dev | 34 | # private-dev |
| 35 | # private-tmp | 35 | # private-tmp |
| 36 | |||
| 37 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile index 09548c761..071a279b0 100644 --- a/etc/profile-a-l/brave.profile +++ b/etc/profile-a-l/brave.profile | |||
| @@ -13,6 +13,8 @@ ignore noexec /tmp | |||
| 13 | # you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default. | 13 | # you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default. |
| 14 | # Alternatively you can add 'ignore apparmor' to your brave.local. | 14 | # Alternatively you can add 'ignore apparmor' to your brave.local. |
| 15 | ignore noexec ${HOME} | 15 | ignore noexec ${HOME} |
| 16 | # Causes slow starts (#4604) | ||
| 17 | ignore private-cache | ||
| 16 | 18 | ||
| 17 | noblacklist ${HOME}/.cache/BraveSoftware | 19 | noblacklist ${HOME}/.cache/BraveSoftware |
| 18 | noblacklist ${HOME}/.config/BraveSoftware | 20 | noblacklist ${HOME}/.config/BraveSoftware |
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile index bd6719b62..cf5f462ae 100644 --- a/etc/profile-a-l/build-systems-common.profile +++ b/etc/profile-a-l/build-systems-common.profile | |||
| @@ -63,3 +63,5 @@ private-tmp | |||
| 63 | 63 | ||
| 64 | dbus-user none | 64 | dbus-user none |
| 65 | dbus-system none | 65 | dbus-system none |
| 66 | |||
| 67 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile index 5bfe3751b..b28f982fc 100644 --- a/etc/profile-a-l/bzflag.profile +++ b/etc/profile-a-l/bzflag.profile | |||
| @@ -44,3 +44,5 @@ private-tmp | |||
| 44 | 44 | ||
| 45 | dbus-user none | 45 | dbus-user none |
| 46 | dbus-system none | 46 | dbus-system none |
| 47 | |||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile index acfc1ba0a..b347941d7 100644 --- a/etc/profile-a-l/calibre.profile +++ b/etc/profile-a-l/calibre.profile | |||
| @@ -35,3 +35,5 @@ seccomp !chroot | |||
| 35 | 35 | ||
| 36 | private-dev | 36 | private-dev |
| 37 | private-tmp | 37 | private-tmp |
| 38 | |||
| 39 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile index 6fccf2122..c2972f902 100644 --- a/etc/profile-a-l/calligra.profile +++ b/etc/profile-a-l/calligra.profile | |||
| @@ -37,3 +37,4 @@ private-dev | |||
| 37 | 37 | ||
| 38 | # noexec ${HOME} | 38 | # noexec ${HOME} |
| 39 | noexec /tmp | 39 | noexec /tmp |
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile index fb3a6df7e..b2248ad06 100644 --- a/etc/profile-a-l/cameramonitor.profile +++ b/etc/profile-a-l/cameramonitor.profile | |||
| @@ -52,3 +52,4 @@ private-tmp | |||
| 52 | # dbus-system none | 52 | # dbus-system none |
| 53 | 53 | ||
| 54 | # memory-deny-write-execute - breaks on Arch | 54 | # memory-deny-write-execute - breaks on Arch |
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile index 2146d1291..7cb56efee 100644 --- a/etc/profile-a-l/cantata.profile +++ b/etc/profile-a-l/cantata.profile | |||
| @@ -34,6 +34,8 @@ novideo | |||
| 34 | protocol unix,inet,inet6,netlink | 34 | protocol unix,inet,inet6,netlink |
| 35 | seccomp | 35 | seccomp |
| 36 | 36 | ||
| 37 | # private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg | 37 | # private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg |
| 38 | private-bin cantata,mpd,perl | 38 | private-bin cantata,mpd,perl |
| 39 | private-dev | 39 | private-dev |
| 40 | |||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile index d076c3ca0..e2df341e9 100644 --- a/etc/profile-a-l/catfish.profile +++ b/etc/profile-a-l/catfish.profile | |||
| @@ -46,3 +46,5 @@ tracelog | |||
| 46 | 46 | ||
| 47 | dbus-user none | 47 | dbus-user none |
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | |||
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile index e9affe09e..e4e32b265 100644 --- a/etc/profile-a-l/cawbird.profile +++ b/etc/profile-a-l/cawbird.profile | |||
| @@ -43,3 +43,5 @@ private-tmp | |||
| 43 | 43 | ||
| 44 | # dbus-user none | 44 | # dbus-user none |
| 45 | dbus-system none | 45 | dbus-system none |
| 46 | |||
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile index 48522c002..0c4335e8f 100644 --- a/etc/profile-a-l/celluloid.profile +++ b/etc/profile-a-l/celluloid.profile | |||
| @@ -64,3 +64,4 @@ dbus-system none | |||
| 64 | 64 | ||
| 65 | read-only ${HOME} | 65 | read-only ${HOME} |
| 66 | read-write ${HOME}/.config/celluloid | 66 | read-write ${HOME}/.config/celluloid |
| 67 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile index b042ac189..72f79681d 100644 --- a/etc/profile-a-l/chafa.profile +++ b/etc/profile-a-l/chafa.profile | |||
| @@ -53,3 +53,4 @@ dbus-user none | |||
| 53 | dbus-system none | 53 | dbus-system none |
| 54 | 54 | ||
| 55 | read-only ${HOME} | 55 | read-only ${HOME} |
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile new file mode 100644 index 000000000..4dfd85740 --- /dev/null +++ b/etc/profile-a-l/chatterino.profile | |||
| @@ -0,0 +1,92 @@ | |||
| 1 | # Firejail profile for Chatterino | ||
| 2 | # Description: Chat client for https://twitch.tv | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include chatterino.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include globals.local | ||
| 8 | |||
| 9 | # To upload images, whitelist/noblacklist their path in chatterino.local. | ||
| 10 | #whitelist ${PICTURES} | ||
| 11 | # For custom notification sounds, whitelist/noblacklist their path in chatterino.local. | ||
| 12 | #whitelist ${MUSIC} | ||
| 13 | |||
| 14 | # Also allow access to mpv/vlc, they're usable via streamlink. | ||
| 15 | noblacklist ${HOME}/.config/mpv | ||
| 16 | noblacklist ${HOME}/.config/pulse | ||
| 17 | noblacklist ${HOME}/.config/vlc | ||
| 18 | noblacklist ${HOME}/.local/share/chatterino | ||
| 19 | noblacklist ${HOME}/.local/share/vlc | ||
| 20 | |||
| 21 | # Allow Lua for mpv (blacklisted by disable-interpreters.inc) | ||
| 22 | include allow-lua.inc | ||
| 23 | |||
| 24 | # Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc) | ||
| 25 | include allow-python3.inc | ||
| 26 | |||
| 27 | include disable-common.inc | ||
| 28 | include disable-devel.inc | ||
| 29 | include disable-exec.inc | ||
| 30 | include disable-interpreters.inc | ||
| 31 | include disable-proc.inc | ||
| 32 | include disable-programs.inc | ||
| 33 | include disable-xdg.inc | ||
| 34 | |||
| 35 | # Also allow read-only access to mpv/VLC, they're usable via streamlink. | ||
| 36 | mkdir ${HOME}/.local/share/chatterino | ||
| 37 | # VLC preferences will fail to save with read-only set. | ||
| 38 | whitelist ${HOME}/.local/share/chatterino | ||
| 39 | whitelist-ro ${HOME}/.config/mpv | ||
| 40 | whitelist-ro ${HOME}/.config/pulse | ||
| 41 | whitelist-ro ${HOME}/.config/vlc | ||
| 42 | whitelist-ro ${HOME}/.local/share/vlc | ||
| 43 | include whitelist-common.inc | ||
| 44 | include whitelist-run-common.inc | ||
| 45 | include whitelist-runuser-common.inc | ||
| 46 | include whitelist-usr-share-common.inc | ||
| 47 | include whitelist-var-common.inc | ||
| 48 | |||
| 49 | # Streamlink+VLC doesn't seem to close properly with apparmor enabled. | ||
| 50 | #apparmor | ||
| 51 | caps.drop all | ||
| 52 | netfilter | ||
| 53 | nodvd | ||
| 54 | nogroups | ||
| 55 | nonewprivs | ||
| 56 | noprinters | ||
| 57 | noroot | ||
| 58 | notv | ||
| 59 | nou2f | ||
| 60 | # Netlink is required for streamlink integration. | ||
| 61 | protocol unix,inet,inet6,netlink | ||
| 62 | # Seccomp may break browser integration. | ||
| 63 | seccomp | ||
| 64 | seccomp.block-secondary | ||
| 65 | tracelog | ||
| 66 | |||
| 67 | disable-mnt | ||
| 68 | # Add more private-bin lines for browsers or video players to chatterino.local if wanted. | ||
| 69 | private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamlink,svlc,vlc | ||
| 70 | # private-cache may cause issues with mpv (see #2838) | ||
| 71 | private-cache | ||
| 72 | private-dev | ||
| 73 | private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11 | ||
| 74 | private-srv none | ||
| 75 | private-tmp | ||
| 76 | |||
| 77 | dbus-user filter | ||
| 78 | dbus-user.own com.chatterino.* | ||
| 79 | # Allow notifications. | ||
| 80 | dbus-user.talk org.freedesktop.Notifications | ||
| 81 | # For media player integration. | ||
| 82 | dbus-user.talk org.freedesktop.ScreenSaver | ||
| 83 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | ||
| 84 | dbus-user.own org.mpris.MediaPlayer2.chatterino | ||
| 85 | dbus-user.talk org.mpris.MediaPlayer2.Player | ||
| 86 | dbus-system none | ||
| 87 | |||
| 88 | # Prevents browsers/players from lingering after Chatterino is closed. | ||
| 89 | #deterministic-shutdown | ||
| 90 | # memory-deny-write-execute may break streamlink and browser integration. | ||
| 91 | #memory-deny-write-execute | ||
| 92 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile index 835b884ad..3baa80d50 100644 --- a/etc/profile-a-l/checkbashisms.profile +++ b/etc/profile-a-l/checkbashisms.profile | |||
| @@ -52,3 +52,4 @@ dbus-user none | |||
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | 53 | ||
| 54 | memory-deny-write-execute | 54 | memory-deny-write-execute |
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile index 1e498259c..8aed77c04 100644 --- a/etc/profile-a-l/cheese.profile +++ b/etc/profile-a-l/cheese.profile | |||
| @@ -58,3 +58,5 @@ dbus-user filter | |||
| 58 | dbus-user.own org.gnome.Cheese | 58 | dbus-user.own org.gnome.Cheese |
| 59 | dbus-user.talk ca.desrt.dconf | 59 | dbus-user.talk ca.desrt.dconf |
| 60 | dbus-system none | 60 | dbus-system none |
| 61 | |||
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile index fe0c7cfe8..528d6203e 100644 --- a/etc/profile-a-l/cherrytree.profile +++ b/etc/profile-a-l/cherrytree.profile | |||
| @@ -40,3 +40,4 @@ private-cache | |||
| 40 | private-dev | 40 | private-dev |
| 41 | private-tmp | 41 | private-tmp |
| 42 | 42 | ||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile index 19addd285..c3944bd65 100644 --- a/etc/profile-a-l/chromium-common-hardened.inc.profile +++ b/etc/profile-a-l/chromium-common-hardened.inc.profile | |||
| @@ -7,3 +7,5 @@ nonewprivs | |||
| 7 | noroot | 7 | noroot |
| 8 | protocol unix,inet,inet6,netlink | 8 | protocol unix,inet,inet6,netlink |
| 9 | seccomp !chroot | 9 | seccomp !chroot |
| 10 | |||
| 11 | #restrict-namespaces | ||
diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile index 3e62d7ba2..0930c9361 100644 --- a/etc/profile-a-l/cin.profile +++ b/etc/profile-a-l/cin.profile | |||
| @@ -34,3 +34,5 @@ private-dev | |||
| 34 | 34 | ||
| 35 | dbus-user none | 35 | dbus-user none |
| 36 | dbus-system none | 36 | dbus-system none |
| 37 | |||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/cinelerra-gg b/etc/profile-a-l/cinelerra-gg.profile index ccb9fe04b..ccb9fe04b 100644 --- a/etc/profile-a-l/cinelerra-gg +++ b/etc/profile-a-l/cinelerra-gg.profile | |||
diff --git a/etc/profile-a-l/clamav.profile b/etc/profile-a-l/clamav.profile index f5f665215..ddd0eb1f9 100644 --- a/etc/profile-a-l/clamav.profile +++ b/etc/profile-a-l/clamav.profile | |||
| @@ -37,3 +37,4 @@ dbus-system none | |||
| 37 | read-only ${HOME} | 37 | read-only ${HOME} |
| 38 | 38 | ||
| 39 | memory-deny-write-execute | 39 | memory-deny-write-execute |
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile index 842416171..9fc73ee55 100644 --- a/etc/profile-a-l/clamtk.profile +++ b/etc/profile-a-l/clamtk.profile | |||
| @@ -27,3 +27,5 @@ private-dev | |||
| 27 | 27 | ||
| 28 | dbus-user none | 28 | dbus-user none |
| 29 | dbus-system none | 29 | dbus-system none |
| 30 | |||
| 31 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile index 268cf01b4..4f4e8e7bf 100644 --- a/etc/profile-a-l/clawsker.profile +++ b/etc/profile-a-l/clawsker.profile | |||
| @@ -51,3 +51,4 @@ dbus-user none | |||
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | 52 | ||
| 53 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 53 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile index b1509f391..ee01fa653 100644 --- a/etc/profile-a-l/clementine.profile +++ b/etc/profile-a-l/clementine.profile | |||
| @@ -38,3 +38,5 @@ private-tmp | |||
| 38 | 38 | ||
| 39 | dbus-system none | 39 | dbus-system none |
| 40 | # dbus-user none | 40 | # dbus-user none |
| 41 | |||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile index a8d57d63d..652809f1b 100644 --- a/etc/profile-a-l/clion.profile +++ b/etc/profile-a-l/clion.profile | |||
| @@ -40,3 +40,4 @@ private-dev | |||
| 40 | # private-tmp | 40 | # private-tmp |
| 41 | 41 | ||
| 42 | noexec /tmp | 42 | noexec /tmp |
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile index 4086f46ba..3f3748e1a 100644 --- a/etc/profile-a-l/clipgrab.profile +++ b/etc/profile-a-l/clipgrab.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it. | 48 | # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it. |
| 49 | # dbus-user none | 49 | # dbus-user none |
| 50 | # dbus-system none | 50 | # dbus-system none |
| 51 | |||
| 52 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile index ef1800aaa..504bce0b1 100644 --- a/etc/profile-a-l/clipit.profile +++ b/etc/profile-a-l/clipit.profile | |||
| @@ -13,7 +13,9 @@ include disable-common.inc | |||
| 13 | include disable-devel.inc | 13 | include disable-devel.inc |
| 14 | include disable-exec.inc | 14 | include disable-exec.inc |
| 15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
| 16 | include disable-proc.inc | ||
| 16 | include disable-programs.inc | 17 | include disable-programs.inc |
| 18 | include disable-shell.inc | ||
| 17 | include disable-xdg.inc | 19 | include disable-xdg.inc |
| 18 | 20 | ||
| 19 | mkdir ${HOME}/.config/clipit | 21 | mkdir ${HOME}/.config/clipit |
| @@ -21,6 +23,8 @@ mkdir ${HOME}/.local/share/clipit | |||
| 21 | whitelist ${HOME}/.config/clipit | 23 | whitelist ${HOME}/.config/clipit |
| 22 | whitelist ${HOME}/.local/share/clipit | 24 | whitelist ${HOME}/.local/share/clipit |
| 23 | include whitelist-common.inc | 25 | include whitelist-common.inc |
| 26 | include whitelist-run-common.inc | ||
| 27 | include whitelist-runuser-common.inc | ||
| 24 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
| 25 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
| 26 | 30 | ||
| @@ -34,6 +38,7 @@ nodvd | |||
| 34 | nogroups | 38 | nogroups |
| 35 | noinput | 39 | noinput |
| 36 | nonewprivs | 40 | nonewprivs |
| 41 | noprinters | ||
| 37 | noroot | 42 | noroot |
| 38 | nosound | 43 | nosound |
| 39 | notv | 44 | notv |
| @@ -41,9 +46,18 @@ nou2f | |||
| 41 | novideo | 46 | novideo |
| 42 | protocol unix | 47 | protocol unix |
| 43 | seccomp | 48 | seccomp |
| 49 | tracelog | ||
| 44 | 50 | ||
| 45 | disable-mnt | 51 | disable-mnt |
| 52 | private-bin clipit,xdotool | ||
| 46 | private-cache | 53 | private-cache |
| 47 | private-dev | 54 | private-dev |
| 55 | private-lib libxdo.so.* | ||
| 48 | private-tmp | 56 | private-tmp |
| 49 | 57 | ||
| 58 | dbus-user none | ||
| 59 | dbus-system none | ||
| 60 | |||
| 61 | #memory-deny-write-execute | ||
| 62 | read-only ${HOME} | ||
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile index fa5693901..ad6332f78 100644 --- a/etc/profile-a-l/cmus.profile +++ b/etc/profile-a-l/cmus.profile | |||
| @@ -27,3 +27,5 @@ seccomp | |||
| 27 | 27 | ||
| 28 | private-bin cmus | 28 | private-bin cmus |
| 29 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl | 29 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
| 30 | |||
| 31 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/cointop.profile b/etc/profile-a-l/cointop.profile index b4f73458c..c341c4ea2 100644 --- a/etc/profile-a-l/cointop.profile +++ b/etc/profile-a-l/cointop.profile | |||
| @@ -60,3 +60,4 @@ dbus-user none | |||
| 60 | dbus-system none | 60 | dbus-system none |
| 61 | 61 | ||
| 62 | memory-deny-write-execute | 62 | memory-deny-write-execute |
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile index 79ab5e7b1..442d50259 100644 --- a/etc/profile-a-l/colorful.profile +++ b/etc/profile-a-l/colorful.profile | |||
| @@ -49,3 +49,5 @@ private-tmp | |||
| 49 | 49 | ||
| 50 | dbus-user none | 50 | dbus-user none |
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile index 7024ddb28..990b6bc5a 100644 --- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile +++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile | |||
| @@ -52,3 +52,5 @@ private-tmp | |||
| 52 | # dbus-user.own com.github.bleakgrey.tootle | 52 | # dbus-user.own com.github.bleakgrey.tootle |
| 53 | # dbus-user.talk ca.desrt.dconf | 53 | # dbus-user.talk ca.desrt.dconf |
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile index 05768977d..5f2a1c3e6 100644 --- a/etc/profile-a-l/com.github.dahenson.agenda.profile +++ b/etc/profile-a-l/com.github.dahenson.agenda.profile | |||
| @@ -63,3 +63,4 @@ read-only ${HOME} | |||
| 63 | read-write ${HOME}/.cache/agenda | 63 | read-write ${HOME}/.cache/agenda |
| 64 | read-write ${HOME}/.config/agenda | 64 | read-write ${HOME}/.config/agenda |
| 65 | read-write ${HOME}/.local/share/agenda | 65 | read-write ${HOME}/.local/share/agenda |
| 66 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile index 06c6e5f84..21f37494b 100644 --- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile +++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile | |||
| @@ -60,3 +60,4 @@ private-tmp | |||
| 60 | read-only ${HOME} | 60 | read-only ${HOME} |
| 61 | read-write ${HOME}/.cache/com.github.johnfactotum.Foliate | 61 | read-write ${HOME}/.cache/com.github.johnfactotum.Foliate |
| 62 | read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate | 62 | read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate |
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile index 667f9805c..07a6a6813 100644 --- a/etc/profile-a-l/com.github.phase1geo.minder.profile +++ b/etc/profile-a-l/com.github.phase1geo.minder.profile | |||
| @@ -58,3 +58,5 @@ dbus-user filter | |||
| 58 | dbus-user.own com.github.phase1geo.minder | 58 | dbus-user.own com.github.phase1geo.minder |
| 59 | dbus-user.talk ca.desrt.dconf | 59 | dbus-user.talk ca.desrt.dconf |
| 60 | dbus-system none | 60 | dbus-system none |
| 61 | |||
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/com.github.tchx84.Flatseal.profile b/etc/profile-a-l/com.github.tchx84.Flatseal.profile index 20236c161..fd4494e92 100644 --- a/etc/profile-a-l/com.github.tchx84.Flatseal.profile +++ b/etc/profile-a-l/com.github.tchx84.Flatseal.profile | |||
| @@ -62,3 +62,4 @@ dbus-user.talk org.gnome.Software | |||
| 62 | dbus-system none | 62 | dbus-system none |
| 63 | 63 | ||
| 64 | read-write ${HOME}/.local/share/flatpak/overrides | 64 | read-write ${HOME}/.local/share/flatpak/overrides |
| 65 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/conkeror.profile b/etc/profile-a-l/conkeror.profile index 38edf0d21..6486990f5 100644 --- a/etc/profile-a-l/conkeror.profile +++ b/etc/profile-a-l/conkeror.profile | |||
| @@ -34,3 +34,5 @@ protocol unix,inet,inet6 | |||
| 34 | seccomp | 34 | seccomp |
| 35 | 35 | ||
| 36 | disable-mnt | 36 | disable-mnt |
| 37 | |||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile index 49a0a40ff..39e6d3cf9 100644 --- a/etc/profile-a-l/conky.profile +++ b/etc/profile-a-l/conky.profile | |||
| @@ -43,3 +43,4 @@ private-dev | |||
| 43 | private-tmp | 43 | private-tmp |
| 44 | 44 | ||
| 45 | memory-deny-write-execute | 45 | memory-deny-write-execute |
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile index 41b9f79a1..1774669f1 100644 --- a/etc/profile-a-l/corebird.profile +++ b/etc/profile-a-l/corebird.profile | |||
| @@ -35,3 +35,4 @@ private-bin corebird | |||
| 35 | private-dev | 35 | private-dev |
| 36 | private-tmp | 36 | private-tmp |
| 37 | 37 | ||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile index 2245903a4..e896f3537 100644 --- a/etc/profile-a-l/cower.profile +++ b/etc/profile-a-l/cower.profile | |||
| @@ -46,3 +46,4 @@ private-tmp | |||
| 46 | 46 | ||
| 47 | memory-deny-write-execute | 47 | memory-deny-write-execute |
| 48 | read-only ${HOME}/.config/cower/config | 48 | read-only ${HOME}/.config/cower/config |
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile index 24a149c5f..793de8ab4 100644 --- a/etc/profile-a-l/coyim.profile +++ b/etc/profile-a-l/coyim.profile | |||
| @@ -46,3 +46,4 @@ dbus-user none | |||
| 46 | dbus-system none | 46 | dbus-system none |
| 47 | 47 | ||
| 48 | #memory-deny-write-execute | 48 | #memory-deny-write-execute |
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile index 7928dd93c..7df7b4480 100644 --- a/etc/profile-a-l/crawl.profile +++ b/etc/profile-a-l/crawl.profile | |||
| @@ -44,3 +44,5 @@ private-tmp | |||
| 44 | 44 | ||
| 45 | dbus-user none | 45 | dbus-user none |
| 46 | dbus-system none | 46 | dbus-system none |
| 47 | |||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile index ba0dfb1a6..842191f3f 100644 --- a/etc/profile-a-l/crow.profile +++ b/etc/profile-a-l/crow.profile | |||
| @@ -43,3 +43,4 @@ private-opt none | |||
| 43 | private-tmp | 43 | private-tmp |
| 44 | private-srv none | 44 | private-srv none |
| 45 | 45 | ||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile index 3fa6ab764..3e5878574 100644 --- a/etc/profile-a-l/curl.profile +++ b/etc/profile-a-l/curl.profile | |||
| @@ -58,3 +58,5 @@ private-tmp | |||
| 58 | 58 | ||
| 59 | dbus-user none | 59 | dbus-user none |
| 60 | dbus-system none | 60 | dbus-system none |
| 61 | |||
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile index a3a16fa0c..63d89ec36 100644 --- a/etc/profile-a-l/d-feet.profile +++ b/etc/profile-a-l/d-feet.profile | |||
| @@ -53,3 +53,4 @@ private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id | |||
| 53 | private-tmp | 53 | private-tmp |
| 54 | 54 | ||
| 55 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 55 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile index 20d5657eb..f871b80aa 100644 --- a/etc/profile-a-l/darktable.profile +++ b/etc/profile-a-l/darktable.profile | |||
| @@ -41,3 +41,4 @@ seccomp | |||
| 41 | private-dev | 41 | private-dev |
| 42 | private-tmp | 42 | private-tmp |
| 43 | 43 | ||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile index 95f24a0ad..b259c7e93 100644 --- a/etc/profile-a-l/dbus-send.profile +++ b/etc/profile-a-l/dbus-send.profile | |||
| @@ -56,3 +56,4 @@ private-tmp | |||
| 56 | 56 | ||
| 57 | memory-deny-write-execute | 57 | memory-deny-write-execute |
| 58 | read-only ${HOME} | 58 | read-only ${HOME} |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile index 110c9f58e..876e637b2 100644 --- a/etc/profile-a-l/dconf-editor.profile +++ b/etc/profile-a-l/dconf-editor.profile | |||
| @@ -50,3 +50,5 @@ dbus-user filter | |||
| 50 | dbus-user.own ca.desrt.dconf-editor | 50 | dbus-user.own ca.desrt.dconf-editor |
| 51 | dbus-user.talk ca.desrt.dconf | 51 | dbus-user.talk ca.desrt.dconf |
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | |||
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile index 56583838e..5136445da 100644 --- a/etc/profile-a-l/dconf.profile +++ b/etc/profile-a-l/dconf.profile | |||
| @@ -50,3 +50,4 @@ private-lib | |||
| 50 | private-tmp | 50 | private-tmp |
| 51 | 51 | ||
| 52 | memory-deny-write-execute | 52 | memory-deny-write-execute |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile index be1f2eece..8ea5d178e 100644 --- a/etc/profile-a-l/ddgtk.profile +++ b/etc/profile-a-l/ddgtk.profile | |||
| @@ -51,3 +51,4 @@ dbus-user none | |||
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | 52 | ||
| 53 | # memory-deny-write-execute - breaks on Arch | 53 | # memory-deny-write-execute - breaks on Arch |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile index 205424a62..4eb89503a 100644 --- a/etc/profile-a-l/deadbeef.profile +++ b/etc/profile-a-l/deadbeef.profile | |||
| @@ -32,3 +32,4 @@ seccomp | |||
| 32 | private-dev | 32 | private-dev |
| 33 | private-tmp | 33 | private-tmp |
| 34 | 34 | ||
| 35 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index 397a89bee..a10bbab5b 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile | |||
| @@ -60,4 +60,4 @@ seccomp | |||
| 60 | # deterministic-shutdown | 60 | # deterministic-shutdown |
| 61 | # memory-deny-write-execute | 61 | # memory-deny-write-execute |
| 62 | # read-only ${HOME} | 62 | # read-only ${HOME} |
| 63 | # restrict-namespaces | 63 | restrict-namespaces |
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile index d8a27da62..ebc751e1a 100644 --- a/etc/profile-a-l/deluge.profile +++ b/etc/profile-a-l/deluge.profile | |||
| @@ -43,3 +43,5 @@ seccomp | |||
| 43 | private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname | 43 | private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname |
| 44 | private-dev | 44 | private-dev |
| 45 | private-tmp | 45 | private-tmp |
| 46 | |||
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile index 2b03f0ea0..71579905e 100644 --- a/etc/profile-a-l/desktopeditors.profile +++ b/etc/profile-a-l/desktopeditors.profile | |||
| @@ -42,3 +42,5 @@ private-tmp | |||
| 42 | 42 | ||
| 43 | dbus-user none | 43 | dbus-user none |
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | |||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile index 42318527c..ef31fc3eb 100644 --- a/etc/profile-a-l/devhelp.profile +++ b/etc/profile-a-l/devhelp.profile | |||
| @@ -50,3 +50,4 @@ private-tmp | |||
| 50 | 50 | ||
| 51 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 51 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 52 | read-only ${HOME} | 52 | read-only ${HOME} |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile index 4b4bfbc5f..0579547af 100644 --- a/etc/profile-a-l/devilspie.profile +++ b/etc/profile-a-l/devilspie.profile | |||
| @@ -56,3 +56,4 @@ dbus-system none | |||
| 56 | 56 | ||
| 57 | memory-deny-write-execute | 57 | memory-deny-write-execute |
| 58 | read-only ${HOME} | 58 | read-only ${HOME} |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dex2jar.profile b/etc/profile-a-l/dex2jar.profile index 0908c16f1..b71387b2f 100644 --- a/etc/profile-a-l/dex2jar.profile +++ b/etc/profile-a-l/dex2jar.profile | |||
| @@ -39,3 +39,5 @@ private-dev | |||
| 39 | 39 | ||
| 40 | dbus-user none | 40 | dbus-user none |
| 41 | dbus-system none | 41 | dbus-system none |
| 42 | |||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile index 30db25ee9..efcdb7ce4 100644 --- a/etc/profile-a-l/dia.profile +++ b/etc/profile-a-l/dia.profile | |||
| @@ -54,3 +54,5 @@ private-tmp | |||
| 54 | 54 | ||
| 55 | dbus-user none | 55 | dbus-user none |
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | |||
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile index a6de5e05e..048b92800 100644 --- a/etc/profile-a-l/dig.profile +++ b/etc/profile-a-l/dig.profile | |||
| @@ -56,3 +56,4 @@ dbus-user none | |||
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | 57 | ||
| 58 | memory-deny-write-execute | 58 | memory-deny-write-execute |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile index c1f0e3a14..05f0dfba8 100644 --- a/etc/profile-a-l/digikam.profile +++ b/etc/profile-a-l/digikam.profile | |||
| @@ -43,3 +43,5 @@ private-tmp | |||
| 43 | 43 | ||
| 44 | # dbus-user none | 44 | # dbus-user none |
| 45 | # dbus-system none | 45 | # dbus-system none |
| 46 | |||
| 47 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile index 19b99b5fd..c7cecf23e 100644 --- a/etc/profile-a-l/dillo.profile +++ b/etc/profile-a-l/dillo.profile | |||
| @@ -37,3 +37,4 @@ private-dev | |||
| 37 | private-tmp | 37 | private-tmp |
| 38 | 38 | ||
| 39 | deterministic-shutdown | 39 | deterministic-shutdown |
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile index 6802c7eed..1f7134ff2 100644 --- a/etc/profile-a-l/dino.profile +++ b/etc/profile-a-l/dino.profile | |||
| @@ -53,3 +53,5 @@ dbus-user.talk org.freedesktop.Notifications | |||
| 53 | dbus-system filter | 53 | dbus-system filter |
| 54 | # Integration with systemd-logind or elogind | 54 | # Integration with systemd-logind or elogind |
| 55 | dbus-system.talk org.freedesktop.login1 | 55 | dbus-system.talk org.freedesktop.login1 |
| 56 | |||
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile index 6e8e30bfe..15f6e441d 100644 --- a/etc/profile-a-l/display.profile +++ b/etc/profile-a-l/display.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile index 0efebd9a6..0d52805b7 100644 --- a/etc/profile-a-l/dnscrypt-proxy.profile +++ b/etc/profile-a-l/dnscrypt-proxy.profile | |||
| @@ -51,3 +51,4 @@ dbus-system none | |||
| 51 | 51 | ||
| 52 | # mdwe can break modules/plugins | 52 | # mdwe can break modules/plugins |
| 53 | memory-deny-write-execute | 53 | memory-deny-write-execute |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile index 13efd2fa8..40ccab8c7 100644 --- a/etc/profile-a-l/dnsmasq.profile +++ b/etc/profile-a-l/dnsmasq.profile | |||
| @@ -40,3 +40,5 @@ private | |||
| 40 | private-dev | 40 | private-dev |
| 41 | private-tmp | 41 | private-tmp |
| 42 | writable-var | 42 | writable-var |
| 43 | |||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile index b8a29beb7..acaf2e021 100644 --- a/etc/profile-a-l/dolphin-emu.profile +++ b/etc/profile-a-l/dolphin-emu.profile | |||
| @@ -60,3 +60,5 @@ private-tmp | |||
| 60 | 60 | ||
| 61 | dbus-user none | 61 | dbus-user none |
| 62 | dbus-system none | 62 | dbus-system none |
| 63 | |||
| 64 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dooble.profile b/etc/profile-a-l/dooble.profile index 427d70e97..6e8d32848 100644 --- a/etc/profile-a-l/dooble.profile +++ b/etc/profile-a-l/dooble.profile | |||
| @@ -38,3 +38,4 @@ disable-mnt | |||
| 38 | private-dev | 38 | private-dev |
| 39 | private-tmp | 39 | private-tmp |
| 40 | 40 | ||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile index 845277396..1edbb7ca0 100644 --- a/etc/profile-a-l/dosbox.profile +++ b/etc/profile-a-l/dosbox.profile | |||
| @@ -41,3 +41,5 @@ private-tmp | |||
| 41 | 41 | ||
| 42 | dbus-user none | 42 | dbus-user none |
| 43 | dbus-system none | 43 | dbus-system none |
| 44 | |||
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile index 14c5e7155..742385855 100644 --- a/etc/profile-a-l/dragon.profile +++ b/etc/profile-a-l/dragon.profile | |||
| @@ -39,3 +39,4 @@ private-bin dragon | |||
| 39 | private-dev | 39 | private-dev |
| 40 | private-tmp | 40 | private-tmp |
| 41 | 41 | ||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile index b533ad590..9d9fa291b 100644 --- a/etc/profile-a-l/drawio.profile +++ b/etc/profile-a-l/drawio.profile | |||
| @@ -51,3 +51,4 @@ dbus-user none | |||
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | 52 | ||
| 53 | # memory-deny-write-execute - breaks on Arch | 53 | # memory-deny-write-execute - breaks on Arch |
| 54 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile index ffbd06cb6..bd6fb6dcc 100644 --- a/etc/profile-a-l/drill.profile +++ b/etc/profile-a-l/drill.profile | |||
| @@ -52,3 +52,4 @@ dbus-user none | |||
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | 53 | ||
| 54 | memory-deny-write-execute | 54 | memory-deny-write-execute |
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile index 5d83485d2..4fdf1bbfe 100644 --- a/etc/profile-a-l/dropbox.profile +++ b/etc/profile-a-l/dropbox.profile | |||
| @@ -46,3 +46,4 @@ private-dev | |||
| 46 | private-tmp | 46 | private-tmp |
| 47 | 47 | ||
| 48 | noexec /tmp | 48 | noexec /tmp |
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile index 9db24f5a3..920eb7697 100644 --- a/etc/profile-a-l/easystroke.profile +++ b/etc/profile-a-l/easystroke.profile | |||
| @@ -53,3 +53,4 @@ private-tmp | |||
| 53 | # dbus-system none | 53 | # dbus-system none |
| 54 | 54 | ||
| 55 | memory-deny-write-execute | 55 | memory-deny-write-execute |
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile index ad3a38bfa..78a996f71 100644 --- a/etc/profile-a-l/electrum.profile +++ b/etc/profile-a-l/electrum.profile | |||
| @@ -51,3 +51,5 @@ private-tmp | |||
| 51 | 51 | ||
| 52 | # dbus-user none | 52 | # dbus-user none |
| 53 | # dbus-system none | 53 | # dbus-system none |
| 54 | |||
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile index 7e9be653d..5b44f4ccd 100644 --- a/etc/profile-a-l/emacs.profile +++ b/etc/profile-a-l/emacs.profile | |||
| @@ -30,3 +30,4 @@ seccomp | |||
| 30 | 30 | ||
| 31 | read-write ${HOME}/.emacs | 31 | read-write ${HOME}/.emacs |
| 32 | read-write ${HOME}/.emacs.d | 32 | read-write ${HOME}/.emacs.d |
| 33 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 2b26b3727..86fb27514 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
| @@ -65,7 +65,7 @@ tracelog | |||
| 65 | # disable-mnt | 65 | # disable-mnt |
| 66 | private-cache | 66 | private-cache |
| 67 | private-dev | 67 | private-dev |
| 68 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg | 68 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,localtime,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg |
| 69 | private-tmp | 69 | private-tmp |
| 70 | # encrypting and signing email | 70 | # encrypting and signing email |
| 71 | writable-run-user | 71 | writable-run-user |
| @@ -81,3 +81,4 @@ dbus-system none | |||
| 81 | 81 | ||
| 82 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 82 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
| 83 | read-only ${HOME}/.signature | 83 | read-only ${HOME}/.signature |
| 84 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/empathy.profile b/etc/profile-a-l/empathy.profile index 5ca640d30..9a128d7af 100644 --- a/etc/profile-a-l/empathy.profile +++ b/etc/profile-a-l/empathy.profile | |||
| @@ -24,3 +24,5 @@ seccomp | |||
| 24 | 24 | ||
| 25 | private-cache | 25 | private-cache |
| 26 | private-tmp | 26 | private-tmp |
| 27 | |||
| 28 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile index d9abe52b0..37a6c088b 100644 --- a/etc/profile-a-l/enchant.profile +++ b/etc/profile-a-l/enchant.profile | |||
| @@ -55,3 +55,4 @@ dbus-user none | |||
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | 56 | ||
| 57 | memory-deny-write-execute | 57 | memory-deny-write-execute |
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile index 37eb21546..1118c3bf0 100644 --- a/etc/profile-a-l/engrampa.profile +++ b/etc/profile-a-l/engrampa.profile | |||
| @@ -38,3 +38,5 @@ private-dev | |||
| 38 | dbus-user filter | 38 | dbus-user filter |
| 39 | dbus-user.talk ca.desrt.dconf | 39 | dbus-user.talk ca.desrt.dconf |
| 40 | dbus-system none | 40 | dbus-system none |
| 41 | |||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile index 2d3367255..45a1125b4 100644 --- a/etc/profile-a-l/enpass.profile +++ b/etc/profile-a-l/enpass.profile | |||
| @@ -59,3 +59,4 @@ private-opt Enpass | |||
| 59 | private-tmp | 59 | private-tmp |
| 60 | 60 | ||
| 61 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 61 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile index f25f2a291..83abb551e 100644 --- a/etc/profile-a-l/eo-common.profile +++ b/etc/profile-a-l/eo-common.profile | |||
| @@ -49,3 +49,5 @@ private-dev | |||
| 49 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload | 49 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
| 50 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* | 50 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* |
| 51 | private-tmp | 51 | private-tmp |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile index 37b7fdf11..adda53660 100644 --- a/etc/profile-a-l/ephemeral.profile +++ b/etc/profile-a-l/ephemeral.profile | |||
| @@ -61,3 +61,5 @@ private-tmp | |||
| 61 | # breaks preferences | 61 | # breaks preferences |
| 62 | # dbus-user none | 62 | # dbus-user none |
| 63 | # dbus-system none | 63 | # dbus-system none |
| 64 | |||
| 65 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/epiphany.profile b/etc/profile-a-l/epiphany.profile index 225811226..a8d00d045 100644 --- a/etc/profile-a-l/epiphany.profile +++ b/etc/profile-a-l/epiphany.profile | |||
| @@ -34,3 +34,5 @@ nonewprivs | |||
| 34 | notv | 34 | notv |
| 35 | protocol unix,inet,inet6 | 35 | protocol unix,inet,inet6 |
| 36 | seccomp | 36 | seccomp |
| 37 | |||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile index 60d50a7fa..2fe0a4af4 100644 --- a/etc/profile-a-l/equalx.profile +++ b/etc/profile-a-l/equalx.profile | |||
| @@ -60,3 +60,4 @@ dbus-user none | |||
| 60 | dbus-system none | 60 | dbus-system none |
| 61 | 61 | ||
| 62 | memory-deny-write-execute | 62 | memory-deny-write-execute |
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile index 8fa6cd3b4..7d27f12c9 100644 --- a/etc/profile-a-l/etr.profile +++ b/etc/profile-a-l/etr.profile | |||
| @@ -53,3 +53,5 @@ private-tmp | |||
| 53 | 53 | ||
| 54 | dbus-user none | 54 | dbus-user none |
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | |||
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index 21bf7eabf..95115d484 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile | |||
| @@ -6,9 +6,9 @@ include evince.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | # WARNING: using bookmarks possibly exposes information, including file history from other programs. | 9 | # WARNING: This exposes information like file history from other programs. |
| 10 | # Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below). | 10 | # You can add a blacklist for it in your evince.local for additional hardening if you can live with some restrictions. |
| 11 | #noblacklist ${HOME}/.local/share/gvfs-metadata | 11 | noblacklist ${HOME}/.local/share/gvfs-metadata |
| 12 | 12 | ||
| 13 | noblacklist ${HOME}/.config/evince | 13 | noblacklist ${HOME}/.config/evince |
| 14 | noblacklist ${DOCUMENTS} | 14 | noblacklist ${DOCUMENTS} |
| @@ -59,9 +59,10 @@ private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd | |||
| 59 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* | 59 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* |
| 60 | private-tmp | 60 | private-tmp |
| 61 | 61 | ||
| 62 | # dbus-user filtering might break two-page-view on some systems | ||
| 63 | dbus-user filter | 62 | dbus-user filter |
| 64 | # Add the next two lines to your evince.local if you need bookmarks support. | 63 | dbus-user.talk ca.desrt.dconf |
| 65 | #dbus-user.talk org.gtk.vfs.Daemon | 64 | dbus-user.talk org.gtk.vfs.Daemon |
| 66 | #dbus-user.talk org.gtk.vfs.Metadata | 65 | dbus-user.talk org.gtk.vfs.Metadata |
| 67 | dbus-system none | 66 | dbus-system none |
| 67 | |||
| 68 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 6f959df6e..517bb6206 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile | |||
| @@ -43,3 +43,5 @@ seccomp | |||
| 43 | private-dev | 43 | private-dev |
| 44 | private-tmp | 44 | private-tmp |
| 45 | writable-var | 45 | writable-var |
| 46 | |||
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile index dd5e32f49..45331487c 100644 --- a/etc/profile-a-l/exiftool.profile +++ b/etc/profile-a-l/exiftool.profile | |||
| @@ -54,3 +54,4 @@ dbus-user none | |||
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | 55 | ||
| 56 | memory-deny-write-execute | 56 | memory-deny-write-execute |
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile index 321cb0145..2daf1ff15 100644 --- a/etc/profile-a-l/falkon.profile +++ b/etc/profile-a-l/falkon.profile | |||
| @@ -53,3 +53,5 @@ private-tmp | |||
| 53 | # dbus-user filter | 53 | # dbus-user filter |
| 54 | # dbus-user.own org.kde.Falkon | 54 | # dbus-user.own org.kde.Falkon |
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | |||
| 57 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile index 5679f7cc1..434371aee 100644 --- a/etc/profile-a-l/fbreader.profile +++ b/etc/profile-a-l/fbreader.profile | |||
| @@ -36,3 +36,5 @@ seccomp | |||
| 36 | private-bin fbreader,FBReader | 36 | private-bin fbreader,FBReader |
| 37 | private-dev | 37 | private-dev |
| 38 | private-tmp | 38 | private-tmp |
| 39 | |||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile index ee775566e..248cb5b49 100644 --- a/etc/profile-a-l/fdns.profile +++ b/etc/profile-a-l/fdns.profile | |||
| @@ -47,3 +47,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so. | |||
| 47 | private-tmp | 47 | private-tmp |
| 48 | 48 | ||
| 49 | memory-deny-write-execute | 49 | memory-deny-write-execute |
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile index 83de90908..6aa24cc86 100644 --- a/etc/profile-a-l/feedreader.profile +++ b/etc/profile-a-l/feedreader.profile | |||
| @@ -56,3 +56,5 @@ dbus-user.talk org.freedesktop.secrets | |||
| 56 | #dbus-user.talk org.freedesktop.Notifications | 56 | #dbus-user.talk org.freedesktop.Notifications |
| 57 | #dbus-user.talk org.gnome.OnlineAccounts | 57 | #dbus-user.talk org.gnome.OnlineAccounts |
| 58 | dbus-system none | 58 | dbus-system none |
| 59 | |||
| 60 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index 9b0262f5b..be5ab8627 100644 --- a/etc/profile-a-l/feh.profile +++ b/etc/profile-a-l/feh.profile | |||
| @@ -40,3 +40,5 @@ private-tmp | |||
| 40 | 40 | ||
| 41 | dbus-user none | 41 | dbus-user none |
| 42 | dbus-system none | 42 | dbus-system none |
| 43 | |||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile index e11baa536..3a044542f 100644 --- a/etc/profile-a-l/ferdi.profile +++ b/etc/profile-a-l/ferdi.profile | |||
| @@ -44,3 +44,5 @@ seccomp !chroot | |||
| 44 | disable-mnt | 44 | disable-mnt |
| 45 | private-dev | 45 | private-dev |
| 46 | private-tmp | 46 | private-tmp |
| 47 | |||
| 48 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile index cb01fc5dd..ea90239e0 100644 --- a/etc/profile-a-l/fetchmail.profile +++ b/etc/profile-a-l/fetchmail.profile | |||
| @@ -31,3 +31,5 @@ seccomp | |||
| 31 | 31 | ||
| 32 | #private-bin bash,chmod,fetchmail,procmail | 32 | #private-bin bash,chmod,fetchmail,procmail |
| 33 | private-dev | 33 | private-dev |
| 34 | |||
| 35 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile index 42de048d7..160f26f78 100644 --- a/etc/profile-a-l/ffmpeg.profile +++ b/etc/profile-a-l/ffmpeg.profile | |||
| @@ -54,3 +54,4 @@ dbus-user none | |||
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | 55 | ||
| 56 | # memory-deny-write-execute - it breaks old versions of ffmpeg | 56 | # memory-deny-write-execute - it breaks old versions of ffmpeg |
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile index 9ab7e36d3..bf8475758 100644 --- a/etc/profile-a-l/file-manager-common.profile +++ b/etc/profile-a-l/file-manager-common.profile | |||
| @@ -49,3 +49,5 @@ private-dev | |||
| 49 | 49 | ||
| 50 | #dbus-user none | 50 | #dbus-user none |
| 51 | #dbus-system none | 51 | #dbus-system none |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile index 06744cdd3..ef4e0e117 100644 --- a/etc/profile-a-l/file-roller.profile +++ b/etc/profile-a-l/file-roller.profile | |||
| @@ -46,3 +46,5 @@ private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg | |||
| 46 | # private-tmp | 46 | # private-tmp |
| 47 | 47 | ||
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | |||
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile index bcb2abc8b..a5fd05bc7 100644 --- a/etc/profile-a-l/file.profile +++ b/etc/profile-a-l/file.profile | |||
| @@ -44,3 +44,4 @@ dbus-system none | |||
| 44 | 44 | ||
| 45 | memory-deny-write-execute | 45 | memory-deny-write-execute |
| 46 | read-only ${HOME} | 46 | read-only ${HOME} |
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile index 273e6180c..e80a875f1 100644 --- a/etc/profile-a-l/filezilla.profile +++ b/etc/profile-a-l/filezilla.profile | |||
| @@ -41,3 +41,5 @@ seccomp | |||
| 41 | private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh | 41 | private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh |
| 42 | private-dev | 42 | private-dev |
| 43 | private-tmp | 43 | private-tmp |
| 44 | |||
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index b2b7c362a..6dc1fca8a 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile | |||
| @@ -2,8 +2,13 @@ | |||
| 2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
| 3 | include firefox-common-addons.local | 3 | include firefox-common-addons.local |
| 4 | 4 | ||
| 5 | # Prevent whitelisting in ${RUNUSER} | ||
| 5 | ignore whitelist ${RUNUSER}/*firefox* | 6 | ignore whitelist ${RUNUSER}/*firefox* |
| 7 | ignore whitelist ${RUNUSER}/psd/*firefox* | ||
| 8 | ignore whitelist ${RUNUSER}/kpxc_server | ||
| 9 | ignore whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer | ||
| 6 | ignore include whitelist-runuser-common.inc | 10 | ignore include whitelist-runuser-common.inc |
| 11 | |||
| 7 | ignore private-cache | 12 | ignore private-cache |
| 8 | 13 | ||
| 9 | noblacklist ${HOME}/.cache/youtube-dl | 14 | noblacklist ${HOME}/.cache/youtube-dl |
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 47eb8638e..60d64736e 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile | |||
| @@ -8,6 +8,8 @@ include firefox-common.local | |||
| 8 | 8 | ||
| 9 | # noexec ${HOME} breaks DRM binaries. | 9 | # noexec ${HOME} breaks DRM binaries. |
| 10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | 10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
| 11 | # noexec ${RUNUSER} breaks DRM binaries when using profile-sync-daemon. | ||
| 12 | ?BROWSER_ALLOW_DRM: ignore noexec ${RUNUSER} | ||
| 11 | 13 | ||
| 12 | # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins. | 14 | # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins. |
| 13 | #include firefox-common-addons.profile | 15 | #include firefox-common-addons.profile |
| @@ -68,3 +70,5 @@ blacklist ${PATH}/wget2 | |||
| 68 | # Gnome connector, KDE connect and power management on KDE Plasma. | 70 | # Gnome connector, KDE connect and power management on KDE Plasma. |
| 69 | dbus-user none | 71 | dbus-user none |
| 70 | dbus-system none | 72 | dbus-system none |
| 73 | |||
| 74 | #restrict-namespaces | ||
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile index d5034ef8e..0984055a3 100644 --- a/etc/profile-a-l/flameshot.profile +++ b/etc/profile-a-l/flameshot.profile | |||
| @@ -65,3 +65,5 @@ dbus-user.talk org.kde.KWin | |||
| 65 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | 65 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
| 66 | ?ALLOW_TRAY: dbus-user.own org.kde.* | 66 | ?ALLOW_TRAY: dbus-user.own org.kde.* |
| 67 | dbus-system none | 67 | dbus-system none |
| 68 | |||
| 69 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile index 4bb1b2a71..740dc153f 100644 --- a/etc/profile-a-l/flowblade.profile +++ b/etc/profile-a-l/flowblade.profile | |||
| @@ -35,3 +35,4 @@ private-cache | |||
| 35 | private-dev | 35 | private-dev |
| 36 | private-tmp | 36 | private-tmp |
| 37 | 37 | ||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile index 1210f365c..af55ffc89 100644 --- a/etc/profile-a-l/fluxbox.profile +++ b/etc/profile-a-l/fluxbox.profile | |||
| @@ -14,5 +14,6 @@ caps.drop all | |||
| 14 | netfilter | 14 | netfilter |
| 15 | noroot | 15 | noroot |
| 16 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
| 17 | seccomp | 17 | seccomp !chroot |
| 18 | 18 | ||
| 19 | #restrict-namespaces | ||
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile index fcd4afa44..88ae56c82 100644 --- a/etc/profile-a-l/font-manager.profile +++ b/etc/profile-a-l/font-manager.profile | |||
| @@ -54,3 +54,4 @@ private-dev | |||
| 54 | private-tmp | 54 | private-tmp |
| 55 | 55 | ||
| 56 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 56 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile index f18250fdb..756ca4fae 100644 --- a/etc/profile-a-l/fontforge.profile +++ b/etc/profile-a-l/fontforge.profile | |||
| @@ -38,3 +38,4 @@ private-cache | |||
| 38 | private-dev | 38 | private-dev |
| 39 | private-tmp | 39 | private-tmp |
| 40 | 40 | ||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile index 796081ece..a614d7d9f 100644 --- a/etc/profile-a-l/fractal.profile +++ b/etc/profile-a-l/fractal.profile | |||
| @@ -55,3 +55,5 @@ dbus-user.talk ca.desrt.dconf | |||
| 55 | dbus-user.talk org.freedesktop.Notifications | 55 | dbus-user.talk org.freedesktop.Notifications |
| 56 | dbus-user.talk org.freedesktop.secrets | 56 | dbus-user.talk org.freedesktop.secrets |
| 57 | dbus-system none | 57 | dbus-system none |
| 58 | |||
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile index 4a2e13d89..e21789d73 100644 --- a/etc/profile-a-l/franz.profile +++ b/etc/profile-a-l/franz.profile | |||
| @@ -44,3 +44,5 @@ seccomp !chroot | |||
| 44 | disable-mnt | 44 | disable-mnt |
| 45 | private-dev | 45 | private-dev |
| 46 | private-tmp | 46 | private-tmp |
| 47 | |||
| 48 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile index e0330b52a..53315c249 100644 --- a/etc/profile-a-l/freecad.profile +++ b/etc/profile-a-l/freecad.profile | |||
| @@ -42,3 +42,5 @@ private-tmp | |||
| 42 | 42 | ||
| 43 | dbus-user none | 43 | dbus-user none |
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | |||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile index 1690f6eb9..0788acce1 100644 --- a/etc/profile-a-l/freeciv.profile +++ b/etc/profile-a-l/freeciv.profile | |||
| @@ -44,3 +44,5 @@ private-tmp | |||
| 44 | 44 | ||
| 45 | dbus-user none | 45 | dbus-user none |
| 46 | dbus-system none | 46 | dbus-system none |
| 47 | |||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile index 3092e830a..f1b2ffcb7 100644 --- a/etc/profile-a-l/freecol.profile +++ b/etc/profile-a-l/freecol.profile | |||
| @@ -55,3 +55,5 @@ private-tmp | |||
| 55 | 55 | ||
| 56 | dbus-user none | 56 | dbus-user none |
| 57 | dbus-system none | 57 | dbus-system none |
| 58 | |||
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile index c3f32de03..ae5843f7f 100644 --- a/etc/profile-a-l/freemind.profile +++ b/etc/profile-a-l/freemind.profile | |||
| @@ -50,3 +50,5 @@ private-srv none | |||
| 50 | 50 | ||
| 51 | dbus-user none | 51 | dbus-user none |
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | |||
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile index ab6877de8..133d66f0d 100644 --- a/etc/profile-a-l/freshclam.profile +++ b/etc/profile-a-l/freshclam.profile | |||
| @@ -33,3 +33,4 @@ writable-var | |||
| 33 | writable-var-log | 33 | writable-var-log |
| 34 | 34 | ||
| 35 | memory-deny-write-execute | 35 | memory-deny-write-execute |
| 36 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile index 521d50b3b..067fe3caa 100644 --- a/etc/profile-a-l/frogatto.profile +++ b/etc/profile-a-l/frogatto.profile | |||
| @@ -49,3 +49,5 @@ private-tmp | |||
| 49 | 49 | ||
| 50 | dbus-user none | 50 | dbus-user none |
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile index bb60d98a5..86a8a8fc6 100644 --- a/etc/profile-a-l/frozen-bubble.profile +++ b/etc/profile-a-l/frozen-bubble.profile | |||
| @@ -46,3 +46,5 @@ private-tmp | |||
| 46 | 46 | ||
| 47 | dbus-user none | 47 | dbus-user none |
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | |||
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/ftp.profile b/etc/profile-a-l/ftp.profile index 15b68eb08..f448ab932 100644 --- a/etc/profile-a-l/ftp.profile +++ b/etc/profile-a-l/ftp.profile | |||
| @@ -51,3 +51,4 @@ dbus-system none | |||
| 51 | 51 | ||
| 52 | memory-deny-write-execute | 52 | memory-deny-write-execute |
| 53 | noexec ${HOME} | 53 | noexec ${HOME} |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile index ee4226852..8ca349d1c 100644 --- a/etc/profile-a-l/funnyboat.profile +++ b/etc/profile-a-l/funnyboat.profile | |||
| @@ -52,3 +52,4 @@ dbus-user none | |||
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | 53 | ||
| 54 | memory-deny-write-execute | 54 | memory-deny-write-execute |
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index 3d4d4b4e7..d4d578dd4 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile | |||
| @@ -75,4 +75,5 @@ dbus-system.talk org.freedesktop.login1 | |||
| 75 | # Add the next line to your gajim.local to enable location plugin support. | 75 | # Add the next line to your gajim.local to enable location plugin support. |
| 76 | #dbus-system.talk org.freedesktop.GeoClue2 | 76 | #dbus-system.talk org.freedesktop.GeoClue2 |
| 77 | 77 | ||
| 78 | restrict-namespaces | ||
| 78 | join-or-start gajim | 79 | join-or-start gajim |
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile index 95afc8020..0fba8ac07 100644 --- a/etc/profile-a-l/galculator.profile +++ b/etc/profile-a-l/galculator.profile | |||
| @@ -50,3 +50,4 @@ dbus-user none | |||
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | 51 | ||
| 52 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 52 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index 6fac9affc..106e0eda6 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile | |||
| @@ -70,3 +70,4 @@ dbus-system none | |||
| 70 | 70 | ||
| 71 | memory-deny-write-execute | 71 | memory-deny-write-execute |
| 72 | read-only ${HOME} | 72 | read-only ${HOME} |
| 73 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile index 60fac668e..313b34a53 100644 --- a/etc/profile-a-l/gcloud.profile +++ b/etc/profile-a-l/gcloud.profile | |||
| @@ -40,3 +40,5 @@ private-tmp | |||
| 40 | 40 | ||
| 41 | dbus-user none | 41 | dbus-user none |
| 42 | dbus-system none | 42 | dbus-system none |
| 43 | |||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile index 33441ac0e..5b434342b 100644 --- a/etc/profile-a-l/gconf.profile +++ b/etc/profile-a-l/gconf.profile | |||
| @@ -58,3 +58,4 @@ private-lib GConf,libpython*,python2* | |||
| 58 | private-tmp | 58 | private-tmp |
| 59 | 59 | ||
| 60 | memory-deny-write-execute | 60 | memory-deny-write-execute |
| 61 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile index 783183bea..4eb94edf4 100644 --- a/etc/profile-a-l/gdu.profile +++ b/etc/profile-a-l/gdu.profile | |||
| @@ -37,6 +37,7 @@ dbus-user none | |||
| 37 | dbus-system none | 37 | dbus-system none |
| 38 | 38 | ||
| 39 | memory-deny-write-execute | 39 | memory-deny-write-execute |
| 40 | restrict-namespaces | ||
| 40 | 41 | ||
| 41 | # gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features. | 42 | # gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features. |
| 42 | # Depending on workflow and use case the sandbox can be hardened by adding the | 43 | # Depending on workflow and use case the sandbox can be hardened by adding the |
diff --git a/etc/profile-a-l/geany.profile b/etc/profile-a-l/geany.profile index 021abefb3..ec1d68e0d 100644 --- a/etc/profile-a-l/geany.profile +++ b/etc/profile-a-l/geany.profile | |||
| @@ -32,3 +32,5 @@ seccomp | |||
| 32 | private-cache | 32 | private-cache |
| 33 | private-dev | 33 | private-dev |
| 34 | private-tmp | 34 | private-tmp |
| 35 | |||
| 36 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index cc2119f2a..ad9b45b57 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile | |||
| @@ -91,3 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5 | |||
| 91 | dbus-system none | 91 | dbus-system none |
| 92 | 92 | ||
| 93 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 93 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
| 94 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile index 28a79b646..dbb3ab971 100644 --- a/etc/profile-a-l/gedit.profile +++ b/etc/profile-a-l/gedit.profile | |||
| @@ -49,3 +49,5 @@ private-tmp | |||
| 49 | # makes settings immutable | 49 | # makes settings immutable |
| 50 | # dbus-user none | 50 | # dbus-user none |
| 51 | # dbus-system none | 51 | # dbus-system none |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile index 19ac4e026..cda47a7e9 100644 --- a/etc/profile-a-l/geekbench.profile +++ b/etc/profile-a-l/geekbench.profile | |||
| @@ -55,3 +55,4 @@ dbus-system none | |||
| 55 | 55 | ||
| 56 | read-only ${HOME} | 56 | read-only ${HOME} |
| 57 | read-write ${HOME}/.geekbench5 | 57 | read-write ${HOME}/.geekbench5 |
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile index 268c3b334..95adc6840 100644 --- a/etc/profile-a-l/geeqie.profile +++ b/etc/profile-a-l/geeqie.profile | |||
| @@ -34,3 +34,5 @@ seccomp | |||
| 34 | 34 | ||
| 35 | # private-bin geeqie | 35 | # private-bin geeqie |
| 36 | private-dev | 36 | private-dev |
| 37 | |||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile index 7b42fadd1..d3d49433b 100644 --- a/etc/profile-a-l/gfeeds.profile +++ b/etc/profile-a-l/gfeeds.profile | |||
| @@ -67,3 +67,5 @@ dbus-user filter | |||
| 67 | dbus-user.own org.gabmus.gfeeds | 67 | dbus-user.own org.gabmus.gfeeds |
| 68 | dbus-user.talk ca.desrt.dconf | 68 | dbus-user.talk ca.desrt.dconf |
| 69 | dbus-system none | 69 | dbus-system none |
| 70 | |||
| 71 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile index b40c96e5b..02c4f9509 100644 --- a/etc/profile-a-l/gget.profile +++ b/etc/profile-a-l/gget.profile | |||
| @@ -56,3 +56,4 @@ dbus-user none | |||
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | 57 | ||
| 58 | memory-deny-write-execute | 58 | memory-deny-write-execute |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile index e908e5cd9..9c719ddb1 100644 --- a/etc/profile-a-l/ghostwriter.profile +++ b/etc/profile-a-l/ghostwriter.profile | |||
| @@ -56,3 +56,5 @@ private-tmp | |||
| 56 | 56 | ||
| 57 | dbus-user filter | 57 | dbus-user filter |
| 58 | dbus-system none | 58 | dbus-system none |
| 59 | |||
| 60 | #restrict-namespaces | ||
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index 400c8c54f..083b85a91 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile | |||
| @@ -63,3 +63,5 @@ private-tmp | |||
| 63 | 63 | ||
| 64 | dbus-user none | 64 | dbus-user none |
| 65 | dbus-system none | 65 | dbus-system none |
| 66 | |||
| 67 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile index ffd1b1f13..d315619b7 100644 --- a/etc/profile-a-l/gist.profile +++ b/etc/profile-a-l/gist.profile | |||
| @@ -58,3 +58,4 @@ dbus-user none | |||
| 58 | dbus-system none | 58 | dbus-system none |
| 59 | 59 | ||
| 60 | memory-deny-write-execute | 60 | memory-deny-write-execute |
| 61 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index 6c6a0bfd4..2f7068d68 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile | |||
| @@ -84,3 +84,5 @@ read-only ${HOME}/.git-credentials | |||
| 84 | 84 | ||
| 85 | # Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts. | 85 | # Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts. |
| 86 | read-only ${HOME}/.ssh | 86 | read-only ${HOME}/.ssh |
| 87 | |||
| 88 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile index 76636cc03..78d6cb2a1 100644 --- a/etc/profile-a-l/git.profile +++ b/etc/profile-a-l/git.profile | |||
| @@ -65,3 +65,4 @@ private-cache | |||
| 65 | private-dev | 65 | private-dev |
| 66 | 66 | ||
| 67 | memory-deny-write-execute | 67 | memory-deny-write-execute |
| 68 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile index 4c4ddd2d2..85f08d52e 100644 --- a/etc/profile-a-l/gitg.profile +++ b/etc/profile-a-l/gitg.profile | |||
| @@ -61,3 +61,5 @@ dbus-user.talk ca.desrt.dconf | |||
| 61 | # Add the next line to your gitg.local if you need keyring access. | 61 | # Add the next line to your gitg.local if you need keyring access. |
| 62 | #dbus-user.talk org.freedesktop.secrets | 62 | #dbus-user.talk org.freedesktop.secrets |
| 63 | dbus-system none | 63 | dbus-system none |
| 64 | |||
| 65 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile index 012bc6159..0f9ed9592 100644 --- a/etc/profile-a-l/gitter.profile +++ b/etc/profile-a-l/gitter.profile | |||
| @@ -41,3 +41,4 @@ private-opt Gitter | |||
| 41 | private-dev | 41 | private-dev |
| 42 | private-tmp | 42 | private-tmp |
| 43 | 43 | ||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile index 9bdbd0e37..bd332a6d5 100644 --- a/etc/profile-a-l/gjs.profile +++ b/etc/profile-a-l/gjs.profile | |||
| @@ -42,3 +42,5 @@ tracelog | |||
| 42 | private-dev | 42 | private-dev |
| 43 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl | 43 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
| 44 | private-tmp | 44 | private-tmp |
| 45 | |||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile index 311d7f127..92ba70113 100644 --- a/etc/profile-a-l/gl-117.profile +++ b/etc/profile-a-l/gl-117.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | dbus-user none | 49 | dbus-user none |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile index 162d292f8..d61b566d8 100644 --- a/etc/profile-a-l/glaxium.profile +++ b/etc/profile-a-l/glaxium.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | dbus-user none | 49 | dbus-user none |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/globaltime.profile b/etc/profile-a-l/globaltime.profile index 5e823a5a8..46553d457 100644 --- a/etc/profile-a-l/globaltime.profile +++ b/etc/profile-a-l/globaltime.profile | |||
| @@ -34,3 +34,4 @@ private-cache | |||
| 34 | private-dev | 34 | private-dev |
| 35 | private-tmp | 35 | private-tmp |
| 36 | 36 | ||
| 37 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile index edd2cd9ee..d4e4caebe 100644 --- a/etc/profile-a-l/gmpc.profile +++ b/etc/profile-a-l/gmpc.profile | |||
| @@ -51,3 +51,4 @@ writable-run-user | |||
| 51 | # dbus-system none | 51 | # dbus-system none |
| 52 | 52 | ||
| 53 | # memory-deny-write-execute - breaks on Arch | 53 | # memory-deny-write-execute - breaks on Arch |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile index 0c19faab3..812923b2d 100644 --- a/etc/profile-a-l/gnome-books.profile +++ b/etc/profile-a-l/gnome-books.profile | |||
| @@ -43,3 +43,4 @@ tracelog | |||
| 43 | private-dev | 43 | private-dev |
| 44 | private-tmp | 44 | private-tmp |
| 45 | 45 | ||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile index fe3a392b4..e171224c0 100644 --- a/etc/profile-a-l/gnome-builder.profile +++ b/etc/profile-a-l/gnome-builder.profile | |||
| @@ -37,3 +37,4 @@ seccomp | |||
| 37 | private-dev | 37 | private-dev |
| 38 | 38 | ||
| 39 | read-write ${HOME}/.bash_history | 39 | read-write ${HOME}/.bash_history |
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile index 11fdb9828..3926146ff 100644 --- a/etc/profile-a-l/gnome-calculator.profile +++ b/etc/profile-a-l/gnome-calculator.profile | |||
| @@ -52,3 +52,5 @@ dbus-user filter | |||
| 52 | dbus-user.own org.gnome.Calculator | 52 | dbus-user.own org.gnome.Calculator |
| 53 | dbus-user.talk ca.desrt.dconf | 53 | dbus-user.talk ca.desrt.dconf |
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index 482992778..b0d3f1d34 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile | |||
| @@ -60,3 +60,4 @@ dbus-system filter | |||
| 60 | #dbus-system.talk org.freedesktop.GeoClue2 | 60 | #dbus-system.talk org.freedesktop.GeoClue2 |
| 61 | 61 | ||
| 62 | read-only ${HOME} | 62 | read-only ${HOME} |
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile index af5b61fe6..2e11f335b 100644 --- a/etc/profile-a-l/gnome-characters.profile +++ b/etc/profile-a-l/gnome-characters.profile | |||
| @@ -56,3 +56,4 @@ private-tmp | |||
| 56 | # dbus-system none | 56 | # dbus-system none |
| 57 | 57 | ||
| 58 | read-only ${HOME} | 58 | read-only ${HOME} |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile index 815ede80b..78bd54b64 100644 --- a/etc/profile-a-l/gnome-chess.profile +++ b/etc/profile-a-l/gnome-chess.profile | |||
| @@ -51,3 +51,5 @@ private-cache | |||
| 51 | private-dev | 51 | private-dev |
| 52 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload | 52 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload |
| 53 | private-tmp | 53 | private-tmp |
| 54 | |||
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile index cc8f3fea0..8af9870bf 100644 --- a/etc/profile-a-l/gnome-clocks.profile +++ b/etc/profile-a-l/gnome-clocks.profile | |||
| @@ -44,3 +44,4 @@ private-dev | |||
| 44 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl | 44 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl |
| 45 | private-tmp | 45 | private-tmp |
| 46 | 46 | ||
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile index f96f750dd..2326115c3 100644 --- a/etc/profile-a-l/gnome-contacts.profile +++ b/etc/profile-a-l/gnome-contacts.profile | |||
| @@ -38,3 +38,4 @@ disable-mnt | |||
| 38 | private-dev | 38 | private-dev |
| 39 | private-tmp | 39 | private-tmp |
| 40 | 40 | ||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile index 24fa9721a..c8af97a61 100644 --- a/etc/profile-a-l/gnome-documents.profile +++ b/etc/profile-a-l/gnome-documents.profile | |||
| @@ -41,3 +41,4 @@ private-cache | |||
| 41 | private-dev | 41 | private-dev |
| 42 | private-tmp | 42 | private-tmp |
| 43 | 43 | ||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile index 294729152..17d266537 100644 --- a/etc/profile-a-l/gnome-font-viewer.profile +++ b/etc/profile-a-l/gnome-font-viewer.profile | |||
| @@ -35,3 +35,4 @@ disable-mnt | |||
| 35 | private-dev | 35 | private-dev |
| 36 | private-tmp | 36 | private-tmp |
| 37 | 37 | ||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile index f734f23bd..f0493c645 100644 --- a/etc/profile-a-l/gnome-hexgl.profile +++ b/etc/profile-a-l/gnome-hexgl.profile | |||
| @@ -49,3 +49,4 @@ dbus-system none | |||
| 49 | 49 | ||
| 50 | read-only ${HOME} | 50 | read-only ${HOME} |
| 51 | read-write ${HOME}/.cache/mesa_shader_cache | 51 | read-write ${HOME}/.cache/mesa_shader_cache |
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile index 5f9679cc7..45b6fd880 100644 --- a/etc/profile-a-l/gnome-keyring.profile +++ b/etc/profile-a-l/gnome-keyring.profile | |||
| @@ -59,3 +59,4 @@ private-tmp | |||
| 59 | dbus-system none | 59 | dbus-system none |
| 60 | 60 | ||
| 61 | memory-deny-write-execute | 61 | memory-deny-write-execute |
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile index 105996b38..43e0a1ec1 100644 --- a/etc/profile-a-l/gnome-latex.profile +++ b/etc/profile-a-l/gnome-latex.profile | |||
| @@ -50,3 +50,5 @@ private-dev | |||
| 50 | private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive | 50 | private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive |
| 51 | 51 | ||
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | |||
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile index f93d9ca24..b619b0f27 100644 --- a/etc/profile-a-l/gnome-logs.profile +++ b/etc/profile-a-l/gnome-logs.profile | |||
| @@ -51,3 +51,4 @@ dbus-system none | |||
| 51 | 51 | ||
| 52 | # Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}. | 52 | # Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}. |
| 53 | read-only ${HOME} | 53 | read-only ${HOME} |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile index 2f5e033ad..d14b2a5a1 100644 --- a/etc/profile-a-l/gnome-maps.profile +++ b/etc/profile-a-l/gnome-maps.profile | |||
| @@ -73,3 +73,5 @@ dbus-user.own org.gnome.Maps | |||
| 73 | dbus-system filter | 73 | dbus-system filter |
| 74 | #dbus-system.talk org.freedesktop.NetworkManager | 74 | #dbus-system.talk org.freedesktop.NetworkManager |
| 75 | dbus-system.talk org.freedesktop.GeoClue2 | 75 | dbus-system.talk org.freedesktop.GeoClue2 |
| 76 | |||
| 77 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile index 444f6ed34..052e9ba9c 100644 --- a/etc/profile-a-l/gnome-mplayer.profile +++ b/etc/profile-a-l/gnome-mplayer.profile | |||
| @@ -31,3 +31,4 @@ private-cache | |||
| 31 | private-dev | 31 | private-dev |
| 32 | private-tmp | 32 | private-tmp |
| 33 | 33 | ||
| 34 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile index 8c2ff90ea..ec033dbf0 100644 --- a/etc/profile-a-l/gnome-music.profile +++ b/etc/profile-a-l/gnome-music.profile | |||
| @@ -44,3 +44,4 @@ private-dev | |||
| 44 | private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg | 44 | private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg |
| 45 | private-tmp | 45 | private-tmp |
| 46 | 46 | ||
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile index abf3dd759..ce4e5edd8 100644 --- a/etc/profile-a-l/gnome-nettool.profile +++ b/etc/profile-a-l/gnome-nettool.profile | |||
| @@ -46,3 +46,5 @@ private-tmp | |||
| 46 | 46 | ||
| 47 | dbus-user none | 47 | dbus-user none |
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | |||
| 50 | #restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile index bd39ab0c9..0d7fb2de8 100644 --- a/etc/profile-a-l/gnome-passwordsafe.profile +++ b/etc/profile-a-l/gnome-passwordsafe.profile | |||
| @@ -59,3 +59,5 @@ dbus-user filter | |||
| 59 | dbus-user.own org.gnome.PasswordSafe | 59 | dbus-user.own org.gnome.PasswordSafe |
| 60 | dbus-user.talk ca.desrt.dconf | 60 | dbus-user.talk ca.desrt.dconf |
| 61 | dbus-system none | 61 | dbus-system none |
| 62 | |||
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile index 5c848d0af..1d0291aa2 100644 --- a/etc/profile-a-l/gnome-photos.profile +++ b/etc/profile-a-l/gnome-photos.profile | |||
| @@ -40,3 +40,4 @@ tracelog | |||
| 40 | private-dev | 40 | private-dev |
| 41 | private-tmp | 41 | private-tmp |
| 42 | 42 | ||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile index 0086edab0..6d90773aa 100644 --- a/etc/profile-a-l/gnome-pie.profile +++ b/etc/profile-a-l/gnome-pie.profile | |||
| @@ -38,3 +38,4 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s | |||
| 38 | private-tmp | 38 | private-tmp |
| 39 | 39 | ||
| 40 | memory-deny-write-execute | 40 | memory-deny-write-execute |
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile index e4120743a..fb019227f 100644 --- a/etc/profile-a-l/gnome-pomodoro.profile +++ b/etc/profile-a-l/gnome-pomodoro.profile | |||
| @@ -56,3 +56,4 @@ dbus-system none | |||
| 56 | 56 | ||
| 57 | read-only ${HOME} | 57 | read-only ${HOME} |
| 58 | read-write ${HOME}/.local/share/gnome-pomodoro | 58 | read-write ${HOME}/.local/share/gnome-pomodoro |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile index 483783195..75f3199e2 100644 --- a/etc/profile-a-l/gnome-recipes.profile +++ b/etc/profile-a-l/gnome-recipes.profile | |||
| @@ -50,3 +50,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so | |||
| 50 | private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* | 50 | private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* |
| 51 | private-tmp | 51 | private-tmp |
| 52 | 52 | ||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile index 44c608e8c..8f2ab7fd6 100644 --- a/etc/profile-a-l/gnome-ring.profile +++ b/etc/profile-a-l/gnome-ring.profile | |||
| @@ -30,3 +30,4 @@ disable-mnt | |||
| 30 | # private-dev | 30 | # private-dev |
| 31 | private-tmp | 31 | private-tmp |
| 32 | 32 | ||
| 33 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile index 415d8eb04..b71d77621 100644 --- a/etc/profile-a-l/gnome-schedule.profile +++ b/etc/profile-a-l/gnome-schedule.profile | |||
| @@ -61,4 +61,3 @@ disable-mnt | |||
| 61 | private-cache | 61 | private-cache |
| 62 | private-dev | 62 | private-dev |
| 63 | writable-var | 63 | writable-var |
| 64 | |||
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile index 95e1309ad..74238a109 100644 --- a/etc/profile-a-l/gnome-screenshot.profile +++ b/etc/profile-a-l/gnome-screenshot.profile | |||
| @@ -48,3 +48,5 @@ dbus-user filter | |||
| 48 | dbus-user.own org.gnome.Screenshot | 48 | dbus-user.own org.gnome.Screenshot |
| 49 | dbus-user.talk org.gnome.Shell.Screenshot | 49 | dbus-user.talk org.gnome.Shell.Screenshot |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile index 0faf17c2f..d07bd80a7 100644 --- a/etc/profile-a-l/gnome-sound-recorder.profile +++ b/etc/profile-a-l/gnome-sound-recorder.profile | |||
| @@ -41,3 +41,5 @@ private-cache | |||
| 41 | private-dev | 41 | private-dev |
| 42 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg | 42 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg |
| 43 | private-tmp | 43 | private-tmp |
| 44 | |||
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile index ae2f79e35..4c74c0a61 100644 --- a/etc/profile-a-l/gnome-system-log.profile +++ b/etc/profile-a-l/gnome-system-log.profile | |||
| @@ -53,3 +53,4 @@ writable-var-log | |||
| 53 | memory-deny-write-execute | 53 | memory-deny-write-execute |
| 54 | # Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}. | 54 | # Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}. |
| 55 | read-only ${HOME} | 55 | read-only ${HOME} |
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile index 097a4d5aa..ae7ea83d8 100644 --- a/etc/profile-a-l/gnome-todo.profile +++ b/etc/profile-a-l/gnome-todo.profile | |||
| @@ -61,3 +61,4 @@ dbus-system none | |||
| 61 | #dbus-system.talk org.freedesktop.login1 | 61 | #dbus-system.talk org.freedesktop.login1 |
| 62 | 62 | ||
| 63 | read-only ${HOME} | 63 | read-only ${HOME} |
| 64 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile index 3b9e44f66..dfeeff950 100644 --- a/etc/profile-a-l/gnome-twitch.profile +++ b/etc/profile-a-l/gnome-twitch.profile | |||
| @@ -37,3 +37,4 @@ disable-mnt | |||
| 37 | private-dev | 37 | private-dev |
| 38 | private-tmp | 38 | private-tmp |
| 39 | 39 | ||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile index ddffb8942..147b84a19 100644 --- a/etc/profile-a-l/gnome-weather.profile +++ b/etc/profile-a-l/gnome-weather.profile | |||
| @@ -46,3 +46,4 @@ private-dev | |||
| 46 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl | 46 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
| 47 | private-tmp | 47 | private-tmp |
| 48 | 48 | ||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile index bd20bb2bc..c9145d78e 100644 --- a/etc/profile-a-l/gnome_games-common.profile +++ b/etc/profile-a-l/gnome_games-common.profile | |||
| @@ -46,3 +46,5 @@ private-tmp | |||
| 46 | dbus-user filter | 46 | dbus-user filter |
| 47 | dbus-user.talk ca.desrt.dconf | 47 | dbus-user.talk ca.desrt.dconf |
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | |||
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile index 9df2f06a4..d7944ae24 100644 --- a/etc/profile-a-l/gnote.profile +++ b/etc/profile-a-l/gnote.profile | |||
| @@ -57,3 +57,5 @@ dbus-user filter | |||
| 57 | dbus-user.own org.gnome.Gnote | 57 | dbus-user.own org.gnome.Gnote |
| 58 | dbus-user.talk ca.desrt.dconf | 58 | dbus-user.talk ca.desrt.dconf |
| 59 | dbus-system none | 59 | dbus-system none |
| 60 | |||
| 61 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile index bc69f4729..bdbcf9baf 100644 --- a/etc/profile-a-l/gnubik.profile +++ b/etc/profile-a-l/gnubik.profile | |||
| @@ -47,3 +47,5 @@ private-tmp | |||
| 47 | 47 | ||
| 48 | dbus-user none | 48 | dbus-user none |
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile index 57ad9bedc..36a2cae07 100644 --- a/etc/profile-a-l/godot.profile +++ b/etc/profile-a-l/godot.profile | |||
| @@ -42,3 +42,5 @@ private-tmp | |||
| 42 | 42 | ||
| 43 | dbus-user none | 43 | dbus-user none |
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | |||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile index c1119dcb0..327648cd1 100644 --- a/etc/profile-a-l/goldendict.profile +++ b/etc/profile-a-l/goldendict.profile | |||
| @@ -55,3 +55,5 @@ private-tmp | |||
| 55 | 55 | ||
| 56 | dbus-user none | 56 | dbus-user none |
| 57 | dbus-system none | 57 | dbus-system none |
| 58 | |||
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile index 1eaa68c1d..8807a239d 100644 --- a/etc/profile-a-l/goobox.profile +++ b/etc/profile-a-l/goobox.profile | |||
| @@ -32,3 +32,5 @@ tracelog | |||
| 32 | private-dev | 32 | private-dev |
| 33 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl | 33 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl |
| 34 | # private-tmp | 34 | # private-tmp |
| 35 | |||
| 36 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile index 71e41b289..4af6ce36b 100644 --- a/etc/profile-a-l/google-earth.profile +++ b/etc/profile-a-l/google-earth.profile | |||
| @@ -39,3 +39,4 @@ private-bin bash,dirname,google-earth,grep,ls,sed,sh | |||
| 39 | private-dev | 39 | private-dev |
| 40 | private-opt google | 40 | private-opt google |
| 41 | 41 | ||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile index b84ae83b7..c2a7d89fd 100644 --- a/etc/profile-a-l/google-play-music-desktop-player.profile +++ b/etc/profile-a-l/google-play-music-desktop-player.profile | |||
| @@ -39,3 +39,5 @@ seccomp | |||
| 39 | disable-mnt | 39 | disable-mnt |
| 40 | private-dev | 40 | private-dev |
| 41 | private-tmp | 41 | private-tmp |
| 42 | |||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile index 74cfd5b89..da7c24581 100644 --- a/etc/profile-a-l/googler-common.profile +++ b/etc/profile-a-l/googler-common.profile | |||
| @@ -58,3 +58,5 @@ private-tmp | |||
| 58 | 58 | ||
| 59 | dbus-user none | 59 | dbus-user none |
| 60 | dbus-system none | 60 | dbus-system none |
| 61 | |||
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile index 40c3b434d..e05cdf424 100644 --- a/etc/profile-a-l/gpa.profile +++ b/etc/profile-a-l/gpa.profile | |||
| @@ -30,3 +30,5 @@ tracelog | |||
| 30 | 30 | ||
| 31 | # private-bin gpa,gpg | 31 | # private-bin gpa,gpg |
| 32 | private-dev | 32 | private-dev |
| 33 | |||
| 34 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile index 78546f547..f4cd85e3a 100644 --- a/etc/profile-a-l/gpg-agent.profile +++ b/etc/profile-a-l/gpg-agent.profile | |||
| @@ -46,6 +46,8 @@ protocol unix,inet,inet6 | |||
| 46 | seccomp | 46 | seccomp |
| 47 | tracelog | 47 | tracelog |
| 48 | 48 | ||
| 49 | # private-bin gpg-agent,gpg | 49 | # private-bin gpg-agent |
| 50 | private-cache | 50 | private-cache |
| 51 | private-dev | 51 | private-dev |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile index bc4fb060b..60690852a 100644 --- a/etc/profile-a-l/gpg.profile +++ b/etc/profile-a-l/gpg.profile | |||
| @@ -42,7 +42,7 @@ protocol unix,inet,inet6 | |||
| 42 | seccomp | 42 | seccomp |
| 43 | tracelog | 43 | tracelog |
| 44 | 44 | ||
| 45 | # private-bin gpg,gpg-agent | 45 | # private-bin gpg |
| 46 | private-cache | 46 | private-cache |
| 47 | private-dev | 47 | private-dev |
| 48 | 48 | ||
| @@ -51,3 +51,4 @@ private-dev | |||
| 51 | # installing/upgrading archlinux-keyring extremely slow. | 51 | # installing/upgrading archlinux-keyring extremely slow. |
| 52 | read-write /etc/pacman.d/gnupg | 52 | read-write /etc/pacman.d/gnupg |
| 53 | read-write /usr/share/pacman/keyrings | 53 | read-write /usr/share/pacman/keyrings |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile index 937ef14fe..1012f5774 100644 --- a/etc/profile-a-l/gpicview.profile +++ b/etc/profile-a-l/gpicview.profile | |||
| @@ -48,3 +48,4 @@ dbus-user none | |||
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | 49 | ||
| 50 | memory-deny-write-execute | 50 | memory-deny-write-execute |
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile index 628205015..53a6f94e2 100644 --- a/etc/profile-a-l/gpredict.profile +++ b/etc/profile-a-l/gpredict.profile | |||
| @@ -38,3 +38,4 @@ private-dev | |||
| 38 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl | 38 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
| 39 | private-tmp | 39 | private-tmp |
| 40 | 40 | ||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile index 8ff0d92bb..368482fa3 100644 --- a/etc/profile-a-l/gradio.profile +++ b/etc/profile-a-l/gradio.profile | |||
| @@ -52,3 +52,5 @@ dbus-user.own de.haeckerfelix.gradio | |||
| 52 | dbus-user.own org.mpris.MediaPlayer2.gradio | 52 | dbus-user.own org.mpris.MediaPlayer2.gradio |
| 53 | dbus-user.talk ca.desrt.dconf | 53 | dbus-user.talk ca.desrt.dconf |
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile index 6d9c54967..5073e79c9 100644 --- a/etc/profile-a-l/gramps.profile +++ b/etc/profile-a-l/gramps.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | dbus-user none | 49 | dbus-user none |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile index ab0915cd6..02a49134c 100644 --- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile +++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile | |||
| @@ -44,3 +44,5 @@ private-tmp | |||
| 44 | 44 | ||
| 45 | dbus-user none | 45 | dbus-user none |
| 46 | dbus-system none | 46 | dbus-system none |
| 47 | |||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gthumb.profile b/etc/profile-a-l/gthumb.profile index b9e3d8e25..9654f0ffc 100644 --- a/etc/profile-a-l/gthumb.profile +++ b/etc/profile-a-l/gthumb.profile | |||
| @@ -34,3 +34,5 @@ private-bin gthumb | |||
| 34 | private-cache | 34 | private-cache |
| 35 | private-dev | 35 | private-dev |
| 36 | private-tmp | 36 | private-tmp |
| 37 | |||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile index 793fb0440..5fd92fd4f 100644 --- a/etc/profile-a-l/gtk-update-icon-cache.profile +++ b/etc/profile-a-l/gtk-update-icon-cache.profile | |||
| @@ -53,3 +53,4 @@ dbus-user none | |||
| 53 | dbus-system none | 53 | dbus-system none |
| 54 | 54 | ||
| 55 | memory-deny-write-execute | 55 | memory-deny-write-execute |
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/guayadeque.profile b/etc/profile-a-l/guayadeque.profile index 594c99863..35ce2816b 100644 --- a/etc/profile-a-l/guayadeque.profile +++ b/etc/profile-a-l/guayadeque.profile | |||
| @@ -32,3 +32,4 @@ private-bin guayadeque | |||
| 32 | private-dev | 32 | private-dev |
| 33 | private-tmp | 33 | private-tmp |
| 34 | 34 | ||
| 35 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile index 774652fd5..68b78ec62 100644 --- a/etc/profile-a-l/gucharmap.profile +++ b/etc/profile-a-l/gucharmap.profile | |||
| @@ -51,3 +51,4 @@ private-tmp | |||
| 51 | # dbus-system none | 51 | # dbus-system none |
| 52 | 52 | ||
| 53 | read-only ${HOME} | 53 | read-only ${HOME} |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile index e8f64e4e0..db307e940 100644 --- a/etc/profile-a-l/guvcview.profile +++ b/etc/profile-a-l/guvcview.profile | |||
| @@ -52,3 +52,5 @@ private-tmp | |||
| 52 | 52 | ||
| 53 | dbus-user none | 53 | dbus-user none |
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile index 93af4d1f8..8f7f74e0d 100644 --- a/etc/profile-a-l/gwenview.profile +++ b/etc/profile-a-l/gwenview.profile | |||
| @@ -52,3 +52,4 @@ private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.prel | |||
| 52 | # dbus-system none | 52 | # dbus-system none |
| 53 | 53 | ||
| 54 | # memory-deny-write-execute | 54 | # memory-deny-write-execute |
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile index 1f13232f2..488665154 100644 --- a/etc/profile-a-l/handbrake.profile +++ b/etc/profile-a-l/handbrake.profile | |||
| @@ -36,3 +36,5 @@ private-tmp | |||
| 36 | 36 | ||
| 37 | dbus-user none | 37 | dbus-user none |
| 38 | dbus-system none | 38 | dbus-system none |
| 39 | |||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile index 8d665ce68..e5b0a06af 100644 --- a/etc/profile-a-l/hashcat.profile +++ b/etc/profile-a-l/hashcat.profile | |||
| @@ -43,3 +43,5 @@ private-tmp | |||
| 43 | 43 | ||
| 44 | dbus-user none | 44 | dbus-user none |
| 45 | dbus-system none | 45 | dbus-system none |
| 46 | |||
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile index a1a491ca1..fd8246aae 100644 --- a/etc/profile-a-l/hasher-common.profile +++ b/etc/profile-a-l/hasher-common.profile | |||
| @@ -56,3 +56,4 @@ dbus-system none | |||
| 56 | 56 | ||
| 57 | memory-deny-write-execute | 57 | memory-deny-write-execute |
| 58 | read-only ${HOME} | 58 | read-only ${HOME} |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile index 9c6f162c6..2de09ea93 100644 --- a/etc/profile-a-l/hedgewars.profile +++ b/etc/profile-a-l/hedgewars.profile | |||
| @@ -35,3 +35,5 @@ tracelog | |||
| 35 | disable-mnt | 35 | disable-mnt |
| 36 | private-dev | 36 | private-dev |
| 37 | private-tmp | 37 | private-tmp |
| 38 | |||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile index c730187a9..df7f8f3a3 100644 --- a/etc/profile-a-l/hexchat.profile +++ b/etc/profile-a-l/hexchat.profile | |||
| @@ -55,3 +55,4 @@ private-dev | |||
| 55 | private-tmp | 55 | private-tmp |
| 56 | 56 | ||
| 57 | # memory-deny-write-execute - breaks python | 57 | # memory-deny-write-execute - breaks python |
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile index 04a603794..d77f49ce0 100644 --- a/etc/profile-a-l/highlight.profile +++ b/etc/profile-a-l/highlight.profile | |||
| @@ -41,3 +41,5 @@ private-tmp | |||
| 41 | 41 | ||
| 42 | dbus-user none | 42 | dbus-user none |
| 43 | dbus-system none | 43 | dbus-system none |
| 44 | |||
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile index cf06b397f..91b73e8e9 100644 --- a/etc/profile-a-l/homebank.profile +++ b/etc/profile-a-l/homebank.profile | |||
| @@ -56,3 +56,4 @@ dbus-user none | |||
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | 57 | ||
| 58 | # memory-deny-write-execute | 58 | # memory-deny-write-execute |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile index 22a3ecf51..09af8f0f5 100644 --- a/etc/profile-a-l/host.profile +++ b/etc/profile-a-l/host.profile | |||
| @@ -49,3 +49,4 @@ dbus-user none | |||
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | 50 | ||
| 51 | memory-deny-write-execute | 51 | memory-deny-write-execute |
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile index d4587a303..c4085cf9c 100644 --- a/etc/profile-a-l/hugin.profile +++ b/etc/profile-a-l/hugin.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile index 8fd80564a..13dc06ecc 100644 --- a/etc/profile-a-l/hyperrogue.profile +++ b/etc/profile-a-l/hyperrogue.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | dbus-user none | 49 | dbus-user none |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile index c131381c8..757af67b0 100644 --- a/etc/profile-a-l/i2prouter.profile +++ b/etc/profile-a-l/i2prouter.profile | |||
| @@ -69,3 +69,5 @@ private-cache | |||
| 69 | private-dev | 69 | private-dev |
| 70 | private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl | 70 | private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl |
| 71 | private-tmp | 71 | private-tmp |
| 72 | |||
| 73 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile index e96b1843c..2268072ef 100644 --- a/etc/profile-a-l/i3.profile +++ b/etc/profile-a-l/i3.profile | |||
| @@ -14,5 +14,6 @@ caps.drop all | |||
| 14 | netfilter | 14 | netfilter |
| 15 | noroot | 15 | noroot |
| 16 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
| 17 | seccomp | 17 | seccomp !chroot |
| 18 | 18 | ||
| 19 | #restrict-namespaces | ||
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile index 727dabb77..e16f3f1d5 100644 --- a/etc/profile-a-l/iagno.profile +++ b/etc/profile-a-l/iagno.profile | |||
| @@ -37,3 +37,5 @@ private-tmp | |||
| 37 | 37 | ||
| 38 | # dbus-user none | 38 | # dbus-user none |
| 39 | # dbus-system none | 39 | # dbus-system none |
| 40 | |||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile index 0d976222f..31f65962f 100644 --- a/etc/profile-a-l/idea.sh.profile +++ b/etc/profile-a-l/idea.sh.profile | |||
| @@ -39,3 +39,4 @@ private-dev | |||
| 39 | # private-tmp | 39 | # private-tmp |
| 40 | 40 | ||
| 41 | noexec /tmp | 41 | noexec /tmp |
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile index 29aeb006b..60e97b24c 100644 --- a/etc/profile-a-l/imagej.profile +++ b/etc/profile-a-l/imagej.profile | |||
| @@ -38,3 +38,5 @@ private-tmp | |||
| 38 | 38 | ||
| 39 | dbus-user none | 39 | dbus-user none |
| 40 | dbus-system none | 40 | dbus-system none |
| 41 | |||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile index 889e4ba65..ee341423a 100644 --- a/etc/profile-a-l/img2txt.profile +++ b/etc/profile-a-l/img2txt.profile | |||
| @@ -50,3 +50,4 @@ dbus-user none | |||
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | 51 | ||
| 52 | memory-deny-write-execute | 52 | memory-deny-write-execute |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile index 7306de4b3..d9a256c11 100644 --- a/etc/profile-a-l/impressive.profile +++ b/etc/profile-a-l/impressive.profile | |||
| @@ -54,3 +54,4 @@ dbus-system none | |||
| 54 | 54 | ||
| 55 | read-only ${HOME} | 55 | read-only ${HOME} |
| 56 | read-write ${HOME}/.cache/mesa_shader_cache | 56 | read-write ${HOME}/.cache/mesa_shader_cache |
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/imv.profile b/etc/profile-a-l/imv.profile index 43085bb9b..94333a610 100644 --- a/etc/profile-a-l/imv.profile +++ b/etc/profile-a-l/imv.profile | |||
| @@ -54,3 +54,4 @@ dbus-user none | |||
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | 55 | ||
| 56 | read-only ${HOME} | 56 | read-only ${HOME} |
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile index d461add95..1034c225f 100644 --- a/etc/profile-a-l/inkscape.profile +++ b/etc/profile-a-l/inkscape.profile | |||
| @@ -60,3 +60,4 @@ dbus-user none | |||
| 60 | dbus-system none | 60 | dbus-system none |
| 61 | 61 | ||
| 62 | # memory-deny-write-execute | 62 | # memory-deny-write-execute |
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/io.github.lainsce.Notejot.profile b/etc/profile-a-l/io.github.lainsce.Notejot.profile index 483772a1e..cb2f30350 100644 --- a/etc/profile-a-l/io.github.lainsce.Notejot.profile +++ b/etc/profile-a-l/io.github.lainsce.Notejot.profile | |||
| @@ -57,3 +57,5 @@ dbus-user filter | |||
| 57 | dbus-user.own io.github.lainsce.Notejot | 57 | dbus-user.own io.github.lainsce.Notejot |
| 58 | dbus-user.talk ca.desrt.dconf | 58 | dbus-user.talk ca.desrt.dconf |
| 59 | dbus-system none | 59 | dbus-system none |
| 60 | |||
| 61 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile index cdf78ea94..983c31bcb 100644 --- a/etc/profile-a-l/ipcalc.profile +++ b/etc/profile-a-l/ipcalc.profile | |||
| @@ -59,3 +59,4 @@ dbus-system none | |||
| 59 | 59 | ||
| 60 | # memory-deny-write-execute | 60 | # memory-deny-write-execute |
| 61 | # read-only ${HOME} | 61 | # read-only ${HOME} |
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/itch.profile b/etc/profile-a-l/itch.profile index 85ea915c7..1c4ddebdb 100644 --- a/etc/profile-a-l/itch.profile +++ b/etc/profile-a-l/itch.profile | |||
| @@ -39,3 +39,4 @@ private-dev | |||
| 39 | private-tmp | 39 | private-tmp |
| 40 | 40 | ||
| 41 | noexec /tmp | 41 | noexec /tmp |
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile index fc1f7e42c..5fe484029 100644 --- a/etc/profile-a-l/jami-gnome.profile +++ b/etc/profile-a-l/jami-gnome.profile | |||
| @@ -39,3 +39,4 @@ private-dev | |||
| 39 | private-tmp | 39 | private-tmp |
| 40 | 40 | ||
| 41 | env QT_QPA_PLATFORM=xcb | 41 | env QT_QPA_PLATFORM=xcb |
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile index 628a646c2..e34b3e676 100644 --- a/etc/profile-a-l/jd-gui.profile +++ b/etc/profile-a-l/jd-gui.profile | |||
| @@ -41,3 +41,5 @@ private-tmp | |||
| 41 | 41 | ||
| 42 | dbus-user none | 42 | dbus-user none |
| 43 | dbus-system none | 43 | dbus-system none |
| 44 | |||
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile index f55305a08..3136b412e 100644 --- a/etc/profile-a-l/jerry.profile +++ b/etc/profile-a-l/jerry.profile | |||
| @@ -40,3 +40,4 @@ dbus-user none | |||
| 40 | dbus-system none | 40 | dbus-system none |
| 41 | 41 | ||
| 42 | memory-deny-write-execute | 42 | memory-deny-write-execute |
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/jitsi.profile b/etc/profile-a-l/jitsi.profile index 23f7b720d..c0bda1cbf 100644 --- a/etc/profile-a-l/jitsi.profile +++ b/etc/profile-a-l/jitsi.profile | |||
| @@ -28,3 +28,5 @@ tracelog | |||
| 28 | disable-mnt | 28 | disable-mnt |
| 29 | private-cache | 29 | private-cache |
| 30 | private-tmp | 30 | private-tmp |
| 31 | |||
| 32 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile index dee252281..66d63283a 100644 --- a/etc/profile-a-l/jumpnbump.profile +++ b/etc/profile-a-l/jumpnbump.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile index a98f09d7d..81d4f3458 100644 --- a/etc/profile-a-l/k3b.profile +++ b/etc/profile-a-l/k3b.profile | |||
| @@ -35,3 +35,5 @@ novideo | |||
| 35 | 35 | ||
| 36 | private-dev | 36 | private-dev |
| 37 | # private-tmp | 37 | # private-tmp |
| 38 | |||
| 39 | # restrict-namespaces - breaks privileged helpers | ||
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile index 8dba3b4e9..73417bf11 100644 --- a/etc/profile-a-l/kaffeine.profile +++ b/etc/profile-a-l/kaffeine.profile | |||
| @@ -40,3 +40,4 @@ seccomp | |||
| 40 | private-dev | 40 | private-dev |
| 41 | private-tmp | 41 | private-tmp |
| 42 | 42 | ||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile index 6331e3990..bde52f30e 100644 --- a/etc/profile-a-l/kalgebra.profile +++ b/etc/profile-a-l/kalgebra.profile | |||
| @@ -46,3 +46,5 @@ private-tmp | |||
| 46 | 46 | ||
| 47 | dbus-user none | 47 | dbus-user none |
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | |||
| 50 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile index dc6e58c99..152f73d5d 100644 --- a/etc/profile-a-l/kate.profile +++ b/etc/profile-a-l/kate.profile | |||
| @@ -60,4 +60,5 @@ private-tmp | |||
| 60 | # dbus-user none | 60 | # dbus-user none |
| 61 | # dbus-system none | 61 | # dbus-system none |
| 62 | 62 | ||
| 63 | restrict-namespaces | ||
| 63 | join-or-start kate | 64 | join-or-start kate |
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile index 61802383d..c01000af1 100644 --- a/etc/profile-a-l/kazam.profile +++ b/etc/profile-a-l/kazam.profile | |||
| @@ -52,3 +52,5 @@ private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cach | |||
| 52 | private-tmp | 52 | private-tmp |
| 53 | 53 | ||
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile index 18f1d4516..ea56f2d39 100644 --- a/etc/profile-a-l/kcalc.profile +++ b/etc/profile-a-l/kcalc.profile | |||
| @@ -16,10 +16,14 @@ include disable-programs.inc | |||
| 16 | include disable-shell.inc | 16 | include disable-shell.inc |
| 17 | include disable-xdg.inc | 17 | include disable-xdg.inc |
| 18 | 18 | ||
| 19 | # Legacy paths | ||
| 20 | #mkdir ${HOME}/.kde/share/config | ||
| 21 | #mkdir ${HOME}/.kde4/share/config | ||
| 22 | #mkfile ${HOME}/.kde/share/config/kcalcrc | ||
| 23 | #mkfile ${HOME}/.kde4/share/config/kcalcrc | ||
| 24 | |||
| 19 | mkdir ${HOME}/.local/share/kxmlgui5/kcalc | 25 | mkdir ${HOME}/.local/share/kxmlgui5/kcalc |
| 20 | mkfile ${HOME}/.config/kcalcrc | 26 | mkfile ${HOME}/.config/kcalcrc |
| 21 | mkfile ${HOME}/.kde/share/config/kcalcrc | ||
| 22 | mkfile ${HOME}/.kde4/share/config/kcalcrc | ||
| 23 | whitelist ${HOME}/.config/kcalcrc | 27 | whitelist ${HOME}/.config/kcalcrc |
| 24 | whitelist ${HOME}/.kde/share/config/kcalcrc | 28 | whitelist ${HOME}/.kde/share/config/kcalcrc |
| 25 | whitelist ${HOME}/.kde4/share/config/kcalcrc | 29 | whitelist ${HOME}/.kde4/share/config/kcalcrc |
| @@ -63,3 +67,4 @@ dbus-user none | |||
| 63 | dbus-system none | 67 | dbus-system none |
| 64 | 68 | ||
| 65 | #memory-deny-write-execute | 69 | #memory-deny-write-execute |
| 70 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile index 8b02142c3..2f426e191 100644 --- a/etc/profile-a-l/kdeinit4.profile +++ b/etc/profile-a-l/kdeinit4.profile | |||
| @@ -34,3 +34,4 @@ private-bin kbuildsycoca4,kded4,kdeinit4,knotify4 | |||
| 34 | private-dev | 34 | private-dev |
| 35 | private-tmp | 35 | private-tmp |
| 36 | 36 | ||
| 37 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile index 872e6d9aa..d4933d816 100644 --- a/etc/profile-a-l/kdenlive.profile +++ b/etc/profile-a-l/kdenlive.profile | |||
| @@ -38,3 +38,5 @@ private-dev | |||
| 38 | 38 | ||
| 39 | # dbus-user none | 39 | # dbus-user none |
| 40 | # dbus-system none | 40 | # dbus-system none |
| 41 | |||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index 947e35750..e0b3eadfd 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile | |||
| @@ -55,3 +55,5 @@ private-dev | |||
| 55 | 55 | ||
| 56 | dbus-user none | 56 | dbus-user none |
| 57 | dbus-system none | 57 | dbus-system none |
| 58 | |||
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/keepass.profile b/etc/profile-a-l/keepass.profile index db3bbd76f..648ed95cf 100644 --- a/etc/profile-a-l/keepass.profile +++ b/etc/profile-a-l/keepass.profile | |||
| @@ -43,3 +43,4 @@ private-cache | |||
| 43 | private-dev | 43 | private-dev |
| 44 | private-tmp | 44 | private-tmp |
| 45 | 45 | ||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile index c8b895fc2..935fe3933 100644 --- a/etc/profile-a-l/keepassx.profile +++ b/etc/profile-a-l/keepassx.profile | |||
| @@ -47,3 +47,4 @@ dbus-user none | |||
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | 48 | ||
| 49 | memory-deny-write-execute | 49 | memory-deny-write-execute |
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 827951071..80374690c 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile | |||
| @@ -106,5 +106,7 @@ dbus-user.talk org.xfce.ScreenSaver | |||
| 106 | dbus-system filter | 106 | dbus-system filter |
| 107 | dbus-system.talk org.freedesktop.login1 | 107 | dbus-system.talk org.freedesktop.login1 |
| 108 | 108 | ||
| 109 | restrict-namespaces | ||
| 110 | |||
| 109 | # Mutex is stored in /tmp by default, which is broken by private-tmp. | 111 | # Mutex is stored in /tmp by default, which is broken by private-tmp. |
| 110 | join-or-start keepassxc | 112 | join-or-start keepassxc |
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile index dee84482f..c70030a38 100644 --- a/etc/profile-a-l/kfind.profile +++ b/etc/profile-a-l/kfind.profile | |||
| @@ -44,3 +44,5 @@ private-tmp | |||
| 44 | 44 | ||
| 45 | # dbus-user none | 45 | # dbus-user none |
| 46 | # dbus-system none | 46 | # dbus-system none |
| 47 | |||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile index 9b6646725..dd45c1889 100644 --- a/etc/profile-a-l/kget.profile +++ b/etc/profile-a-l/kget.profile | |||
| @@ -41,3 +41,4 @@ private-dev | |||
| 41 | private-tmp | 41 | private-tmp |
| 42 | 42 | ||
| 43 | # memory-deny-write-execute | 43 | # memory-deny-write-execute |
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile index 637b00c35..424fb006e 100644 --- a/etc/profile-a-l/kid3.profile +++ b/etc/profile-a-l/kid3.profile | |||
| @@ -45,3 +45,4 @@ dbus-user none | |||
| 45 | dbus-system none | 45 | dbus-system none |
| 46 | 46 | ||
| 47 | memory-deny-write-execute | 47 | memory-deny-write-execute |
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile index 2df907376..a4c8486e1 100644 --- a/etc/profile-a-l/kino.profile +++ b/etc/profile-a-l/kino.profile | |||
| @@ -34,3 +34,4 @@ private-cache | |||
| 34 | private-dev | 34 | private-dev |
| 35 | private-tmp | 35 | private-tmp |
| 36 | 36 | ||
| 37 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile index 1c50ad2ea..5a028aeea 100644 --- a/etc/profile-a-l/kiwix-desktop.profile +++ b/etc/profile-a-l/kiwix-desktop.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | dbus-user none | 49 | dbus-user none |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile index c7b5123d2..0c2d171b9 100644 --- a/etc/profile-a-l/klatexformula.profile +++ b/etc/profile-a-l/klatexformula.profile | |||
| @@ -42,3 +42,5 @@ private-tmp | |||
| 42 | 42 | ||
| 43 | dbus-user none | 43 | dbus-user none |
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | |||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile index 4b8c9e414..0785b904d 100644 --- a/etc/profile-a-l/klavaro.profile +++ b/etc/profile-a-l/klavaro.profile | |||
| @@ -51,3 +51,5 @@ private-srv none | |||
| 51 | 51 | ||
| 52 | dbus-user none | 52 | dbus-user none |
| 53 | dbus-system none | 53 | dbus-system none |
| 54 | |||
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index 1bbc141e8..9724f4963 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile | |||
| @@ -62,3 +62,5 @@ private-dev | |||
| 62 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments | 62 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments |
| 63 | # writable-run-user is needed for signing and encrypting emails | 63 | # writable-run-user is needed for signing and encrypting emails |
| 64 | writable-run-user | 64 | writable-run-user |
| 65 | |||
| 66 | # restrict-namespaces | ||
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile index 135e8f3ad..992b312ee 100644 --- a/etc/profile-a-l/kmplayer.profile +++ b/etc/profile-a-l/kmplayer.profile | |||
| @@ -38,3 +38,4 @@ private-cache | |||
| 38 | private-dev | 38 | private-dev |
| 39 | private-tmp | 39 | private-tmp |
| 40 | 40 | ||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile index b78d9c474..474a10a31 100644 --- a/etc/profile-a-l/kodi.profile +++ b/etc/profile-a-l/kodi.profile | |||
| @@ -51,3 +51,5 @@ tracelog | |||
| 51 | 51 | ||
| 52 | private-dev | 52 | private-dev |
| 53 | private-tmp | 53 | private-tmp |
| 54 | |||
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile index 875d0ef76..e4781fea3 100644 --- a/etc/profile-a-l/konversation.profile +++ b/etc/profile-a-l/konversation.profile | |||
| @@ -43,3 +43,4 @@ private-dev | |||
| 43 | private-tmp | 43 | private-tmp |
| 44 | 44 | ||
| 45 | # memory-deny-write-execute | 45 | # memory-deny-write-execute |
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile index 9e75b03eb..91030f453 100644 --- a/etc/profile-a-l/kopete.profile +++ b/etc/profile-a-l/kopete.profile | |||
| @@ -37,3 +37,4 @@ private-dev | |||
| 37 | private-tmp | 37 | private-tmp |
| 38 | writable-var | 38 | writable-var |
| 39 | 39 | ||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile index 70d721e9f..a04376430 100644 --- a/etc/profile-a-l/krita.profile +++ b/etc/profile-a-l/krita.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | # dbus-user none | 49 | # dbus-user none |
| 50 | # dbus-system none | 50 | # dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile index 96eb6978d..27feccf40 100644 --- a/etc/profile-a-l/krunner.profile +++ b/etc/profile-a-l/krunner.profile | |||
| @@ -35,3 +35,5 @@ protocol unix,inet,inet6 | |||
| 35 | seccomp | 35 | seccomp |
| 36 | 36 | ||
| 37 | # private-cache | 37 | # private-cache |
| 38 | |||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile index 949189a1d..da267b962 100644 --- a/etc/profile-a-l/ktorrent.profile +++ b/etc/profile-a-l/ktorrent.profile | |||
| @@ -21,13 +21,17 @@ include disable-interpreters.inc | |||
| 21 | include disable-programs.inc | 21 | include disable-programs.inc |
| 22 | include disable-shell.inc | 22 | include disable-shell.inc |
| 23 | 23 | ||
| 24 | mkdir ${HOME}/.kde/share/apps/ktorrent | 24 | # Legacy paths |
| 25 | mkdir ${HOME}/.kde4/share/apps/ktorrent | 25 | #mkdir ${HOME}/.kde/share/apps/ktorrent |
| 26 | #mkdir ${HOME}/.kde/share/config | ||
| 27 | #mkdir ${HOME}/.kde4/share/apps/ktorrent | ||
| 28 | #mkdir ${HOME}/.kde4/share/config | ||
| 29 | #mkfile ${HOME}/.kde/share/config/ktorrentrc | ||
| 30 | #mkfile ${HOME}/.kde4/share/config/ktorrentrc | ||
| 31 | |||
| 26 | mkdir ${HOME}/.local/share/ktorrent | 32 | mkdir ${HOME}/.local/share/ktorrent |
| 27 | mkdir ${HOME}/.local/share/kxmlgui5/ktorrent | 33 | mkdir ${HOME}/.local/share/kxmlgui5/ktorrent |
| 28 | mkfile ${HOME}/.config/ktorrentrc | 34 | mkfile ${HOME}/.config/ktorrentrc |
| 29 | mkfile ${HOME}/.kde/share/config/ktorrentrc | ||
| 30 | mkfile ${HOME}/.kde4/share/config/ktorrentrc | ||
| 31 | whitelist ${DOWNLOADS} | 35 | whitelist ${DOWNLOADS} |
| 32 | whitelist ${HOME}/.config/ktorrentrc | 36 | whitelist ${HOME}/.config/ktorrentrc |
| 33 | whitelist ${HOME}/.kde/share/apps/ktorrent | 37 | whitelist ${HOME}/.kde/share/apps/ktorrent |
| @@ -56,10 +60,11 @@ novideo | |||
| 56 | protocol unix,inet,inet6,netlink | 60 | protocol unix,inet,inet6,netlink |
| 57 | seccomp | 61 | seccomp |
| 58 | 62 | ||
| 59 | private-bin kbuildsycoca4,kdeinit4,ktorrent | 63 | private-bin kbuildsycoca4,kdeinit4,ktmagnetdownloader,ktorrent,ktupnptest |
| 60 | private-dev | 64 | private-dev |
| 61 | # private-lib - problems on Arch | 65 | # private-lib - problems on Arch |
| 62 | private-tmp | 66 | private-tmp |
| 63 | 67 | ||
| 64 | deterministic-shutdown | 68 | deterministic-shutdown |
| 65 | # memory-deny-write-execute | 69 | # memory-deny-write-execute |
| 70 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile index 086a4500a..68ef6111a 100644 --- a/etc/profile-a-l/ktouch.profile +++ b/etc/profile-a-l/ktouch.profile | |||
| @@ -50,3 +50,5 @@ private-tmp | |||
| 50 | 50 | ||
| 51 | dbus-user none | 51 | dbus-user none |
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | |||
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index 176c78515..0cdfe4f10 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
| @@ -78,3 +78,4 @@ dbus-user.talk org.freedesktop.Notifications | |||
| 78 | dbus-system none | 78 | dbus-system none |
| 79 | 79 | ||
| 80 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 80 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
| 81 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile index c3b2a1205..7ecf26d8e 100644 --- a/etc/profile-a-l/kwin_x11.profile +++ b/etc/profile-a-l/kwin_x11.profile | |||
| @@ -44,3 +44,5 @@ private-bin kwin_x11 | |||
| 44 | private-dev | 44 | private-dev |
| 45 | private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg | 45 | private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg |
| 46 | private-tmp | 46 | private-tmp |
| 47 | |||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile index 1883d7c86..18a024c7e 100644 --- a/etc/profile-a-l/kwrite.profile +++ b/etc/profile-a-l/kwrite.profile | |||
| @@ -52,4 +52,5 @@ private-tmp | |||
| 52 | # dbus-user none | 52 | # dbus-user none |
| 53 | # dbus-system none | 53 | # dbus-system none |
| 54 | 54 | ||
| 55 | restrict-namespaces | ||
| 55 | join-or-start kwrite | 56 | join-or-start kwrite |
diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile index f6c28fafa..f1e1a897b 100644 --- a/etc/profile-a-l/latex-common.profile +++ b/etc/profile-a-l/latex-common.profile | |||
| @@ -38,3 +38,5 @@ private-tmp | |||
| 38 | 38 | ||
| 39 | dbus-user none | 39 | dbus-user none |
| 40 | dbus-system none | 40 | dbus-system none |
| 41 | |||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile index ce62b8d5c..27b27a20b 100644 --- a/etc/profile-a-l/leafpad.profile +++ b/etc/profile-a-l/leafpad.profile | |||
| @@ -38,3 +38,4 @@ private-dev | |||
| 38 | private-lib | 38 | private-lib |
| 39 | private-tmp | 39 | private-tmp |
| 40 | 40 | ||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile index 24d6261fb..6efe23ade 100644 --- a/etc/profile-a-l/less.profile +++ b/etc/profile-a-l/less.profile | |||
| @@ -48,3 +48,4 @@ dbus-system none | |||
| 48 | memory-deny-write-execute | 48 | memory-deny-write-execute |
| 49 | read-only ${HOME} | 49 | read-only ${HOME} |
| 50 | read-write ${HOME}/.lesshst | 50 | read-write ${HOME}/.lesshst |
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/librecad.profile b/etc/profile-a-l/librecad.profile index 79f18ae15..40ec7b9c6 100644 --- a/etc/profile-a-l/librecad.profile +++ b/etc/profile-a-l/librecad.profile | |||
| @@ -39,7 +39,7 @@ seccomp | |||
| 39 | #disable-mnt | 39 | #disable-mnt |
| 40 | private-bin librecad | 40 | private-bin librecad |
| 41 | private-dev | 41 | private-dev |
| 42 | # private-etc cups,drirc,fonts,passwd,xdg | 42 | #private-etc alternatives,cups,drirc,fonts,passwd,xdg |
| 43 | #private-lib | 43 | #private-lib |
| 44 | private-tmp | 44 | private-tmp |
| 45 | 45 | ||
| @@ -47,3 +47,4 @@ dbus-user none | |||
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | 48 | ||
| 49 | memory-deny-write-execute | 49 | memory-deny-write-execute |
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile index e25eaa2e9..518928876 100644 --- a/etc/profile-a-l/libreoffice.profile +++ b/etc/profile-a-l/libreoffice.profile | |||
| @@ -54,4 +54,5 @@ private-tmp | |||
| 54 | 54 | ||
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | 56 | ||
| 57 | restrict-namespaces | ||
| 57 | join-or-start libreoffice | 58 | join-or-start libreoffice |
diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile index 280669b24..025156d2d 100644 --- a/etc/profile-a-l/lifeograph.profile +++ b/etc/profile-a-l/lifeograph.profile | |||
| @@ -54,3 +54,5 @@ private-tmp | |||
| 54 | dbus-user filter | 54 | dbus-user filter |
| 55 | dbus-user.talk ca.desrt.dconf | 55 | dbus-user.talk ca.desrt.dconf |
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | |||
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile index 75aac74d1..b0e9015ee 100644 --- a/etc/profile-a-l/liferea.profile +++ b/etc/profile-a-l/liferea.profile | |||
| @@ -59,3 +59,5 @@ dbus-user.talk ca.desrt.dconf | |||
| 59 | # Add the next line to your liferea.local if you use the 'Libsecret Support' plugin. | 59 | # Add the next line to your liferea.local if you use the 'Libsecret Support' plugin. |
| 60 | #dbus-user.talk org.freedesktop.secrets | 60 | #dbus-user.talk org.freedesktop.secrets |
| 61 | dbus-system none | 61 | dbus-system none |
| 62 | |||
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile index 79eca0a6f..d81e21636 100644 --- a/etc/profile-a-l/lincity-ng.profile +++ b/etc/profile-a-l/lincity-ng.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile index 4eec03855..22a4a2a2a 100644 --- a/etc/profile-a-l/links-common.profile +++ b/etc/profile-a-l/links-common.profile | |||
| @@ -59,3 +59,4 @@ dbus-user none | |||
| 59 | dbus-system none | 59 | dbus-system none |
| 60 | 60 | ||
| 61 | memory-deny-write-execute | 61 | memory-deny-write-execute |
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile index e375f0c13..2273ed560 100644 --- a/etc/profile-a-l/linphone.profile +++ b/etc/profile-a-l/linphone.profile | |||
| @@ -47,3 +47,4 @@ disable-mnt | |||
| 47 | private-dev | 47 | private-dev |
| 48 | private-tmp | 48 | private-tmp |
| 49 | 49 | ||
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile index b4582c4f5..35fca733a 100644 --- a/etc/profile-a-l/lmms.profile +++ b/etc/profile-a-l/lmms.profile | |||
| @@ -37,3 +37,5 @@ private-tmp | |||
| 37 | 37 | ||
| 38 | dbus-user none | 38 | dbus-user none |
| 39 | dbus-system none | 39 | dbus-system none |
| 40 | |||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile index 3108900ef..78b78662b 100644 --- a/etc/profile-a-l/lollypop.profile +++ b/etc/profile-a-l/lollypop.profile | |||
| @@ -39,3 +39,4 @@ private-dev | |||
| 39 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg | 39 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
| 40 | private-tmp | 40 | private-tmp |
| 41 | 41 | ||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile index 2b61f4d48..f6436d93d 100644 --- a/etc/profile-a-l/lugaru.profile +++ b/etc/profile-a-l/lugaru.profile | |||
| @@ -49,3 +49,5 @@ private-tmp | |||
| 49 | 49 | ||
| 50 | dbus-user none | 50 | dbus-user none |
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile index b7280b61c..4a8352831 100644 --- a/etc/profile-a-l/luminance-hdr.profile +++ b/etc/profile-a-l/luminance-hdr.profile | |||
| @@ -36,3 +36,4 @@ private-cache | |||
| 36 | private-dev | 36 | private-dev |
| 37 | private-tmp | 37 | private-tmp |
| 38 | 38 | ||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile index 0562cf430..2658c5373 100644 --- a/etc/profile-a-l/lutris.profile +++ b/etc/profile-a-l/lutris.profile | |||
| @@ -69,7 +69,8 @@ notv | |||
| 69 | nou2f | 69 | nou2f |
| 70 | novideo | 70 | novideo |
| 71 | protocol unix,inet,inet6,netlink | 71 | protocol unix,inet,inet6,netlink |
| 72 | seccomp | 72 | seccomp !modify_ldt |
| 73 | seccomp.32 !modify_ldt | ||
| 73 | 74 | ||
| 74 | # Add the next line to your lutris.local if you do not need controller support. | 75 | # Add the next line to your lutris.local if you do not need controller support. |
| 75 | #private-dev | 76 | #private-dev |
| @@ -79,3 +80,5 @@ dbus-user filter | |||
| 79 | dbus-user.own net.lutris.Lutris | 80 | dbus-user.own net.lutris.Lutris |
| 80 | dbus-user.talk com.feralinteractive.GameMode | 81 | dbus-user.talk com.feralinteractive.GameMode |
| 81 | dbus-system none | 82 | dbus-system none |
| 83 | |||
| 84 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile index d8485ba65..589f1cf6b 100644 --- a/etc/profile-a-l/lximage-qt.profile +++ b/etc/profile-a-l/lximage-qt.profile | |||
| @@ -35,3 +35,4 @@ private-cache | |||
| 35 | private-dev | 35 | private-dev |
| 36 | private-tmp | 36 | private-tmp |
| 37 | 37 | ||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile index a5fc967be..1ecf3c9d7 100644 --- a/etc/profile-a-l/lxmusic.profile +++ b/etc/profile-a-l/lxmusic.profile | |||
| @@ -37,3 +37,4 @@ seccomp | |||
| 37 | private-dev | 37 | private-dev |
| 38 | private-tmp | 38 | private-tmp |
| 39 | 39 | ||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile index 02a9f8d82..caf8de104 100644 --- a/etc/profile-a-l/lynx.profile +++ b/etc/profile-a-l/lynx.profile | |||
| @@ -39,3 +39,5 @@ private-cache | |||
| 39 | private-dev | 39 | private-dev |
| 40 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl | 40 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
| 41 | private-tmp | 41 | private-tmp |
| 42 | |||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile index 930d49db2..23b44dbf5 100644 --- a/etc/profile-m-z/Maelstrom.profile +++ b/etc/profile-m-z/Maelstrom.profile | |||
| @@ -43,3 +43,5 @@ private-tmp | |||
| 43 | 43 | ||
| 44 | dbus-user none | 44 | dbus-user none |
| 45 | dbus-system none | 45 | dbus-system none |
| 46 | |||
| 47 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile index 6286f066e..08283bd33 100644 --- a/etc/profile-m-z/Mathematica.profile +++ b/etc/profile-m-z/Mathematica.profile | |||
| @@ -27,3 +27,5 @@ nonewprivs | |||
| 27 | noroot | 27 | noroot |
| 28 | notv | 28 | notv |
| 29 | seccomp | 29 | seccomp |
| 30 | |||
| 31 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile index cc52f053f..902fc9a6a 100644 --- a/etc/profile-m-z/PCSX2.profile +++ b/etc/profile-m-z/PCSX2.profile | |||
| @@ -53,3 +53,5 @@ private-tmp | |||
| 53 | 53 | ||
| 54 | dbus-user none | 54 | dbus-user none |
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | |||
| 57 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile index cf597c215..1e9af5769 100644 --- a/etc/profile-m-z/QMediathekView.profile +++ b/etc/profile-m-z/QMediathekView.profile | |||
| @@ -56,3 +56,4 @@ dbus-user none | |||
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | 57 | ||
| 58 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 58 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index 6bf69d055..6140de60f 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile | |||
| @@ -52,3 +52,4 @@ private-dev | |||
| 52 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl | 52 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl |
| 53 | private-tmp | 53 | private-tmp |
| 54 | 54 | ||
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile index e13337b7c..2ea185ec0 100644 --- a/etc/profile-m-z/Viber.profile +++ b/etc/profile-m-z/Viber.profile | |||
| @@ -34,3 +34,5 @@ disable-mnt | |||
| 34 | private-bin awk,bash,dig,sh,Viber | 34 | private-bin awk,bash,dig,sh,Viber |
| 35 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 | 35 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 |
| 36 | private-tmp | 36 | private-tmp |
| 37 | |||
| 38 | # restrict-namespaces | ||
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile index 53cecd4b1..97b9d2898 100644 --- a/etc/profile-m-z/XMind.profile +++ b/etc/profile-m-z/XMind.profile | |||
| @@ -35,3 +35,4 @@ private-bin cp,sh,XMind | |||
| 35 | private-tmp | 35 | private-tmp |
| 36 | private-dev | 36 | private-dev |
| 37 | 37 | ||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile index bda639232..2fc1d1b8a 100644 --- a/etc/profile-m-z/Xephyr.profile +++ b/etc/profile-m-z/Xephyr.profile | |||
| @@ -40,3 +40,5 @@ private | |||
| 40 | private-dev | 40 | private-dev |
| 41 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf | 41 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf |
| 42 | #private-tmp | 42 | #private-tmp |
| 43 | |||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile index 223370f30..8bf79f554 100644 --- a/etc/profile-m-z/Xvfb.profile +++ b/etc/profile-m-z/Xvfb.profile | |||
| @@ -44,3 +44,5 @@ private | |||
| 44 | private-dev | 44 | private-dev |
| 45 | private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf | 45 | private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf |
| 46 | private-tmp | 46 | private-tmp |
| 47 | |||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile index 89024f976..6ddc24bf6 100644 --- a/etc/profile-m-z/ZeGrapher.profile +++ b/etc/profile-m-z/ZeGrapher.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile index e8fba41c3..24158d062 100644 --- a/etc/profile-m-z/macrofusion.profile +++ b/etc/profile-m-z/macrofusion.profile | |||
| @@ -42,3 +42,5 @@ private-tmp | |||
| 42 | 42 | ||
| 43 | dbus-user none | 43 | dbus-user none |
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | |||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile index 76fc6e6da..e5d994b57 100644 --- a/etc/profile-m-z/magicor.profile +++ b/etc/profile-m-z/magicor.profile | |||
| @@ -49,3 +49,5 @@ private-tmp | |||
| 49 | 49 | ||
| 50 | dbus-user none | 50 | dbus-user none |
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile index 4ec6ef82e..e9d245a6d 100644 --- a/etc/profile-m-z/makepkg.profile +++ b/etc/profile-m-z/makepkg.profile | |||
| @@ -58,3 +58,4 @@ private-cache | |||
| 58 | private-tmp | 58 | private-tmp |
| 59 | 59 | ||
| 60 | memory-deny-write-execute | 60 | memory-deny-write-execute |
| 61 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile index b8d221dc3..0e3f9e6e2 100644 --- a/etc/profile-m-z/man.profile +++ b/etc/profile-m-z/man.profile | |||
| @@ -65,3 +65,4 @@ dbus-system none | |||
| 65 | memory-deny-write-execute | 65 | memory-deny-write-execute |
| 66 | read-only ${HOME} | 66 | read-only ${HOME} |
| 67 | #read-only /tmp # breaks mandoc (see #4927) | 67 | #read-only /tmp # breaks mandoc (see #4927) |
| 68 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile index ede669c08..5ee4d0cb5 100644 --- a/etc/profile-m-z/manaplus.profile +++ b/etc/profile-m-z/manaplus.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | dbus-user none | 49 | dbus-user none |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile index fe0077f3d..7066f4229 100644 --- a/etc/profile-m-z/marker.profile +++ b/etc/profile-m-z/marker.profile | |||
| @@ -60,3 +60,5 @@ dbus-user filter | |||
| 60 | dbus-user.own com.github.fabiocolacio.marker | 60 | dbus-user.own com.github.fabiocolacio.marker |
| 61 | dbus-user.talk ca.desrt.dconf | 61 | dbus-user.talk ca.desrt.dconf |
| 62 | dbus-system none | 62 | dbus-system none |
| 63 | |||
| 64 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile index a78927cc5..176506ff2 100644 --- a/etc/profile-m-z/masterpdfeditor.profile +++ b/etc/profile-m-z/masterpdfeditor.profile | |||
| @@ -38,3 +38,4 @@ private-dev | |||
| 38 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload | 38 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
| 39 | private-tmp | 39 | private-tmp |
| 40 | 40 | ||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile index 00f0bd9a3..e3a5c6ab6 100644 --- a/etc/profile-m-z/mate-calc.profile +++ b/etc/profile-m-z/mate-calc.profile | |||
| @@ -50,3 +50,4 @@ dbus-user none | |||
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | 51 | ||
| 52 | memory-deny-write-execute | 52 | memory-deny-write-execute |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile index a59f5e139..337c2d6e5 100644 --- a/etc/profile-m-z/mate-color-select.profile +++ b/etc/profile-m-z/mate-color-select.profile | |||
| @@ -38,3 +38,4 @@ private-lib | |||
| 38 | private-tmp | 38 | private-tmp |
| 39 | 39 | ||
| 40 | memory-deny-write-execute | 40 | memory-deny-write-execute |
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile index 3720c824e..e80b220b7 100644 --- a/etc/profile-m-z/mate-dictionary.profile +++ b/etc/profile-m-z/mate-dictionary.profile | |||
| @@ -42,3 +42,4 @@ private-dev | |||
| 42 | private-tmp | 42 | private-tmp |
| 43 | 43 | ||
| 44 | memory-deny-write-execute | 44 | memory-deny-write-execute |
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile index 1df04c117..1ebe9aaba 100644 --- a/etc/profile-m-z/mcabber.profile +++ b/etc/profile-m-z/mcabber.profile | |||
| @@ -31,3 +31,5 @@ seccomp | |||
| 31 | private-bin mcabber | 31 | private-bin mcabber |
| 32 | private-dev | 32 | private-dev |
| 33 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl | 33 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl |
| 34 | |||
| 35 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile index e654cc16e..a3ff768b7 100644 --- a/etc/profile-m-z/mcomix.profile +++ b/etc/profile-m-z/mcomix.profile | |||
| @@ -70,3 +70,4 @@ read-write ${HOME}/.local/share/mcomix | |||
| 70 | read-write ${HOME}/.local/share | 70 | read-write ${HOME}/.local/share |
| 71 | # used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails | 71 | # used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails |
| 72 | read-write ${HOME}/.thumbnails | 72 | read-write ${HOME}/.thumbnails |
| 73 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile index 63b07d474..e1025a1fb 100644 --- a/etc/profile-m-z/mdr.profile +++ b/etc/profile-m-z/mdr.profile | |||
| @@ -52,3 +52,4 @@ dbus-user none | |||
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | 53 | ||
| 54 | memory-deny-write-execute | 54 | memory-deny-write-execute |
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile index 35d59d439..12d692b72 100644 --- a/etc/profile-m-z/mediainfo.profile +++ b/etc/profile-m-z/mediainfo.profile | |||
| @@ -49,3 +49,4 @@ dbus-user none | |||
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | 50 | ||
| 51 | memory-deny-write-execute | 51 | memory-deny-write-execute |
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile index f0ef7d010..19ce6fcd1 100644 --- a/etc/profile-m-z/mediathekview.profile +++ b/etc/profile-m-z/mediathekview.profile | |||
| @@ -51,3 +51,4 @@ private-cache | |||
| 51 | private-dev | 51 | private-dev |
| 52 | private-tmp | 52 | private-tmp |
| 53 | 53 | ||
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile index a28a66786..73fd65bcd 100644 --- a/etc/profile-m-z/megaglest.profile +++ b/etc/profile-m-z/megaglest.profile | |||
| @@ -53,3 +53,5 @@ private-tmp | |||
| 53 | 53 | ||
| 54 | dbus-user none | 54 | dbus-user none |
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | |||
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile index dddc7f977..634694363 100644 --- a/etc/profile-m-z/meld.profile +++ b/etc/profile-m-z/meld.profile | |||
| @@ -78,3 +78,4 @@ private-dev | |||
| 78 | private-tmp | 78 | private-tmp |
| 79 | 79 | ||
| 80 | read-only ${HOME}/.ssh | 80 | read-only ${HOME}/.ssh |
| 81 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile index 4f9bcea71..f2626b0c1 100644 --- a/etc/profile-m-z/mendeleydesktop.profile +++ b/etc/profile-m-z/mendeleydesktop.profile | |||
| @@ -47,3 +47,5 @@ private-tmp | |||
| 47 | 47 | ||
| 48 | dbus-user none | 48 | dbus-user none |
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile index 08b155a27..cd4938ec6 100644 --- a/etc/profile-m-z/menulibre.profile +++ b/etc/profile-m-z/menulibre.profile | |||
| @@ -61,3 +61,4 @@ read-write ${HOME}/.config/menus | |||
| 61 | read-write ${HOME}/.gnome/apps | 61 | read-write ${HOME}/.gnome/apps |
| 62 | read-write ${HOME}/.local/share/applications | 62 | read-write ${HOME}/.local/share/applications |
| 63 | read-write ${HOME}/.local/share/flatpak/exports | 63 | read-write ${HOME}/.local/share/flatpak/exports |
| 64 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile index 47b4cf8c9..db87b21bc 100644 --- a/etc/profile-m-z/meteo-qt.profile +++ b/etc/profile-m-z/meteo-qt.profile | |||
| @@ -51,3 +51,4 @@ dbus-user none | |||
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | 52 | ||
| 53 | memory-deny-write-execute | 53 | memory-deny-write-execute |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile index eb037f51b..d1655fabb 100644 --- a/etc/profile-m-z/midori.profile +++ b/etc/profile-m-z/midori.profile | |||
| @@ -62,3 +62,5 @@ tracelog | |||
| 62 | 62 | ||
| 63 | disable-mnt | 63 | disable-mnt |
| 64 | private-tmp | 64 | private-tmp |
| 65 | |||
| 66 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile index 8f1cd0bc6..a26896b19 100644 --- a/etc/profile-m-z/mindless.profile +++ b/etc/profile-m-z/mindless.profile | |||
| @@ -48,3 +48,4 @@ dbus-user none | |||
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | 49 | ||
| 50 | memory-deny-write-execute | 50 | memory-deny-write-execute |
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile index 22684be39..e6bf86802 100644 --- a/etc/profile-m-z/minecraft-launcher.profile +++ b/etc/profile-m-z/minecraft-launcher.profile | |||
| @@ -56,3 +56,5 @@ private-tmp | |||
| 56 | 56 | ||
| 57 | dbus-user none | 57 | dbus-user none |
| 58 | dbus-system none | 58 | dbus-system none |
| 59 | |||
| 60 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile index 3d7ede3dc..15474c96e 100644 --- a/etc/profile-m-z/minetest.profile +++ b/etc/profile-m-z/minetest.profile | |||
| @@ -61,3 +61,5 @@ private-tmp | |||
| 61 | 61 | ||
| 62 | dbus-user none | 62 | dbus-user none |
| 63 | dbus-system none | 63 | dbus-system none |
| 64 | |||
| 65 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile index 385edbd7a..ce938c867 100644 --- a/etc/profile-m-z/minitube.profile +++ b/etc/profile-m-z/minitube.profile | |||
| @@ -58,3 +58,5 @@ private-tmp | |||
| 58 | 58 | ||
| 59 | dbus-user none | 59 | dbus-user none |
| 60 | dbus-system none | 60 | dbus-system none |
| 61 | |||
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile index 2b05bbfde..d36c0fc81 100644 --- a/etc/profile-m-z/mirage.profile +++ b/etc/profile-m-z/mirage.profile | |||
| @@ -58,3 +58,5 @@ private-tmp | |||
| 58 | 58 | ||
| 59 | dbus-user none | 59 | dbus-user none |
| 60 | dbus-system none | 60 | dbus-system none |
| 61 | |||
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile index 707ef34e9..34721b4a3 100644 --- a/etc/profile-m-z/mirrormagic.profile +++ b/etc/profile-m-z/mirrormagic.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | dbus-user none | 49 | dbus-user none |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile index fdaf885bd..46320f8ea 100644 --- a/etc/profile-m-z/mocp.profile +++ b/etc/profile-m-z/mocp.profile | |||
| @@ -50,3 +50,4 @@ dbus-system none | |||
| 50 | memory-deny-write-execute | 50 | memory-deny-write-execute |
| 51 | read-only ${HOME} | 51 | read-only ${HOME} |
| 52 | read-write ${HOME}/.moc | 52 | read-write ${HOME}/.moc |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mousepad.profile b/etc/profile-m-z/mousepad.profile index e87c82e30..8e597fa99 100644 --- a/etc/profile-m-z/mousepad.profile +++ b/etc/profile-m-z/mousepad.profile | |||
| @@ -37,3 +37,5 @@ private-bin mousepad | |||
| 37 | private-dev | 37 | private-dev |
| 38 | private-lib | 38 | private-lib |
| 39 | private-tmp | 39 | private-tmp |
| 40 | |||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile index 0dd9f7b43..89cee657d 100644 --- a/etc/profile-m-z/mp3splt-gtk.profile +++ b/etc/profile-m-z/mp3splt-gtk.profile | |||
| @@ -41,3 +41,5 @@ private-tmp | |||
| 41 | 41 | ||
| 42 | dbus-user none | 42 | dbus-user none |
| 43 | dbus-system none | 43 | dbus-system none |
| 44 | |||
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile index e1b26aaf0..77ad30d0c 100644 --- a/etc/profile-m-z/mp3splt.profile +++ b/etc/profile-m-z/mp3splt.profile | |||
| @@ -46,7 +46,8 @@ private-dev | |||
| 46 | private-etc alternatives,ld.so.cache,ld.so.preload | 46 | private-etc alternatives,ld.so.cache,ld.so.preload |
| 47 | private-tmp | 47 | private-tmp |
| 48 | 48 | ||
| 49 | memory-deny-write-execute | ||
| 50 | |||
| 51 | dbus-user none | 49 | dbus-user none |
| 52 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | memory-deny-write-execute | ||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile index ed8a7eee3..1d875c3c4 100644 --- a/etc/profile-m-z/mpDris2.profile +++ b/etc/profile-m-z/mpDris2.profile | |||
| @@ -55,3 +55,4 @@ private-tmp | |||
| 55 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 55 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 56 | 56 | ||
| 57 | read-only ${HOME} | 57 | read-only ${HOME} |
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile index 604db8105..d1c4bd24f 100644 --- a/etc/profile-m-z/mpd.profile +++ b/etc/profile-m-z/mpd.profile | |||
| @@ -41,3 +41,4 @@ private-cache | |||
| 41 | private-dev | 41 | private-dev |
| 42 | private-tmp | 42 | private-tmp |
| 43 | 43 | ||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile index d03879836..12650dbc9 100644 --- a/etc/profile-m-z/mpg123.profile +++ b/etc/profile-m-z/mpg123.profile | |||
| @@ -42,3 +42,4 @@ dbus-user none | |||
| 42 | dbus-system none | 42 | dbus-system none |
| 43 | 43 | ||
| 44 | memory-deny-write-execute | 44 | memory-deny-write-execute |
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile index ebb4b0e73..7d9ff39ad 100644 --- a/etc/profile-m-z/mplayer.profile +++ b/etc/profile-m-z/mplayer.profile | |||
| @@ -37,3 +37,5 @@ seccomp | |||
| 37 | private-bin mplayer | 37 | private-bin mplayer |
| 38 | private-dev | 38 | private-dev |
| 39 | private-tmp | 39 | private-tmp |
| 40 | |||
| 41 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile index 9dcdd34a3..e73e3142c 100644 --- a/etc/profile-m-z/mpsyt.profile +++ b/etc/profile-m-z/mpsyt.profile | |||
| @@ -68,3 +68,4 @@ private-tmp | |||
| 68 | 68 | ||
| 69 | dbus-user none | 69 | dbus-user none |
| 70 | dbus-system none | 70 | dbus-system none |
| 71 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index 4ea5740c2..c9706999a 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
| @@ -86,3 +86,5 @@ private-dev | |||
| 86 | 86 | ||
| 87 | dbus-user none | 87 | dbus-user none |
| 88 | dbus-system none | 88 | dbus-system none |
| 89 | |||
| 90 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile index f4d8d7f6a..4f7ae09b9 100644 --- a/etc/profile-m-z/mrrescue.profile +++ b/etc/profile-m-z/mrrescue.profile | |||
| @@ -56,3 +56,5 @@ private-tmp | |||
| 56 | 56 | ||
| 57 | dbus-user none | 57 | dbus-user none |
| 58 | dbus-system none | 58 | dbus-system none |
| 59 | |||
| 60 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile index 7eb8efae6..d979e7401 100644 --- a/etc/profile-m-z/ms-office.profile +++ b/etc/profile-m-z/ms-office.profile | |||
| @@ -40,3 +40,5 @@ private-tmp | |||
| 40 | 40 | ||
| 41 | dbus-user none | 41 | dbus-user none |
| 42 | dbus-system none | 42 | dbus-system none |
| 43 | |||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile index 5467718e2..363c6fe4a 100644 --- a/etc/profile-m-z/mtpaint.profile +++ b/etc/profile-m-z/mtpaint.profile | |||
| @@ -46,3 +46,5 @@ private-tmp | |||
| 46 | 46 | ||
| 47 | dbus-user none | 47 | dbus-user none |
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | |||
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile index 283840c17..73107680c 100644 --- a/etc/profile-m-z/multimc5.profile +++ b/etc/profile-m-z/multimc5.profile | |||
| @@ -49,3 +49,4 @@ disable-mnt | |||
| 49 | private-dev | 49 | private-dev |
| 50 | private-tmp | 50 | private-tmp |
| 51 | 51 | ||
| 52 | # restrict-namespaces | ||
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile index e2530efc7..ef09e6fca 100644 --- a/etc/profile-m-z/mumble.profile +++ b/etc/profile-m-z/mumble.profile | |||
| @@ -42,3 +42,4 @@ private-bin mumble | |||
| 42 | private-tmp | 42 | private-tmp |
| 43 | 43 | ||
| 44 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 44 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile index 1876dc5ca..954016c2c 100644 --- a/etc/profile-m-z/mupdf.profile +++ b/etc/profile-m-z/mupdf.profile | |||
| @@ -44,3 +44,4 @@ dbus-system none | |||
| 44 | 44 | ||
| 45 | memory-deny-write-execute | 45 | memory-deny-write-execute |
| 46 | read-only ${HOME} | 46 | read-only ${HOME} |
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mupen64plus.profile b/etc/profile-m-z/mupen64plus.profile index 093767c27..f97c6f271 100644 --- a/etc/profile-m-z/mupen64plus.profile +++ b/etc/profile-m-z/mupen64plus.profile | |||
| @@ -31,3 +31,5 @@ seccomp | |||
| 31 | 31 | ||
| 32 | dbus-user none | 32 | dbus-user none |
| 33 | dbus-system none | 33 | dbus-system none |
| 34 | |||
| 35 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile index fa4a37bf8..ca951f70c 100644 --- a/etc/profile-m-z/musescore.profile +++ b/etc/profile-m-z/musescore.profile | |||
| @@ -39,3 +39,5 @@ tracelog | |||
| 39 | 39 | ||
| 40 | # private-bin musescore,mscore | 40 | # private-bin musescore,mscore |
| 41 | private-tmp | 41 | private-tmp |
| 42 | |||
| 43 | # restrict-namespaces | ||
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile index 9f83bb428..01b8d20b3 100644 --- a/etc/profile-m-z/musictube.profile +++ b/etc/profile-m-z/musictube.profile | |||
| @@ -54,3 +54,5 @@ private-tmp | |||
| 54 | 54 | ||
| 55 | dbus-user none | 55 | dbus-user none |
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | |||
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile index 796d7fbb0..d2032dcf6 100644 --- a/etc/profile-m-z/musixmatch.profile +++ b/etc/profile-m-z/musixmatch.profile | |||
| @@ -35,3 +35,4 @@ disable-mnt | |||
| 35 | private-dev | 35 | private-dev |
| 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl |
| 37 | 37 | ||
| 38 | # restrict-namespaces | ||
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index 6c6341d40..52d30669f 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile | |||
| @@ -146,3 +146,4 @@ read-only ${HOME}/.elinks | |||
| 146 | read-only ${HOME}/.nanorc | 146 | read-only ${HOME}/.nanorc |
| 147 | read-only ${HOME}/.signature | 147 | read-only ${HOME}/.signature |
| 148 | read-only ${HOME}/.w3m | 148 | read-only ${HOME}/.w3m |
| 149 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile index 41519bbb1..18117965e 100644 --- a/etc/profile-m-z/mypaint.profile +++ b/etc/profile-m-z/mypaint.profile | |||
| @@ -47,3 +47,5 @@ private-tmp | |||
| 47 | 47 | ||
| 48 | dbus-user none | 48 | dbus-user none |
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile index e8cee2538..a20eb3828 100644 --- a/etc/profile-m-z/nano.profile +++ b/etc/profile-m-z/nano.profile | |||
| @@ -56,3 +56,4 @@ dbus-user none | |||
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | 57 | ||
| 58 | memory-deny-write-execute | 58 | memory-deny-write-execute |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile index 2c7e36a35..b979e1aee 100644 --- a/etc/profile-m-z/natron.profile +++ b/etc/profile-m-z/natron.profile | |||
| @@ -34,3 +34,5 @@ private-bin natron,Natron,NatronRenderer | |||
| 34 | 34 | ||
| 35 | dbus-user none | 35 | dbus-user none |
| 36 | dbus-system none | 36 | dbus-system none |
| 37 | |||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile index 010f823d0..09687199b 100644 --- a/etc/profile-m-z/ncdu.profile +++ b/etc/profile-m-z/ncdu.profile | |||
| @@ -35,3 +35,4 @@ dbus-user none | |||
| 35 | dbus-system none | 35 | dbus-system none |
| 36 | 36 | ||
| 37 | memory-deny-write-execute | 37 | memory-deny-write-execute |
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile index a50fdd072..fde1d4d2c 100644 --- a/etc/profile-m-z/neochat.profile +++ b/etc/profile-m-z/neochat.profile | |||
| @@ -62,3 +62,5 @@ dbus-user.talk org.freedesktop.Notifications | |||
| 62 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | 62 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
| 63 | dbus-user.talk org.kde.kwalletd5 | 63 | dbus-user.talk org.kde.kwalletd5 |
| 64 | dbus-system none | 64 | dbus-system none |
| 65 | |||
| 66 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index 9000b7972..c255a85c9 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile | |||
| @@ -129,3 +129,4 @@ read-only ${HOME}/.elinks | |||
| 129 | read-only ${HOME}/.nanorc | 129 | read-only ${HOME}/.nanorc |
| 130 | read-only ${HOME}/.signature | 130 | read-only ${HOME}/.signature |
| 131 | read-only ${HOME}/.w3m | 131 | read-only ${HOME}/.w3m |
| 132 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile index 60fc2fa65..4d5265397 100644 --- a/etc/profile-m-z/netactview.profile +++ b/etc/profile-m-z/netactview.profile | |||
| @@ -52,3 +52,4 @@ dbus-user none | |||
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | 53 | ||
| 54 | memory-deny-write-execute | 54 | memory-deny-write-execute |
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile index d130d5b3a..c07bb7107 100644 --- a/etc/profile-m-z/nethack-vultures.profile +++ b/etc/profile-m-z/nethack-vultures.profile | |||
| @@ -42,3 +42,5 @@ writable-var | |||
| 42 | 42 | ||
| 43 | dbus-user none | 43 | dbus-user none |
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | |||
| 46 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile index 9cb7457e5..a43889349 100644 --- a/etc/profile-m-z/nethack.profile +++ b/etc/profile-m-z/nethack.profile | |||
| @@ -44,3 +44,4 @@ dbus-user none | |||
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | 45 | ||
| 46 | #memory-deny-write-execute | 46 | #memory-deny-write-execute |
| 47 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/netsurf.profile b/etc/profile-m-z/netsurf.profile index 0ddb7bbbe..467ce5829 100644 --- a/etc/profile-m-z/netsurf.profile +++ b/etc/profile-m-z/netsurf.profile | |||
| @@ -32,3 +32,5 @@ seccomp | |||
| 32 | tracelog | 32 | tracelog |
| 33 | 33 | ||
| 34 | disable-mnt | 34 | disable-mnt |
| 35 | |||
| 36 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile index b9a25b66c..68b0ce2ea 100644 --- a/etc/profile-m-z/neverball.profile +++ b/etc/profile-m-z/neverball.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | dbus-user none | 49 | dbus-user none |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile index 10f9240b7..b80a0a151 100644 --- a/etc/profile-m-z/newsboat.profile +++ b/etc/profile-m-z/newsboat.profile | |||
| @@ -59,3 +59,4 @@ dbus-user none | |||
| 59 | dbus-system none | 59 | dbus-system none |
| 60 | 60 | ||
| 61 | memory-deny-write-execute | 61 | memory-deny-write-execute |
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile index 4da14beae..59f16bb10 100644 --- a/etc/profile-m-z/newsflash.profile +++ b/etc/profile-m-z/newsflash.profile | |||
| @@ -57,3 +57,5 @@ dbus-user none | |||
| 57 | #dbus-user.own com.gitlab.newsflash | 57 | #dbus-user.own com.gitlab.newsflash |
| 58 | #dbus-user.talk org.freedesktop.Notifications | 58 | #dbus-user.talk org.freedesktop.Notifications |
| 59 | dbus-system none | 59 | dbus-system none |
| 60 | |||
| 61 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index 95f9f5d14..c26942c81 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile | |||
| @@ -69,3 +69,5 @@ dbus-user filter | |||
| 69 | dbus-user.talk org.freedesktop.secrets | 69 | dbus-user.talk org.freedesktop.secrets |
| 70 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | 70 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
| 71 | dbus-system none | 71 | dbus-system none |
| 72 | |||
| 73 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile index 662584892..4e4c7bfe7 100644 --- a/etc/profile-m-z/nheko.profile +++ b/etc/profile-m-z/nheko.profile | |||
| @@ -56,3 +56,5 @@ dbus-user.talk org.freedesktop.secrets | |||
| 56 | # Add the next line to your nheko.local to enable notification support. | 56 | # Add the next line to your nheko.local to enable notification support. |
| 57 | #dbus-user.talk org.freedesktop.Notifications | 57 | #dbus-user.talk org.freedesktop.Notifications |
| 58 | dbus-system none | 58 | dbus-system none |
| 59 | |||
| 60 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile index bb2a41457..568899eea 100644 --- a/etc/profile-m-z/nicotine.profile +++ b/etc/profile-m-z/nicotine.profile | |||
| @@ -8,8 +8,12 @@ include globals.local | |||
| 8 | 8 | ||
| 9 | noblacklist ${HOME}/.nicotine | 9 | noblacklist ${HOME}/.nicotine |
| 10 | 10 | ||
| 11 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
| 12 | include allow-bin-sh.inc | ||
| 13 | |||
| 11 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
| 12 | include allow-python2.inc | 15 | include allow-python2.inc |
| 16 | include allow-python3.inc | ||
| 13 | 17 | ||
| 14 | include disable-common.inc | 18 | include disable-common.inc |
| 15 | include disable-devel.inc | 19 | include disable-devel.inc |
| @@ -37,6 +41,7 @@ nodvd | |||
| 37 | nogroups | 41 | nogroups |
| 38 | noinput | 42 | noinput |
| 39 | nonewprivs | 43 | nonewprivs |
| 44 | noprinters | ||
| 40 | noroot | 45 | noroot |
| 41 | nosound | 46 | nosound |
| 42 | notv | 47 | notv |
| @@ -47,10 +52,12 @@ seccomp | |||
| 47 | tracelog | 52 | tracelog |
| 48 | 53 | ||
| 49 | disable-mnt | 54 | disable-mnt |
| 50 | private-bin nicotine,python2* | 55 | #private-bin nicotine,python2* |
| 51 | private-cache | 56 | private-cache |
| 52 | private-dev | 57 | private-dev |
| 53 | private-tmp | 58 | private-tmp |
| 54 | 59 | ||
| 55 | dbus-user none | 60 | dbus-user none |
| 56 | dbus-system none | 61 | dbus-system none |
| 62 | |||
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile index b4da229c4..cefe9fa79 100644 --- a/etc/profile-m-z/nitroshare.profile +++ b/etc/profile-m-z/nitroshare.profile | |||
| @@ -49,3 +49,4 @@ private-tmp | |||
| 49 | # dbus-system none | 49 | # dbus-system none |
| 50 | 50 | ||
| 51 | # memory-deny-write-execute | 51 | # memory-deny-write-execute |
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index 2ba125a02..f185a04ee 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile | |||
| @@ -100,3 +100,4 @@ dbus-system none | |||
| 100 | 100 | ||
| 101 | # Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry. | 101 | # Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry. |
| 102 | #env GATSBY_TELEMETRY_DISABLED=1 | 102 | #env GATSBY_TELEMETRY_DISABLED=1 |
| 103 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile index 733de1096..ac8336331 100644 --- a/etc/profile-m-z/nomacs.profile +++ b/etc/profile-m-z/nomacs.profile | |||
| @@ -42,3 +42,5 @@ private-cache | |||
| 42 | private-dev | 42 | private-dev |
| 43 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl | 43 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl |
| 44 | private-tmp | 44 | private-tmp |
| 45 | |||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile index 7e9290513..11d6bd795 100644 --- a/etc/profile-m-z/notify-send.profile +++ b/etc/profile-m-z/notify-send.profile | |||
| @@ -57,3 +57,4 @@ dbus-system none | |||
| 57 | 57 | ||
| 58 | memory-deny-write-execute | 58 | memory-deny-write-execute |
| 59 | read-only ${HOME} | 59 | read-only ${HOME} |
| 60 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile index 160385d70..37d9f593c 100644 --- a/etc/profile-m-z/nslookup.profile +++ b/etc/profile-m-z/nslookup.profile | |||
| @@ -52,3 +52,4 @@ dbus-user none | |||
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | 53 | ||
| 54 | memory-deny-write-execute | 54 | memory-deny-write-execute |
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nvim.profile b/etc/profile-m-z/nvim.profile index 1f8334d08..6f415d60a 100644 --- a/etc/profile-m-z/nvim.profile +++ b/etc/profile-m-z/nvim.profile | |||
| @@ -51,3 +51,4 @@ read-write ${HOME}/.local/share/nvim | |||
| 51 | read-write ${HOME}/.local/state/nvim | 51 | read-write ${HOME}/.local/state/nvim |
| 52 | read-write ${HOME}/.vim | 52 | read-write ${HOME}/.vim |
| 53 | read-write ${HOME}/.vimrc | 53 | read-write ${HOME}/.vimrc |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nylas.profile b/etc/profile-m-z/nylas.profile index a86ef478a..8acf09e90 100644 --- a/etc/profile-m-z/nylas.profile +++ b/etc/profile-m-z/nylas.profile | |||
| @@ -35,3 +35,5 @@ protocol unix,inet,inet6,netlink | |||
| 35 | seccomp | 35 | seccomp |
| 36 | 36 | ||
| 37 | private-dev | 37 | private-dev |
| 38 | |||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile index f58f4fd1c..4f767f046 100644 --- a/etc/profile-m-z/nyx.profile +++ b/etc/profile-m-z/nyx.profile | |||
| @@ -51,3 +51,5 @@ private-tmp | |||
| 51 | 51 | ||
| 52 | dbus-user none | 52 | dbus-user none |
| 53 | dbus-system none | 53 | dbus-system none |
| 54 | |||
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile index 91abdc032..82e7a4137 100644 --- a/etc/profile-m-z/obs.profile +++ b/etc/profile-m-z/obs.profile | |||
| @@ -40,3 +40,4 @@ private-cache | |||
| 40 | private-dev | 40 | private-dev |
| 41 | private-tmp | 41 | private-tmp |
| 42 | 42 | ||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile index 0ce3aa088..87c665cba 100644 --- a/etc/profile-m-z/ocenaudio.profile +++ b/etc/profile-m-z/ocenaudio.profile | |||
| @@ -59,3 +59,5 @@ private-tmp | |||
| 59 | 59 | ||
| 60 | dbus-user none | 60 | dbus-user none |
| 61 | dbus-system none | 61 | dbus-system none |
| 62 | |||
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile index 38751aa25..25da2139f 100644 --- a/etc/profile-m-z/odt2txt.profile +++ b/etc/profile-m-z/odt2txt.profile | |||
| @@ -44,3 +44,4 @@ dbus-user none | |||
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | 45 | ||
| 46 | read-only ${HOME} | 46 | read-only ${HOME} |
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile index 265ed1490..568b6566e 100644 --- a/etc/profile-m-z/okular.profile +++ b/etc/profile-m-z/okular.profile | |||
| @@ -69,4 +69,5 @@ private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,mach | |||
| 69 | 69 | ||
| 70 | # memory-deny-write-execute | 70 | # memory-deny-write-execute |
| 71 | 71 | ||
| 72 | restrict-namespaces | ||
| 72 | join-or-start okular | 73 | join-or-start okular |
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile index e9d6ac028..913b499d3 100644 --- a/etc/profile-m-z/onboard.profile +++ b/etc/profile-m-z/onboard.profile | |||
| @@ -53,3 +53,5 @@ private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.pr | |||
| 53 | private-tmp | 53 | private-tmp |
| 54 | 54 | ||
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | |||
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile index db923056a..47ac9fc05 100644 --- a/etc/profile-m-z/onionshare-gui.profile +++ b/etc/profile-m-z/onionshare-gui.profile | |||
| @@ -65,3 +65,4 @@ dbus-user.talk org.freedesktop.secrets | |||
| 65 | dbus-system none | 65 | dbus-system none |
| 66 | 66 | ||
| 67 | memory-deny-write-execute | 67 | memory-deny-write-execute |
| 68 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile index 730ed271d..f6b070ab3 100644 --- a/etc/profile-m-z/open-invaders.profile +++ b/etc/profile-m-z/open-invaders.profile | |||
| @@ -39,3 +39,5 @@ private-tmp | |||
| 39 | 39 | ||
| 40 | dbus-user none | 40 | dbus-user none |
| 41 | dbus-system none | 41 | dbus-system none |
| 42 | |||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index 87366547f..053f54b48 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile | |||
| @@ -47,3 +47,5 @@ private-tmp | |||
| 47 | 47 | ||
| 48 | dbus-user none | 48 | dbus-user none |
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile index b49fd9932..2da867dec 100644 --- a/etc/profile-m-z/openbox.profile +++ b/etc/profile-m-z/openbox.profile | |||
| @@ -14,7 +14,8 @@ caps.drop all | |||
| 14 | netfilter | 14 | netfilter |
| 15 | noroot | 15 | noroot |
| 16 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
| 17 | seccomp | 17 | seccomp !chroot |
| 18 | 18 | ||
| 19 | read-only ${HOME}/.config/openbox/autostart | 19 | read-only ${HOME}/.config/openbox/autostart |
| 20 | read-only ${HOME}/.config/openbox/environment | 20 | read-only ${HOME}/.config/openbox/environment |
| 21 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/opencity.profile b/etc/profile-m-z/opencity.profile index 3001a355d..a7d147ec9 100644 --- a/etc/profile-m-z/opencity.profile +++ b/etc/profile-m-z/opencity.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile index 5f05480d8..3449ac686 100644 --- a/etc/profile-m-z/openclonk.profile +++ b/etc/profile-m-z/openclonk.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile index 8fe18f12b..be97552ab 100644 --- a/etc/profile-m-z/openmw.profile +++ b/etc/profile-m-z/openmw.profile | |||
| @@ -58,3 +58,5 @@ private-tmp | |||
| 58 | 58 | ||
| 59 | dbus-user none | 59 | dbus-user none |
| 60 | dbus-system none | 60 | dbus-system none |
| 61 | |||
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile index e867eccc3..0082be581 100644 --- a/etc/profile-m-z/openshot.profile +++ b/etc/profile-m-z/openshot.profile | |||
| @@ -46,3 +46,5 @@ private-tmp | |||
| 46 | 46 | ||
| 47 | dbus-user filter | 47 | dbus-user filter |
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | |||
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/openstego.profile b/etc/profile-m-z/openstego.profile index 05b1d222d..fd8f70531 100644 --- a/etc/profile-m-z/openstego.profile +++ b/etc/profile-m-z/openstego.profile | |||
| @@ -55,3 +55,5 @@ private-tmp | |||
| 55 | 55 | ||
| 56 | dbus-user none | 56 | dbus-user none |
| 57 | dbus-system none | 57 | dbus-system none |
| 58 | |||
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/openttd.profile b/etc/profile-m-z/openttd.profile index 19ba69b14..6e5c09eda 100644 --- a/etc/profile-m-z/openttd.profile +++ b/etc/profile-m-z/openttd.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile index 250e07004..fa16c05e2 100644 --- a/etc/profile-m-z/orage.profile +++ b/etc/profile-m-z/orage.profile | |||
| @@ -36,3 +36,4 @@ private-cache | |||
| 36 | private-dev | 36 | private-dev |
| 37 | private-tmp | 37 | private-tmp |
| 38 | 38 | ||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile index a2c3e7d1d..f12838b72 100644 --- a/etc/profile-m-z/ostrichriders.profile +++ b/etc/profile-m-z/ostrichriders.profile | |||
| @@ -47,3 +47,5 @@ private-tmp | |||
| 47 | 47 | ||
| 48 | dbus-user none | 48 | dbus-user none |
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile index 7af611cc4..028c6fe90 100644 --- a/etc/profile-m-z/otter-browser.profile +++ b/etc/profile-m-z/otter-browser.profile | |||
| @@ -56,3 +56,5 @@ private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts | |||
| 56 | private-tmp | 56 | private-tmp |
| 57 | 57 | ||
| 58 | dbus-system none | 58 | dbus-system none |
| 59 | |||
| 60 | # restrict-namespaces | ||
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile index acb2ce176..24701b657 100644 --- a/etc/profile-m-z/palemoon.profile +++ b/etc/profile-m-z/palemoon.profile | |||
| @@ -22,5 +22,8 @@ ignore seccomp | |||
| 22 | #private-etc palemoon | 22 | #private-etc palemoon |
| 23 | #private-opt palemoon | 23 | #private-opt palemoon |
| 24 | 24 | ||
| 25 | restrict-namespaces | ||
| 26 | ignore restrict-namespaces | ||
| 27 | |||
| 25 | # Redirect | 28 | # Redirect |
| 26 | include firefox-common.profile | 29 | include firefox-common.profile |
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile index aac1fc5b6..2610ae67a 100644 --- a/etc/profile-m-z/pandoc.profile +++ b/etc/profile-m-z/pandoc.profile | |||
| @@ -56,3 +56,4 @@ dbus-user none | |||
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | 57 | ||
| 58 | memory-deny-write-execute | 58 | memory-deny-write-execute |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile index ca54d7ad4..fb629669a 100644 --- a/etc/profile-m-z/parole.profile +++ b/etc/profile-m-z/parole.profile | |||
| @@ -27,3 +27,5 @@ seccomp | |||
| 27 | private-bin dbus-launch,parole | 27 | private-bin dbus-launch,parole |
| 28 | private-cache | 28 | private-cache |
| 29 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl | 29 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl |
| 30 | |||
| 31 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile index 573410630..5a0f69f79 100644 --- a/etc/profile-m-z/patch.profile +++ b/etc/profile-m-z/patch.profile | |||
| @@ -48,3 +48,4 @@ dbus-user none | |||
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | 49 | ||
| 50 | memory-deny-write-execute | 50 | memory-deny-write-execute |
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile index d21157325..88cfd3352 100644 --- a/etc/profile-m-z/pavucontrol.profile +++ b/etc/profile-m-z/pavucontrol.profile | |||
| @@ -53,3 +53,4 @@ dbus-system none | |||
| 53 | 53 | ||
| 54 | # mdwe is broken under Wayland, but works under Xorg. | 54 | # mdwe is broken under Wayland, but works under Xorg. |
| 55 | #memory-deny-write-execute | 55 | #memory-deny-write-execute |
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile index 9a1e7d420..784d82736 100644 --- a/etc/profile-m-z/pcsxr.profile +++ b/etc/profile-m-z/pcsxr.profile | |||
| @@ -53,3 +53,5 @@ private-tmp | |||
| 53 | 53 | ||
| 54 | dbus-user none | 54 | dbus-user none |
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | |||
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile index 0441c9e04..2e38dde3b 100644 --- a/etc/profile-m-z/pdfchain.profile +++ b/etc/profile-m-z/pdfchain.profile | |||
| @@ -40,3 +40,4 @@ dbus-user none | |||
| 40 | dbus-system none | 40 | dbus-system none |
| 41 | 41 | ||
| 42 | memory-deny-write-execute | 42 | memory-deny-write-execute |
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pdfmod.profile b/etc/profile-m-z/pdfmod.profile index 463deca4c..81115b2e3 100644 --- a/etc/profile-m-z/pdfmod.profile +++ b/etc/profile-m-z/pdfmod.profile | |||
| @@ -41,3 +41,5 @@ private-tmp | |||
| 41 | 41 | ||
| 42 | dbus-user none | 42 | dbus-user none |
| 43 | dbus-system none | 43 | dbus-system none |
| 44 | |||
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pdfsam.profile b/etc/profile-m-z/pdfsam.profile index 3e56a9c1d..34f8387af 100644 --- a/etc/profile-m-z/pdfsam.profile +++ b/etc/profile-m-z/pdfsam.profile | |||
| @@ -41,3 +41,5 @@ private-tmp | |||
| 41 | 41 | ||
| 42 | dbus-user none | 42 | dbus-user none |
| 43 | dbus-system none | 43 | dbus-system none |
| 44 | |||
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile index 482181c86..7ece10835 100644 --- a/etc/profile-m-z/pdftotext.profile +++ b/etc/profile-m-z/pdftotext.profile | |||
| @@ -53,3 +53,5 @@ private-tmp | |||
| 53 | 53 | ||
| 54 | dbus-user none | 54 | dbus-user none |
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | |||
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile index 9809a488f..24a1bc979 100644 --- a/etc/profile-m-z/peek.profile +++ b/etc/profile-m-z/peek.profile | |||
| @@ -59,3 +59,4 @@ dbus-user.talk org.gnome.Shell.Screencast | |||
| 59 | dbus-system none | 59 | dbus-system none |
| 60 | 60 | ||
| 61 | memory-deny-write-execute | 61 | memory-deny-write-execute |
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile index e79e5cbc8..c740f5576 100644 --- a/etc/profile-m-z/penguin-command.profile +++ b/etc/profile-m-z/penguin-command.profile | |||
| @@ -39,3 +39,5 @@ private-tmp | |||
| 39 | 39 | ||
| 40 | dbus-user none | 40 | dbus-user none |
| 41 | dbus-system none | 41 | dbus-system none |
| 42 | |||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile index 9f8e094fb..dcb52c846 100644 --- a/etc/profile-m-z/photoflare.profile +++ b/etc/profile-m-z/photoflare.profile | |||
| @@ -47,3 +47,5 @@ private-tmp | |||
| 47 | 47 | ||
| 48 | dbus-user none | 48 | dbus-user none |
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/picard.profile b/etc/profile-m-z/picard.profile index 2350f83a2..b007e3ca9 100644 --- a/etc/profile-m-z/picard.profile +++ b/etc/profile-m-z/picard.profile | |||
| @@ -40,3 +40,4 @@ seccomp | |||
| 40 | private-dev | 40 | private-dev |
| 41 | private-tmp | 41 | private-tmp |
| 42 | 42 | ||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile index 904c17e09..2dc49a28d 100644 --- a/etc/profile-m-z/pidgin.profile +++ b/etc/profile-m-z/pidgin.profile | |||
| @@ -45,3 +45,5 @@ tracelog | |||
| 45 | private-cache | 45 | private-cache |
| 46 | private-dev | 46 | private-dev |
| 47 | private-tmp | 47 | private-tmp |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile index 440ee7800..3664e1469 100644 --- a/etc/profile-m-z/pinball.profile +++ b/etc/profile-m-z/pinball.profile | |||
| @@ -52,3 +52,5 @@ private-tmp | |||
| 52 | 52 | ||
| 53 | dbus-user none | 53 | dbus-user none |
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ping-hardened.inc.profile b/etc/profile-m-z/ping-hardened.inc.profile index eda53654a..e3288d2b1 100644 --- a/etc/profile-m-z/ping-hardened.inc.profile +++ b/etc/profile-m-z/ping-hardened.inc.profile | |||
| @@ -9,3 +9,4 @@ protocol unix,inet,inet6 | |||
| 9 | seccomp | 9 | seccomp |
| 10 | 10 | ||
| 11 | memory-deny-write-execute | 11 | memory-deny-write-execute |
| 12 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile index 07675650e..2a7967de7 100644 --- a/etc/profile-m-z/ping.profile +++ b/etc/profile-m-z/ping.profile | |||
| @@ -57,7 +57,7 @@ private | |||
| 57 | private-cache | 57 | private-cache |
| 58 | private-dev | 58 | private-dev |
| 59 | # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem! | 59 | # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem! |
| 60 | #private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl | 60 | #private-etc alternatives,ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl |
| 61 | private-lib | 61 | private-lib |
| 62 | private-tmp | 62 | private-tmp |
| 63 | 63 | ||
| @@ -68,3 +68,4 @@ dbus-user none | |||
| 68 | dbus-system none | 68 | dbus-system none |
| 69 | 69 | ||
| 70 | read-only ${HOME} | 70 | read-only ${HOME} |
| 71 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile index 14ac487ab..419dd5d1a 100644 --- a/etc/profile-m-z/pingus.profile +++ b/etc/profile-m-z/pingus.profile | |||
| @@ -54,3 +54,5 @@ private-tmp | |||
| 54 | 54 | ||
| 55 | dbus-user none | 55 | dbus-user none |
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | |||
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pinta.profile b/etc/profile-m-z/pinta.profile index d5a1b1141..e084a7933 100644 --- a/etc/profile-m-z/pinta.profile +++ b/etc/profile-m-z/pinta.profile | |||
| @@ -38,3 +38,5 @@ private-tmp | |||
| 38 | 38 | ||
| 39 | dbus-user none | 39 | dbus-user none |
| 40 | dbus-system none | 40 | dbus-system none |
| 41 | |||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pioneer.profile b/etc/profile-m-z/pioneer.profile index cf79adc6f..dc447def2 100644 --- a/etc/profile-m-z/pioneer.profile +++ b/etc/profile-m-z/pioneer.profile | |||
| @@ -44,3 +44,5 @@ private-tmp | |||
| 44 | 44 | ||
| 45 | dbus-user none | 45 | dbus-user none |
| 46 | dbus-system none | 46 | dbus-system none |
| 47 | |||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pithos.profile b/etc/profile-m-z/pithos.profile index 9db4459e1..714ebd86d 100644 --- a/etc/profile-m-z/pithos.profile +++ b/etc/profile-m-z/pithos.profile | |||
| @@ -40,3 +40,4 @@ private-bin env,pithos,python* | |||
| 40 | private-dev | 40 | private-dev |
| 41 | private-tmp | 41 | private-tmp |
| 42 | 42 | ||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pitivi.profile b/etc/profile-m-z/pitivi.profile index 773454c53..5ad20aafc 100644 --- a/etc/profile-m-z/pitivi.profile +++ b/etc/profile-m-z/pitivi.profile | |||
| @@ -39,3 +39,4 @@ seccomp | |||
| 39 | private-dev | 39 | private-dev |
| 40 | private-tmp | 40 | private-tmp |
| 41 | 41 | ||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pix.profile b/etc/profile-m-z/pix.profile index fb426681e..49bd8c318 100644 --- a/etc/profile-m-z/pix.profile +++ b/etc/profile-m-z/pix.profile | |||
| @@ -34,3 +34,5 @@ private-bin pix | |||
| 34 | private-cache | 34 | private-cache |
| 35 | private-dev | 35 | private-dev |
| 36 | private-tmp | 36 | private-tmp |
| 37 | |||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile index 2af311269..88173edca 100644 --- a/etc/profile-m-z/pkglog.profile +++ b/etc/profile-m-z/pkglog.profile | |||
| @@ -56,3 +56,4 @@ read-only ${HOME} | |||
| 56 | read-only /var/log/apt/history.log | 56 | read-only /var/log/apt/history.log |
| 57 | read-only /var/log/dnf.rpm.log | 57 | read-only /var/log/dnf.rpm.log |
| 58 | read-only /var/log/pacman.log | 58 | read-only /var/log/pacman.log |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile index 0e4a06b44..efcdaa661 100644 --- a/etc/profile-m-z/pluma.profile +++ b/etc/profile-m-z/pluma.profile | |||
| @@ -48,4 +48,5 @@ private-tmp | |||
| 48 | # dbus-user none | 48 | # dbus-user none |
| 49 | # dbus-system none | 49 | # dbus-system none |
| 50 | 50 | ||
| 51 | restrict-namespaces | ||
| 51 | join-or-start pluma | 52 | join-or-start pluma |
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile index 2140d1a21..62927f9f7 100644 --- a/etc/profile-m-z/plv.profile +++ b/etc/profile-m-z/plv.profile | |||
| @@ -57,3 +57,4 @@ dbus-system none | |||
| 57 | read-only ${HOME} | 57 | read-only ${HOME} |
| 58 | read-write ${HOME}/.config/PacmanLogViewer | 58 | read-write ${HOME}/.config/PacmanLogViewer |
| 59 | read-only /var/log/pacman.log | 59 | read-only /var/log/pacman.log |
| 60 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile index ad30c5703..8e2c39b83 100644 --- a/etc/profile-m-z/pngquant.profile +++ b/etc/profile-m-z/pngquant.profile | |||
| @@ -53,3 +53,4 @@ dbus-user none | |||
| 53 | dbus-system none | 53 | dbus-system none |
| 54 | 54 | ||
| 55 | memory-deny-write-execute | 55 | memory-deny-write-execute |
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/polari.profile b/etc/profile-m-z/polari.profile index 068fd3412..dd730bf76 100644 --- a/etc/profile-m-z/polari.profile +++ b/etc/profile-m-z/polari.profile | |||
| @@ -49,3 +49,4 @@ disable-mnt | |||
| 49 | private-dev | 49 | private-dev |
| 50 | private-tmp | 50 | private-tmp |
| 51 | 51 | ||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile index bf5d9a9c3..58528c372 100644 --- a/etc/profile-m-z/ppsspp.profile +++ b/etc/profile-m-z/ppsspp.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | dbus-user none | 49 | dbus-user none |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile index 9faa1fcd6..73b377712 100644 --- a/etc/profile-m-z/pragha.profile +++ b/etc/profile-m-z/pragha.profile | |||
| @@ -35,3 +35,4 @@ private-dev | |||
| 35 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg | 35 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
| 36 | private-tmp | 36 | private-tmp |
| 37 | 37 | ||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile index 13f48b048..ddc6524a5 100644 --- a/etc/profile-m-z/profanity.profile +++ b/etc/profile-m-z/profanity.profile | |||
| @@ -50,3 +50,4 @@ dbus-user none | |||
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | 51 | ||
| 52 | memory-deny-write-execute | 52 | memory-deny-write-execute |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile index 8f8b2fff4..af117c3b5 100644 --- a/etc/profile-m-z/psi-plus.profile +++ b/etc/profile-m-z/psi-plus.profile | |||
| @@ -42,3 +42,5 @@ seccomp !chroot | |||
| 42 | disable-mnt | 42 | disable-mnt |
| 43 | private-dev | 43 | private-dev |
| 44 | private-tmp | 44 | private-tmp |
| 45 | |||
| 46 | # restrict-namespaces | ||
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile index 943b8d3ac..be06c5d89 100644 --- a/etc/profile-m-z/psi.profile +++ b/etc/profile-m-z/psi.profile | |||
| @@ -75,3 +75,5 @@ private-tmp | |||
| 75 | 75 | ||
| 76 | dbus-user none | 76 | dbus-user none |
| 77 | dbus-system none | 77 | dbus-system none |
| 78 | |||
| 79 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile index 358cc36da..ba71ab29d 100644 --- a/etc/profile-m-z/pybitmessage.profile +++ b/etc/profile-m-z/pybitmessage.profile | |||
| @@ -43,3 +43,4 @@ private-dev | |||
| 43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg | 43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg |
| 44 | private-tmp | 44 | private-tmp |
| 45 | 45 | ||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile index 629396aaa..875b83e8e 100644 --- a/etc/profile-m-z/pycharm-community.profile +++ b/etc/profile-m-z/pycharm-community.profile | |||
| @@ -5,7 +5,13 @@ include pycharm-community.local | |||
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | include globals.local | 6 | include globals.local |
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.PyCharmCE* | 8 | noblacklist ${HOME}/.PyCharm* |
| 9 | # Persistent cache is needed for spell and grammar checkers, etc. | ||
| 10 | noblacklist ${HOME}/.cache/JetBrains/PyCharm* | ||
| 11 | noblacklist ${HOME}/.config/JetBrains/PyCharm* | ||
| 12 | # Not `PyCharm*`, because the state about of "anonymous data sent" is shared | ||
| 13 | # between JetBrains IDEs. | ||
| 14 | noblacklist ${HOME}/.local/share/JetBrains | ||
| 9 | 15 | ||
| 10 | # Allow java (blacklisted by disable-devel.inc) | 16 | # Allow java (blacklisted by disable-devel.inc) |
| 11 | include allow-java.inc | 17 | include allow-java.inc |
| @@ -30,7 +36,6 @@ tracelog | |||
| 30 | 36 | ||
| 31 | # private-etc alternatives,fonts,passwd - minimal required to run but will probably break | 37 | # private-etc alternatives,fonts,passwd - minimal required to run but will probably break |
| 32 | # program! | 38 | # program! |
| 33 | private-cache | ||
| 34 | private-dev | 39 | private-dev |
| 35 | private-tmp | 40 | private-tmp |
| 36 | 41 | ||
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile index b754a18c9..126f5cec8 100644 --- a/etc/profile-m-z/pycharm-professional.profile +++ b/etc/profile-m-z/pycharm-professional.profile | |||
| @@ -6,7 +6,5 @@ include pyucharm-professional.local | |||
| 6 | # added by included profile | 6 | # added by included profile |
| 7 | #include globals.local | 7 | #include globals.local |
| 8 | 8 | ||
| 9 | noblacklist ${HOME}/.PyCharm* | ||
| 10 | |||
| 11 | # Redirect | 9 | # Redirect |
| 12 | include pycharm-community.profile | 10 | include pycharm-community.profile |
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile index e064c7023..9605da3ac 100644 --- a/etc/profile-m-z/qbittorrent.profile +++ b/etc/profile-m-z/qbittorrent.profile | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | # Firejail profile for qbittorrent | 1 | # Firejail profile for qbittorrent |
| 2 | # Description: BitTorrent client based on libtorrent-rasterbar with a Qt5 GUI | 2 | # Description: An advanced BitTorrent client programmed in C++, based on Qt toolkit and libtorrent-rasterbar |
| 3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 4 | # Persistent local customizations | 4 | # Persistent local customizations |
| 5 | include qbittorrent.local | 5 | include qbittorrent.local |
| @@ -63,3 +63,4 @@ dbus-user none | |||
| 63 | dbus-system none | 63 | dbus-system none |
| 64 | 64 | ||
| 65 | # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo | 65 | # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo |
| 66 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile index f24916630..71374a8c8 100644 --- a/etc/profile-m-z/qcomicbook.profile +++ b/etc/profile-m-z/qcomicbook.profile | |||
| @@ -64,3 +64,4 @@ read-write ${HOME}/.config/PawelStolowski | |||
| 64 | read-write ${HOME}/.local/share/PawelStolowski | 64 | read-write ${HOME}/.local/share/PawelStolowski |
| 65 | #to allow ${HOME}/.local/share/recently-used.xbel | 65 | #to allow ${HOME}/.local/share/recently-used.xbel |
| 66 | read-write ${HOME}/.local/share | 66 | read-write ${HOME}/.local/share |
| 67 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile index 034a2b7c1..8484d3705 100644 --- a/etc/profile-m-z/qemu-launcher.profile +++ b/etc/profile-m-z/qemu-launcher.profile | |||
| @@ -25,3 +25,4 @@ private-cache | |||
| 25 | private-tmp | 25 | private-tmp |
| 26 | 26 | ||
| 27 | noexec /tmp | 27 | noexec /tmp |
| 28 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile index e565e0165..495c469f7 100644 --- a/etc/profile-m-z/qemu-system-x86_64.profile +++ b/etc/profile-m-z/qemu-system-x86_64.profile | |||
| @@ -24,3 +24,4 @@ private-cache | |||
| 24 | private-tmp | 24 | private-tmp |
| 25 | 25 | ||
| 26 | noexec /tmp | 26 | noexec /tmp |
| 27 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile index 2f8c42548..d4b71f972 100644 --- a/etc/profile-m-z/qgis.profile +++ b/etc/profile-m-z/qgis.profile | |||
| @@ -56,3 +56,5 @@ private-tmp | |||
| 56 | 56 | ||
| 57 | dbus-user none | 57 | dbus-user none |
| 58 | dbus-system none | 58 | dbus-system none |
| 59 | |||
| 60 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/qlipper.profile b/etc/profile-m-z/qlipper.profile index d0a14b079..f183f6e0e 100644 --- a/etc/profile-m-z/qlipper.profile +++ b/etc/profile-m-z/qlipper.profile | |||
| @@ -35,3 +35,4 @@ private-cache | |||
| 35 | private-dev | 35 | private-dev |
| 36 | private-tmp | 36 | private-tmp |
| 37 | 37 | ||
| 38 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile index a3fd56186..ecd62a7d1 100644 --- a/etc/profile-m-z/qmmp.profile +++ b/etc/profile-m-z/qmmp.profile | |||
| @@ -36,3 +36,5 @@ private-tmp | |||
| 36 | 36 | ||
| 37 | dbus-user none | 37 | dbus-user none |
| 38 | dbus-system none | 38 | dbus-system none |
| 39 | |||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile index f6576ae2f..037cc96ec 100644 --- a/etc/profile-m-z/qnapi.profile +++ b/etc/profile-m-z/qnapi.profile | |||
| @@ -52,3 +52,5 @@ private-tmp | |||
| 52 | 52 | ||
| 53 | dbus-user none | 53 | dbus-user none |
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile index 17142a47f..4caa0917f 100644 --- a/etc/profile-m-z/qpdfview.profile +++ b/etc/profile-m-z/qpdfview.profile | |||
| @@ -43,3 +43,5 @@ private-tmp | |||
| 43 | # needs D-Bus when started from a file manager | 43 | # needs D-Bus when started from a file manager |
| 44 | # dbus-user none | 44 | # dbus-user none |
| 45 | # dbus-system none | 45 | # dbus-system none |
| 46 | |||
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile index e7566cbe4..09b70756b 100644 --- a/etc/profile-m-z/qrencode.profile +++ b/etc/profile-m-z/qrencode.profile | |||
| @@ -54,3 +54,4 @@ dbus-user none | |||
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | 55 | ||
| 56 | memory-deny-write-execute | 56 | memory-deny-write-execute |
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile index c0d737f00..f95720d71 100644 --- a/etc/profile-m-z/qtox.profile +++ b/etc/profile-m-z/qtox.profile | |||
| @@ -49,3 +49,4 @@ dbus-user none | |||
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | 50 | ||
| 51 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 51 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/quassel.profile b/etc/profile-m-z/quassel.profile index c65089e20..4589c9e4a 100644 --- a/etc/profile-m-z/quassel.profile +++ b/etc/profile-m-z/quassel.profile | |||
| @@ -24,3 +24,5 @@ seccomp !chroot | |||
| 24 | 24 | ||
| 25 | private-cache | 25 | private-cache |
| 26 | private-tmp | 26 | private-tmp |
| 27 | |||
| 28 | # restrict-namespaces | ||
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile index 686562646..ad45a26d5 100644 --- a/etc/profile-m-z/quaternion.profile +++ b/etc/profile-m-z/quaternion.profile | |||
| @@ -51,3 +51,5 @@ private-tmp | |||
| 51 | 51 | ||
| 52 | dbus-user none | 52 | dbus-user none |
| 53 | dbus-system none | 53 | dbus-system none |
| 54 | |||
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile index 761eb7215..a59f01f85 100644 --- a/etc/profile-m-z/quiterss.profile +++ b/etc/profile-m-z/quiterss.profile | |||
| @@ -52,3 +52,4 @@ private-bin quiterss | |||
| 52 | private-dev | 52 | private-dev |
| 53 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11 | 53 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11 |
| 54 | 54 | ||
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile index 345e85cdf..ea49684e3 100644 --- a/etc/profile-m-z/quodlibet.profile +++ b/etc/profile-m-z/quodlibet.profile | |||
| @@ -63,3 +63,5 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf, | |||
| 63 | private-tmp | 63 | private-tmp |
| 64 | 64 | ||
| 65 | dbus-system none | 65 | dbus-system none |
| 66 | |||
| 67 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile index ae62c0b89..b83a0ce2d 100644 --- a/etc/profile-m-z/qutebrowser.profile +++ b/etc/profile-m-z/qutebrowser.profile | |||
| @@ -31,7 +31,7 @@ whitelist ${DOWNLOADS} | |||
| 31 | whitelist ${HOME}/.cache/qutebrowser | 31 | whitelist ${HOME}/.cache/qutebrowser |
| 32 | whitelist ${HOME}/.config/qutebrowser | 32 | whitelist ${HOME}/.config/qutebrowser |
| 33 | whitelist ${HOME}/.local/share/qutebrowser | 33 | whitelist ${HOME}/.local/share/qutebrowser |
| 34 | whitelist /usr/share/qtbrowser | 34 | whitelist /usr/share/qutebrowser |
| 35 | include whitelist-common.inc | 35 | include whitelist-common.inc |
| 36 | include whitelist-run-common.inc | 36 | include whitelist-run-common.inc |
| 37 | include whitelist-runuser-common.inc | 37 | include whitelist-runuser-common.inc |
| @@ -48,7 +48,7 @@ notv | |||
| 48 | protocol unix,inet,inet6,netlink | 48 | protocol unix,inet,inet6,netlink |
| 49 | # blacklisting of chroot system calls breaks qt webengine | 49 | # blacklisting of chroot system calls breaks qt webengine |
| 50 | seccomp !chroot,!name_to_handle_at | 50 | seccomp !chroot,!name_to_handle_at |
| 51 | # tracelog | 51 | #tracelog |
| 52 | 52 | ||
| 53 | disable-mnt | 53 | disable-mnt |
| 54 | private-cache | 54 | private-cache |
| @@ -65,3 +65,5 @@ dbus-user.talk org.freedesktop.Notifications | |||
| 65 | # with the above lines (might depend on the portal implementation). | 65 | # with the above lines (might depend on the portal implementation). |
| 66 | #ignore noroot | 66 | #ignore noroot |
| 67 | dbus-system none | 67 | dbus-system none |
| 68 | |||
| 69 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/raincat.profile b/etc/profile-m-z/raincat.profile index 3042d5e3f..e320d82f7 100644 --- a/etc/profile-m-z/raincat.profile +++ b/etc/profile-m-z/raincat.profile | |||
| @@ -46,3 +46,4 @@ private-tmp | |||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | 48 | ||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/rambox.profile b/etc/profile-m-z/rambox.profile index a14d7862b..38a093337 100644 --- a/etc/profile-m-z/rambox.profile +++ b/etc/profile-m-z/rambox.profile | |||
| @@ -35,4 +35,6 @@ protocol unix,inet,inet6,netlink | |||
| 35 | # electron-based application, needing chroot | 35 | # electron-based application, needing chroot |
| 36 | #seccomp | 36 | #seccomp |
| 37 | seccomp !chroot | 37 | seccomp !chroot |
| 38 | # tracelog | 38 | #tracelog |
| 39 | |||
| 40 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile index e738d8cb3..774b46b28 100644 --- a/etc/profile-m-z/redeclipse.profile +++ b/etc/profile-m-z/redeclipse.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/rednotebook.profile b/etc/profile-m-z/rednotebook.profile index 7ee79d4c5..1295ce00d 100644 --- a/etc/profile-m-z/rednotebook.profile +++ b/etc/profile-m-z/rednotebook.profile | |||
| @@ -63,3 +63,5 @@ private-tmp | |||
| 63 | 63 | ||
| 64 | dbus-user none | 64 | dbus-user none |
| 65 | dbus-system none | 65 | dbus-system none |
| 66 | |||
| 67 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile index e5564a532..cfc68a697 100644 --- a/etc/profile-m-z/redshift.profile +++ b/etc/profile-m-z/redshift.profile | |||
| @@ -50,3 +50,4 @@ dbus-user none | |||
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | 51 | ||
| 52 | memory-deny-write-execute | 52 | memory-deny-write-execute |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile index 82653c209..571381f57 100644 --- a/etc/profile-m-z/regextester.profile +++ b/etc/profile-m-z/regextester.profile | |||
| @@ -52,3 +52,4 @@ dbus-system none | |||
| 52 | 52 | ||
| 53 | # never write anything | 53 | # never write anything |
| 54 | read-only ${HOME} | 54 | read-only ${HOME} |
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile index 79630f09c..208f57710 100644 --- a/etc/profile-m-z/remmina.profile +++ b/etc/profile-m-z/remmina.profile | |||
| @@ -42,3 +42,4 @@ private-cache | |||
| 42 | private-dev | 42 | private-dev |
| 43 | private-tmp | 43 | private-tmp |
| 44 | 44 | ||
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/retroarch.profile b/etc/profile-m-z/retroarch.profile index cb5544f5f..91486dc23 100644 --- a/etc/profile-m-z/retroarch.profile +++ b/etc/profile-m-z/retroarch.profile | |||
| @@ -51,3 +51,5 @@ private-tmp | |||
| 51 | 51 | ||
| 52 | dbus-user none | 52 | dbus-user none |
| 53 | dbus-system none | 53 | dbus-system none |
| 54 | |||
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile index b4eabf7ee..dccd93429 100644 --- a/etc/profile-m-z/rhythmbox.profile +++ b/etc/profile-m-z/rhythmbox.profile | |||
| @@ -63,3 +63,5 @@ dbus-user.talk org.freedesktop.Notifications | |||
| 63 | dbus-user.talk org.gnome.SettingsDaemon.MediaKeys | 63 | dbus-user.talk org.gnome.SettingsDaemon.MediaKeys |
| 64 | dbus-system filter | 64 | dbus-system filter |
| 65 | dbus-system.talk org.freedesktop.Avahi | 65 | dbus-system.talk org.freedesktop.Avahi |
| 66 | |||
| 67 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ricochet.profile b/etc/profile-m-z/ricochet.profile index a05c1f310..d5cb77fff 100644 --- a/etc/profile-m-z/ricochet.profile +++ b/etc/profile-m-z/ricochet.profile | |||
| @@ -39,3 +39,4 @@ private-bin ricochet,tor | |||
| 39 | private-dev | 39 | private-dev |
| 40 | #private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11 | 40 | #private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11 |
| 41 | 41 | ||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile index 5740fcfc4..33878e999 100644 --- a/etc/profile-m-z/ripperx.profile +++ b/etc/profile-m-z/ripperx.profile | |||
| @@ -40,3 +40,5 @@ private-tmp | |||
| 40 | 40 | ||
| 41 | dbus-user none | 41 | dbus-user none |
| 42 | dbus-system none | 42 | dbus-system none |
| 43 | |||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ristretto.profile b/etc/profile-m-z/ristretto.profile index 6dcf2121b..4562616d2 100644 --- a/etc/profile-m-z/ristretto.profile +++ b/etc/profile-m-z/ristretto.profile | |||
| @@ -39,3 +39,4 @@ private-cache | |||
| 39 | private-dev | 39 | private-dev |
| 40 | private-tmp | 40 | private-tmp |
| 41 | 41 | ||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile index 8d0b4e470..186e31b46 100644 --- a/etc/profile-m-z/rpcs3.profile +++ b/etc/profile-m-z/rpcs3.profile | |||
| @@ -54,8 +54,10 @@ tracelog | |||
| 54 | 54 | ||
| 55 | disable-mnt | 55 | disable-mnt |
| 56 | #private-cache | 56 | #private-cache |
| 57 | #private-etc ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk | 57 | #private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk |
| 58 | private-tmp | 58 | private-tmp |
| 59 | 59 | ||
| 60 | dbus-user none | 60 | dbus-user none |
| 61 | dbus-system none | 61 | dbus-system none |
| 62 | |||
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile index a3cb0122c..91b18678f 100644 --- a/etc/profile-m-z/rsync-download_only.profile +++ b/etc/profile-m-z/rsync-download_only.profile | |||
| @@ -55,3 +55,4 @@ dbus-user none | |||
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | 56 | ||
| 57 | memory-deny-write-execute | 57 | memory-deny-write-execute |
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile index cd84ce05e..87aa69bcb 100644 --- a/etc/profile-m-z/rtin.profile +++ b/etc/profile-m-z/rtin.profile | |||
| @@ -5,4 +5,5 @@ | |||
| 5 | # Persistent local customizations | 5 | # Persistent local customizations |
| 6 | include rtin.local | 6 | include rtin.local |
| 7 | 7 | ||
| 8 | # Redirect | ||
| 8 | include tin.profile | 9 | include tin.profile |
diff --git a/etc/profile-m-z/rtorrent.profile b/etc/profile-m-z/rtorrent.profile index 8c52e3161..a1c735645 100644 --- a/etc/profile-m-z/rtorrent.profile +++ b/etc/profile-m-z/rtorrent.profile | |||
| @@ -31,3 +31,5 @@ private-bin rtorrent | |||
| 31 | private-cache | 31 | private-cache |
| 32 | private-dev | 32 | private-dev |
| 33 | private-tmp | 33 | private-tmp |
| 34 | |||
| 35 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile index c4047ebd4..565925e7a 100644 --- a/etc/profile-m-z/rtv.profile +++ b/etc/profile-m-z/rtv.profile | |||
| @@ -62,3 +62,5 @@ private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,host | |||
| 62 | 62 | ||
| 63 | dbus-user none | 63 | dbus-user none |
| 64 | dbus-system none | 64 | dbus-system none |
| 65 | |||
| 66 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/sayonara.profile b/etc/profile-m-z/sayonara.profile index c299dd13a..f7ef54f5c 100644 --- a/etc/profile-m-z/sayonara.profile +++ b/etc/profile-m-z/sayonara.profile | |||
| @@ -33,3 +33,4 @@ private-bin sayonara | |||
| 33 | private-dev | 33 | private-dev |
| 34 | private-tmp | 34 | private-tmp |
| 35 | 35 | ||
| 36 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/scallion.profile b/etc/profile-m-z/scallion.profile index f8f9c681c..8f5c00f4a 100644 --- a/etc/profile-m-z/scallion.profile +++ b/etc/profile-m-z/scallion.profile | |||
| @@ -41,3 +41,5 @@ private-tmp | |||
| 41 | 41 | ||
| 42 | dbus-user none | 42 | dbus-user none |
| 43 | dbus-system none | 43 | dbus-system none |
| 44 | |||
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile index 838286665..a1a0176b9 100644 --- a/etc/profile-m-z/scorched3d.profile +++ b/etc/profile-m-z/scorched3d.profile | |||
| @@ -47,3 +47,5 @@ private-tmp | |||
| 47 | 47 | ||
| 48 | dbus-user none | 48 | dbus-user none |
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile index 316bad98a..6dfb50c5a 100644 --- a/etc/profile-m-z/scorchwentbonkers.profile +++ b/etc/profile-m-z/scorchwentbonkers.profile | |||
| @@ -47,3 +47,5 @@ private-tmp | |||
| 47 | 47 | ||
| 48 | dbus-user none | 48 | dbus-user none |
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile index b9d1e59aa..34cf783fe 100644 --- a/etc/profile-m-z/scribus.profile +++ b/etc/profile-m-z/scribus.profile | |||
| @@ -61,3 +61,5 @@ private-tmp | |||
| 61 | 61 | ||
| 62 | dbus-user none | 62 | dbus-user none |
| 63 | dbus-system none | 63 | dbus-system none |
| 64 | |||
| 65 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/sdat2img.profile b/etc/profile-m-z/sdat2img.profile index a353bc495..c0f9e8aa5 100644 --- a/etc/profile-m-z/sdat2img.profile +++ b/etc/profile-m-z/sdat2img.profile | |||
| @@ -41,3 +41,5 @@ private-dev | |||
| 41 | 41 | ||
| 42 | dbus-user none | 42 | dbus-user none |
| 43 | dbus-system none | 43 | dbus-system none |
| 44 | |||
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/seafile-applet.profile b/etc/profile-m-z/seafile-applet.profile index 00ae021fd..184a06958 100644 --- a/etc/profile-m-z/seafile-applet.profile +++ b/etc/profile-m-z/seafile-applet.profile | |||
| @@ -59,3 +59,5 @@ private-tmp | |||
| 59 | 59 | ||
| 60 | dbus-user none | 60 | dbus-user none |
| 61 | dbus-system none | 61 | dbus-system none |
| 62 | |||
| 63 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile index 45b12f2c8..7ff252ec7 100644 --- a/etc/profile-m-z/seahorse-adventures.profile +++ b/etc/profile-m-z/seahorse-adventures.profile | |||
| @@ -52,3 +52,5 @@ private-tmp | |||
| 52 | 52 | ||
| 53 | dbus-user none | 53 | dbus-user none |
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/seahorse-daemon.profile b/etc/profile-m-z/seahorse-daemon.profile index 6410da4d8..b3ead7191 100644 --- a/etc/profile-m-z/seahorse-daemon.profile +++ b/etc/profile-m-z/seahorse-daemon.profile | |||
| @@ -8,6 +8,9 @@ include seahorse-daemon.local | |||
| 8 | # added by included profile | 8 | # added by included profile |
| 9 | #include globals.local | 9 | #include globals.local |
| 10 | 10 | ||
| 11 | blacklist ${RUNUSER}/wayland-* | ||
| 12 | include disable-X11.inc | ||
| 13 | |||
| 11 | memory-deny-write-execute | 14 | memory-deny-write-execute |
| 12 | 15 | ||
| 13 | # Redirect | 16 | # Redirect |
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile index 9ef174606..e5c9e6b10 100644 --- a/etc/profile-m-z/seahorse-tool.profile +++ b/etc/profile-m-z/seahorse-tool.profile | |||
| @@ -7,9 +7,5 @@ include seahorse-tool.local | |||
| 7 | # added by included profile | 7 | # added by included profile |
| 8 | #include globals.local | 8 | #include globals.local |
| 9 | 9 | ||
| 10 | # private-etc workaround for: #2877 | ||
| 11 | private-etc alternatives,firejail,ld.so.cache,ld.so.preload,login.defs,passwd | ||
| 12 | private-tmp | ||
| 13 | |||
| 14 | # Redirect | 10 | # Redirect |
| 15 | include seahorse.profile | 11 | include seahorse.profile |
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index af7abc1d9..e6f51bff9 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile | |||
| @@ -6,8 +6,6 @@ include seahorse.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | blacklist /tmp/.X11-unix | ||
| 10 | |||
| 11 | noblacklist ${HOME}/.gnupg | 9 | noblacklist ${HOME}/.gnupg |
| 12 | 10 | ||
| 13 | # Allow ssh (blacklisted by disable-common.inc) | 11 | # Allow ssh (blacklisted by disable-common.inc) |
| @@ -59,11 +57,15 @@ tracelog | |||
| 59 | disable-mnt | 57 | disable-mnt |
| 60 | private-cache | 58 | private-cache |
| 61 | private-dev | 59 | private-dev |
| 62 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 | 60 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,login.defs,nsswitch.conf,pango,passwd,pkcs11,pki,protocols,resolv.conf,rpc,services,ssh,ssl,xdg |
| 61 | private-tmp | ||
| 63 | writable-run-user | 62 | writable-run-user |
| 64 | 63 | ||
| 65 | dbus-user filter | 64 | dbus-user filter |
| 66 | dbus-user.own org.gnome.seahorse | 65 | dbus-user.own org.gnome.seahorse |
| 67 | dbus-user.own org.gnome.seahorse.Application | 66 | dbus-user.own org.gnome.seahorse.Application |
| 67 | dbus-user.talk ca.desrt.dconf | ||
| 68 | dbus-user.talk org.freedesktop.secrets | 68 | dbus-user.talk org.freedesktop.secrets |
| 69 | dbus-system none | 69 | dbus-system none |
| 70 | |||
| 71 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile index 5210a594c..c2dbbc2c6 100644 --- a/etc/profile-m-z/seamonkey.profile +++ b/etc/profile-m-z/seamonkey.profile | |||
| @@ -57,3 +57,5 @@ tracelog | |||
| 57 | disable-mnt | 57 | disable-mnt |
| 58 | # private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl | 58 | # private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl |
| 59 | writable-run-user | 59 | writable-run-user |
| 60 | |||
| 61 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile index 8d8a1dac6..5b71fe6c3 100644 --- a/etc/profile-m-z/server.profile +++ b/etc/profile-m-z/server.profile | |||
| @@ -83,6 +83,9 @@ private-dev | |||
| 83 | # private-lib | 83 | # private-lib |
| 84 | # private-opt none | 84 | # private-opt none |
| 85 | private-tmp | 85 | private-tmp |
| 86 | # writable-run-user | ||
| 87 | # writable-var | ||
| 88 | # writable-var-log | ||
| 86 | 89 | ||
| 87 | dbus-user none | 90 | dbus-user none |
| 88 | # dbus-system none | 91 | # dbus-system none |
| @@ -90,7 +93,4 @@ dbus-user none | |||
| 90 | # deterministic-shutdown | 93 | # deterministic-shutdown |
| 91 | # memory-deny-write-execute | 94 | # memory-deny-write-execute |
| 92 | # read-only ${HOME} | 95 | # read-only ${HOME} |
| 93 | # restrict-namespaces | 96 | restrict-namespaces |
| 94 | # writable-run-user | ||
| 95 | # writable-var | ||
| 96 | # writable-var-log | ||
diff --git a/etc/profile-m-z/servo.profile b/etc/profile-m-z/servo.profile index 6eeba9eb6..65fef339e 100644 --- a/etc/profile-m-z/servo.profile +++ b/etc/profile-m-z/servo.profile | |||
| @@ -46,3 +46,5 @@ private-tmp | |||
| 46 | 46 | ||
| 47 | dbus-user none | 47 | dbus-user none |
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | |||
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile index 49c4646ed..cf6b37db6 100644 --- a/etc/profile-m-z/shellcheck.profile +++ b/etc/profile-m-z/shellcheck.profile | |||
| @@ -49,3 +49,5 @@ private-tmp | |||
| 49 | 49 | ||
| 50 | dbus-user none | 50 | dbus-user none |
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile index 22cb272c5..cd2a9f13e 100644 --- a/etc/profile-m-z/shortwave.profile +++ b/etc/profile-m-z/shortwave.profile | |||
| @@ -47,3 +47,5 @@ private-cache | |||
| 47 | private-dev | 47 | private-dev |
| 48 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg | 48 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg |
| 49 | private-tmp | 49 | private-tmp |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/shotcut.profile b/etc/profile-m-z/shotcut.profile index e2cbce2f5..ec0380ce7 100644 --- a/etc/profile-m-z/shotcut.profile +++ b/etc/profile-m-z/shotcut.profile | |||
| @@ -35,3 +35,5 @@ private-dev | |||
| 35 | 35 | ||
| 36 | dbus-user none | 36 | dbus-user none |
| 37 | dbus-system none | 37 | dbus-system none |
| 38 | |||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile index 44898a2e9..d33a97ffc 100644 --- a/etc/profile-m-z/shotwell.profile +++ b/etc/profile-m-z/shotwell.profile | |||
| @@ -57,3 +57,5 @@ dbus-user.own org.gnome.Shotwell | |||
| 57 | dbus-user.talk ca.desrt.dconf | 57 | dbus-user.talk ca.desrt.dconf |
| 58 | dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor | 58 | dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor |
| 59 | dbus-system none | 59 | dbus-system none |
| 60 | |||
| 61 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile index b70275d0d..d2b604df5 100644 --- a/etc/profile-m-z/signal-cli.profile +++ b/etc/profile-m-z/signal-cli.profile | |||
| @@ -48,3 +48,5 @@ private-dev | |||
| 48 | # Does not work with all Java configurations. You will notice immediately, so you might want to give it a try | 48 | # Does not work with all Java configurations. You will notice immediately, so you might want to give it a try |
| 49 | #private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl | 49 | #private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl |
| 50 | private-tmp | 50 | private-tmp |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile index 74a51208c..96e4cf283 100644 --- a/etc/profile-m-z/silentarmy.profile +++ b/etc/profile-m-z/silentarmy.profile | |||
| @@ -37,3 +37,4 @@ private-dev | |||
| 37 | private-opt none | 37 | private-opt none |
| 38 | private-tmp | 38 | private-tmp |
| 39 | 39 | ||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile index 4d13a3ad3..14846cf58 100644 --- a/etc/profile-m-z/simple-scan.profile +++ b/etc/profile-m-z/simple-scan.profile | |||
| @@ -38,3 +38,5 @@ tracelog | |||
| 38 | # private-dev | 38 | # private-dev |
| 39 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl | 39 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
| 40 | # private-tmp | 40 | # private-tmp |
| 41 | |||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile index a68de8f40..6ee9ea6ba 100644 --- a/etc/profile-m-z/simplescreenrecorder.profile +++ b/etc/profile-m-z/simplescreenrecorder.profile | |||
| @@ -36,3 +36,5 @@ tracelog | |||
| 36 | private-cache | 36 | private-cache |
| 37 | private-dev | 37 | private-dev |
| 38 | private-tmp | 38 | private-tmp |
| 39 | |||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile index 733ea6413..6ba735556 100644 --- a/etc/profile-m-z/simutrans.profile +++ b/etc/profile-m-z/simutrans.profile | |||
| @@ -39,3 +39,5 @@ private-tmp | |||
| 39 | 39 | ||
| 40 | dbus-user none | 40 | dbus-user none |
| 41 | dbus-system none | 41 | dbus-system none |
| 42 | |||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile index 1e60fb083..6b73b2289 100644 --- a/etc/profile-m-z/skanlite.profile +++ b/etc/profile-m-z/skanlite.profile | |||
| @@ -33,3 +33,5 @@ seccomp !ioperm | |||
| 33 | 33 | ||
| 34 | # dbus-user none | 34 | # dbus-user none |
| 35 | # dbus-system none | 35 | # dbus-system none |
| 36 | |||
| 37 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile index 8ec692657..3ad182b9e 100644 --- a/etc/profile-m-z/slashem.profile +++ b/etc/profile-m-z/slashem.profile | |||
| @@ -44,3 +44,4 @@ dbus-user none | |||
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | 45 | ||
| 46 | #memory-deny-write-execute | 46 | #memory-deny-write-execute |
| 47 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile index 00770798e..0ab398ebd 100644 --- a/etc/profile-m-z/smplayer.profile +++ b/etc/profile-m-z/smplayer.profile | |||
| @@ -52,3 +52,5 @@ private-tmp | |||
| 52 | # problems with KDE | 52 | # problems with KDE |
| 53 | # dbus-user none | 53 | # dbus-user none |
| 54 | # dbus-system none | 54 | # dbus-system none |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile index a3a519511..b617444af 100644 --- a/etc/profile-m-z/smtube.profile +++ b/etc/profile-m-z/smtube.profile | |||
| @@ -45,3 +45,4 @@ seccomp | |||
| 45 | private-dev | 45 | private-dev |
| 46 | private-tmp | 46 | private-tmp |
| 47 | 47 | ||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile index 9c93845f5..ffed9d44c 100644 --- a/etc/profile-m-z/smuxi-frontend-gnome.profile +++ b/etc/profile-m-z/smuxi-frontend-gnome.profile | |||
| @@ -52,3 +52,5 @@ private-tmp | |||
| 52 | 52 | ||
| 53 | dbus-user none | 53 | dbus-user none |
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | |||
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index ff8ba38b4..b4658b7af 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile | |||
| @@ -47,3 +47,5 @@ private-tmp | |||
| 47 | 47 | ||
| 48 | dbus-user none | 48 | dbus-user none |
| 49 | dbus-system none | 49 | dbus-system none |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile index 833b905fe..e2be4e9e0 100644 --- a/etc/profile-m-z/sol.profile +++ b/etc/profile-m-z/sol.profile | |||
| @@ -44,3 +44,4 @@ dbus-user none | |||
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | 45 | ||
| 46 | # memory-deny-write-execute | 46 | # memory-deny-write-execute |
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/songrec.profile b/etc/profile-m-z/songrec.profile index 2e26fbb52..9261c1e3f 100644 --- a/etc/profile-m-z/songrec.profile +++ b/etc/profile-m-z/songrec.profile | |||
| @@ -51,3 +51,5 @@ private-tmp | |||
| 51 | 51 | ||
| 52 | dbus-user none | 52 | dbus-user none |
| 53 | dbus-system none | 53 | dbus-system none |
| 54 | |||
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile index f8b87065b..f5ac6c739 100644 --- a/etc/profile-m-z/sound-juicer.profile +++ b/etc/profile-m-z/sound-juicer.profile | |||
| @@ -40,3 +40,5 @@ private-tmp | |||
| 40 | 40 | ||
| 41 | # dbus-user none | 41 | # dbus-user none |
| 42 | # dbus-system none | 42 | # dbus-system none |
| 43 | |||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/soundconverter.profile b/etc/profile-m-z/soundconverter.profile index d32ba87fc..843080cc8 100644 --- a/etc/profile-m-z/soundconverter.profile +++ b/etc/profile-m-z/soundconverter.profile | |||
| @@ -47,3 +47,4 @@ private-cache | |||
| 47 | private-dev | 47 | private-dev |
| 48 | private-tmp | 48 | private-tmp |
| 49 | 49 | ||
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile index 7637eb868..5a1314315 100644 --- a/etc/profile-m-z/spectacle.profile +++ b/etc/profile-m-z/spectacle.profile | |||
| @@ -65,3 +65,5 @@ dbus-user.talk org.freedesktop.FileManager1 | |||
| 65 | #dbus-user.talk org.kde.JobViewServer | 65 | #dbus-user.talk org.kde.JobViewServer |
| 66 | #dbus-user.talk org.kde.kglobalaccel | 66 | #dbus-user.talk org.kde.kglobalaccel |
| 67 | dbus-system none | 67 | dbus-system none |
| 68 | |||
| 69 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile index f83fe9a17..4bc23fc04 100644 --- a/etc/profile-m-z/spectral.profile +++ b/etc/profile-m-z/spectral.profile | |||
| @@ -53,3 +53,5 @@ dbus-user filter | |||
| 53 | # Add the next line to your spectral.local to enable notification support. | 53 | # Add the next line to your spectral.local to enable notification support. |
| 54 | #dbus-user.talk org.freedesktop.Notifications | 54 | #dbus-user.talk org.freedesktop.Notifications |
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | |||
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile index 8c089a5af..d2566040e 100644 --- a/etc/profile-m-z/spectre-meltdown-checker.profile +++ b/etc/profile-m-z/spectre-meltdown-checker.profile | |||
| @@ -10,6 +10,7 @@ blacklist ${RUNUSER}/wayland-* | |||
| 10 | 10 | ||
| 11 | noblacklist ${PATH}/mount | 11 | noblacklist ${PATH}/mount |
| 12 | noblacklist ${PATH}/umount | 12 | noblacklist ${PATH}/umount |
| 13 | noblacklist /proc/config.gz | ||
| 13 | 14 | ||
| 14 | # Allow perl (blacklisted by disable-interpreters.inc) | 15 | # Allow perl (blacklisted by disable-interpreters.inc) |
| 15 | include allow-perl.inc | 16 | include allow-perl.inc |
| @@ -41,7 +42,7 @@ x11 none | |||
| 41 | 42 | ||
| 42 | disable-mnt | 43 | disable-mnt |
| 43 | private | 44 | private |
| 44 | private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils | 45 | private-bin awk,basename,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,ps,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,unzstd,which,xz-utils |
| 45 | private-cache | 46 | private-cache |
| 46 | private-tmp | 47 | private-tmp |
| 47 | 48 | ||
| @@ -49,3 +50,4 @@ dbus-user none | |||
| 49 | dbus-system none | 50 | dbus-system none |
| 50 | 51 | ||
| 51 | memory-deny-write-execute | 52 | memory-deny-write-execute |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile index 146cb5ed1..721e39cd4 100644 --- a/etc/profile-m-z/spotify.profile +++ b/etc/profile-m-z/spotify.profile | |||
| @@ -7,6 +7,7 @@ include globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/spotify | 8 | noblacklist ${HOME}/.cache/spotify |
| 9 | noblacklist ${HOME}/.config/spotify | 9 | noblacklist ${HOME}/.config/spotify |
| 10 | noblacklist ${HOME}/.config/spotify-adblock | ||
| 10 | noblacklist ${HOME}/.local/share/spotify | 11 | noblacklist ${HOME}/.local/share/spotify |
| 11 | 12 | ||
| 12 | blacklist ${HOME}/.bashrc | 13 | blacklist ${HOME}/.bashrc |
| @@ -22,6 +23,7 @@ mkdir ${HOME}/.config/spotify | |||
| 22 | mkdir ${HOME}/.local/share/spotify | 23 | mkdir ${HOME}/.local/share/spotify |
| 23 | whitelist ${HOME}/.cache/spotify | 24 | whitelist ${HOME}/.cache/spotify |
| 24 | whitelist ${HOME}/.config/spotify | 25 | whitelist ${HOME}/.config/spotify |
| 26 | whitelist ${HOME}/.config/spotify-adblock | ||
| 25 | whitelist ${HOME}/.local/share/spotify | 27 | whitelist ${HOME}/.local/share/spotify |
| 26 | include whitelist-common.inc | 28 | include whitelist-common.inc |
| 27 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
| @@ -43,7 +45,7 @@ disable-mnt | |||
| 43 | private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity | 45 | private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity |
| 44 | private-dev | 46 | private-dev |
| 45 | # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. | 47 | # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. |
| 46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl | 48 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,spotify-adblock,ssl |
| 47 | private-opt spotify | 49 | private-opt spotify |
| 48 | private-srv none | 50 | private-srv none |
| 49 | private-tmp | 51 | private-tmp |
| @@ -51,3 +53,5 @@ private-tmp | |||
| 51 | # dbus needed for MPRIS | 53 | # dbus needed for MPRIS |
| 52 | # dbus-user none | 54 | # dbus-user none |
| 53 | # dbus-system none | 55 | # dbus-system none |
| 56 | |||
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile index 0808685d1..b6eee5293 100644 --- a/etc/profile-m-z/sqlitebrowser.profile +++ b/etc/profile-m-z/sqlitebrowser.profile | |||
| @@ -49,3 +49,4 @@ private-tmp | |||
| 49 | # dbus-system none | 49 | # dbus-system none |
| 50 | 50 | ||
| 51 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 51 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile index 35bcdca7c..76755def4 100644 --- a/etc/profile-m-z/ssh-agent.profile +++ b/etc/profile-m-z/ssh-agent.profile | |||
| @@ -33,3 +33,5 @@ writable-run-user | |||
| 33 | 33 | ||
| 34 | dbus-user none | 34 | dbus-user none |
| 35 | dbus-system none | 35 | dbus-system none |
| 36 | |||
| 37 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index c68b82b54..a7956a76e 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile | |||
| @@ -51,3 +51,4 @@ dbus-system none | |||
| 51 | 51 | ||
| 52 | deterministic-shutdown | 52 | deterministic-shutdown |
| 53 | memory-deny-write-execute | 53 | memory-deny-write-execute |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile new file mode 100644 index 000000000..1a224e7b0 --- /dev/null +++ b/etc/profile-m-z/ssmtp.profile | |||
| @@ -0,0 +1,75 @@ | |||
| 1 | # Firejail profile for ssmtp | ||
| 2 | # Description: Extremely simple MTA to get mail off the system to a mailhub | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | quiet | ||
| 5 | # Persistent local customizations | ||
| 6 | include ssmtp.local | ||
| 7 | # Persistent global definitions | ||
| 8 | include globals.local | ||
| 9 | |||
| 10 | blacklist ${RUNUSER} | ||
| 11 | blacklist /usr/libexec | ||
| 12 | |||
| 13 | noblacklist /etc/logcheck | ||
| 14 | noblacklist /etc/ssmtp | ||
| 15 | noblacklist /sbin | ||
| 16 | noblacklist /usr/sbin | ||
| 17 | |||
| 18 | noblacklist ${DOCUMENTS} | ||
| 19 | include disable-common.inc | ||
| 20 | include disable-devel.inc | ||
| 21 | include disable-exec.inc | ||
| 22 | include disable-interpreters.inc | ||
| 23 | include disable-proc.inc | ||
| 24 | include disable-programs.inc | ||
| 25 | include disable-shell.inc | ||
| 26 | include disable-xdg.inc | ||
| 27 | include disable-X11.inc | ||
| 28 | |||
| 29 | mkfile ${HOME}/dead.letter | ||
| 30 | whitelist ${HOME}/dead.letter | ||
| 31 | whitelist ${DOCUMENTS} | ||
| 32 | whitelist ${DOWNLOADS} | ||
| 33 | include whitelist-common.inc | ||
| 34 | include whitelist-run-common.inc | ||
| 35 | include whitelist-runuser-common.inc | ||
| 36 | include whitelist-usr-share-common.inc | ||
| 37 | include whitelist-var-common.inc | ||
| 38 | |||
| 39 | apparmor | ||
| 40 | caps.drop all | ||
| 41 | ipc-namespace | ||
| 42 | machine-id | ||
| 43 | netfilter | ||
| 44 | no3d | ||
| 45 | nodvd | ||
| 46 | #nogroups breaks app | ||
| 47 | noinput | ||
| 48 | nonewprivs | ||
| 49 | noprinters | ||
| 50 | #noroot breaks app | ||
| 51 | nosound | ||
| 52 | notv | ||
| 53 | nou2f | ||
| 54 | novideo | ||
| 55 | protocol unix,inet,inet6 | ||
| 56 | seccomp | ||
| 57 | seccomp.block-secondary | ||
| 58 | tracelog | ||
| 59 | |||
| 60 | disable-mnt | ||
| 61 | # private works but then we lose ${HOME}/dead.letter | ||
| 62 | # which is useful to get notified on mail issues | ||
| 63 | #private | ||
| 64 | private-bin mailq,newaliases,sendmail,ssmtp | ||
| 65 | private-cache | ||
| 66 | private-dev | ||
| 67 | private-tmp | ||
| 68 | |||
| 69 | dbus-user none | ||
| 70 | dbus-system none | ||
| 71 | |||
| 72 | memory-deny-write-execute | ||
| 73 | restrict-namespaces | ||
| 74 | read-only ${HOME} | ||
| 75 | read-write ${HOME}/dead.letter | ||
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile index 7a59274bf..868c724d2 100644 --- a/etc/profile-m-z/standardnotes-desktop.profile +++ b/etc/profile-m-z/standardnotes-desktop.profile | |||
| @@ -42,3 +42,5 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostnam | |||
| 42 | 42 | ||
| 43 | dbus-user none | 43 | dbus-user none |
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | |||
| 46 | # restrict-namespaces | ||
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 5e5a8e9bb..f807afdc7 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
| @@ -178,7 +178,8 @@ private-dev | |||
| 178 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan | 178 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan |
| 179 | private-tmp | 179 | private-tmp |
| 180 | 180 | ||
| 181 | # dbus-user none | 181 | #dbus-user none |
| 182 | # dbus-system none | 182 | #dbus-system none |
| 183 | 183 | ||
| 184 | read-only ${HOME}/.config/MangoHud | 184 | read-only ${HOME}/.config/MangoHud |
| 185 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/stellarium.profile b/etc/profile-m-z/stellarium.profile index ecb5201e0..c83ff40f8 100644 --- a/etc/profile-m-z/stellarium.profile +++ b/etc/profile-m-z/stellarium.profile | |||
| @@ -43,3 +43,4 @@ private-bin stellarium | |||
| 43 | private-dev | 43 | private-dev |
| 44 | private-tmp | 44 | private-tmp |
| 45 | 45 | ||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile index a6723e9de..e9d2ca430 100644 --- a/etc/profile-m-z/strawberry.profile +++ b/etc/profile-m-z/strawberry.profile | |||
| @@ -46,3 +46,5 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostnam | |||
| 46 | private-tmp | 46 | private-tmp |
| 47 | 47 | ||
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | |||
| 50 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile index 506a38145..8c14ca51f 100644 --- a/etc/profile-m-z/strings.profile +++ b/etc/profile-m-z/strings.profile | |||
| @@ -54,3 +54,4 @@ dbus-system none | |||
| 54 | 54 | ||
| 55 | memory-deny-write-execute | 55 | memory-deny-write-execute |
| 56 | read-only ${HOME} | 56 | read-only ${HOME} |
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile index b222b5be2..896d4bc3e 100644 --- a/etc/profile-m-z/subdownloader.profile +++ b/etc/profile-m-z/subdownloader.profile | |||
| @@ -50,3 +50,4 @@ dbus-user none | |||
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | 51 | ||
| 52 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 52 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile index b082cc761..1f532d76c 100644 --- a/etc/profile-m-z/supertux2.profile +++ b/etc/profile-m-z/supertux2.profile | |||
| @@ -49,3 +49,5 @@ private-tmp | |||
| 49 | 49 | ||
| 50 | dbus-user none | 50 | dbus-user none |
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile index 7616217ff..b4eb70fcb 100644 --- a/etc/profile-m-z/supertuxkart.profile +++ b/etc/profile-m-z/supertuxkart.profile | |||
| @@ -60,3 +60,5 @@ private-srv none | |||
| 60 | 60 | ||
| 61 | dbus-user none | 61 | dbus-user none |
| 62 | dbus-system none | 62 | dbus-system none |
| 63 | |||
| 64 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile index 78432bf43..3508e11b0 100644 --- a/etc/profile-m-z/surf.profile +++ b/etc/profile-m-z/surf.profile | |||
| @@ -36,3 +36,4 @@ private-dev | |||
| 36 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl | 36 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl |
| 37 | private-tmp | 37 | private-tmp |
| 38 | 38 | ||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile index 46f5348fd..7b6a87b31 100644 --- a/etc/profile-m-z/sushi.profile +++ b/etc/profile-m-z/sushi.profile | |||
| @@ -45,3 +45,4 @@ read-only /media | |||
| 45 | read-only /run/mount | 45 | read-only /run/mount |
| 46 | read-only /run/media | 46 | read-only /run/media |
| 47 | read-only ${HOME} | 47 | read-only ${HOME} |
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile index 046d1b4be..f71905150 100644 --- a/etc/profile-m-z/sway.profile +++ b/etc/profile-m-z/sway.profile | |||
| @@ -17,3 +17,5 @@ netfilter | |||
| 17 | noroot | 17 | noroot |
| 18 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
| 19 | seccomp | 19 | seccomp |
| 20 | |||
| 21 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile index 4c290aa01..a2bb7d8e5 100644 --- a/etc/profile-m-z/synfigstudio.profile +++ b/etc/profile-m-z/synfigstudio.profile | |||
| @@ -36,3 +36,5 @@ private-tmp | |||
| 36 | 36 | ||
| 37 | dbus-user none | 37 | dbus-user none |
| 38 | dbus-system none | 38 | dbus-system none |
| 39 | |||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile index a0a2ec7bc..cef029401 100644 --- a/etc/profile-m-z/sysprof.profile +++ b/etc/profile-m-z/sysprof.profile | |||
| @@ -74,3 +74,4 @@ dbus-user.own org.gnome.Sysprof3 | |||
| 74 | dbus-user.talk ca.desrt.dconf | 74 | dbus-user.talk ca.desrt.dconf |
| 75 | 75 | ||
| 76 | # memory-deny-write-execute - breaks on Arch | 76 | # memory-deny-write-execute - breaks on Arch |
| 77 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile index 57301a54d..bc8444efd 100644 --- a/etc/profile-m-z/tcpdump.profile +++ b/etc/profile-m-z/tcpdump.profile | |||
| @@ -44,3 +44,4 @@ private-dev | |||
| 44 | private-tmp | 44 | private-tmp |
| 45 | 45 | ||
| 46 | memory-deny-write-execute | 46 | memory-deny-write-execute |
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile index 31df5b97c..41da4ee13 100644 --- a/etc/profile-m-z/teamspeak3.profile +++ b/etc/profile-m-z/teamspeak3.profile | |||
| @@ -39,3 +39,4 @@ disable-mnt | |||
| 39 | private-dev | 39 | private-dev |
| 40 | private-tmp | 40 | private-tmp |
| 41 | 41 | ||
| 42 | # restrict-namespaces | ||
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile index a253f9a76..f01cc1c74 100644 --- a/etc/profile-m-z/teeworlds.profile +++ b/etc/profile-m-z/teeworlds.profile | |||
| @@ -43,3 +43,5 @@ private-tmp | |||
| 43 | 43 | ||
| 44 | dbus-user none | 44 | dbus-user none |
| 45 | dbus-system none | 45 | dbus-system none |
| 46 | |||
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index bdae44ad0..886d303c8 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
| @@ -56,3 +56,5 @@ dbus-user.talk org.freedesktop.Notifications | |||
| 56 | dbus-user.talk org.gnome.Mutter.IdleMonitor | 56 | dbus-user.talk org.gnome.Mutter.IdleMonitor |
| 57 | dbus-user.talk org.freedesktop.ScreenSaver | 57 | dbus-user.talk org.freedesktop.ScreenSaver |
| 58 | dbus-system none | 58 | dbus-system none |
| 59 | |||
| 60 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/telnet.profile b/etc/profile-m-z/telnet.profile index 527c3c99f..13a47c958 100644 --- a/etc/profile-m-z/telnet.profile +++ b/etc/profile-m-z/telnet.profile | |||
| @@ -51,3 +51,4 @@ dbus-system none | |||
| 51 | 51 | ||
| 52 | memory-deny-write-execute | 52 | memory-deny-write-execute |
| 53 | noexec ${HOME} | 53 | noexec ${HOME} |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile index 4af30acc0..9249e33c8 100644 --- a/etc/profile-m-z/terasology.profile +++ b/etc/profile-m-z/terasology.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile new file mode 100644 index 000000000..11a21c471 --- /dev/null +++ b/etc/profile-m-z/tesseract.profile | |||
| @@ -0,0 +1,65 @@ | |||
| 1 | # Firejail profile for tesseract | ||
| 2 | # Description: An OCR program | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include tesseract.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include globals.local | ||
| 8 | |||
| 9 | blacklist ${RUNUSER} | ||
| 10 | |||
| 11 | noblacklist ${DOCUMENTS} | ||
| 12 | noblacklist ${PICTURES} | ||
| 13 | include disable-common.inc | ||
| 14 | include disable-devel.inc | ||
| 15 | include disable-exec.inc | ||
| 16 | include disable-interpreters.inc | ||
| 17 | include disable-proc.inc | ||
| 18 | include disable-programs.inc | ||
| 19 | include disable-shell.inc | ||
| 20 | include disable-xdg.inc | ||
| 21 | |||
| 22 | whitelist ${DOCUMENTS} | ||
| 23 | whitelist ${DOWNLOADS} | ||
| 24 | whitelist ${PICTURES} | ||
| 25 | include whitelist-common.inc | ||
| 26 | include whitelist-run-common.inc | ||
| 27 | include whitelist-runuser-common.inc | ||
| 28 | whitelist /usr/share/tessdata | ||
| 29 | include whitelist-usr-share-common.inc | ||
| 30 | include whitelist-var-common.inc | ||
| 31 | |||
| 32 | apparmor | ||
| 33 | caps.drop all | ||
| 34 | hostname tesseract | ||
| 35 | ipc-namespace | ||
| 36 | machine-id | ||
| 37 | net none | ||
| 38 | no3d | ||
| 39 | nodvd | ||
| 40 | nogroups | ||
| 41 | noinput | ||
| 42 | nonewprivs | ||
| 43 | noprinters | ||
| 44 | noroot | ||
| 45 | nosound | ||
| 46 | notv | ||
| 47 | nou2f | ||
| 48 | novideo | ||
| 49 | seccomp | ||
| 50 | tracelog | ||
| 51 | x11 none | ||
| 52 | |||
| 53 | #disable-mnt | ||
| 54 | private-bin ambiguous_words,classifier_tester,cntraining,combine_lang_model,combine_tessdata,dawg2wordlist,lstmeval,lstmtraining,merge_unicharsets,mftraining,set_unicharset_properties,shapeclustering,tesseract,text2image,unicharset_extractor,wordlist2dawg | ||
| 55 | private-cache | ||
| 56 | private-dev | ||
| 57 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload | ||
| 58 | #private-lib libtesseract.so.* | ||
| 59 | private-tmp | ||
| 60 | |||
| 61 | dbus-user none | ||
| 62 | dbus-system none | ||
| 63 | |||
| 64 | memory-deny-write-execute | ||
| 65 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile index 3dad84480..f49738f2b 100644 --- a/etc/profile-m-z/tilp.profile +++ b/etc/profile-m-z/tilp.profile | |||
| @@ -32,3 +32,4 @@ private-cache | |||
| 32 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload | 32 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
| 33 | private-tmp | 33 | private-tmp |
| 34 | 34 | ||
| 35 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile index 0ca9cc1ce..3cbf90660 100644 --- a/etc/profile-m-z/tin.profile +++ b/etc/profile-m-z/tin.profile | |||
| @@ -65,3 +65,4 @@ dbus-user none | |||
| 65 | dbus-system none | 65 | dbus-system none |
| 66 | 66 | ||
| 67 | memory-deny-write-execute | 67 | memory-deny-write-execute |
| 68 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile index bb710edc3..a855ff839 100644 --- a/etc/profile-m-z/tmux.profile +++ b/etc/profile-m-z/tmux.profile | |||
| @@ -42,3 +42,5 @@ private-dev | |||
| 42 | 42 | ||
| 43 | dbus-user none | 43 | dbus-user none |
| 44 | dbus-system none | 44 | dbus-system none |
| 45 | |||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile index ba7672068..275b170ff 100644 --- a/etc/profile-m-z/tor.profile +++ b/etc/profile-m-z/tor.profile | |||
| @@ -48,3 +48,5 @@ private-dev | |||
| 48 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor | 48 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor |
| 49 | private-tmp | 49 | private-tmp |
| 50 | writable-var | 50 | writable-var |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile index 9d66c5fa4..fab792826 100644 --- a/etc/profile-m-z/torbrowser-launcher.profile +++ b/etc/profile-m-z/torbrowser-launcher.profile | |||
| @@ -63,3 +63,5 @@ private-tmp | |||
| 63 | 63 | ||
| 64 | dbus-user none | 64 | dbus-user none |
| 65 | dbus-system none | 65 | dbus-system none |
| 66 | |||
| 67 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile index dfc20fc00..f83a74e9c 100644 --- a/etc/profile-m-z/torcs.profile +++ b/etc/profile-m-z/torcs.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile index 9ecc1e5ea..e21d37040 100644 --- a/etc/profile-m-z/totem.profile +++ b/etc/profile-m-z/totem.profile | |||
| @@ -57,3 +57,5 @@ private-tmp | |||
| 57 | # makes settings immutable | 57 | # makes settings immutable |
| 58 | # dbus-user none | 58 | # dbus-user none |
| 59 | dbus-system none | 59 | dbus-system none |
| 60 | |||
| 61 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile index 6d7751953..f30b0aef6 100644 --- a/etc/profile-m-z/tracker.profile +++ b/etc/profile-m-z/tracker.profile | |||
| @@ -36,3 +36,5 @@ tracelog | |||
| 36 | # private-bin tracker | 36 | # private-bin tracker |
| 37 | # private-dev | 37 | # private-dev |
| 38 | # private-tmp | 38 | # private-tmp |
| 39 | |||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile index 6dcdf64b6..9937b7c11 100644 --- a/etc/profile-m-z/transgui.profile +++ b/etc/profile-m-z/transgui.profile | |||
| @@ -52,3 +52,4 @@ dbus-user none | |||
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | 53 | ||
| 54 | memory-deny-write-execute | 54 | memory-deny-write-execute |
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile index 78df412d7..0a9029c97 100644 --- a/etc/profile-m-z/transmission-common.profile +++ b/etc/profile-m-z/transmission-common.profile | |||
| @@ -50,3 +50,4 @@ dbus-user none | |||
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | 51 | ||
| 52 | memory-deny-write-execute | 52 | memory-deny-write-execute |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile index 4bcc0affe..21c09067e 100644 --- a/etc/profile-m-z/tremulous.profile +++ b/etc/profile-m-z/tremulous.profile | |||
| @@ -50,3 +50,5 @@ private-tmp | |||
| 50 | 50 | ||
| 51 | dbus-user none | 51 | dbus-user none |
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | |||
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index eb3ae356a..63e964355 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile | |||
| @@ -61,3 +61,4 @@ dbus-user.talk org.freedesktop.secrets | |||
| 61 | dbus-system none | 61 | dbus-system none |
| 62 | 62 | ||
| 63 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 63 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
| 64 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/truecraft.profile b/etc/profile-m-z/truecraft.profile index 58f600259..f02532936 100644 --- a/etc/profile-m-z/truecraft.profile +++ b/etc/profile-m-z/truecraft.profile | |||
| @@ -36,3 +36,4 @@ disable-mnt | |||
| 36 | private-dev | 36 | private-dev |
| 37 | private-tmp | 37 | private-tmp |
| 38 | 38 | ||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile index 807d43281..ab2b359e4 100644 --- a/etc/profile-m-z/tuxguitar.profile +++ b/etc/profile-m-z/tuxguitar.profile | |||
| @@ -43,3 +43,5 @@ tracelog | |||
| 43 | 43 | ||
| 44 | private-dev | 44 | private-dev |
| 45 | private-tmp | 45 | private-tmp |
| 46 | |||
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile index 6c1dcc603..518dc95c7 100644 --- a/etc/profile-m-z/tvbrowser.profile +++ b/etc/profile-m-z/tvbrowser.profile | |||
| @@ -50,3 +50,5 @@ private-tmp | |||
| 50 | 50 | ||
| 51 | dbus-user none | 51 | dbus-user none |
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | |||
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile index e9a2745bf..7e3c7ac5a 100644 --- a/etc/profile-m-z/udiskie.profile +++ b/etc/profile-m-z/udiskie.profile | |||
| @@ -42,3 +42,5 @@ private-cache | |||
| 42 | private-dev | 42 | private-dev |
| 43 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg | 43 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg |
| 44 | private-tmp | 44 | private-tmp |
| 45 | |||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/uefitool.profile b/etc/profile-m-z/uefitool.profile index 3629f66f8..3d8f59df6 100644 --- a/etc/profile-m-z/uefitool.profile +++ b/etc/profile-m-z/uefitool.profile | |||
| @@ -36,3 +36,5 @@ private-tmp | |||
| 36 | 36 | ||
| 37 | dbus-user none | 37 | dbus-user none |
| 38 | dbus-system none | 38 | dbus-system none |
| 39 | |||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile index 948f61801..d8840fad3 100644 --- a/etc/profile-m-z/uget-gtk.profile +++ b/etc/profile-m-z/uget-gtk.profile | |||
| @@ -36,3 +36,5 @@ seccomp | |||
| 36 | private-bin uget-gtk | 36 | private-bin uget-gtk |
| 37 | private-dev | 37 | private-dev |
| 38 | private-tmp | 38 | private-tmp |
| 39 | |||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile index d18c9fe94..63d84688c 100644 --- a/etc/profile-m-z/unbound.profile +++ b/etc/profile-m-z/unbound.profile | |||
| @@ -52,3 +52,4 @@ dbus-user none | |||
| 52 | dbus-system none | 52 | dbus-system none |
| 53 | 53 | ||
| 54 | memory-deny-write-execute | 54 | memory-deny-write-execute |
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile index 70c54a6bd..6ec6ea609 100644 --- a/etc/profile-m-z/unf.profile +++ b/etc/profile-m-z/unf.profile | |||
| @@ -56,3 +56,4 @@ dbus-user none | |||
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | 57 | ||
| 58 | memory-deny-write-execute | 58 | memory-deny-write-execute |
| 59 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile index 755d087ea..3e2b28dec 100644 --- a/etc/profile-m-z/unknown-horizons.profile +++ b/etc/profile-m-z/unknown-horizons.profile | |||
| @@ -41,3 +41,4 @@ private-tmp | |||
| 41 | 41 | ||
| 42 | # doesn't work - maybe all Tcl/Tk programs have this problem | 42 | # doesn't work - maybe all Tcl/Tk programs have this problem |
| 43 | # memory-deny-write-execute | 43 | # memory-deny-write-execute |
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile index bb53917cf..f85e52273 100644 --- a/etc/profile-m-z/utox.profile +++ b/etc/profile-m-z/utox.profile | |||
| @@ -46,3 +46,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so | |||
| 46 | private-tmp | 46 | private-tmp |
| 47 | 47 | ||
| 48 | memory-deny-write-execute | 48 | memory-deny-write-execute |
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile index 7ac23bcb9..29d88832c 100644 --- a/etc/profile-m-z/uudeview.profile +++ b/etc/profile-m-z/uudeview.profile | |||
| @@ -44,3 +44,5 @@ private-etc alternatives,ld.so.cache,ld.so.preload | |||
| 44 | 44 | ||
| 45 | dbus-user none | 45 | dbus-user none |
| 46 | dbus-system none | 46 | dbus-system none |
| 47 | |||
| 48 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile index dcdae279f..dfda684e3 100644 --- a/etc/profile-m-z/uzbl-browser.profile +++ b/etc/profile-m-z/uzbl-browser.profile | |||
| @@ -39,3 +39,5 @@ notv | |||
| 39 | protocol unix,inet,inet6 | 39 | protocol unix,inet,inet6 |
| 40 | seccomp | 40 | seccomp |
| 41 | tracelog | 41 | tracelog |
| 42 | |||
| 43 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile index 6d7fa94e7..cdf615a02 100644 --- a/etc/profile-m-z/viewnior.profile +++ b/etc/profile-m-z/viewnior.profile | |||
| @@ -50,3 +50,4 @@ dbus-user none | |||
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | 51 | ||
| 52 | #memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808) | 52 | #memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808) |
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/viking.profile b/etc/profile-m-z/viking.profile index 65f1e2619..6ec74edd8 100644 --- a/etc/profile-m-z/viking.profile +++ b/etc/profile-m-z/viking.profile | |||
| @@ -34,3 +34,4 @@ seccomp | |||
| 34 | private-dev | 34 | private-dev |
| 35 | private-tmp | 35 | private-tmp |
| 36 | 36 | ||
| 37 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/vim.profile b/etc/profile-m-z/vim.profile index a6e05a32a..6847f1f5e 100644 --- a/etc/profile-m-z/vim.profile +++ b/etc/profile-m-z/vim.profile | |||
| @@ -32,3 +32,5 @@ protocol unix,inet,inet6 | |||
| 32 | seccomp | 32 | seccomp |
| 33 | 33 | ||
| 34 | private-dev | 34 | private-dev |
| 35 | |||
| 36 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile index b9b40e348..34e580085 100644 --- a/etc/profile-m-z/vlc.profile +++ b/etc/profile-m-z/vlc.profile | |||
| @@ -53,3 +53,5 @@ dbus-user.talk org.freedesktop.ScreenSaver | |||
| 53 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | 53 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
| 54 | dbus-user.talk org.mpris.MediaPlayer2.Player | 54 | dbus-user.talk org.mpris.MediaPlayer2.Player |
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | |||
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile index 1703c95e1..ba4136413 100644 --- a/etc/profile-m-z/vmware-view.profile +++ b/etc/profile-m-z/vmware-view.profile | |||
| @@ -54,3 +54,5 @@ private-tmp | |||
| 54 | 54 | ||
| 55 | dbus-user none | 55 | dbus-user none |
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | |||
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/vym.profile b/etc/profile-m-z/vym.profile index dbfbcca8a..be1ef153b 100644 --- a/etc/profile-m-z/vym.profile +++ b/etc/profile-m-z/vym.profile | |||
| @@ -33,3 +33,4 @@ disable-mnt | |||
| 33 | private-dev | 33 | private-dev |
| 34 | private-tmp | 34 | private-tmp |
| 35 | 35 | ||
| 36 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile index f5744e52c..fab5315aa 100644 --- a/etc/profile-m-z/w3m.profile +++ b/etc/profile-m-z/w3m.profile | |||
| @@ -68,3 +68,4 @@ dbus-user none | |||
| 68 | dbus-system none | 68 | dbus-system none |
| 69 | 69 | ||
| 70 | memory-deny-write-execute | 70 | memory-deny-write-execute |
| 71 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile index 6b32a1613..37a8f78bb 100644 --- a/etc/profile-m-z/warmux.profile +++ b/etc/profile-m-z/warmux.profile | |||
| @@ -53,3 +53,5 @@ private-tmp | |||
| 53 | 53 | ||
| 54 | dbus-user none | 54 | dbus-user none |
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | |||
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile index 0e3b88a02..c7f1d4c50 100644 --- a/etc/profile-m-z/warsow.profile +++ b/etc/profile-m-z/warsow.profile | |||
| @@ -54,3 +54,5 @@ private-tmp | |||
| 54 | 54 | ||
| 55 | dbus-user none | 55 | dbus-user none |
| 56 | dbus-system none | 56 | dbus-system none |
| 57 | |||
| 58 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile index 3e2c9b929..50c776412 100644 --- a/etc/profile-m-z/warzone2100.profile +++ b/etc/profile-m-z/warzone2100.profile | |||
| @@ -47,3 +47,5 @@ disable-mnt | |||
| 47 | private-bin bash,dash,sh,warzone2100,which | 47 | private-bin bash,dash,sh,warzone2100,which |
| 48 | private-dev | 48 | private-dev |
| 49 | private-tmp | 49 | private-tmp |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile index ec6a0d7ab..6e5a63911 100644 --- a/etc/profile-m-z/webstorm.profile +++ b/etc/profile-m-z/webstorm.profile | |||
| @@ -42,3 +42,5 @@ seccomp | |||
| 42 | private-cache | 42 | private-cache |
| 43 | private-dev | 43 | private-dev |
| 44 | private-tmp | 44 | private-tmp |
| 45 | |||
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile index 057e75372..b42d4c380 100644 --- a/etc/profile-m-z/webui-aria2.profile +++ b/etc/profile-m-z/webui-aria2.profile | |||
| @@ -36,3 +36,5 @@ private-tmp | |||
| 36 | 36 | ||
| 37 | dbus-user none | 37 | dbus-user none |
| 38 | dbus-system none | 38 | dbus-system none |
| 39 | |||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile index 07babd502..b190bf5ff 100644 --- a/etc/profile-m-z/weechat.profile +++ b/etc/profile-m-z/weechat.profile | |||
| @@ -28,3 +28,5 @@ seccomp | |||
| 28 | # no private-bin support for various reasons: | 28 | # no private-bin support for various reasons: |
| 29 | # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, | 29 | # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, |
| 30 | # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins | 30 | # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins |
| 31 | |||
| 32 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile index 345b26a2c..b6f29cfbf 100644 --- a/etc/profile-m-z/wesnoth.profile +++ b/etc/profile-m-z/wesnoth.profile | |||
| @@ -36,3 +36,5 @@ seccomp | |||
| 36 | 36 | ||
| 37 | private-dev | 37 | private-dev |
| 38 | private-tmp | 38 | private-tmp |
| 39 | |||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile index 1258b6fce..5e1823593 100644 --- a/etc/profile-m-z/wget.profile +++ b/etc/profile-m-z/wget.profile | |||
| @@ -61,3 +61,4 @@ dbus-user none | |||
| 61 | dbus-system none | 61 | dbus-system none |
| 62 | 62 | ||
| 63 | memory-deny-write-execute | 63 | memory-deny-write-execute |
| 64 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile index 92ebebdae..8a9614fb0 100644 --- a/etc/profile-m-z/whalebird.profile +++ b/etc/profile-m-z/whalebird.profile | |||
| @@ -10,6 +10,7 @@ include globals.local | |||
| 10 | ignore include whitelist-runuser-common.inc | 10 | ignore include whitelist-runuser-common.inc |
| 11 | ignore include whitelist-usr-share-common.inc | 11 | ignore include whitelist-usr-share-common.inc |
| 12 | 12 | ||
| 13 | ignore apparmor | ||
| 13 | ignore dbus-user none | 14 | ignore dbus-user none |
| 14 | ignore dbus-system none | 15 | ignore dbus-system none |
| 15 | 16 | ||
| @@ -21,7 +22,7 @@ whitelist ${HOME}/.config/Whalebird | |||
| 21 | no3d | 22 | no3d |
| 22 | 23 | ||
| 23 | private-bin electron,electron[0-9],electron[0-9][0-9],whalebird | 24 | private-bin electron,electron[0-9],electron[0-9][0-9],whalebird |
| 24 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id | 25 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl |
| 25 | 26 | ||
| 26 | # Redirect | 27 | # Redirect |
| 27 | include electron.profile | 28 | include electron.profile |
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile index 4891af458..d8c72ac8b 100644 --- a/etc/profile-m-z/whois.profile +++ b/etc/profile-m-z/whois.profile | |||
| @@ -54,3 +54,4 @@ dbus-user none | |||
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | 55 | ||
| 56 | memory-deny-write-execute | 56 | memory-deny-write-execute |
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/widelands.profile b/etc/profile-m-z/widelands.profile index 99a3fae8c..30a471fac 100644 --- a/etc/profile-m-z/widelands.profile +++ b/etc/profile-m-z/widelands.profile | |||
| @@ -45,3 +45,5 @@ private-tmp | |||
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
| 47 | dbus-system none | 47 | dbus-system none |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile index f30fc971f..1e2b164b9 100644 --- a/etc/profile-m-z/wine.profile +++ b/etc/profile-m-z/wine.profile | |||
| @@ -40,3 +40,5 @@ notv | |||
| 40 | seccomp | 40 | seccomp |
| 41 | 41 | ||
| 42 | private-dev | 42 | private-dev |
| 43 | |||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile index 0a13c25aa..5823a2ad7 100644 --- a/etc/profile-m-z/wireshark.profile +++ b/etc/profile-m-z/wireshark.profile | |||
| @@ -52,3 +52,5 @@ private-tmp | |||
| 52 | 52 | ||
| 53 | dbus-user none | 53 | dbus-user none |
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | |||
| 56 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile index 8f9c44d7d..ccc2e8dd0 100644 --- a/etc/profile-m-z/wordwarvi.profile +++ b/etc/profile-m-z/wordwarvi.profile | |||
| @@ -49,3 +49,5 @@ private-tmp | |||
| 49 | 49 | ||
| 50 | dbus-user none | 50 | dbus-user none |
| 51 | dbus-system none | 51 | dbus-system none |
| 52 | |||
| 53 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile index 1287faa2c..7f85e1ede 100644 --- a/etc/profile-m-z/wps.profile +++ b/etc/profile-m-z/wps.profile | |||
| @@ -46,3 +46,5 @@ private-tmp | |||
| 46 | 46 | ||
| 47 | dbus-user none | 47 | dbus-user none |
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | |||
| 50 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/x-terminal-emulator.profile b/etc/profile-m-z/x-terminal-emulator.profile index 141d167a8..4b88e8118 100644 --- a/etc/profile-m-z/x-terminal-emulator.profile +++ b/etc/profile-m-z/x-terminal-emulator.profile | |||
| @@ -21,3 +21,4 @@ dbus-user none | |||
| 21 | dbus-system none | 21 | dbus-system none |
| 22 | 22 | ||
| 23 | noexec /tmp | 23 | noexec /tmp |
| 24 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile index b8bbba072..6dd374aac 100644 --- a/etc/profile-m-z/x2goclient.profile +++ b/etc/profile-m-z/x2goclient.profile | |||
| @@ -48,3 +48,4 @@ dbus-user none | |||
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | 49 | ||
| 50 | #memory-deny-write-execute | 50 | #memory-deny-write-execute |
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile index 72e6d04a0..1b44b63e0 100644 --- a/etc/profile-m-z/xbill.profile +++ b/etc/profile-m-z/xbill.profile | |||
| @@ -51,3 +51,4 @@ dbus-system none | |||
| 51 | 51 | ||
| 52 | memory-deny-write-execute | 52 | memory-deny-write-execute |
| 53 | read-only ${HOME} | 53 | read-only ${HOME} |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xcalc.profile b/etc/profile-m-z/xcalc.profile index fef5613ad..3d808ce1f 100644 --- a/etc/profile-m-z/xcalc.profile +++ b/etc/profile-m-z/xcalc.profile | |||
| @@ -40,3 +40,5 @@ private-tmp | |||
| 40 | 40 | ||
| 41 | dbus-user none | 41 | dbus-user none |
| 42 | dbus-system none | 42 | dbus-system none |
| 43 | |||
| 44 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xchat.profile b/etc/profile-m-z/xchat.profile index a94444aab..4061e26a4 100644 --- a/etc/profile-m-z/xchat.profile +++ b/etc/profile-m-z/xchat.profile | |||
| @@ -21,3 +21,5 @@ protocol unix,inet,inet6 | |||
| 21 | seccomp | 21 | seccomp |
| 22 | 22 | ||
| 23 | # private-bin requires perl, python*, etc. | 23 | # private-bin requires perl, python*, etc. |
| 24 | |||
| 25 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile index f117e96ab..dda803bd5 100644 --- a/etc/profile-m-z/xed.profile +++ b/etc/profile-m-z/xed.profile | |||
| @@ -51,3 +51,4 @@ private-tmp | |||
| 51 | 51 | ||
| 52 | # xed uses python plugins, memory-deny-write-execute breaks python | 52 | # xed uses python plugins, memory-deny-write-execute breaks python |
| 53 | # memory-deny-write-execute | 53 | # memory-deny-write-execute |
| 54 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile index 930d2755b..141fda909 100644 --- a/etc/profile-m-z/xfburn.profile +++ b/etc/profile-m-z/xfburn.profile | |||
| @@ -28,3 +28,5 @@ tracelog | |||
| 28 | # private-bin xfburn | 28 | # private-bin xfburn |
| 29 | # private-dev | 29 | # private-dev |
| 30 | # private-tmp | 30 | # private-tmp |
| 31 | |||
| 32 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile index 7afe69814..633a9967c 100644 --- a/etc/profile-m-z/xfce4-dict.profile +++ b/etc/profile-m-z/xfce4-dict.profile | |||
| @@ -37,3 +37,4 @@ private-cache | |||
| 37 | private-dev | 37 | private-dev |
| 38 | private-tmp | 38 | private-tmp |
| 39 | 39 | ||
| 40 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile index 006e1859b..95eb2046e 100644 --- a/etc/profile-m-z/xfce4-mixer.profile +++ b/etc/profile-m-z/xfce4-mixer.profile | |||
| @@ -54,3 +54,4 @@ dbus-user.talk org.xfce.Xfconf | |||
| 54 | dbus-system none | 54 | dbus-system none |
| 55 | 55 | ||
| 56 | # memory-deny-write-execute - breaks on Arch | 56 | # memory-deny-write-execute - breaks on Arch |
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile index 4ab8f34f4..f7d890eef 100644 --- a/etc/profile-m-z/xfce4-notes.profile +++ b/etc/profile-m-z/xfce4-notes.profile | |||
| @@ -39,3 +39,4 @@ private-cache | |||
| 39 | private-dev | 39 | private-dev |
| 40 | private-tmp | 40 | private-tmp |
| 41 | 41 | ||
| 42 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile index ca4d77d73..575acc9b2 100644 --- a/etc/profile-m-z/xfce4-screenshooter.profile +++ b/etc/profile-m-z/xfce4-screenshooter.profile | |||
| @@ -48,3 +48,4 @@ dbus-user none | |||
| 48 | dbus-system none | 48 | dbus-system none |
| 49 | 49 | ||
| 50 | # memory-deny-write-execute -- see #3790 | 50 | # memory-deny-write-execute -- see #3790 |
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile index c755632ca..371db722c 100644 --- a/etc/profile-m-z/xiphos.profile +++ b/etc/profile-m-z/xiphos.profile | |||
| @@ -48,3 +48,5 @@ private-cache | |||
| 48 | private-dev | 48 | private-dev |
| 49 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf | 49 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf |
| 50 | private-tmp | 50 | private-tmp |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2.profile index d7edd3543..d7edd3543 100644 --- a/etc/profile-m-z/xlinks2 +++ b/etc/profile-m-z/xlinks2.profile | |||
diff --git a/etc/profile-m-z/xmms.profile b/etc/profile-m-z/xmms.profile index e255ad927..ef8fd1d7f 100644 --- a/etc/profile-m-z/xmms.profile +++ b/etc/profile-m-z/xmms.profile | |||
| @@ -29,3 +29,5 @@ seccomp | |||
| 29 | 29 | ||
| 30 | private-bin xmms | 30 | private-bin xmms |
| 31 | private-dev | 31 | private-dev |
| 32 | |||
| 33 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile index 64b6bcaeb..ad1ba8ca3 100644 --- a/etc/profile-m-z/xmr-stak.profile +++ b/etc/profile-m-z/xmr-stak.profile | |||
| @@ -43,3 +43,4 @@ private-opt cuda | |||
| 43 | private-tmp | 43 | private-tmp |
| 44 | 44 | ||
| 45 | memory-deny-write-execute | 45 | memory-deny-write-execute |
| 46 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile index 3c5ef1ac0..9128c330b 100644 --- a/etc/profile-m-z/xonotic.profile +++ b/etc/profile-m-z/xonotic.profile | |||
| @@ -53,3 +53,4 @@ dbus-system none | |||
| 53 | 53 | ||
| 54 | read-only ${HOME} | 54 | read-only ${HOME} |
| 55 | read-write ${HOME}/.xonotic | 55 | read-write ${HOME}/.xonotic |
| 56 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile index 71942edab..a17464a2a 100644 --- a/etc/profile-m-z/xournal.profile +++ b/etc/profile-m-z/xournal.profile | |||
| @@ -48,3 +48,5 @@ private-tmp | |||
| 48 | 48 | ||
| 49 | dbus-user none | 49 | dbus-user none |
| 50 | dbus-system none | 50 | dbus-system none |
| 51 | |||
| 52 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xpdf.profile b/etc/profile-m-z/xpdf.profile index 33803a741..fdfb3bf59 100644 --- a/etc/profile-m-z/xpdf.profile +++ b/etc/profile-m-z/xpdf.profile | |||
| @@ -42,3 +42,4 @@ dbus-user none | |||
| 42 | dbus-system none | 42 | dbus-system none |
| 43 | 43 | ||
| 44 | memory-deny-write-execute | 44 | memory-deny-write-execute |
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile index 1087d7cd0..a673d6aa3 100644 --- a/etc/profile-m-z/xplayer.profile +++ b/etc/profile-m-z/xplayer.profile | |||
| @@ -47,3 +47,5 @@ private-tmp | |||
| 47 | # makes settings immutable | 47 | # makes settings immutable |
| 48 | # dbus-user none | 48 | # dbus-user none |
| 49 | # dbus-system none | 49 | # dbus-system none |
| 50 | |||
| 51 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile index c10ea4a63..05c12b9a2 100644 --- a/etc/profile-m-z/xpra.profile +++ b/etc/profile-m-z/xpra.profile | |||
| @@ -51,3 +51,5 @@ disable-mnt | |||
| 51 | private-dev | 51 | private-dev |
| 52 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra | 52 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra |
| 53 | private-tmp | 53 | private-tmp |
| 54 | |||
| 55 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile index ec966fc5c..ff5dc619b 100644 --- a/etc/profile-m-z/xreader.profile +++ b/etc/profile-m-z/xreader.profile | |||
| @@ -42,3 +42,4 @@ private-etc alternatives,fonts,ld.so.cache,ld.so.preload | |||
| 42 | private-tmp | 42 | private-tmp |
| 43 | 43 | ||
| 44 | memory-deny-write-execute | 44 | memory-deny-write-execute |
| 45 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile index e7fa7051e..6c31df4a9 100644 --- a/etc/profile-m-z/xviewer.profile +++ b/etc/profile-m-z/xviewer.profile | |||
| @@ -46,3 +46,4 @@ private-tmp | |||
| 46 | # dbus-system none | 46 | # dbus-system none |
| 47 | 47 | ||
| 48 | memory-deny-write-execute | 48 | memory-deny-write-execute |
| 49 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index ae0ccced6..6ea7fdfbd 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile | |||
| @@ -74,3 +74,5 @@ read-write ${HOME}/.cache | |||
| 74 | # your yelp.local if you need PDF printing support. | 74 | # your yelp.local if you need PDF printing support. |
| 75 | #noblacklist ${DOCUMENTS} | 75 | #noblacklist ${DOCUMENTS} |
| 76 | #whitelist ${DOCUMENTS} | 76 | #whitelist ${DOCUMENTS} |
| 77 | |||
| 78 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile index 48e18060f..c846893ef 100644 --- a/etc/profile-m-z/youtube-dl-gui.profile +++ b/etc/profile-m-z/youtube-dl-gui.profile | |||
| @@ -53,3 +53,5 @@ private-tmp | |||
| 53 | 53 | ||
| 54 | dbus-user none | 54 | dbus-user none |
| 55 | dbus-system none | 55 | dbus-system none |
| 56 | |||
| 57 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile index 19e176877..4f2cc9523 100644 --- a/etc/profile-m-z/youtube-dl.profile +++ b/etc/profile-m-z/youtube-dl.profile | |||
| @@ -64,3 +64,4 @@ dbus-user none | |||
| 64 | dbus-system none | 64 | dbus-system none |
| 65 | 65 | ||
| 66 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 66 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
| 67 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile index 8582e2462..f66e2938b 100644 --- a/etc/profile-m-z/youtube-viewers-common.profile +++ b/etc/profile-m-z/youtube-viewers-common.profile | |||
| @@ -19,6 +19,13 @@ include allow-perl.inc | |||
| 19 | include allow-python2.inc | 19 | include allow-python2.inc |
| 20 | include allow-python3.inc | 20 | include allow-python3.inc |
| 21 | 21 | ||
| 22 | # The lines below are needed to find the default Firefox profile name, to allow | ||
| 23 | # opening links in an existing instance of Firefox (note that it still fails if | ||
| 24 | # there isn't a Firefox instance running with the default profile; see #5352) | ||
| 25 | noblacklist ${HOME}/.mozilla | ||
| 26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
| 27 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
| 28 | |||
| 22 | include disable-common.inc | 29 | include disable-common.inc |
| 23 | include disable-devel.inc | 30 | include disable-devel.inc |
| 24 | include disable-exec.inc | 31 | include disable-exec.inc |
| @@ -55,5 +62,10 @@ private-dev | |||
| 55 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg | 62 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg |
| 56 | private-tmp | 63 | private-tmp |
| 57 | 64 | ||
| 58 | dbus-user none | 65 | dbus-user filter |
| 66 | # allow D-Bus communication with firefox for opening links | ||
| 67 | dbus-user.talk org.mozilla.* | ||
| 68 | |||
| 59 | dbus-system none | 69 | dbus-system none |
| 70 | |||
| 71 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile index 59b6e2543..aa466871c 100644 --- a/etc/profile-m-z/ytmdesktop.profile +++ b/etc/profile-m-z/ytmdesktop.profile | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | # Firejail profile for ytmdesktop | 1 | # Firejail profile for ytmdesktop |
| 2 | # Description: Unofficial electron based desktop warpper for YouTube Music | 2 | # Description: Unofficial electron based desktop wrapper for YouTube Music |
| 3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 4 | # Persistent local customizations | 4 | # Persistent local customizations |
| 5 | include youtube.local | 5 | include youtube.local |
diff --git a/etc/profile-m-z/zaproxy.profile b/etc/profile-m-z/zaproxy.profile index 0caca9792..96324ebda 100644 --- a/etc/profile-m-z/zaproxy.profile +++ b/etc/profile-m-z/zaproxy.profile | |||
| @@ -44,3 +44,4 @@ disable-mnt | |||
| 44 | private-dev | 44 | private-dev |
| 45 | private-tmp | 45 | private-tmp |
| 46 | 46 | ||
| 47 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/zart.profile b/etc/profile-m-z/zart.profile index cd94a3fbd..5816ea5e3 100644 --- a/etc/profile-m-z/zart.profile +++ b/etc/profile-m-z/zart.profile | |||
| @@ -35,3 +35,5 @@ private-dev | |||
| 35 | 35 | ||
| 36 | dbus-user none | 36 | dbus-user none |
| 37 | dbus-system none | 37 | dbus-system none |
| 38 | |||
| 39 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile index 12b090d35..1daf89c84 100644 --- a/etc/profile-m-z/zathura.profile +++ b/etc/profile-m-z/zathura.profile | |||
| @@ -59,3 +59,4 @@ dbus-system none | |||
| 59 | read-only ${HOME} | 59 | read-only ${HOME} |
| 60 | read-write ${HOME}/.config/zathura | 60 | read-write ${HOME}/.config/zathura |
| 61 | read-write ${HOME}/.local/share/zathura | 61 | read-write ${HOME}/.local/share/zathura |
| 62 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile index 84f6d52dd..453f40e73 100644 --- a/etc/profile-m-z/zeal.profile +++ b/etc/profile-m-z/zeal.profile | |||
| @@ -69,3 +69,4 @@ dbus-user.talk org.mozilla.* | |||
| 69 | dbus-system none | 69 | dbus-system none |
| 70 | 70 | ||
| 71 | # memory-deny-write-execute - breaks on Arch | 71 | # memory-deny-write-execute - breaks on Arch |
| 72 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/zim.profile b/etc/profile-m-z/zim.profile index 7350ed5a6..a9e5aa5c3 100644 --- a/etc/profile-m-z/zim.profile +++ b/etc/profile-m-z/zim.profile | |||
| @@ -68,3 +68,5 @@ private-tmp | |||
| 68 | 68 | ||
| 69 | dbus-user none | 69 | dbus-user none |
| 70 | dbus-system none | 70 | dbus-system none |
| 71 | |||
| 72 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile index 5f7d83a7c..b69de3be1 100644 --- a/etc/profile-m-z/zulip.profile +++ b/etc/profile-m-z/zulip.profile | |||
| @@ -45,3 +45,5 @@ private-cache | |||
| 45 | private-dev | 45 | private-dev |
| 46 | private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id | 46 | private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id |
| 47 | private-tmp | 47 | private-tmp |
| 48 | |||
| 49 | restrict-namespaces | ||
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 59083f660..fd328f36c 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
| @@ -214,7 +214,7 @@ include globals.local | |||
| 214 | # - In order to make dconf work (when used by the app) you need to allow | 214 | # - In order to make dconf work (when used by the app) you need to allow |
| 215 | # 'ca.desrt.dconf' even when not allowed by flatpak. | 215 | # 'ca.desrt.dconf' even when not allowed by flatpak. |
| 216 | # Notes and policies about addresses can be found at | 216 | # Notes and policies about addresses can be found at |
| 217 | # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> | 217 | # <https://github.com/netblue30/firejail/wiki/Restrict-DBus> |
| 218 | #dbus-user filter | 218 | #dbus-user filter |
| 219 | #dbus-user.own com.github.netblue30.firejail | 219 | #dbus-user.own com.github.netblue30.firejail |
| 220 | #dbus-user.talk ca.desrt.dconf | 220 | #dbus-user.talk ca.desrt.dconf |
diff --git a/src/common.mk b/src/common.mk deleted file mode 100644 index 07b5e373d..000000000 --- a/src/common.mk +++ /dev/null | |||
| @@ -1,16 +0,0 @@ | |||
| 1 | # Common definitions for building C programs and non-shared objects. | ||
| 2 | # | ||
| 3 | # Note: "ROOT" must be defined before including this file. | ||
| 4 | |||
| 5 | -include $(ROOT)/config.mk | ||
| 6 | |||
| 7 | H_FILE_LIST = $(sort $(wildcard *.h)) | ||
| 8 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
| 9 | OBJS = $(C_FILE_LIST:.c=.o) | ||
| 10 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
| 11 | |||
| 12 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) | ||
| 13 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"' | ||
| 14 | CFLAGS += $(MANFLAGS) | ||
| 15 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security | ||
| 16 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now | ||
diff --git a/src/fbuilder/Makefile b/src/fbuilder/Makefile index da0403c6e..ad73e8960 100644 --- a/src/fbuilder/Makefile +++ b/src/fbuilder/Makefile | |||
| @@ -1,17 +1,9 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fbuilder | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | fbuilder: $(OBJS) $(ROOT)/config.mk | 4 | PROG = fbuilder |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h ../include/syscall.h |
| 14 | clean:; rm -fr *.o fbuilder *.gcov *.gcda *.gcno *.plist | ||
| 15 | 8 | ||
| 16 | .PHONY: distclean | 9 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fcopy/Makefile b/src/fcopy/Makefile index ae128df9b..27054627c 100644 --- a/src/fcopy/Makefile +++ b/src/fcopy/Makefile | |||
| @@ -1,17 +1,10 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fcopy | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | fcopy: $(OBJS) ../lib/common.o $(ROOT)/config.mk | 4 | PROG = fcopy |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h ../include/syscall.h |
| 14 | clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist | 8 | MOD_OBJS = ../lib/common.o |
| 15 | 9 | ||
| 16 | .PHONY: distclean | 10 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fids/Makefile b/src/fids/Makefile index e57c56b5b..44ea396d7 100644 --- a/src/fids/Makefile +++ b/src/fids/Makefile | |||
| @@ -1,18 +1,9 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fids | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | #fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o | 4 | PROG = fids |
| 11 | fids: $(OBJS) $(ROOT)/config.mk | 5 | TARGET = $(PROG) |
| 12 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
| 13 | 6 | ||
| 14 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h |
| 15 | clean:; rm -fr *.o fids *.gcov *.gcda *.gcno *.plist | ||
| 16 | 8 | ||
| 17 | .PHONY: distclean | 9 | include $(ROOT)/src/prog.mk |
| 18 | distclean: clean | ||
diff --git a/src/firecfg/Makefile b/src/firecfg/Makefile index 3b0daed71..05cc088f4 100644 --- a/src/firecfg/Makefile +++ b/src/firecfg/Makefile | |||
| @@ -1,17 +1,16 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: firecfg | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | 3 | ||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/firejail_user.h ../include/pid.h $(ROOT)/config.mk | 4 | PROG = firecfg |
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 5 | TARGET = $(PROG) |
| 9 | 6 | ||
| 10 | firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o $(ROOT)/config.mk | 7 | MOD_HDRS = \ |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS) | 8 | ../include/common.h \ |
| 9 | ../include/euid_common.h \ | ||
| 10 | ../include/libnetlink.h \ | ||
| 11 | ../include/firejail_user.h \ | ||
| 12 | ../include/pid.h | ||
| 12 | 13 | ||
| 13 | .PHONY: clean | 14 | MOD_OBJS = ../lib/common.o ../lib/firejail_user.o |
| 14 | clean:; rm -fr *.o firecfg *.gcov *.gcda *.gcno *.plist | ||
| 15 | 15 | ||
| 16 | .PHONY: distclean | 16 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 17563cde3..15169f983 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
| @@ -74,6 +74,8 @@ autokey-gtk | |||
| 74 | autokey-qt | 74 | autokey-qt |
| 75 | autokey-run | 75 | autokey-run |
| 76 | autokey-shell | 76 | autokey-shell |
| 77 | avidemux3_cli | ||
| 78 | avidemux3_jobs_qt5 | ||
| 77 | avidemux3_qt5 | 79 | avidemux3_qt5 |
| 78 | aweather | 80 | aweather |
| 79 | ballbuster | 81 | ballbuster |
| @@ -128,6 +130,7 @@ catfish | |||
| 128 | cawbird | 130 | cawbird |
| 129 | celluloid | 131 | celluloid |
| 130 | chafa | 132 | chafa |
| 133 | chatterino | ||
| 131 | checkbashisms | 134 | checkbashisms |
| 132 | cheese | 135 | cheese |
| 133 | cherrytree | 136 | cherrytree |
| @@ -788,6 +791,7 @@ telegram | |||
| 788 | telegram-desktop | 791 | telegram-desktop |
| 789 | telnet | 792 | telnet |
| 790 | terasology | 793 | terasology |
| 794 | tesseract | ||
| 791 | textmaker18 | 795 | textmaker18 |
| 792 | textmaker18free | 796 | textmaker18free |
| 793 | thunderbird | 797 | thunderbird |
diff --git a/src/firejail/Makefile b/src/firejail/Makefile index 23444107f..4e241af7e 100644 --- a/src/firejail/Makefile +++ b/src/firejail/Makefile | |||
| @@ -1,17 +1,25 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: firejail | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | 3 | ||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/rundefs.h ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall_i386.h ../include/syscall_x86_64.h ../include/firejail_user.h $(ROOT)/config.mk | 4 | PROG = firejail |
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 5 | TARGET = $(PROG) |
| 9 | 6 | ||
| 10 | firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(ROOT)/config.mk | 7 | MOD_HDRS = \ |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) | 8 | ../include/rundefs.h \ |
| 9 | ../include/common.h \ | ||
| 10 | ../include/ldd_utils.h \ | ||
| 11 | ../include/euid_common.h \ | ||
| 12 | ../include/pid.h \ | ||
| 13 | ../include/seccomp.h \ | ||
| 14 | ../include/syscall_i386.h \ | ||
| 15 | ../include/syscall_x86_64.h \ | ||
| 16 | ../include/firejail_user.h | ||
| 12 | 17 | ||
| 13 | .PHONY: clean | 18 | MOD_OBJS = \ |
| 14 | clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist | 19 | ../lib/common.o \ |
| 20 | ../lib/ldd_utils.o \ | ||
| 21 | ../lib/firejail_user.o \ | ||
| 22 | ../lib/errno.o \ | ||
| 23 | ../lib/syscall.o | ||
| 15 | 24 | ||
| 16 | .PHONY: distclean | 25 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 6f484e59a..72322221c 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
| @@ -119,6 +119,11 @@ void fs_chroot(const char *rootdir) { | |||
| 119 | int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 119 | int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
| 120 | if (parentfd == -1) | 120 | if (parentfd == -1) |
| 121 | errExit("safer_openat"); | 121 | errExit("safer_openat"); |
| 122 | |||
| 123 | if (faccessat(parentfd, ".", X_OK, 0) != 0) { | ||
| 124 | fprintf(stderr, "Error: no search permission on chroot directory\n"); | ||
| 125 | exit(1); | ||
| 126 | } | ||
| 122 | // rootdir has to be owned by root and is not allowed to be generally writable, | 127 | // rootdir has to be owned by root and is not allowed to be generally writable, |
| 123 | // this also excludes /tmp and friends | 128 | // this also excludes /tmp and friends |
| 124 | struct stat s; | 129 | struct stat s; |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 65f93d9d1..4fe3a5974 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -355,6 +355,7 @@ extern int arg_noinput; // --noinput | |||
| 355 | extern int arg_deterministic_exit_code; // always exit with first child's exit status | 355 | extern int arg_deterministic_exit_code; // always exit with first child's exit status |
| 356 | extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies | 356 | extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies |
| 357 | extern int arg_keep_fd_all; // inherit all file descriptors to sandbox | 357 | extern int arg_keep_fd_all; // inherit all file descriptors to sandbox |
| 358 | extern int arg_netlock; // netlocker | ||
| 358 | 359 | ||
| 359 | typedef enum { | 360 | typedef enum { |
| 360 | DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus | 361 | DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 54479dc0c..18e9ae651 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -159,6 +159,7 @@ int arg_dbus_log_system = 0; | |||
| 159 | int arg_tab = 0; | 159 | int arg_tab = 0; |
| 160 | int login_shell = 0; | 160 | int login_shell = 0; |
| 161 | int just_run_the_shell = 0; | 161 | int just_run_the_shell = 0; |
| 162 | int arg_netlock = 0; | ||
| 162 | 163 | ||
| 163 | int parent_to_child_fds[2]; | 164 | int parent_to_child_fds[2]; |
| 164 | int child_to_parent_fds[2]; | 165 | int child_to_parent_fds[2]; |
| @@ -1053,7 +1054,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 1053 | int lockfd_directory = -1; | 1054 | int lockfd_directory = -1; |
| 1054 | int custom_profile = 0; // custom profile loaded | 1055 | int custom_profile = 0; // custom profile loaded |
| 1055 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) | 1056 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
| 1056 | int arg_netlock = 0; | ||
| 1057 | char **ptr; | 1057 | char **ptr; |
| 1058 | 1058 | ||
| 1059 | 1059 | ||
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 15e833288..acf206da6 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -655,6 +655,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 655 | #endif | 655 | #endif |
| 656 | return 0; | 656 | return 0; |
| 657 | } | 657 | } |
| 658 | else if (strcmp(ptr, "netlock") == 0) { | ||
| 659 | #ifdef HAVE_NETWORK | ||
| 660 | if (checkcfg(CFG_NETWORK)) { | ||
| 661 | arg_netlock = 1; | ||
| 662 | } | ||
| 663 | else | ||
| 664 | warning_feature_disabled("networking"); | ||
| 665 | #endif | ||
| 666 | return 0; | ||
| 667 | } | ||
| 658 | else if (strncmp(ptr, "netns ", 6) == 0) { | 668 | else if (strncmp(ptr, "netns ", 6) == 0) { |
| 659 | #ifdef HAVE_NETWORK | 669 | #ifdef HAVE_NETWORK |
| 660 | if (checkcfg(CFG_NETWORK)) { | 670 | if (checkcfg(CFG_NETWORK)) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3295362e1..77fe73174 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -1134,8 +1134,10 @@ int sandbox(void* sandbox_arg) { | |||
| 1134 | struct stat s; | 1134 | struct stat s; |
| 1135 | if (stat(cfg.homedir, &s) == 0) { | 1135 | if (stat(cfg.homedir, &s) == 0) { |
| 1136 | /* coverity[toctou] */ | 1136 | /* coverity[toctou] */ |
| 1137 | if (chdir(cfg.homedir) < 0) | 1137 | if (chdir(cfg.homedir) < 0) { |
| 1138 | errExit("chdir"); | 1138 | fprintf(stderr, "Error: unable to enter home directory: %s: %s\n", cfg.homedir, strerror(errno)); |
| 1139 | exit(1); | ||
| 1140 | } | ||
| 1139 | } | 1141 | } |
| 1140 | } | 1142 | } |
| 1141 | } | 1143 | } |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 17f5af434..04c586f79 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -91,6 +91,9 @@ static char *usage_str = | |||
| 91 | " --deterministic-shutdown - terminate orphan processes.\n" | 91 | " --deterministic-shutdown - terminate orphan processes.\n" |
| 92 | " --dns=address - set DNS server.\n" | 92 | " --dns=address - set DNS server.\n" |
| 93 | " --dns.print=name|pid - print DNS configuration.\n" | 93 | " --dns.print=name|pid - print DNS configuration.\n" |
| 94 | #ifdef HAVE_NETWORK | ||
| 95 | " --dnstrace - monitor DNS queries.\n" | ||
| 96 | #endif | ||
| 94 | " --env=name=value - set environment variable.\n" | 97 | " --env=name=value - set environment variable.\n" |
| 95 | " --fs.print=name|pid - print the filesystem log.\n" | 98 | " --fs.print=name|pid - print the filesystem log.\n" |
| 96 | #ifdef HAVE_FILE_TRANSFER | 99 | #ifdef HAVE_FILE_TRANSFER |
| @@ -99,6 +102,9 @@ static char *usage_str = | |||
| 99 | " --help, -? - this help screen.\n" | 102 | " --help, -? - this help screen.\n" |
| 100 | " --hostname=name - set sandbox hostname.\n" | 103 | " --hostname=name - set sandbox hostname.\n" |
| 101 | " --hosts-file=file - use file as /etc/hosts.\n" | 104 | " --hosts-file=file - use file as /etc/hosts.\n" |
| 105 | #ifdef HAVE_NETWORK | ||
| 106 | " --icmptrace - monitor Server Name Indiication (TLS/SNI).\n" | ||
| 107 | #endif | ||
| 102 | " --ids-check - verify file system.\n" | 108 | " --ids-check - verify file system.\n" |
| 103 | " --ids-init - initialize IDS database.\n" | 109 | " --ids-init - initialize IDS database.\n" |
| 104 | " --ignore=command - ignore command in profile files.\n" | 110 | " --ignore=command - ignore command in profile files.\n" |
| @@ -154,8 +160,6 @@ static char *usage_str = | |||
| 154 | " --netns=name - Run the program in a named, persistent network namespace.\n" | 160 | " --netns=name - Run the program in a named, persistent network namespace.\n" |
| 155 | " --netstats - monitor network statistics.\n" | 161 | " --netstats - monitor network statistics.\n" |
| 156 | " --nettrace - monitor received TCP, UDP and ICMP traffic.\n" | 162 | " --nettrace - monitor received TCP, UDP and ICMP traffic.\n" |
| 157 | " --nettrace - monitor DNS queries.\n" | ||
| 158 | " --nettrace - monitor Server Name Indiication (TLS/SNI).\n" | ||
| 159 | #endif | 163 | #endif |
| 160 | " --nice=value - set nice value.\n" | 164 | " --nice=value - set nice value.\n" |
| 161 | " --no3d - disable 3D hardware acceleration.\n" | 165 | " --no3d - disable 3D hardware acceleration.\n" |
diff --git a/src/firemon/Makefile b/src/firemon/Makefile index b2d2f4d14..433e4267d 100644 --- a/src/firemon/Makefile +++ b/src/firemon/Makefile | |||
| @@ -1,17 +1,10 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: firemon | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | firemon: $(OBJS) ../lib/common.o ../lib/pid.o $(ROOT)/config.mk | 4 | PROG = firemon |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h ../include/pid.h |
| 14 | clean:; rm -fr *.o firemon *.gcov *.gcda *.gcno *.plist | 8 | MOD_OBJS = ../lib/common.o ../lib/pid.o |
| 15 | 9 | ||
| 16 | .PHONY: distclean | 10 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fldd/Makefile b/src/fldd/Makefile index d9a70529b..0c127af55 100644 --- a/src/fldd/Makefile +++ b/src/fldd/Makefile | |||
| @@ -1,17 +1,10 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fldd | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(ROOT)/config.mk | 4 | PROG = fldd |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h ../include/syscall.h ../include/ldd_utils.h |
| 14 | clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist | 8 | MOD_OBJS = ../lib/common.o ../lib/ldd_utils.o |
| 15 | 9 | ||
| 16 | .PHONY: distclean | 10 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fnet/Makefile b/src/fnet/Makefile index 36e95522f..91de109fa 100644 --- a/src/fnet/Makefile +++ b/src/fnet/Makefile | |||
| @@ -1,17 +1,10 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fnet | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o $(ROOT)/config.mk | 4 | PROG = fnet |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h ../include/libnetlink.h |
| 14 | clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist | 8 | MOD_OBJS = ../lib/common.o ../lib/libnetlink.o |
| 15 | 9 | ||
| 16 | .PHONY: distclean | 10 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fnetfilter/Makefile b/src/fnetfilter/Makefile index 758561b9e..506d287ab 100644 --- a/src/fnetfilter/Makefile +++ b/src/fnetfilter/Makefile | |||
| @@ -1,17 +1,10 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fnetfilter | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | fnetfilter: $(OBJS) ../lib/common.o $(ROOT)/config.mk | 4 | PROG = fnetfilter |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h ../include/syscall.h |
| 14 | clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist | 8 | MOD_OBJS = ../lib/common.o |
| 15 | 9 | ||
| 16 | .PHONY: distclean | 10 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fnettrace-dns/Makefile b/src/fnettrace-dns/Makefile index 101abd4d4..36542f567 100644 --- a/src/fnettrace-dns/Makefile +++ b/src/fnettrace-dns/Makefile | |||
| @@ -1,17 +1,7 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fnettrace-dns | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | |||
| 10 | fnettrace-dns: $(OBJS) $(ROOT)/config.mk | ||
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
| 12 | 3 | ||
| 13 | .PHONY: clean | 4 | PROG = fnettrace-dns |
| 14 | clean:; rm -fr *.o fnettrace-dns *.gcov *.gcda *.gcno *.plist | 5 | TARGET = $(PROG) |
| 15 | 6 | ||
| 16 | .PHONY: distclean | 7 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c index 32122754f..48bf14710 100644 --- a/src/fnettrace-dns/main.c +++ b/src/fnettrace-dns/main.c | |||
| @@ -70,6 +70,7 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) { | |||
| 70 | type, (nxdomain)? " NXDOMAIN": ""); | 70 | type, (nxdomain)? " NXDOMAIN": ""); |
| 71 | if (strcmp(tmp, last)) { | 71 | if (strcmp(tmp, last)) { |
| 72 | printf("%s\n", tmp); | 72 | printf("%s\n", tmp); |
| 73 | fflush(0); | ||
| 73 | strcpy(last, tmp); | 74 | strcpy(last, tmp); |
| 74 | } | 75 | } |
| 75 | 76 | ||
| @@ -77,6 +78,7 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) { | |||
| 77 | 78 | ||
| 78 | errout: | 79 | errout: |
| 79 | printf("%02d:%02d:%02d %15s Error: invalid DNS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip); | 80 | printf("%02d:%02d:%02d %15s Error: invalid DNS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip); |
| 81 | fflush(0); | ||
| 80 | } | 82 | } |
| 81 | 83 | ||
| 82 | // https://www.kernel.org/doc/html/latest/networking/filter.html | 84 | // https://www.kernel.org/doc/html/latest/networking/filter.html |
diff --git a/src/fnettrace-icmp/Makefile b/src/fnettrace-icmp/Makefile index 4dfdc891a..12ae42e9a 100644 --- a/src/fnettrace-icmp/Makefile +++ b/src/fnettrace-icmp/Makefile | |||
| @@ -1,17 +1,7 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fnettrace-icmp | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | |||
| 10 | fnettrace-icmp: $(OBJS) $(ROOT)/config.mk | ||
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
| 12 | 3 | ||
| 13 | .PHONY: clean | 4 | PROG = fnettrace-icmp |
| 14 | clean:; rm -fr *.o fnettrace-icmp *.gcov *.gcda *.gcno *.plist | 5 | TARGET = $(PROG) |
| 15 | 6 | ||
| 16 | .PHONY: distclean | 7 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fnettrace-icmp/main.c b/src/fnettrace-icmp/main.c index 986091bb4..bb857c922 100644 --- a/src/fnettrace-icmp/main.c +++ b/src/fnettrace-icmp/main.c | |||
| @@ -64,19 +64,19 @@ char *code_dest_unreachable[16] = { | |||
| 64 | "Host unreachable for ToS", | 64 | "Host unreachable for ToS", |
| 65 | "Communication administratively prohibited", | 65 | "Communication administratively prohibited", |
| 66 | "Host Precedence Violation", | 66 | "Host Precedence Violation", |
| 67 | "Precedence cutoff in effect " | 67 | "Precedence cutoff in effect" |
| 68 | }; | 68 | }; |
| 69 | 69 | ||
| 70 | char *code_redirect_message[4] = { | 70 | char *code_redirect_message[4] = { |
| 71 | "Datagram for the Network", | 71 | "Datagram for the Network", |
| 72 | "Datagram for the Host", | 72 | "Datagram for the Host", |
| 73 | "Datagram for the ToS & network", | 73 | "Datagram for the ToS & network", |
| 74 | "Datagram for the ToS & host " | 74 | "Datagram for the ToS & host" |
| 75 | }; | 75 | }; |
| 76 | 76 | ||
| 77 | char *code_time_exceeded[2] = { | 77 | char *code_time_exceeded[2] = { |
| 78 | "TTL expired in transit", | 78 | "TTL expired in transit", |
| 79 | "Fragment reassembly time exceeded " | 79 | "Fragment reassembly time exceeded" |
| 80 | }; | 80 | }; |
| 81 | 81 | ||
| 82 | char *code_bad_ip_header[3] = { | 82 | char *code_bad_ip_header[3] = { |
| @@ -115,6 +115,7 @@ static void print_icmp(uint32_t ip_dest, uint32_t ip_src, uint8_t type, uint8_t | |||
| 115 | icmp_bytes, | 115 | icmp_bytes, |
| 116 | type_ptr, | 116 | type_ptr, |
| 117 | code_ptr); | 117 | code_ptr); |
| 118 | fflush(0); | ||
| 118 | } | 119 | } |
| 119 | 120 | ||
| 120 | // https://www.kernel.org/doc/html/latest/networking/filter.html | 121 | // https://www.kernel.org/doc/html/latest/networking/filter.html |
diff --git a/src/fnettrace-sni/Makefile b/src/fnettrace-sni/Makefile index da7c1ca4e..8d9a437d5 100644 --- a/src/fnettrace-sni/Makefile +++ b/src/fnettrace-sni/Makefile | |||
| @@ -1,17 +1,7 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fnettrace-sni | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | |||
| 10 | fnettrace-sni: $(OBJS) $(ROOT)/config.mk | ||
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
| 12 | 3 | ||
| 13 | .PHONY: clean | 4 | PROG = fnettrace-sni |
| 14 | clean:; rm -fr *.o fnettrace-sni *.gcov *.gcda *.gcno *.plist | 5 | TARGET = $(PROG) |
| 15 | 6 | ||
| 16 | .PHONY: distclean | 7 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c index 71793a560..d0f75dac9 100644 --- a/src/fnettrace-sni/main.c +++ b/src/fnettrace-sni/main.c | |||
| @@ -77,6 +77,7 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) { | |||
| 77 | snprintf(tmp, sizeof(last), "%02d:%02d:%02d %-15s %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name); | 77 | snprintf(tmp, sizeof(last), "%02d:%02d:%02d %-15s %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name); |
| 78 | if (strcmp(tmp, last)) { | 78 | if (strcmp(tmp, last)) { |
| 79 | printf("%s\n", tmp); | 79 | printf("%s\n", tmp); |
| 80 | fflush(0); | ||
| 80 | strcpy(last, tmp); | 81 | strcpy(last, tmp); |
| 81 | } | 82 | } |
| 82 | } | 83 | } |
| @@ -86,6 +87,7 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) { | |||
| 86 | 87 | ||
| 87 | errout: | 88 | errout: |
| 88 | printf("%02d:%02d:%02d %-15s Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip); | 89 | printf("%02d:%02d:%02d %-15s Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip); |
| 90 | fflush(0); | ||
| 89 | return; | 91 | return; |
| 90 | 92 | ||
| 91 | nosni: | 93 | nosni: |
diff --git a/src/fnettrace/Makefile b/src/fnettrace/Makefile index f41a4d36d..952036ad3 100644 --- a/src/fnettrace/Makefile +++ b/src/fnettrace/Makefile | |||
| @@ -1,17 +1,7 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fnettrace | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | |||
| 10 | fnettrace: $(OBJS) $(ROOT)/config.mk | ||
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
| 12 | 3 | ||
| 13 | .PHONY: clean | 4 | PROG = fnettrace |
| 14 | clean:; rm -fr *.o fnettrace *.gcov *.gcda *.gcno *.plist | 5 | TARGET = $(PROG) |
| 15 | 6 | ||
| 16 | .PHONY: distclean | 7 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fnettrace/static-ip-map b/src/fnettrace/static-ip-map index d3d234f5a..c630b6688 100644 --- a/src/fnettrace/static-ip-map +++ b/src/fnettrace/static-ip-map | |||
| @@ -48,6 +48,7 @@ | |||
| 48 | 4.0.0.0/9 Level 3 | 48 | 4.0.0.0/9 Level 3 |
| 49 | 6.0.0.0/8 US Army | 49 | 6.0.0.0/8 US Army |
| 50 | 7.0.0.0/8 US Army | 50 | 7.0.0.0/8 US Army |
| 51 | 8.0.0.0/9 Level 3 | ||
| 51 | 9.0.0.0/8 IBM | 52 | 9.0.0.0/8 IBM |
| 52 | 11.0.0.0/8 US Army | 53 | 11.0.0.0/8 US Army |
| 53 | 17.0.0.0/8 Apple | 54 | 17.0.0.0/8 Apple |
| @@ -199,7 +200,103 @@ | |||
| 199 | 151.139.0.0/16 StackPath | 200 | 151.139.0.0/16 StackPath |
| 200 | 201 | ||
| 201 | # Linode | 202 | # Linode |
| 203 | 103.29.68.0/22 Linode | ||
| 204 | 104.200.16.0/21 Linode | ||
| 205 | 104.200.24.0/22 Linode | ||
| 206 | 104.200.25.0/24 Linode | ||
| 207 | 104.200.26.0/24 Linode | ||
| 208 | 104.200.27.0/24 Linode | ||
| 209 | 104.200.28.0/22 Linode | ||
| 210 | 104.237.128.0/21 Linode | ||
| 211 | 104.237.136.0/21 Linode | ||
| 212 | 104.237.144.0/21 Linode | ||
| 213 | 104.237.152.0/21 Linode | ||
| 214 | 104.237.152.0/24 Linode | ||
| 215 | 104.237.153.0/24 Linode | ||
| 216 | 104.237.154.0/24 Linode | ||
| 217 | 104.237.155.0/24 Linode | ||
| 218 | 104.237.156.0/24 Linode | ||
| 219 | 104.237.157.0/24 Linode | ||
| 220 | 104.237.158.0/24 Linode | ||
| 221 | 104.237.159.0/24 Linode | ||
| 222 | 109.237.24.0/22 Linode | ||
| 223 | 109.74.192.0/20 Linode | ||
| 224 | 139.144.0.0/20 Linode | ||
| 225 | 139.144.104.0/21 Linode | ||
| 226 | 139.144.112.0/20 Linode | ||
| 227 | 139.144.128.0/21 Linode | ||
| 228 | 139.144.136.0/21 Linode | ||
| 229 | 139.144.144.0/20 Linode | ||
| 230 | 139.144.160.0/22 Linode | ||
| 231 | 139.144.16.0/20 Linode | ||
| 232 | 139.144.164.0/22 Linode | ||
| 233 | 139.144.168.0/21 Linode | ||
| 234 | 139.144.176.0/21 Linode | ||
| 235 | 139.144.184.0/21 Linode | ||
| 236 | 139.144.192.0/19 Linode | ||
| 237 | 139.144.224.0/21 Linode | ||
| 238 | 139.144.232.0/21 Linode | ||
| 239 | 139.144.240.0/22 Linode | ||
| 240 | 139.144.32.0/21 Linode | ||
| 241 | 139.144.40.0/21 Linode | ||
| 242 | 139.144.48.0/20 Linode | ||
| 243 | 139.144.64.0/20 Linode | ||
| 244 | 139.144.80.0/21 Linode | ||
| 245 | 139.144.88.0/21 Linode | ||
| 246 | 139.144.96.0/21 Linode | ||
| 247 | 139.162.0.0/19 Linode | ||
| 248 | 139.162.128.0/19 Linode | ||
| 249 | 139.162.160.0/19 Linode | ||
| 250 | 139.162.192.0/19 Linode | ||
| 251 | 139.162.224.0/19 Linode | ||
| 252 | 139.162.32.0/19 Linode | ||
| 253 | 139.162.64.0/19 Linode | ||
| 254 | 139.162.96.0/19 Linode | ||
| 255 | 139.177.176.0/21 Linode | ||
| 256 | 139.177.184.0/21 Linode | ||
| 257 | 139.177.192.0/21 Linode | ||
| 258 | 139.177.200.0/21 Linode | ||
| 259 | 151.236.216.0/21 Linode | ||
| 260 | 162.216.16.0/22 Linode | ||
| 261 | 170.187.128.0/24 Linode | ||
| 262 | 170.187.129.0/24 Linode | ||
| 263 | 170.187.131.0/24 Linode | ||
| 264 | 170.187.132.0/24 Linode | ||
| 265 | 170.187.134.0/23 Linode | ||
| 266 | 170.187.136.0/21 Linode | ||
| 267 | 170.187.144.0/20 Linode | ||
| 268 | 170.187.160.0/21 Linode | ||
| 269 | 170.187.168.0/21 Linode | ||
| 270 | 170.187.176.0/21 Linode | ||
| 271 | 170.187.184.0/21 Linode | ||
| 272 | 170.187.192.0/22 Linode | ||
| 273 | 170.187.196.0/22 Linode | ||
| 274 | 170.187.200.0/21 Linode | ||
| 275 | 170.187.208.0/20 Linode | ||
| 276 | 170.187.224.0/21 Linode | ||
| 277 | 170.187.232.0/21 Linode | ||
| 278 | 170.187.240.0/21 Linode | ||
| 279 | 170.187.248.0/21 Linode | ||
| 202 | 172.104.0.0/15 Linode | 280 | 172.104.0.0/15 Linode |
| 281 | 172.104.128.0/19 Linode | ||
| 282 | 172.104.160.0/19 Linode | ||
| 283 | 172.104.192.0/21 Linode | ||
| 284 | 172.104.200.0/23 Linode | ||
| 285 | 172.104.202.0/23 Linode | ||
| 286 | 172.104.205.0/24 Linode | ||
| 287 | 172.104.206.0/24 Linode | ||
| 288 | 172.104.207.0/24 Linode | ||
| 289 | 172.104.208.0/20 Linode | ||
| 290 | 172.104.220.0/24 Linode | ||
| 291 | 172.104.224.0/19 Linode | ||
| 292 | 172.104.32.0/19 Linode | ||
| 293 | 172.104.4.0/22 Linode | ||
| 294 | 172.104.64.0/19 Linode | ||
| 295 | 172.104.8.0/21 Linode | ||
| 296 | 172.104.96.0/19 Linode | ||
| 297 | 172.105.0.0/19 Linode | ||
| 298 | 172.105.112.0/20 Linode | ||
| 299 | 172.105.128.0/23 Linode | ||
| 203 | 300 | ||
| 204 | # Akamai | 301 | # Akamai |
| 205 | 23.0.0.0/12 Akamai | 302 | 23.0.0.0/12 Akamai |
diff --git a/src/fsec-optimize/Makefile b/src/fsec-optimize/Makefile index 1aa49d34b..ce65f4719 100644 --- a/src/fsec-optimize/Makefile +++ b/src/fsec-optimize/Makefile | |||
| @@ -1,17 +1,10 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fsec-optimize | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o $(ROOT)/config.mk | 4 | PROG = fsec-optimize |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h ../include/seccomp.h ../include/syscall.h |
| 14 | clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist | 8 | MOD_OBJS = ../lib/common.o ../lib/errno.o |
| 15 | 9 | ||
| 16 | .PHONY: distclean | 10 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fsec-print/Makefile b/src/fsec-print/Makefile index b076c0588..cbe061d45 100644 --- a/src/fsec-print/Makefile +++ b/src/fsec-print/Makefile | |||
| @@ -1,17 +1,10 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fsec-print | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o $(ROOT)/config.mk | 4 | PROG = fsec-print |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h ../include/seccomp.h ../include/syscall.h |
| 14 | clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist | 8 | MOD_OBJS = ../lib/common.o ../lib/errno.o ../lib/syscall.o |
| 15 | 9 | ||
| 16 | .PHONY: distclean | 10 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fseccomp/Makefile b/src/fseccomp/Makefile index 9bf4c050b..1b8d0bb48 100644 --- a/src/fseccomp/Makefile +++ b/src/fseccomp/Makefile | |||
| @@ -1,17 +1,10 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fseccomp | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(ROOT)/config.mk | 4 | PROG = fseccomp |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h ../include/syscall.h |
| 14 | clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist | 8 | MOD_OBJS = ../lib/common.o ../lib/errno.o ../lib/syscall.o |
| 15 | 9 | ||
| 16 | .PHONY: distclean | 10 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/ftee/Makefile b/src/ftee/Makefile index 535d7ff63..2f26ab900 100644 --- a/src/ftee/Makefile +++ b/src/ftee/Makefile | |||
| @@ -1,17 +1,7 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: ftee | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | |||
| 10 | ftee: $(OBJS) $(ROOT)/config.mk | ||
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
| 12 | 3 | ||
| 13 | .PHONY: clean | 4 | PROG = ftee |
| 14 | clean:; rm -fr *.o ftee *.gcov *.gcda *.gcno *.plist | 5 | TARGET = $(PROG) |
| 15 | 6 | ||
| 16 | .PHONY: distclean | 7 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/fzenity/Makefile b/src/fzenity/Makefile index 0358dd3e9..aeb862d9b 100644 --- a/src/fzenity/Makefile +++ b/src/fzenity/Makefile | |||
| @@ -1,17 +1,9 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: fzenity | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | fzenity: $(OBJS) $(ROOT)/config.mk | 4 | PROG = fzenity |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h |
| 14 | clean:; rm -fr *.o fzenity *.gcov *.gcda *.gcno *.plist | ||
| 15 | 8 | ||
| 16 | .PHONY: distclean | 9 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/jailcheck/Makefile b/src/jailcheck/Makefile index 52feb86e6..e3b84fbf3 100644 --- a/src/jailcheck/Makefile +++ b/src/jailcheck/Makefile | |||
| @@ -1,17 +1,10 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: jailcheck | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | jailcheck: $(OBJS) $(ROOT)/config.mk | 4 | PROG = jailcheck |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h ../include/pid.h |
| 14 | clean:; rm -fr *.o jailcheck *.gcov *.gcda *.gcno *.plist | 8 | MOD_OBJS = ../lib/common.o ../lib/pid.o |
| 15 | 9 | ||
| 16 | .PHONY: distclean | 10 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/lib/Makefile b/src/lib/Makefile index d9bc63ef7..f5b92e389 100644 --- a/src/lib/Makefile +++ b/src/lib/Makefile | |||
| @@ -1,14 +1,9 @@ | |||
| 1 | ROOT = ../.. | 1 | ROOT = ../.. |
| 2 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 3 | 3 | ||
| 4 | .PHONY: all | 4 | TARGET = lib |
| 5 | all: $(OBJS) | ||
| 6 | 5 | ||
| 7 | %.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk | 6 | include $(ROOT)/src/prog.mk |
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 7 | ||
| 10 | .PHONY: clean | 8 | .PHONY: lib |
| 11 | clean:; rm -fr $(OBJS) *.gcov *.gcda *.gcno *.plist | 9 | lib: $(OBJS) |
| 12 | |||
| 13 | .PHONY: distclean | ||
| 14 | distclean: clean | ||
diff --git a/src/libpostexecseccomp/Makefile b/src/libpostexecseccomp/Makefile index 5386af58b..62e167b73 100644 --- a/src/libpostexecseccomp/Makefile +++ b/src/libpostexecseccomp/Makefile | |||
| @@ -1,24 +1,9 @@ | |||
| 1 | ROOT = ../.. | 1 | ROOT = ../.. |
| 2 | -include $(ROOT)/config.mk | 2 | -include $(ROOT)/config.mk |
| 3 | 3 | ||
| 4 | H_FILE_LIST = $(sort $(wildcard *.h)) | 4 | SO = libpostexecseccomp.so |
| 5 | C_FILE_LIST = $(sort $(wildcard *.c)) | 5 | TARGET = $(SO) |
| 6 | OBJS = $(C_FILE_LIST:.c=.o) | ||
| 7 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
| 8 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security | ||
| 9 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now | ||
| 10 | 6 | ||
| 11 | .PHONY: all | 7 | MOD_HDRS = ../include/seccomp.h ../include/rundefs.h |
| 12 | all: libpostexecseccomp.so | ||
| 13 | 8 | ||
| 14 | %.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h $(ROOT)/config.mk | 9 | include $(ROOT)/src/so.mk |
| 15 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 16 | |||
| 17 | libpostexecseccomp.so: $(OBJS) $(ROOT)/config.mk | ||
| 18 | $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl | ||
| 19 | |||
| 20 | .PHONY: clean | ||
| 21 | clean:; rm -fr $(OBJS) libpostexecseccomp.so *.plist | ||
| 22 | |||
| 23 | .PHONY: distclean | ||
| 24 | distclean: clean | ||
diff --git a/src/libtrace/Makefile b/src/libtrace/Makefile index 6f28b3442..d45b3e2f6 100644 --- a/src/libtrace/Makefile +++ b/src/libtrace/Makefile | |||
| @@ -1,24 +1,7 @@ | |||
| 1 | ROOT = ../.. | 1 | ROOT = ../.. |
| 2 | -include $(ROOT)/config.mk | 2 | -include $(ROOT)/config.mk |
| 3 | 3 | ||
| 4 | H_FILE_LIST = $(sort $(wildcard *.h)) | 4 | SO = libtrace.so |
| 5 | C_FILE_LIST = $(sort $(wildcard *.c)) | 5 | TARGET = $(SO) |
| 6 | OBJS = $(C_FILE_LIST:.c=.o) | ||
| 7 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
| 8 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security | ||
| 9 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now | ||
| 10 | 6 | ||
| 11 | .PHONY: all | 7 | include $(ROOT)/src/so.mk |
| 12 | all: libtrace.so | ||
| 13 | |||
| 14 | %.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk | ||
| 15 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 16 | |||
| 17 | libtrace.so: $(OBJS) $(ROOT)/config.mk | ||
| 18 | $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl | ||
| 19 | |||
| 20 | .PHONY: clean | ||
| 21 | clean:; rm -fr $(OBJS) libtrace.so *.plist | ||
| 22 | |||
| 23 | .PHONY: distclean | ||
| 24 | distclean: clean | ||
diff --git a/src/libtracelog/Makefile b/src/libtracelog/Makefile index c5d9c131d..bfc5adddc 100644 --- a/src/libtracelog/Makefile +++ b/src/libtracelog/Makefile | |||
| @@ -1,24 +1,9 @@ | |||
| 1 | ROOT = ../.. | 1 | ROOT = ../.. |
| 2 | -include $(ROOT)/config.mk | 2 | -include $(ROOT)/config.mk |
| 3 | 3 | ||
| 4 | H_FILE_LIST = $(sort $(wildcard *.h)) | 4 | SO = libtracelog.so |
| 5 | C_FILE_LIST = $(sort $(wildcard *.c)) | 5 | TARGET = $(SO) |
| 6 | OBJS = $(C_FILE_LIST:.c=.o) | ||
| 7 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
| 8 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security | ||
| 9 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now | ||
| 10 | 6 | ||
| 11 | .PHONY: all | 7 | MOD_HDRS = ../include/rundefs.h |
| 12 | all: libtracelog.so | ||
| 13 | 8 | ||
| 14 | %.o : %.c $(H_FILE_LIST) ../include/rundefs.h $(ROOT)/config.mk | 9 | include $(ROOT)/src/so.mk |
| 15 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 16 | |||
| 17 | libtracelog.so: $(OBJS) $(ROOT)/config.mk | ||
| 18 | $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl | ||
| 19 | |||
| 20 | .PHONY: clean | ||
| 21 | clean:; rm -fr $(OBJS) libtracelog.so *.plist | ||
| 22 | |||
| 23 | .PHONY: distclean | ||
| 24 | distclean: clean | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 138aae8af..5b16179ac 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -14,7 +14,7 @@ Using a specific profile: | |||
| 14 | .br | 14 | .br |
| 15 | Example: | 15 | Example: |
| 16 | .br | 16 | .br |
| 17 | $ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage | 17 | $ firejail --appimage --profile=/etc/firejail/kdenlive.profile kdenlive.appimage |
| 18 | .br | 18 | .br |
| 19 | 19 | ||
| 20 | .br | 20 | .br |
| @@ -25,7 +25,7 @@ $ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage | |||
| 25 | .br | 25 | .br |
| 26 | Example: | 26 | Example: |
| 27 | .br | 27 | .br |
| 28 | $ firejail --profile=kdenlive --appimage kdenlive.appimage | 28 | $ firejail --appimage --profile=kdenlive kdenlive.appimage |
| 29 | .br | 29 | .br |
| 30 | 30 | ||
| 31 | .br | 31 | .br |
| @@ -179,6 +179,11 @@ can be enabled or disabled globally in Firejail's configuration file. | |||
| 179 | 179 | ||
| 180 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. | 180 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. |
| 181 | 181 | ||
| 182 | Note: When using one or more conditionals and \fB--profile\fR, it is | ||
| 183 | recommended that the relevant option(s) (such as \fB--appimage\fR) be specified | ||
| 184 | before \fB--profile\fR, so that their respective conditional(s) (such as | ||
| 185 | \fB?HAS_APPIMAGE\fR) inside of the profile evaluate to true. | ||
| 186 | |||
| 182 | .TP | 187 | .TP |
| 183 | \fBinclude other.profile | 188 | \fBinclude other.profile |
| 184 | Include other.profile file. | 189 | Include other.profile file. |
| @@ -972,6 +977,10 @@ If a new network namespace is created, enabled default network filter. | |||
| 972 | \fBnetfilter filename | 977 | \fBnetfilter filename |
| 973 | If a new network namespace is created, enabled the network filter in filename. | 978 | If a new network namespace is created, enabled the network filter in filename. |
| 974 | 979 | ||
| 980 | .TP | ||
| 981 | \fBnetlock | ||
| 982 | Generate a custom network filter and enable it. | ||
| 983 | |||
| 975 | 984 | ||
| 976 | .TP | 985 | .TP |
| 977 | \fBnetmask address | 986 | \fBnetmask address |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b4be1cd62..39c81312c 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -11,7 +11,7 @@ firejail [OPTIONS] [program and arguments] | |||
| 11 | Start an AppImage program: | 11 | Start an AppImage program: |
| 12 | .PP | 12 | .PP |
| 13 | .RS | 13 | .RS |
| 14 | firejail [OPTIONS] --appimage [appimage-file and arguments] | 14 | firejail [OPTIONS] --appimage [OPTIONS] [appimage-file and arguments] |
| 15 | .RE | 15 | .RE |
| 16 | .PP | 16 | .PP |
| 17 | #ifdef HAVE_FILE_TRANSFER | 17 | #ifdef HAVE_FILE_TRANSFER |
| @@ -164,15 +164,22 @@ private-bin and private-lib are disabled by default when running appimages. | |||
| 164 | .br | 164 | .br |
| 165 | Example: | 165 | Example: |
| 166 | .br | 166 | .br |
| 167 | $ firejail --profile=krita --appimage krita-3.0-x86_64.appimage | 167 | $ firejail --appimage --profile=krita krita-3.0-x86_64.appimage |
| 168 | .br | 168 | .br |
| 169 | $ firejail --private --profile=krita --appimage krita-3.0-x86_64.appimage | 169 | $ firejail --quiet --appimage --private --profile=krita krita-3.0-x86_64.appimage |
| 170 | .br | 170 | .br |
| 171 | #ifdef HAVE_X11 | 171 | #ifdef HAVE_X11 |
| 172 | $ firejail --net=none --x11 --profile=krita --appimage krita-3.0-x86_64.appimage | 172 | $ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage |
| 173 | #endif | 173 | #endif |
| 174 | .TP | 174 | .br |
| 175 | |||
| 176 | .br | ||
| 177 | Note: When using both \fB--appimage\fR and \fB--profile\fR, it is recommended | ||
| 178 | to always specify the former before the latter, so that any \fB?HAS_APPIMAGE\fR | ||
| 179 | conditionals inside of the profile evaluate to true (see \fB?CONDITIONAL\fR in | ||
| 180 | firejail-profile(5)). | ||
| 175 | #ifdef HAVE_NETWORK | 181 | #ifdef HAVE_NETWORK |
| 182 | .TP | ||
| 176 | \fB\-\-bandwidth=name|pid | 183 | \fB\-\-bandwidth=name|pid |
| 177 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. | 184 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. |
| 178 | #endif | 185 | #endif |
diff --git a/src/profstats/Makefile b/src/profstats/Makefile index 0274aead2..47b39e76c 100644 --- a/src/profstats/Makefile +++ b/src/profstats/Makefile | |||
| @@ -1,17 +1,9 @@ | |||
| 1 | .PHONY: all | ||
| 2 | all: profstats | ||
| 3 | |||
| 4 | ROOT = ../.. | 1 | ROOT = ../.. |
| 5 | include $(ROOT)/src/common.mk | 2 | -include $(ROOT)/config.mk |
| 6 | |||
| 7 | %.o : %.c $(H_FILE_LIST) ../include/common.h $(ROOT)/config.mk | ||
| 8 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 9 | 3 | ||
| 10 | profstats: $(OBJS) $(ROOT)/config.mk | 4 | PROG = profstats |
| 11 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 5 | TARGET = $(PROG) |
| 12 | 6 | ||
| 13 | .PHONY: clean | 7 | MOD_HDRS = ../include/common.h |
| 14 | clean:; rm -fr *.o profstats *.gcov *.gcda *.gcno *.plist | ||
| 15 | 8 | ||
| 16 | .PHONY: distclean | 9 | include $(ROOT)/src/prog.mk |
| 17 | distclean: clean | ||
diff --git a/src/profstats/main.c b/src/profstats/main.c index 9deb72f7e..310319c69 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
| @@ -25,6 +25,7 @@ | |||
| 25 | static int cnt_profiles = 0; | 25 | static int cnt_profiles = 0; |
| 26 | static int cnt_apparmor = 0; | 26 | static int cnt_apparmor = 0; |
| 27 | static int cnt_seccomp = 0; | 27 | static int cnt_seccomp = 0; |
| 28 | static int cnt_restrict_namespaces = 0; | ||
| 28 | static int cnt_caps = 0; | 29 | static int cnt_caps = 0; |
| 29 | static int cnt_dbus_system_none = 0; | 30 | static int cnt_dbus_system_none = 0; |
| 30 | static int cnt_dbus_user_none = 0; | 31 | static int cnt_dbus_user_none = 0; |
| @@ -69,6 +70,7 @@ static int arg_whitelisthome = 0; | |||
| 69 | static int arg_noroot = 0; | 70 | static int arg_noroot = 0; |
| 70 | static int arg_print_blacklist = 0; | 71 | static int arg_print_blacklist = 0; |
| 71 | static int arg_print_whitelist = 0; | 72 | static int arg_print_whitelist = 0; |
| 73 | static int arg_restrict_namespaces = 0; | ||
| 72 | 74 | ||
| 73 | static char *profile = NULL; | 75 | static char *profile = NULL; |
| 74 | 76 | ||
| @@ -91,6 +93,7 @@ static void usage(void) { | |||
| 91 | printf(" --print-whitelist - print all --private and --whitelist for a profile\n"); | 93 | printf(" --print-whitelist - print all --private and --whitelist for a profile\n"); |
| 92 | printf(" --seccomp - print profiles without seccomp\n"); | 94 | printf(" --seccomp - print profiles without seccomp\n"); |
| 93 | printf(" --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n"); | 95 | printf(" --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n"); |
| 96 | printf(" --restrict-namespaces - print profiles without \"restrict-namespaces\"\n"); | ||
| 94 | printf(" --whitelist-home - print profiles whitelisting home directory\n"); | 97 | printf(" --whitelist-home - print profiles whitelisting home directory\n"); |
| 95 | printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); | 98 | printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); |
| 96 | printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"); | 99 | printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"); |
| @@ -152,6 +155,8 @@ static void process_file(char *fname) { | |||
| 152 | 155 | ||
| 153 | if (strncmp(ptr, "seccomp", 7) == 0) | 156 | if (strncmp(ptr, "seccomp", 7) == 0) |
| 154 | cnt_seccomp++; | 157 | cnt_seccomp++; |
| 158 | if (strncmp(ptr, "restrict-namespaces", 19) == 0) | ||
| 159 | cnt_restrict_namespaces++; | ||
| 155 | else if (strncmp(ptr, "caps", 4) == 0) | 160 | else if (strncmp(ptr, "caps", 4) == 0) |
| 156 | cnt_caps++; | 161 | cnt_caps++; |
| 157 | else if (strncmp(ptr, "include disable-exec.inc", 24) == 0) | 162 | else if (strncmp(ptr, "include disable-exec.inc", 24) == 0) |
| @@ -242,6 +247,8 @@ int main(int argc, char **argv) { | |||
| 242 | arg_caps = 1; | 247 | arg_caps = 1; |
| 243 | else if (strcmp(argv[i], "--seccomp") == 0) | 248 | else if (strcmp(argv[i], "--seccomp") == 0) |
| 244 | arg_seccomp = 1; | 249 | arg_seccomp = 1; |
| 250 | else if (strcmp(argv[i], "--restrict-namespaces") == 0) | ||
| 251 | arg_restrict_namespaces = 1; | ||
| 245 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) | 252 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) |
| 246 | arg_mdwx = 1; | 253 | arg_mdwx = 1; |
| 247 | else if (strcmp(argv[i], "--noexec") == 0) | 254 | else if (strcmp(argv[i], "--noexec") == 0) |
| @@ -291,7 +298,7 @@ int main(int argc, char **argv) { | |||
| 291 | for (i = start; i < argc; i++) { | 298 | for (i = start; i < argc; i++) { |
| 292 | cnt_profiles++; | 299 | cnt_profiles++; |
| 293 | 300 | ||
| 294 | // watch seccomp | 301 | int restrict_namespaces = cnt_restrict_namespaces; |
| 295 | int seccomp = cnt_seccomp; | 302 | int seccomp = cnt_seccomp; |
| 296 | int caps = cnt_caps; | 303 | int caps = cnt_caps; |
| 297 | int apparmor = cnt_apparmor; | 304 | int apparmor = cnt_apparmor; |
| @@ -334,6 +341,8 @@ int main(int argc, char **argv) { | |||
| 334 | cnt_whitelistrunuser = whitelistrunuser + 1; | 341 | cnt_whitelistrunuser = whitelistrunuser + 1; |
| 335 | if (cnt_seccomp > (seccomp + 1)) | 342 | if (cnt_seccomp > (seccomp + 1)) |
| 336 | cnt_seccomp = seccomp + 1; | 343 | cnt_seccomp = seccomp + 1; |
| 344 | if (cnt_restrict_namespaces > (restrict_namespaces + 1)) | ||
| 345 | cnt_seccomp = restrict_namespaces + 1; | ||
| 337 | if (cnt_dbus_user_none > (dbususernone + 1)) | 346 | if (cnt_dbus_user_none > (dbususernone + 1)) |
| 338 | cnt_dbus_user_none = dbususernone + 1; | 347 | cnt_dbus_user_none = dbususernone + 1; |
| 339 | if (cnt_dbus_user_filter > (dbususerfilter + 1)) | 348 | if (cnt_dbus_user_filter > (dbususerfilter + 1)) |
| @@ -353,6 +362,8 @@ int main(int argc, char **argv) { | |||
| 353 | printf("No caps found in %s\n", argv[i]); | 362 | printf("No caps found in %s\n", argv[i]); |
| 354 | if (arg_seccomp && seccomp == cnt_seccomp) | 363 | if (arg_seccomp && seccomp == cnt_seccomp) |
| 355 | printf("No seccomp found in %s\n", argv[i]); | 364 | printf("No seccomp found in %s\n", argv[i]); |
| 365 | if (arg_restrict_namespaces && restrict_namespaces == cnt_restrict_namespaces) | ||
| 366 | printf("No restrict-namespaces found in %s\n", argv[i]); | ||
| 356 | if (arg_noexec && noexec == cnt_noexec) | 367 | if (arg_noexec && noexec == cnt_noexec) |
| 357 | printf("No include disable-exec.inc found in %s\n", argv[i]); | 368 | printf("No include disable-exec.inc found in %s\n", argv[i]); |
| 358 | if (arg_noroot && noroot == cnt_noroot) | 369 | if (arg_noroot && noroot == cnt_noroot) |
| @@ -397,6 +408,7 @@ int main(int argc, char **argv) { | |||
| 397 | printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); | 408 | printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); |
| 398 | printf(" noroot\t\t\t%d\n", cnt_noroot); | 409 | printf(" noroot\t\t\t%d\n", cnt_noroot); |
| 399 | printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); | 410 | printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); |
| 411 | printf(" restrict-namespaces\t\t%d\n", cnt_restrict_namespaces); | ||
| 400 | printf(" apparmor\t\t\t%d\n", cnt_apparmor); | 412 | printf(" apparmor\t\t\t%d\n", cnt_apparmor); |
| 401 | printf(" private-bin\t\t\t%d\n", cnt_privatebin); | 413 | printf(" private-bin\t\t\t%d\n", cnt_privatebin); |
| 402 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); | 414 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); |
diff --git a/src/prog.mk b/src/prog.mk new file mode 100644 index 000000000..b2ccf6147 --- /dev/null +++ b/src/prog.mk | |||
| @@ -0,0 +1,37 @@ | |||
| 1 | # Common definitions for building C programs and non-shared objects. | ||
| 2 | # | ||
| 3 | # Note: $(ROOT)/config.mk must be included before this file. | ||
| 4 | # | ||
| 5 | # The includer should probably define PROG and TARGET and may also want to | ||
| 6 | # define MOD_HDRS, MOD_SRCS, MOD_OBJS, TOCLEAN and TODISTCLEAN. | ||
| 7 | |||
| 8 | HDRS := $(sort $(wildcard *.h)) $(MOD_HDRS) | ||
| 9 | SRCS := $(sort $(wildcard *.c)) $(MOD_SRCS) | ||
| 10 | OBJS := $(SRCS:.c=.o) $(MOD_OBJS) | ||
| 11 | |||
| 12 | PROG_CFLAGS = \ | ||
| 13 | -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' \ | ||
| 14 | -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security \ | ||
| 15 | -fPIE \ | ||
| 16 | -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' \ | ||
| 17 | -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' \ | ||
| 18 | -DVARDIR='"/var/lib/firejail"' \ | ||
| 19 | $(HAVE_GCOV) $(MANFLAGS) \ | ||
| 20 | $(EXTRA_CFLAGS) | ||
| 21 | |||
| 22 | PROG_LDFLAGS = -pie -fPIE -Wl,-z,relro -Wl,-z,now $(EXTRA_LDFLAGS) | ||
| 23 | |||
| 24 | .PHONY: all | ||
| 25 | all: $(TARGET) | ||
| 26 | |||
| 27 | %.o : %.c $(HDRS) $(ROOT)/config.mk | ||
| 28 | $(CC) $(PROG_CFLAGS) $(CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 29 | |||
| 30 | $(PROG): $(OBJS) $(ROOT)/config.mk | ||
| 31 | $(CC) $(PROG_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) | ||
| 32 | |||
| 33 | .PHONY: clean | ||
| 34 | clean:; rm -fr *.o $(PROG) *.gcov *.gcda *.gcno *.plist $(TOCLEAN) | ||
| 35 | |||
| 36 | .PHONY: distclean | ||
| 37 | distclean: clean; rm -fr $(TODISTCLEAN) | ||
diff --git a/src/so.mk b/src/so.mk new file mode 100644 index 000000000..28bd229e5 --- /dev/null +++ b/src/so.mk | |||
| @@ -0,0 +1,32 @@ | |||
| 1 | # Common definitions for making shared objects. | ||
| 2 | # | ||
| 3 | # Note: $(ROOT)/config.mk must be included before this file. | ||
| 4 | # | ||
| 5 | # The includer should probably define SO and TARGET and may also want to define | ||
| 6 | # MOD_HDRS, MOD_SRCS, MOD_OBJS, TOCLEAN and TODISTCLEAN. | ||
| 7 | |||
| 8 | HDRS := $(sort $(wildcard *.h)) $(MOD_HDRS) | ||
| 9 | SRCS := $(sort $(wildcard *.c)) $(MOD_SRCS) | ||
| 10 | OBJS := $(SRCS:.c=.o) $(MOD_OBJS) | ||
| 11 | |||
| 12 | SO_CFLAGS = \ | ||
| 13 | -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' \ | ||
| 14 | -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security \ | ||
| 15 | -fPIC | ||
| 16 | |||
| 17 | SO_LDFLAGS = -pie -fPIE -Wl,-z,relro -Wl,-z,now | ||
| 18 | |||
| 19 | .PHONY: all | ||
| 20 | all: $(TARGET) | ||
| 21 | |||
| 22 | %.o : %.c $(HDRS) $(ROOT)/config.mk | ||
| 23 | $(CC) $(SO_CFLAGS) $(CFLAGS) $(INCLUDE) -c $< -o $@ | ||
| 24 | |||
| 25 | $(SO): $(OBJS) $(ROOT)/config.mk | ||
| 26 | $(CC) $(SO_LDFLAGS) -shared -fPIC -z relro $(LDFLAGS) -o $@ $(OBJS) -ldl | ||
| 27 | |||
| 28 | .PHONY: clean | ||
| 29 | clean:; rm -fr $(OBJS) $(SO) *.plist $(TOCLEAN) | ||
| 30 | |||
| 31 | .PHONY: distclean | ||
| 32 | distclean: clean; rm -fr $(TODISTCLEAN) | ||
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 3b4a6b492..c313b80ed 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
| @@ -30,6 +30,16 @@ else | |||
| 30 | echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686." | 30 | echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686." |
| 31 | fi | 31 | fi |
| 32 | 32 | ||
| 33 | if [[ $(uname -m) == "x86_64" ]]; then | ||
| 34 | echo "TESTING: restrict-namespaces (test/filters/namespaces.exp)" | ||
| 35 | ./namespaces.exp | ||
| 36 | elif [[ $(uname -m) == "i686" ]]; then | ||
| 37 | echo "TESTING: restrict-namespaces (test/filters/namespaces-32.exp)" | ||
| 38 | ./namespaces-32.exp | ||
| 39 | else | ||
| 40 | echo "TESTING SKIP: namespaces binary only running on x86_64 and i686." | ||
| 41 | fi | ||
| 42 | |||
| 33 | echo "TESTING: debug options (test/filters/debug.exp)" | 43 | echo "TESTING: debug options (test/filters/debug.exp)" |
| 34 | ./debug.exp | 44 | ./debug.exp |
| 35 | 45 | ||
diff --git a/test/filters/namespaces b/test/filters/namespaces new file mode 100755 index 000000000..721ba092e --- /dev/null +++ b/test/filters/namespaces | |||
| Binary files differ | |||
diff --git a/test/filters/namespaces-32 b/test/filters/namespaces-32 new file mode 100755 index 000000000..4df674d1b --- /dev/null +++ b/test/filters/namespaces-32 | |||
| Binary files differ | |||
diff --git a/test/filters/namespaces-32.exp b/test/filters/namespaces-32.exp new file mode 100755 index 000000000..b643a28d3 --- /dev/null +++ b/test/filters/namespaces-32.exp | |||
| @@ -0,0 +1,173 @@ | |||
| 1 | #!/usr/bin/expect -f | ||
| 2 | # This file is part of Firejail project | ||
| 3 | # Copyright (C) 2014-2022 Firejail Authors | ||
| 4 | # License GPL v2 | ||
| 5 | |||
| 6 | set timeout 10 | ||
| 7 | spawn $env(SHELL) | ||
| 8 | match_max 100000 | ||
| 9 | |||
| 10 | # | ||
| 11 | # clone | ||
| 12 | # | ||
| 13 | |||
| 14 | send -- "firejail --noprofile ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r" | ||
| 15 | expect { | ||
| 16 | timeout {puts "TESTING ERROR 0\n";exit} | ||
| 17 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 18 | } | ||
| 19 | expect { | ||
| 20 | timeout {puts "TESTING ERROR 1\n";exit} | ||
| 21 | "clone successful" | ||
| 22 | } | ||
| 23 | after 100 | ||
| 24 | |||
| 25 | send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r" | ||
| 26 | expect { | ||
| 27 | timeout {puts "TESTING ERROR 2\n";exit} | ||
| 28 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 29 | } | ||
| 30 | expect { | ||
| 31 | timeout {puts "TESTING ERROR 3\n";exit} | ||
| 32 | "Error: clone: Operation not permitted" | ||
| 33 | } | ||
| 34 | after 100 | ||
| 35 | |||
| 36 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r" | ||
| 37 | expect { | ||
| 38 | timeout {puts "TESTING ERROR 4\n";exit} | ||
| 39 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 40 | } | ||
| 41 | expect { | ||
| 42 | timeout {puts "TESTING ERROR 5\n";exit} | ||
| 43 | "Error: clone: Operation not permitted" | ||
| 44 | } | ||
| 45 | after 100 | ||
| 46 | |||
| 47 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r" | ||
| 48 | expect { | ||
| 49 | timeout {puts "TESTING ERROR 6\n";exit} | ||
| 50 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 51 | } | ||
| 52 | expect { | ||
| 53 | timeout {puts "TESTING ERROR 7\n";exit} | ||
| 54 | "Error: clone: Operation not permitted" | ||
| 55 | } | ||
| 56 | after 100 | ||
| 57 | |||
| 58 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r" | ||
| 59 | expect { | ||
| 60 | timeout {puts "TESTING ERROR 8\n";exit} | ||
| 61 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 62 | } | ||
| 63 | expect { | ||
| 64 | timeout {puts "TESTING ERROR 9\n";exit} | ||
| 65 | "Error: clone: Operation not permitted" | ||
| 66 | } | ||
| 67 | after 100 | ||
| 68 | |||
| 69 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r" | ||
| 70 | expect { | ||
| 71 | timeout {puts "TESTING ERROR 10\n";exit} | ||
| 72 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 73 | } | ||
| 74 | expect { | ||
| 75 | timeout {puts "TESTING ERROR 11\n";exit} | ||
| 76 | "Error: clone: Operation not permitted" | ||
| 77 | } | ||
| 78 | after 100 | ||
| 79 | |||
| 80 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r" | ||
| 81 | expect { | ||
| 82 | timeout {puts "TESTING ERROR 12\n";exit} | ||
| 83 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 84 | } | ||
| 85 | expect { | ||
| 86 | timeout {puts "TESTING ERROR 13\n";exit} | ||
| 87 | "clone successful" | ||
| 88 | } | ||
| 89 | after 100 | ||
| 90 | |||
| 91 | # | ||
| 92 | # unshare | ||
| 93 | # | ||
| 94 | |||
| 95 | send -- "firejail --noprofile ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r" | ||
| 96 | expect { | ||
| 97 | timeout {puts "TESTING ERROR 14\n";exit} | ||
| 98 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 99 | } | ||
| 100 | expect { | ||
| 101 | timeout {puts "TESTING ERROR 15\n";exit} | ||
| 102 | "unshare successful" | ||
| 103 | } | ||
| 104 | after 100 | ||
| 105 | |||
| 106 | send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r" | ||
| 107 | expect { | ||
| 108 | timeout {puts "TESTING ERROR 16\n";exit} | ||
| 109 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 110 | } | ||
| 111 | expect { | ||
| 112 | timeout {puts "TESTING ERROR 17\n";exit} | ||
| 113 | "Error: unshare: Operation not permitted" | ||
| 114 | } | ||
| 115 | after 100 | ||
| 116 | |||
| 117 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r" | ||
| 118 | expect { | ||
| 119 | timeout {puts "TESTING ERROR 18\n";exit} | ||
| 120 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 121 | } | ||
| 122 | expect { | ||
| 123 | timeout {puts "TESTING ERROR 19\n";exit} | ||
| 124 | "Error: unshare: Operation not permitted" | ||
| 125 | } | ||
| 126 | after 100 | ||
| 127 | |||
| 128 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r" | ||
| 129 | expect { | ||
| 130 | timeout {puts "TESTING ERROR 20\n";exit} | ||
| 131 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 132 | } | ||
| 133 | expect { | ||
| 134 | timeout {puts "TESTING ERROR 21\n";exit} | ||
| 135 | "Error: unshare: Operation not permitted" | ||
| 136 | } | ||
| 137 | after 100 | ||
| 138 | |||
| 139 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r" | ||
| 140 | expect { | ||
| 141 | timeout {puts "TESTING ERROR 22\n";exit} | ||
| 142 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 143 | } | ||
| 144 | expect { | ||
| 145 | timeout {puts "TESTING ERROR 23\n";exit} | ||
| 146 | "Error: unshare: Operation not permitted" | ||
| 147 | } | ||
| 148 | after 100 | ||
| 149 | |||
| 150 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r" | ||
| 151 | expect { | ||
| 152 | timeout {puts "TESTING ERROR 24\n";exit} | ||
| 153 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 154 | } | ||
| 155 | expect { | ||
| 156 | timeout {puts "TESTING ERROR 25\n";exit} | ||
| 157 | "Error: unshare: Operation not permitted" | ||
| 158 | } | ||
| 159 | after 100 | ||
| 160 | |||
| 161 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r" | ||
| 162 | expect { | ||
| 163 | timeout {puts "TESTING ERROR 26\n";exit} | ||
| 164 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 165 | } | ||
| 166 | expect { | ||
| 167 | timeout {puts "TESTING ERROR 27\n";exit} | ||
| 168 | "unshare successful" | ||
| 169 | } | ||
| 170 | |||
| 171 | |||
| 172 | after 100 | ||
| 173 | puts "\nall done\n" | ||
diff --git a/test/filters/namespaces.c b/test/filters/namespaces.c new file mode 100644 index 000000000..06dfa4edf --- /dev/null +++ b/test/filters/namespaces.c | |||
| @@ -0,0 +1,96 @@ | |||
| 1 | #define _GNU_SOURCE | ||
| 2 | #include <errno.h> | ||
| 3 | #include <sched.h> | ||
| 4 | #include <signal.h> | ||
| 5 | #include <stdio.h> | ||
| 6 | #include <stdlib.h> | ||
| 7 | #include <string.h> | ||
| 8 | #include <sys/mman.h> | ||
| 9 | #include <unistd.h> | ||
| 10 | |||
| 11 | #ifndef CLONE_NEWTIME | ||
| 12 | #define CLONE_NEWTIME 0x00000080 | ||
| 13 | #endif | ||
| 14 | |||
| 15 | #define STACK_SIZE 1024 * 1024 | ||
| 16 | |||
| 17 | static int usage() { | ||
| 18 | fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n"); | ||
| 19 | exit(1); | ||
| 20 | } | ||
| 21 | |||
| 22 | static void die(const char *msg) { | ||
| 23 | fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno)); | ||
| 24 | exit(1); | ||
| 25 | } | ||
| 26 | |||
| 27 | static int ns_flags(const char *list) { | ||
| 28 | int flags = 0; | ||
| 29 | |||
| 30 | char *dup = strdup(list); | ||
| 31 | if (!dup) | ||
| 32 | die("cannot allocate memory"); | ||
| 33 | |||
| 34 | char *token = strtok(dup, ","); | ||
| 35 | while (token) { | ||
| 36 | if (strcmp(token, "cgroup") == 0) | ||
| 37 | flags |= CLONE_NEWCGROUP; | ||
| 38 | else if (strcmp(token, "ipc") == 0) | ||
| 39 | flags |= CLONE_NEWIPC; | ||
| 40 | else if (strcmp(token, "net") == 0) | ||
| 41 | flags |= CLONE_NEWNET; | ||
| 42 | else if (strcmp(token, "mnt") == 0) | ||
| 43 | flags |= CLONE_NEWNS; | ||
| 44 | else if (strcmp(token, "pid") == 0) | ||
| 45 | flags |= CLONE_NEWPID; | ||
| 46 | else if (strcmp(token, "time") == 0) | ||
| 47 | flags |= CLONE_NEWTIME; | ||
| 48 | else if (strcmp(token, "user") == 0) | ||
| 49 | flags |= CLONE_NEWUSER; | ||
| 50 | else if (strcmp(token, "uts") == 0) | ||
| 51 | flags |= CLONE_NEWUTS; | ||
| 52 | else | ||
| 53 | usage(); | ||
| 54 | |||
| 55 | token = strtok(NULL, ","); | ||
| 56 | } | ||
| 57 | |||
| 58 | free(dup); | ||
| 59 | return flags; | ||
| 60 | } | ||
| 61 | |||
| 62 | static int child(void *arg) { | ||
| 63 | (void) arg; | ||
| 64 | |||
| 65 | fprintf(stderr, "clone successful\n"); | ||
| 66 | return 0; | ||
| 67 | } | ||
| 68 | |||
| 69 | int main (int argc, char **argv) { | ||
| 70 | if (argc != 3) | ||
| 71 | usage(); | ||
| 72 | |||
| 73 | int flags = ns_flags(argv[2]); | ||
| 74 | if (getuid() != 0) | ||
| 75 | flags |= CLONE_NEWUSER; | ||
| 76 | |||
| 77 | if (strcmp(argv[1], "clone") == 0) { | ||
| 78 | void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, | ||
| 79 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); | ||
| 80 | if (stack == MAP_FAILED) | ||
| 81 | die("mmap"); | ||
| 82 | |||
| 83 | if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0) | ||
| 84 | die("clone"); | ||
| 85 | } | ||
| 86 | else if (strcmp(argv[1], "unshare") == 0) { | ||
| 87 | if (unshare(flags)) | ||
| 88 | die("unshare"); | ||
| 89 | |||
| 90 | fprintf(stderr, "unshare successful\n"); | ||
| 91 | } | ||
| 92 | else | ||
| 93 | usage(); | ||
| 94 | |||
| 95 | return 0; | ||
| 96 | } | ||
diff --git a/test/filters/namespaces.exp b/test/filters/namespaces.exp new file mode 100755 index 000000000..cfa92f0ba --- /dev/null +++ b/test/filters/namespaces.exp | |||
| @@ -0,0 +1,173 @@ | |||
| 1 | #!/usr/bin/expect -f | ||
| 2 | # This file is part of Firejail project | ||
| 3 | # Copyright (C) 2014-2022 Firejail Authors | ||
| 4 | # License GPL v2 | ||
| 5 | |||
| 6 | set timeout 10 | ||
| 7 | spawn $env(SHELL) | ||
| 8 | match_max 100000 | ||
| 9 | |||
| 10 | # | ||
| 11 | # clone | ||
| 12 | # | ||
| 13 | |||
| 14 | send -- "firejail --noprofile ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r" | ||
| 15 | expect { | ||
| 16 | timeout {puts "TESTING ERROR 0\n";exit} | ||
| 17 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 18 | } | ||
| 19 | expect { | ||
| 20 | timeout {puts "TESTING ERROR 1\n";exit} | ||
| 21 | "clone successful" | ||
| 22 | } | ||
| 23 | after 100 | ||
| 24 | |||
| 25 | send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r" | ||
| 26 | expect { | ||
| 27 | timeout {puts "TESTING ERROR 2\n";exit} | ||
| 28 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 29 | } | ||
| 30 | expect { | ||
| 31 | timeout {puts "TESTING ERROR 3\n";exit} | ||
| 32 | "Error: clone: Operation not permitted" | ||
| 33 | } | ||
| 34 | after 100 | ||
| 35 | |||
| 36 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r" | ||
| 37 | expect { | ||
| 38 | timeout {puts "TESTING ERROR 4\n";exit} | ||
| 39 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 40 | } | ||
| 41 | expect { | ||
| 42 | timeout {puts "TESTING ERROR 5\n";exit} | ||
| 43 | "Error: clone: Operation not permitted" | ||
| 44 | } | ||
| 45 | after 100 | ||
| 46 | |||
| 47 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r" | ||
| 48 | expect { | ||
| 49 | timeout {puts "TESTING ERROR 6\n";exit} | ||
| 50 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 51 | } | ||
| 52 | expect { | ||
| 53 | timeout {puts "TESTING ERROR 7\n";exit} | ||
| 54 | "Error: clone: Operation not permitted" | ||
| 55 | } | ||
| 56 | after 100 | ||
| 57 | |||
| 58 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r" | ||
| 59 | expect { | ||
| 60 | timeout {puts "TESTING ERROR 8\n";exit} | ||
| 61 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 62 | } | ||
| 63 | expect { | ||
| 64 | timeout {puts "TESTING ERROR 9\n";exit} | ||
| 65 | "Error: clone: Operation not permitted" | ||
| 66 | } | ||
| 67 | after 100 | ||
| 68 | |||
| 69 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r" | ||
| 70 | expect { | ||
| 71 | timeout {puts "TESTING ERROR 10\n";exit} | ||
| 72 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 73 | } | ||
| 74 | expect { | ||
| 75 | timeout {puts "TESTING ERROR 11\n";exit} | ||
| 76 | "Error: clone: Operation not permitted" | ||
| 77 | } | ||
| 78 | after 100 | ||
| 79 | |||
| 80 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r" | ||
| 81 | expect { | ||
| 82 | timeout {puts "TESTING ERROR 12\n";exit} | ||
| 83 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 84 | } | ||
| 85 | expect { | ||
| 86 | timeout {puts "TESTING ERROR 13\n";exit} | ||
| 87 | "clone successful" | ||
| 88 | } | ||
| 89 | after 100 | ||
| 90 | |||
| 91 | # | ||
| 92 | # unshare | ||
| 93 | # | ||
| 94 | |||
| 95 | send -- "firejail --noprofile ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r" | ||
| 96 | expect { | ||
| 97 | timeout {puts "TESTING ERROR 14\n";exit} | ||
| 98 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 99 | } | ||
| 100 | expect { | ||
| 101 | timeout {puts "TESTING ERROR 15\n";exit} | ||
| 102 | "unshare successful" | ||
| 103 | } | ||
| 104 | after 100 | ||
| 105 | |||
| 106 | send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r" | ||
| 107 | expect { | ||
| 108 | timeout {puts "TESTING ERROR 16\n";exit} | ||
| 109 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 110 | } | ||
| 111 | expect { | ||
| 112 | timeout {puts "TESTING ERROR 17\n";exit} | ||
| 113 | "Error: unshare: Operation not permitted" | ||
| 114 | } | ||
| 115 | after 100 | ||
| 116 | |||
| 117 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r" | ||
| 118 | expect { | ||
| 119 | timeout {puts "TESTING ERROR 18\n";exit} | ||
| 120 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 121 | } | ||
| 122 | expect { | ||
| 123 | timeout {puts "TESTING ERROR 19\n";exit} | ||
| 124 | "Error: unshare: Operation not permitted" | ||
| 125 | } | ||
| 126 | after 100 | ||
| 127 | |||
| 128 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r" | ||
| 129 | expect { | ||
| 130 | timeout {puts "TESTING ERROR 20\n";exit} | ||
| 131 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 132 | } | ||
| 133 | expect { | ||
| 134 | timeout {puts "TESTING ERROR 21\n";exit} | ||
| 135 | "Error: unshare: Operation not permitted" | ||
| 136 | } | ||
| 137 | after 100 | ||
| 138 | |||
| 139 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r" | ||
| 140 | expect { | ||
| 141 | timeout {puts "TESTING ERROR 22\n";exit} | ||
| 142 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 143 | } | ||
| 144 | expect { | ||
| 145 | timeout {puts "TESTING ERROR 23\n";exit} | ||
| 146 | "Error: unshare: Operation not permitted" | ||
| 147 | } | ||
| 148 | after 100 | ||
| 149 | |||
| 150 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r" | ||
| 151 | expect { | ||
| 152 | timeout {puts "TESTING ERROR 24\n";exit} | ||
| 153 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 154 | } | ||
| 155 | expect { | ||
| 156 | timeout {puts "TESTING ERROR 25\n";exit} | ||
| 157 | "Error: unshare: Operation not permitted" | ||
| 158 | } | ||
| 159 | after 100 | ||
| 160 | |||
| 161 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r" | ||
| 162 | expect { | ||
| 163 | timeout {puts "TESTING ERROR 26\n";exit} | ||
| 164 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
| 165 | } | ||
| 166 | expect { | ||
| 167 | timeout {puts "TESTING ERROR 27\n";exit} | ||
| 168 | "unshare successful" | ||
| 169 | } | ||
| 170 | |||
| 171 | |||
| 172 | after 100 | ||
| 173 | puts "\nall done\n" | ||