8 files changed, 10 insertions, 11 deletions
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 009b2c063..0b602c79a 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -53,9 +53,8 @@ protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
-# writable-run-user is needed for signing and encrypting emails
-writable-run-user
 private-dev
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
diff --git a/etc/kopete.profile b/etc/kopete.profile
index 5e931ddac..e0bdce059 100644
--- a/etc/kopete.profile
+++ b/etc/kopete.profile
@@ -31,8 +31,8 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
-writable-var
 private-dev
 private-tmp
+writable-var
diff --git a/etc/less.profile b/etc/less.profile
index bc85e5ad5..897d38b9d 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -34,7 +34,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-writable-var-log
 # The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
@@ -42,5 +41,6 @@ writable-var-log
 # private-lib
 private-cache
 private-dev
+writable-var-log
 memory-deny-write-execute
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 419e17e95..c424dbb85 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -54,6 +54,6 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
-writable-run-user
 private-dev
+writable-run-user
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 17d286b18..ce0e54a0d 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -37,6 +37,6 @@ tracelog
 private-cache
 private-dev
 # private-tmp # Breaks when exiting
+writable-run-user
 memory-deny-write-execute
-writable-run-user
diff --git a/etc/tar.profile b/etc/tar.profile
index 71f7414bc..7e1fa8b92 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -43,7 +43,7 @@ private-cache
 private-dev
 private-etc alternatives,group,localtime,passwd
 private-lib libfakeroot
-memory-deny-write-execute
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
+memory-deny-write-execute
diff --git a/etc/tor.profile b/etc/tor.profile
index e896b609a..13d071635 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -40,7 +40,6 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
-writable-var
 disable-mnt
 private
@@ -49,3 +48,4 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
 private-tmp
+writable-var
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 50304d223..e152ee7ea 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -30,11 +30,11 @@ notv
 nou2f
 novideo
 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
-writable-var
 disable-mnt
 private
 private-dev
+writable-var
 # mdwe can break modules/plugins
 memory-deny-write-execute

diff --git a/etc/kmail.profile b/etc/kmail.profile index 009b2c063..0b602c79a 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile
@@ -53,9 +53,8 @@ protocol unix,inet,inet6,netlink
53	# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls	53	# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
54	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	54	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
55	# tracelog	55	# tracelog
56	# writable-run-user is needed for signing and encrypting emails
57	writable-run-user
58		56
59	private-dev	57	private-dev
60	# private-tmp - interrupts connection to akonadi, breaks opening of email attachments	58	# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
61		59	# writable-run-user is needed for signing and encrypting emails
		60	writable-run-user


diff --git a/etc/kopete.profile b/etc/kopete.profile index 5e931ddac..e0bdce059 100644 --- a/etc/kopete.profile +++ b/etc/kopete.profile
@@ -31,8 +31,8 @@ notv
31	nou2f	31	nou2f
32	protocol unix,inet,inet6,netlink	32	protocol unix,inet,inet6,netlink
33	seccomp	33	seccomp
34	writable-var
35		34
36	private-dev	35	private-dev
37	private-tmp	36	private-tmp
		37	writable-var
38		38


diff --git a/etc/less.profile b/etc/less.profile index bc85e5ad5..897d38b9d 100644 --- a/etc/less.profile +++ b/etc/less.profile
@@ -34,7 +34,6 @@ protocol unix
34	seccomp	34	seccomp
35	shell none	35	shell none
36	tracelog	36	tracelog
37	writable-var-log
38		37
39	# The user can have a custom coloring script configured in ${HOME}/.lessfilter.	38	# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
40	# Enable private-bin and private-lib if you are not using any filter.	39	# Enable private-bin and private-lib if you are not using any filter.
@@ -42,5 +41,6 @@ writable-var-log
42	# private-lib	41	# private-lib
43	private-cache	42	private-cache
44	private-dev	43	private-dev
		44	writable-var-log
45		45
46	memory-deny-write-execute	46	memory-deny-write-execute


diff --git a/etc/mutt.profile b/etc/mutt.profile index 419e17e95..c424dbb85 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile
@@ -54,6 +54,6 @@ novideo
54	protocol unix,inet,inet6	54	protocol unix,inet,inet6
55	seccomp	55	seccomp
56	shell none	56	shell none
57	writable-run-user
58		57
59	private-dev	58	private-dev
		59	writable-run-user


diff --git a/etc/ssh.profile b/etc/ssh.profile index 17d286b18..ce0e54a0d 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile
@@ -37,6 +37,6 @@ tracelog
37	private-cache	37	private-cache
38	private-dev	38	private-dev
39	# private-tmp # Breaks when exiting	39	# private-tmp # Breaks when exiting
		40	writable-run-user
40		41
41	memory-deny-write-execute	42	memory-deny-write-execute
42	writable-run-user


diff --git a/etc/tar.profile b/etc/tar.profile index 71f7414bc..7e1fa8b92 100644 --- a/etc/tar.profile +++ b/etc/tar.profile
@@ -43,7 +43,7 @@ private-cache
43	private-dev	43	private-dev
44	private-etc alternatives,group,localtime,passwd	44	private-etc alternatives,group,localtime,passwd
45	private-lib libfakeroot	45	private-lib libfakeroot
46
47	memory-deny-write-execute
48	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)	46	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
49	writable-var	47	writable-var
		48
		49	memory-deny-write-execute


diff --git a/etc/tor.profile b/etc/tor.profile index e896b609a..13d071635 100644 --- a/etc/tor.profile +++ b/etc/tor.profile
@@ -40,7 +40,6 @@ novideo
40	protocol unix,inet,inet6	40	protocol unix,inet,inet6
41	seccomp	41	seccomp
42	shell none	42	shell none
43	writable-var
44		43
45	disable-mnt	44	disable-mnt
46	private	45	private
@@ -49,3 +48,4 @@ private-cache
49	private-dev	48	private-dev
50	private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor	49	private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
51	private-tmp	50	private-tmp
		51	writable-var


diff --git a/etc/unbound.profile b/etc/unbound.profile index 50304d223..e152ee7ea 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile
@@ -30,11 +30,11 @@ notv
30	nou2f	30	nou2f
31	novideo	31	novideo
32	seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice	32	seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
33	writable-var
34		33
35	disable-mnt	34	disable-mnt
36	private	35	private
37	private-dev	36	private-dev
		37	writable-var
38		38
39	# mdwe can break modules/plugins	39	# mdwe can break modules/plugins
40	memory-deny-write-execute	40	memory-deny-write-execute