5 files changed, 22 insertions, 2 deletions

diff --git a/etc/dig.profile b/etc/dig.profile
index 270a95c05..f283db962 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -25,6 +25,7 @@ include disable-xdg.inc
 #mkfile ${HOME}/.digrc -- see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -32,6 +33,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+memory-deny-write-execute
 netfilter
 no3d
 nodbus
@@ -49,7 +51,6 @@ shell none
 tracelog
 
 disable-mnt
-private
 private-bin bash,dig,sh
 private-dev
 # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
diff --git a/etc/nslookup.profile b/etc/nslookup.profile
index 4aa1cfcbf..9ed6ef1e9 100644
--- a/etc/nslookup.profile
+++ b/etc/nslookup.profile
@@ -21,6 +21,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist ${HOME}/.nslookuprc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -28,6 +31,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+memory-deny-write-execute
 netfilter
 no3d
 nodbus
@@ -45,7 +49,6 @@ shell none
 tracelog
 
 disable-mnt
-private
 private-bin bash,nslookup,sh
 private-dev
 private-tmp
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index 1e623f9ce..489de67bb 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -16,10 +16,14 @@ include disable-programs.inc
 mkdir ${HOME}/.unknown-horizons
 whitelist ${HOME}/.unknown-horizons
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/unknown-horizons
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+# memory-deny-write-execute - doesn't work
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc
index 8a0f6774a..193b00a2a 100644
--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/whitelist-usr-share-common.inc
@@ -50,6 +50,7 @@ whitelist /usr/share/qt4
 whitelist /usr/share/qt5
 whitelist /usr/share/sounds
 whitelist /usr/share/tcl8.6
+whitelist /usr/share/tcltk
 whitelist /usr/share/terminfo
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf
diff --git a/src/profstats/main.c b/src/profstats/main.c
index 7c6bfce9d..ac02c69bc 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -38,6 +38,7 @@ static int cnt_whitelistvar = 0;	// include whitelist-var-common.inc
 static int cnt_whitelistrunuser = 0;    // include whitelist-runuser-common.inc
 static int cnt_whitelistusrshare = 0;   // include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
+static int cnt_mdwx = 0;
 
 static int level = 0;
 static int arg_debug = 0;
@@ -51,6 +52,7 @@ static int arg_whitelistvar = 0;
 static int arg_whitelistrunuser = 0;
 static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
+static int arg_mdwx = 0;
 
 static char *profile = NULL;
 
@@ -66,6 +68,7 @@ static void usage(void) {
         printf("   --private-dev - print profiles without private-dev\n");
         printf("   --private-tmp - print profiles without private-tmp\n");
         printf("   --seccomp - print profiles without seccomp\n");
+        printf("   --memory-deny-write-execute - profile without it\n");
         printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
         printf("   --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\"\n");
         printf("   --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
@@ -114,6 +117,8 @@ void process_file(const char *fname) {
                         cnt_whitelistusrshare++;
                 else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
                         cnt_ssh++;
+                else if (strncmp(ptr, "memory-deny-write-execute", 25) == 0)
+                        cnt_mdwx++;
                 else if (strncmp(ptr, "net none", 8) == 0)
                         cnt_netnone++;
                 else if (strncmp(ptr, "apparmor", 8) == 0)
@@ -161,6 +166,8 @@ int main(int argc, char **argv) {
                         arg_caps = 1;
                 else if (strcmp(argv[i], "--seccomp") == 0)
                         arg_seccomp = 1;
+                else if (strcmp(argv[i], "--memory-deny-write-execute") == 0)
+                        arg_mdwx = 1;
                 else if (strcmp(argv[i], "--noexec") == 0)
                         arg_noexec = 1;
                 else if (strcmp(argv[i], "--private-dev") == 0)
@@ -205,6 +212,7 @@ int main(int argc, char **argv) {
                 int whitelistrunuser = cnt_whitelistrunuser;
                 int whitelistusrshare = cnt_whitelistusrshare;
                 int ssh = cnt_ssh;
+                int mdwx = cnt_mdwx;
 
                 // process file
                 profile = argv[i];
@@ -242,6 +250,8 @@ int main(int argc, char **argv) {
                         printf("No include whitelist-usr-share-common.inc found in %s\n", argv[i]);
                 if (arg_ssh && ssh == cnt_ssh)
                         printf("No include disable-common.inc found in %s\n", argv[i]);
+                if (arg_mdwx && mdwx == cnt_mdwx)
+                        printf("No memory-deny-write-execute found in %s\n", argv[i]);
 
                 assert(level == 0);
         }
@@ -255,6 +265,7 @@ int main(int argc, char **argv) {
         printf("    seccomp\t\t\t%d\n", cnt_seccomp);
         printf("    capabilities\t\t%d\n", cnt_caps);
         printf("    noexec\t\t\t%d   (include disable-exec.inc)\n", cnt_noexec);
+        printf("    memory-deny-write-execute\t%d\n", cnt_mdwx);
         printf("    apparmor\t\t\t%d\n", cnt_apparmor);
         printf("    private-dev\t\t\t%d\n", cnt_privatedev);
         printf("    private-tmp\t\t\t%d\n", cnt_privatetmp);