-rw-r--r--README8
-rw-r--r--README.md2
-rw-r--r--RELNOTES2
-rw-r--r--etc/Documents.profile7
-rw-r--r--etc/Fritzing.profile3
-rw-r--r--etc/JDownloader.profile3
-rw-r--r--etc/QMediathekView.profile3
-rw-r--r--etc/QOwnNotes.profile3
-rw-r--r--etc/Viber.profile3
-rw-r--r--etc/XMind.profile3
-rw-r--r--etc/akregator.profile3
-rw-r--r--etc/amule.profile3
-rw-r--r--etc/apktool.profile4
-rw-r--r--etc/archaudit-report.profile3
-rw-r--r--etc/ardour5.profile3
-rw-r--r--etc/arduino.profile3
-rw-r--r--etc/aria2c.profile3
-rw-r--r--etc/arm.profile3
-rw-r--r--etc/atom.profile4
-rw-r--r--etc/baobab.profile3
-rw-r--r--etc/bibletime.profile7
-rw-r--r--etc/bitcoin-qt.profile3
-rw-r--r--etc/bleachbit.profile3
-rw-r--r--etc/blender.profile3
-rw-r--r--etc/bless.profile3
-rw-r--r--etc/bluefish.profile3
-rw-r--r--etc/brasero.profile3
-rw-r--r--etc/cin.profile3
-rw-r--r--etc/conky.profile3
-rw-r--r--etc/corebird.profile3
-rw-r--r--etc/cower.profile3
-rw-r--r--etc/crow.profile3
-rw-r--r--etc/curl.profile4
-rw-r--r--etc/darktable.profile3
-rw-r--r--etc/deadbeef.profile3
-rw-r--r--etc/default.profile3
-rw-r--r--etc/dex2jar.profile3
-rw-r--r--etc/dia.profile3
-rw-r--r--etc/dino.profile3
-rw-r--r--etc/discord-common.profile2
-rw-r--r--etc/display.profile1
-rw-r--r--etc/dooble.profile3
-rw-r--r--etc/dragon.profile3
-rw-r--r--etc/electrum.profile3
-rw-r--r--etc/enpass.profile3
-rw-r--r--etc/etr.profile11
-rw-r--r--etc/evolution.profile3
-rw-r--r--etc/exfalso.profile3
-rw-r--r--etc/falkon.profile3
-rw-r--r--etc/feedreader.profile3
-rw-r--r--etc/feh.profile1
-rw-r--r--etc/filezilla.profile3
-rw-r--r--etc/flameshot.profile3
-rw-r--r--etc/flowblade.profile3
-rw-r--r--etc/fontforge.profile3
-rw-r--r--etc/freecad.profile3
-rw-r--r--etc/gajim.profile3
-rw-r--r--etc/gitg.profile3
-rw-r--r--etc/github-desktop.profile3
-rw-r--r--etc/gitter.profile3
-rw-r--r--etc/globaltime.profile3
-rw-r--r--etc/gnome-2048.profile3
-rw-r--r--etc/gnome-books.profile3
-rw-r--r--etc/gnome-documents.profile3
-rw-r--r--etc/gnome-font-viewer.profile3
-rw-r--r--etc/gnome-mplayer.profile3
-rw-r--r--etc/gnome-music.profile3
-rw-r--r--etc/gnome-nettool.profile3
-rw-r--r--etc/gnome-photos.profile3
-rw-r--r--etc/gnome-pie.profile3
-rw-r--r--etc/gnome-recipes.profile3
-rw-r--r--etc/gnome-ring.profile3
-rw-r--r--etc/gnome-twitch.profile3
-rw-r--r--etc/gnome-weather.profile3
-rw-r--r--etc/google-earth.profile3
-rw-r--r--etc/gpredict.profile3
-rw-r--r--etc/gradio.profile3
-rw-r--r--etc/guayadeque.profile3
-rw-r--r--etc/hashcat.profile3
-rw-r--r--etc/hugin.profile3
-rw-r--r--etc/imagej.profile3
-rw-r--r--etc/jd-gui.profile3
-rw-r--r--etc/kaffeine.profile3
-rw-r--r--etc/kdeinit4.profile3
-rw-r--r--etc/keepass.profile3
-rw-r--r--etc/kino.profile3
-rw-r--r--etc/klavaro.profile4
-rw-r--r--etc/kopete.profile3
-rw-r--r--etc/less.profile3
-rw-r--r--etc/liferea.profile3
-rw-r--r--etc/linphone.profile3
-rw-r--r--etc/lmms.profile3
-rw-r--r--etc/lollypop.profile3
-rw-r--r--etc/luminance-hdr.profile3
-rw-r--r--etc/lximage-qt.profile3
-rw-r--r--etc/lxmusic.profile3
-rw-r--r--etc/macrofusion.profile3
-rw-r--r--etc/makepkg.profile3
-rw-r--r--etc/mate-calc.profile3
-rw-r--r--etc/mate-color-select.profile3
-rw-r--r--etc/mate-dictionary.profile3
-rw-r--r--etc/mediathekview.profile3
-rw-r--r--etc/mendeleydesktop.profile3
-rw-r--r--etc/midori.profile4
-rw-r--r--etc/min.profile6
-rw-r--r--etc/mpDris2.profile3
-rw-r--r--etc/mpd.profile3
-rw-r--r--etc/mplayer.profile3
-rw-r--r--etc/ms-office.profile3
-rw-r--r--etc/multimc5.profile3
-rw-r--r--etc/mumble.profile3
-rw-r--r--etc/musixmatch.profile3
-rw-r--r--etc/natron.profile3
-rw-r--r--etc/ncdu.profile4
-rw-r--r--etc/nemo.profile3
-rw-r--r--etc/nethack-vultures.profile3
-rw-r--r--etc/nethack.profile3
-rw-r--r--etc/neverball.profile3
-rw-r--r--etc/nheko.profile3
-rw-r--r--etc/nitroshare.profile3
-rw-r--r--etc/nomacs.profile3
-rw-r--r--etc/nyx.profile3
-rw-r--r--etc/obs.profile3
-rw-r--r--etc/onionshare-gui.profile3
-rw-r--r--etc/orage.profile3
-rw-r--r--etc/pdfmod.profile3
-rw-r--r--etc/pdfsam.profile3
-rw-r--r--etc/peek.profile3
-rw-r--r--etc/picard.profile3
-rw-r--r--etc/pithos.profile3
-rw-r--r--etc/pitivi.profile3
-rw-r--r--etc/polari.profile3
-rw-r--r--etc/ppsspp.profile3
-rw-r--r--etc/pragha.profile3
-rw-r--r--etc/psi-plus.profile3
-rw-r--r--etc/pybitmessage.profile3
-rw-r--r--etc/qlipper.profile3
-rw-r--r--etc/qmmp.profile3
-rw-r--r--etc/quiterss.profile3
-rw-r--r--etc/qupzilla.profile3
-rw-r--r--etc/redeclipse.profile3
-rw-r--r--etc/remmina.profile3
-rw-r--r--etc/ricochet.profile3
-rw-r--r--etc/ristretto.profile3
-rw-r--r--etc/sayonara.profile3
-rw-r--r--etc/scallion.profile4
-rw-r--r--etc/scribus.profile3
-rw-r--r--etc/sdat2img.profile3
-rw-r--r--etc/shellcheck.profile3
-rw-r--r--etc/silentarmy.profile3
-rw-r--r--etc/skype.profile4
-rw-r--r--etc/slashem.profile3
-rw-r--r--etc/smtube.profile3
-rw-r--r--etc/spectre-meltdown-checker.profile3
-rw-r--r--etc/spotify.profile3
-rw-r--r--etc/stellarium.profile3
-rw-r--r--etc/surf.profile3
-rw-r--r--etc/synfigstudio.profile3
-rw-r--r--etc/teamspeak3.profile3
-rw-r--r--etc/telegram.profile3
-rw-r--r--etc/tilp.profile3
-rw-r--r--etc/tor.profile3
-rw-r--r--etc/transmission-remote.profile6
-rw-r--r--etc/transmission-show.profile6
-rw-r--r--etc/truecraft.profile3
-rw-r--r--etc/uefitool.profile3
-rw-r--r--etc/utox.profile47
-rw-r--r--etc/viking.profile3
-rw-r--r--etc/vym.profile3
-rw-r--r--etc/webui-aria2.profile3
-rw-r--r--etc/whois.profile3
-rw-r--r--etc/xfce4-dict.profile3
-rw-r--r--etc/xfce4-notes.profile3
-rw-r--r--etc/xmr-stak.profile3
-rw-r--r--etc/xonotic.profile3
-rw-r--r--etc/xpdf.profile3
-rw-r--r--etc/zaproxy.profile3
-rw-r--r--etc/zart.profile3
-rw-r--r--src/firecfg/firecfg.config2
-rw-r--r--src/firejail/Makefile.in2
-rw-r--r--src/firejail/firejail.h79
-rw-r--r--src/include/rundefs.h102
-rw-r--r--src/libpostexecseccomp/Makefile.in3
-rw-r--r--src/libpostexecseccomp/libpostexecseccomp.c12
-rw-r--r--src/libpostexecseccomp/libpostexecseccomp.h25
-rw-r--r--src/libtracelog/Makefile.in2
-rw-r--r--src/libtracelog/libtracelog.c2
-rwxr-xr-xtest/filters/seccomp-debug.exp46
-rwxr-xr-xtest/filters/seccomp-join.exp44
189 files changed, 425 insertions, 503 deletions
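diff --git a/README b/README
index 6bb17d4f3..a06ffe535 100644
--- a/README
+++ b/README
@@ -38,10 +38,12 @@ Committers
 - glitsj16 (https://github.com/glitsj16)
 - Fred-Barclay (https://github.com/Fred-Barclay)
 - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
+- rusty-snake (https://github.com/rusty-snake)
 - smithsohu (https://github.com/smitsohu)
 - SkewedZeppelin (https://github.com/SkewedZeppelin)
 - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer)
 - Topi Miettinen (https://github.com/topimiettinen)
+- veloute (https://github.com/veloute)
 - Vincent43 (https://github.com/Vincent43)
 - netblue30 (netblue30@yahoo.com)
 
@@ -542,14 +544,16 @@ rusty-snake (https://github.com/rusty-snake)
  - added profiles: thunderbird-wayland, supertuxkart, ghostwriter
  - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano
  - added profiles: gajim-history-manager, freemind, nomacs, kid3
- - added profiles: kid3-qt, kid3-cli, anki
+ - added profiles: kid3-qt, kid3-cli, anki, utox
  - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse
  - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool
  - fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany
- - fixed profiles: vim, emacs, pycharm-community, gedit
+ - fixed profiles: vim, emacs, pycharm-community, gedit, klavaro
+ - fixed profiles: default
  - hardened profiles: disable-common.inc, disable-programs.inc
  - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox
  - hardened profiles: gnome-clocks, meld, minetest, youtube-dl
+ - hardened profiles: bibletime, whois, etr, display, feh
  - gnome-mpv was renamed to celluloid
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
  - fixed ktorrent profile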
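diff --git a/README.md b/README.md
index 8509bf44d..846e9d374 100644
--- a/README.md
+++ b/README.md
@@ -102,4 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.59
 
 ## New profiles:
-anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer, cheese
+anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, cheese, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer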
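diff --git a/RELNOTES b/RELNOTES
index 2238ee57d..4ced2cde6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -11,7 +11,7 @@ firejail (0.9.59) baseline; urgency=low
  * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
  * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
  * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
- * new profiles: vultureseye, vulturesclaw, anki, cheese
+ * new profiles: vultureseye, vulturesclaw, anki, cheese, utox
  * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
  * memory-deny-write-execute now also blocks memfd_create
  * drop support for flatpak/snap packages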
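diff --git a/etc/Documents.profile b/etc/Documents.profile
new file mode 100644
index 000000000..c965c55a8
--- /dev/null
+++ b/etc/Documents.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-documents
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-documents.profile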
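Review bot: The comment on line 5 calls this a temporary fix but gives no removal condition, and the header on line 1 names gnome-documents rather than the file's own name, so nothing in the file explains why a profile called `Documents` exists. Firejail selects a profile by program name, so this redirect presumably applies the gnome-documents sandbox to anything launched as `Documents`; that is worth confirming against issue 2624 and stating in the file. I would replace `# Redirect` with `# Redirect: anything started as "Documents" gets the gnome-documents sandbox; delete this file once issue 2624 is fixed`. Lines 3 and 4 are blank where, judging by the `include apktool.local` and `include globals.local` lines visible in other profiles of this commit, the local-override includes would normally sit.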
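diff --git a/etc/Fritzing.profile b/etc/Fritzing.profile
index 55fb7bae7..d318da885 100644
--- a/etc/Fritzing.profile
+++ b/etc/Fritzing.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp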
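Review bot: The explicit `noexec ${HOME}` and `noexec /tmp` lines dropped in the second hunk are replaced by `include disable-exec.inc` in the first, but disable-exec.inc is not among the lines shown here, so this page cannot confirm that both paths are still mounted noexec for this profile. If the include covers more paths than the two removed lines, the commit changes sandbox behaviour rather than just refactoring, and the description should say so. A one-line comment beside the include, for example `# noexec for ${HOME} and /tmp now comes from disable-exec.inc`, would keep the profile readable without opening a second file. The same swap recurs in the other profile sections in this view, from JDownloader through cower.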
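diff --git a/etc/JDownloader.profile b/etc/JDownloader.profile
index 2803ebe07..d1bd5c9b2 100644
--- a/etc/JDownloader.profile
+++ b/etc/JDownloader.profile
@@ -16,6 +16,7 @@ noblacklist /usr/share/java
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp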
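diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
index 69dfbecfe..7cc50da15 100644
--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -21,6 +21,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -52,5 +53,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch
-noexec ${HOME}
-noexec /tmp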
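diff --git a/etc/QOwnNotes.profile b/etc/QOwnNotes.profile
index 090845259..27ba00857 100644
--- a/etc/QOwnNotes.profile
+++ b/etc/QOwnNotes.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.local/share/PBE
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -51,5 +52,3 @@ private-dev
 private-etc alternatives,fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp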
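diff --git a/etc/Viber.profile b/etc/Viber.profile
index 01bb49a99..3f3ee8590 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.ViberPC
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,7 +36,5 @@ private-bin sh,bash,dig,awk,Viber
 private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
 
 env QTWEBENGINE_DISABLE_SANDBOX=1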
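Review bot: The noexec protection pulled in by `include disable-exec.inc` only stops files being executed directly from a noexec mount, while the second hunk's header shows `private-bin sh,bash,dig,awk,Viber` still keeps two shells inside the sandbox. A script stored under ${HOME} or /tmp can still run when it is handed to one of those shells as an argument, so the hardening should not be read as covering interpreter-run scripts in this profile. I would add a comment above the private-bin line (which lies outside the hunk), `# sh/bash are kept: noexec does not stop scripts passed to a shell`, or trim the list if Viber starts without them. XMind (`private-bin XMind,sh,cp`) and apktool (`private-bin apktool,bash,java,dirname,basename,expr,sh`, with no disable-interpreters.inc include visible in its hunk) have the same gap.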
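diff --git a/etc/XMind.profile b/etc/XMind.profile
index 6b767555c..a5b0a864e 100644
--- a/etc/XMind.profile
+++ b/etc/XMind.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.xmind
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ private-bin XMind,sh,cp
 private-tmp
 private-dev
 
-noexec ${HOME}
-noexec /tmp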
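diff --git a/etc/akregator.profile b/etc/akregator.profile
index e7d0b74b9..2f35c55c0 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/akregator
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdei
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp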
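diff --git a/etc/amule.profile b/etc/amule.profile
index e969bb1df..7cb2130bb 100644
--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.aMule
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-bin amule
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp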
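diff --git a/etc/apktool.profile b/etc/apktool.profile
index bad0c9346..acddf010b 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -8,6 +8,7 @@ include apktool.local
 include globals.local
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -33,6 +34,3 @@ shell none
 private-bin apktool,bash,java,dirname,basename,expr,sh
 private-cache
 private-dev
-
-noexec ${HOME}
-noexec /tmp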
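diff --git a/etc/archaudit-report.profile b/etc/archaudit-report.profile
index 1b029d1ac..2f1715da1 100644
--- a/etc/archaudit-report.profile
+++ b/etc/archaudit-report.profile
@@ -11,6 +11,7 @@ noblacklist /var/lib/pacman
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-bin archaudit-report,arch-audit,bash,cat,comm,cut,date,fold,grep,pacman,
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp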
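diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 377ce0a2c..211a32e22 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -14,6 +14,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 #private-etc alternatives,pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf
 private-tmp
 
-noexec ${HOME}
-noexec /tmp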
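diff --git a/etc/arduino.profile b/etc/arduino.profile
index ce4609340..2ea8445fe 100644
--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -19,6 +19,7 @@ noblacklist /usr/share/java
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ shell none
 private-cache
 private-tmp
 
-noexec ${HOME}
-noexec /tmp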
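diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index 6e5a87dab..68c83e573 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.aria2
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-lib libreadline.so.*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp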
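diff --git a/etc/arm.profile b/etc/arm.profile
index d31b962ca..ae93e9665 100644
--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -18,6 +18,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,5 +50,3 @@ private-dev
 private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp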
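diff --git a/etc/atom.profile b/etc/atom.profile
index 1c0afb277..e4ca96eaa 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.cargo/registry
 noblacklist ${HOME}/.gitconfig
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -35,6 +36,3 @@ shell none
 private-cache
 private-dev
 private-tmp
-
-noexec ${HOME}
-noexec /tmp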
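diff --git a/etc/baobab.profile b/etc/baobab.profile
index c223b138e..fc4e7f268 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 # include disable-programs.inc
@@ -33,5 +34,3 @@ private-dev
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch
-noexec ${HOME}
-noexec /tmp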
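diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 6e40054f7..c41aafd47 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/bibletime
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -25,7 +26,9 @@ whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.local/share/bibletime
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -42,7 +45,9 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
+disable-mnt
 # private-bin bibletime,qt5ct
+private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp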
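Review bot: The rewritten `private-etc` line in the last hunk both sorts the list and adds `login.defs`, so the one functional change is hidden inside a reordering. Doing the sort separately, or adding a comment such as `# login.defs: <reason>` (placeholder, since the page does not say why the entry is needed), would let a later reader judge whether it can be dropped. The same section also adds `apparmor`, `disable-mnt`, `private-cache` and `include whitelist-var-common.inc` with no comment, and nothing visible here records that bibletime was exercised with all of them enabled together.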
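diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile
index 74123ee51..8aae5d668 100644
--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/Bitcoin
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,5 +47,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp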
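diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index fae7d8133..cbc8c25d6 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -16,6 +16,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 # include disable-programs.inc
@@ -41,5 +42,3 @@ private-dev
 
 # memory-deny-write-execute breaks some systems, see issue #1850
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp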
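diff --git a/etc/blender.profile b/etc/blender.profile
index d23fe0810..bfe906408 100644
--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -18,6 +18,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp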
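diff --git a/etc/bless.profile b/etc/bless.profile
index 8315f4563..d4ac80db1 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/bless
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-dev
 private-etc alternatives,fonts,mono
 private-tmp
 
-noexec ${HOME}
-noexec /tmp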
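diff --git a/etc/bluefish.profile b/etc/bluefish.profile
index ce47cb9ab..412088ba9 100644
--- a/etc/bluefish.profile
+++ b/etc/bluefish.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ private-bin bluefish
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp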
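diff --git a/etc/brasero.profile b/etc/brasero.profile
index 5021db254..aa838380a 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/brasero
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -34,5 +35,3 @@ private-cache
 # private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp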
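diff --git a/etc/cin.profile b/etc/cin.profile
index 02511c478..efeb9cd14 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.bcast5
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -33,5 +34,3 @@ shell none
 private-cache
 private-dev
 
-noexec ${HOME}
-noexec /tmp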
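diff --git a/etc/conky.profile b/etc/conky.profile
index 846868be2..d5949ecfd 100644
--- a/etc/conky.profile
+++ b/etc/conky.profile
@@ -10,6 +10,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp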
diff --git a/etc/corebird.profile b/etc/corebird.profile
index bf2e97356..dbb043c17 100644
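--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/corebird
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -34,5 +35,3 @@ private-bin corebird
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp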
diff --git a/etc/cower.profile b/etc/cower.profile
index ebd83b326..bc1eeedc0 100644
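--- a/etc/cower.profile
+++ b/etc/cower.profile
@@ -19,6 +19,7 @@ noblacklist /var/lib/pacman
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp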
diff --git a/etc/crow.profile b/etc/crow.profile
index 93f71cef8..8aa70a09c 100644
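--- a/etc/crow.profile
+++ b/etc/crow.profile
@@ -13,6 +13,7 @@ whitelist ${HOME}/.cache/gstreamer-1.0
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-opt none
 private-tmp
 private-srv none
 
-noexec ${HOME}
-noexec /tmp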
diff --git a/etc/curl.profile b/etc/curl.profile
index 1783f1337..2703c6fe8 100644
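--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -12,6 +12,7 @@ blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.curlrc
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -35,6 +36,3 @@ private-cache
 private-dev
 # private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
-
-noexec ${HOME}
-noexec /tmp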
diff --git a/etc/darktable.profile b/etc/darktable.profile
index af834f90b..2a71ad11c 100644
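--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -12,6 +12,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp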
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index f751b7bb0..8e67d9daa 100644
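--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -11,6 +11,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -32,5 +33,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp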
diff --git a/etc/default.profile b/etc/default.profile
index 3eacf9546..95a6e8095 100644
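--- a/etc/default.profile
+++ b/etc/default.profile
@@ -19,6 +19,8 @@ include disable-programs.inc
 # apparmor
 caps.drop all
 # ipc-namespace
+# machine-id
+# net none
 netfilter
 # no3d
 # nodbus
@@ -33,6 +35,7 @@ noroot
 protocol unix,inet,inet6
 seccomp
 # shell none
+# tracelog
 
 # disable-mnt
 # private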
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index b0226f1e9..06a6be3aa 100644
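--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -14,6 +14,7 @@ noblacklist /usr/share/java
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep
 private-cache
 private-dev
 
-noexec ${HOME}
-noexec /tmp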
diff --git a/etc/dia.profile b/etc/dia.profile
index a0075acaf..921adaad5 100644
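--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp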
diff --git a/etc/dino.profile b/etc/dino.profile
index e76499f8f..2db395e02 100644
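--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.local/share/dino
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection
 private-tmp
 
-noexec ${HOME}
-noexec /tmp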
diff --git a/etc/discord-common.profile b/etc/discord-common.profile
index 44b42aefa..a791c7a06 100644
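--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -29,7 +29,7 @@ seccomp
 
 private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh
 private-dev
-private-etc alternatives,fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,ld.so.cache,localtime,login.defs,password,pki,resolv.conf,ssl
 private-tmp
 
 noexec /tmp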
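Review bot: The new `private-etc` list contains `password`, which looks like a typo for `passwd`; gajim.profile in this same commit lists `passwd` next to `group`. As written, the user database this entry was presumably meant to expose would not be kept in the sandbox's /etc, so user-name lookups inside it may fail. The entry should read `...,login.defs,passwd,pki,resolv.conf,ssl`. `machine-id` is also out of alphabetical order in the otherwise sorted list.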
diff --git a/etc/display.profile b/etc/display.profile
index e66fa3ae9..0bab32db1 100644
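--- a/etc/display.profile
+++ b/etc/display.profile
@@ -17,6 +17,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc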
diff --git a/etc/dooble.profile b/etc/dooble.profile
index bc4a4c348..80bcce463 100644
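--- a/etc/dooble.profile
+++ b/etc/dooble.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.dooble
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp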
diff --git a/etc/dragon.profile b/etc/dragon.profile
index cdf941acd..fb8aaaf96 100644
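--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -12,6 +12,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ private-bin dragon
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp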
diff --git a/etc/electrum.profile b/etc/electrum.profile
index 9d5cf7fab..88d27e47e 100644
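--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -18,6 +18,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -52,5 +53,3 @@ private-dev
 private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id
 private-tmp
 
-noexec ${HOME}
-noexec /tmp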
diff --git a/etc/enpass.profile b/etc/enpass.profile
index 5e461bc43..284b9259d 100644
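--- a/etc/enpass.profile
+++ b/etc/enpass.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-opt Enpass
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp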
diff --git a/etc/etr.profile b/etc/etr.profile
index cf13a42de..d93d3de63 100644
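--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -8,14 +8,18 @@ include globals.local
 noblacklist ${HOME}/.etr
 
 include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.etr
 whitelist ${HOME}/.etr
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus
@@ -28,8 +32,11 @@ nou2f
 protocol unix,netlink
 seccomp
 shell none
+tracelog
 
-# private-bin etr
+disable-mnt
+private-bin etr
+private-cache
 private-dev
-# private-etc alternatives
+# private-etc alternatives,drirc,machine-id,openal
 private-tmp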
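Review bot: The hardened profile still has no `include disable-devel.inc`, which almost every other profile touched by this commit carries between disable-common.inc and disable-exec.inc; unless etr needs development tools, adding it at new line 11 would bring the profile in line with the rest. In the second hunk `# private-etc alternatives,drirc,machine-id,openal` stays commented out with no reason given, while dino.profile and falkon.profile annotate their disabled options. A short trailing reason on that line would tell the next maintainer whether it is untested or known to break. The profile continues outside both hunks.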
diff --git a/etc/evolution.profile b/etc/evolution.profile
index 9b6387538..71a7a5600 100644
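--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -18,6 +18,7 @@ noblacklist ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp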
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
index b4d275d22..6146a8952 100644
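--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,5 +50,3 @@ private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp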
diff --git a/etc/falkon.profile b/etc/falkon.profile
index 9fd446fe1..af6aaa1a7 100644
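--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/falkon
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@res
 private-dev
 # private-tmp - interferes with the opening of downloaded files
 
-noexec ${HOME}
-noexec /tmp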
diff --git a/etc/feedreader.profile b/etc/feedreader.profile
index 44ed475bc..e453cc611 100644
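--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/feedreader
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp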
diff --git a/etc/feh.profile b/etc/feh.profile
index f020bace5..6a8071c28 100644
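--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc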
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index fb96d9d87..d1bebafb5 100644
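--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -36,6 +36,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-private-bin filezilla,uname,sh,bash,python*,lsb_release,fzputtygen,fzsftp
+# private-bin breaks --join if the user has zsh set as $SHELL - adding zsh on private-bin
+private-bin filezilla,uname,sh,bash,zsh,python*,lsb_release,fzputtygen,fzsftp
 private-dev
 private-tmp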
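Review bot: The new comment above `private-bin` reads like a changelog entry and will age badly; I would word it as a standing reason, e.g. `# zsh is listed so that --join works when the user's $SHELL is zsh`. Each shell added to this list widens what can be executed inside the sandbox, so the comment should make clear that the entry exists only for --join. Users whose login shell is something other than sh, bash or zsh would presumably hit the same failure, which the comment could also mention.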
diff --git a/etc/flameshot.profile b/etc/flameshot.profile
index 39a23c813..cd3e07455 100644
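--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -11,6 +11,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-etc alternatives,fonts,ld.so.conf,resolv.conf,ca-certificates,ssl,pki,cr
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp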
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index b57c27936..1e84d4ca6 100644
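--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp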
diff --git a/etc/fontforge.profile b/etc/fontforge.profile
index dc4e43b09..f98ad9983 100644
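--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp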
diff --git a/etc/freecad.profile b/etc/freecad.profile
index 11fe3245c..079c85fb1 100644
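--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp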
diff --git a/etc/gajim.profile b/etc/gajim.profile
index bdb40d7e1..36121c4b9 100644
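--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -20,6 +20,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -52,7 +53,5 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
 
 join-or-start gajim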
diff --git a/etc/gitg.profile b/etc/gitg.profile
index f6d78cc54..a40d8791c 100644
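--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.ssh
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-tmp
 
 # mdwe breaks diff in older versions
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp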
diff --git a/etc/github-desktop.profile b/etc/github-desktop.profile
index 934ac7c40..cddb5fcbf 100644
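--- a/etc/github-desktop.profile
+++ b/etc/github-desktop.profile
@@ -13,6 +13,7 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 
 caps.drop all
@@ -44,5 +45,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp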
diff --git a/etc/gitter.profile b/etc/gitter.profile
index ab333d1fb..7d0831bc4 100644
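--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Gitter
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-opt Gitter
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp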
diff --git a/etc/globaltime.profile b/etc/globaltime.profile
index c007fb0cc..bb78a608e 100644
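--- a/etc/globaltime.profile
+++ b/etc/globaltime.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/globaltime
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -34,5 +35,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp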
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
index ce83fbb66..9eb4c147d 100644
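--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/gnome-2048
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp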
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index b880980bc..184751132 100644
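--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-dev
 # private-etc alternatives,fonts
 private-tmp
 
-noexec ${HOME}
-noexec /tmp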
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index 36b69ce90..078e8c34e 100644
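--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp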
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile
index c616b7381..468ef0401 100644
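--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -33,5 +34,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp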
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 3dd623ea9..12bee6448 100644
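--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -12,6 +12,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -31,5 +32,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp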
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index f31b8af2c..6bebeb526 100644
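--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-dev
 private-etc alternatives,fonts,machine-id,pulse,asound.conf
 private-tmp
 
-noexec ${HOME}
-noexec /tmp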
diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile
index dd58f12d5..a763917d1 100644
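--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-dev
 private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
 private-tmp
 
-noexec ${HOME}
-noexec /tmp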
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index c48ca50a5..4e5a3b109 100644
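--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/gnome-photos
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ private-dev
 # private-etc alternatives,fonts
 private-tmp
 
-noexec ${HOME}
-noexec /tmp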
diff --git a/etc/gnome-pie.profile b/etc/gnome-pie.profile
index e542181fa..c1d2dae35 100644
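--- a/etc/gnome-pie.profile
+++ b/etc/gnome-pie.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/gnome-pie
 
 #include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 #include disable-interpreters.inc
 include disable-passwdmgr.inc
 #include disable-programs.inc
@@ -38,5 +39,3 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp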
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index 24d3cbd87..1a897a5d8 100644
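--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/gnome-recipes
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,5 +47,3 @@ private-etc alternatives,ca-certificates,fonts,ssl,crypto-policies,pki
 private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
 private-tmp
 
-noexec ${HOME}
-noexec /tmp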
diff --git a/etc/gnome-ring.profile b/etc/gnome-ring.profile
index f660df690..78ceb9c4f 100644
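--- a/etc/gnome-ring.profile
+++ b/etc/gnome-ring.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.local/share/gnome-ring
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -31,5 +32,3 @@ disable-mnt
 # private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp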
diff --git a/etc/gnome-twitch.profile b/etc/gnome-twitch.profile
index 4b54d9627..5e8153035 100644
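--- a/etc/gnome-twitch.profile
+++ b/etc/gnome-twitch.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/gnome-twitch
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp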
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index baa5d39fd..ef7255130 100644
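--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.cache/libgweather
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-dev
 # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp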
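--- a/etc/google-earth.profile
+++ b/etc/google-earth.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.googleearth/myplaces.kml
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-bin google-earth,sh,bash,grep,sed,ls,dirname
 private-dev
 private-opt google
 
-noexec ${HOME}
-noexec /tmp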
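--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Gpredict
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ private-dev
 private-etc alternatives,fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp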
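--- a/etc/gradio.profile
+++ b/etc/gradio.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/gradio
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ shell none
 private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
 private-tmp
 
-noexec ${HOME}
-noexec /tmp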
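--- a/etc/guayadeque.profile
+++ b/etc/guayadeque.profile
@@ -10,6 +10,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -31,5 +32,3 @@ private-bin guayadeque
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp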
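--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp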
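--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -12,6 +12,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp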
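--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -16,6 +16,7 @@ noblacklist /usr/share/java
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,tou
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp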
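--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -16,6 +16,7 @@ noblacklist /usr/share/java
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp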
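--- a/etc/kaffeine.profile
+++ b/etc/kaffeine.profile
@@ -17,6 +17,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp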
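--- a/etc/kdeinit4.profile
+++ b/etc/kdeinit4.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -33,5 +34,3 @@ private-bin kdeinit4,kbuildsycoca4,kded4,knotify4
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp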
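--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -17,6 +17,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp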
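--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.kinorc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -31,5 +32,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp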
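--- a/etc/klavaro.profile
+++ b/etc/klavaro.profile
@@ -43,12 +43,10 @@ shell none
 tracelog
 
 disable-mnt
-private-bin klavaro,tclsh,tclsh*,bash
+private-bin bash,klavaro,sh,tclsh,tclsh*
 private-cache
 private-dev
 private-etc alternatives,fonts
 private-tmp
 private-opt none
 private-srv none
-
-memory-deny-write-execute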
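Review bot: The last removed line drops `memory-deny-write-execute` from klavaro.profile and the rewritten `private-bin` line adds `sh`; both loosen this sandbox, and nothing in the profile records why. Other profiles touched by this commit keep the disabled option as a comment with a reason, for example `# memory-deny-write-execute - Breaks on Arch` in mpDris2.profile. I would do the same here with a line such as `# memory-deny-write-execute - breaks <reason>`, so a later maintainer can tell whether it is safe to re-enable. Unlike the neighbouring sections, this one shows no `include disable-exec.inc` being added, and the rest of the profile is outside the hunk, so it is worth confirming the profile still ends up with the noexec rules.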
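--- a/etc/kopete.profile
+++ b/etc/kopete.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.kde4/share/config/kopeterc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ writable-var
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp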
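--- a/etc/less.profile
+++ b/etc/less.profile
@@ -9,6 +9,7 @@ include less.local
 #include globals.local
 
 blacklist /tmp/.X11-unix
+include disable-exec.inc
 
 ignore noroot
 apparmor
@@ -34,7 +35,5 @@ private-cache
 private-dev
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 include default.profile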
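--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -20,6 +20,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -52,5 +53,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp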
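--- a/etc/linphone.profile
+++ b/etc/linphone.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.linphonerc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp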
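--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -12,6 +12,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp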
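--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-dev
 private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
 private-tmp
 
-noexec ${HOME}
-noexec /tmp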
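--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -11,6 +11,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp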
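--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/lximage-qt
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -33,5 +34,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp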
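--- a/etc/lxmusic.profile
+++ b/etc/lxmusic.profile
@@ -12,6 +12,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp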
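--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -18,6 +18,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp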
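--- a/etc/makepkg.profile
+++ b/etc/makepkg.profile
@@ -31,6 +31,7 @@ blacklist ${HOME}/.gnupg/openpgp-revocs.d
 noblacklist /var/lib/pacman
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -54,5 +55,3 @@ disable-mnt
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp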
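--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/mate-calc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-opt none
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp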
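--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp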
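--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/mate/mate-dictionary
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp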
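--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -26,6 +26,7 @@ noblacklist /usr/share/java
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -50,5 +51,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp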
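--- a/etc/mendeleydesktop.profile
+++ b/etc/mendeleydesktop.profile
@@ -24,6 +24,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -50,5 +51,3 @@ private-bin mendeleydesktop,python*,env,gconftool-2,which,sh,ln,cat,update-deskt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp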
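--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -13,8 +13,12 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
+# noexec ${HOME} breaks DRM binaries.
+ignore noexec ${HOME}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 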
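--- a/etc/min.profile
+++ b/etc/min.profile
@@ -11,8 +11,12 @@ noblacklist ${HOME}/.config/Min
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
+# noexec ${HOME} breaks DRM binaries.
+ignore noexec ${HOME}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
@@ -48,5 +52,3 @@ private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,gro
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp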
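Review bot: For min.profile this is not a like-for-like move to `disable-exec.inc`: the second hunk removes an active `noexec ${HOME}`, while the first hunk adds `ignore noexec ${HOME}`, so the home directory becomes executable where it was noexec before. A browser writes downloaded content under the home directory, so this is a real loss of hardening, and the only justification on the page is the comment "breaks DRM binaries". I would state the trade-off in the comment, e.g. `# noexec ${HOME} breaks DRM binaries; remove the next line to keep ${HOME} noexec when DRM is not needed.` midori.profile receives the same `ignore` line; its section shows no earlier `noexec ${HOME}` being removed, so whether it is also a relaxation there cannot be told from this page.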
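--- a/etc/mpDris2.profile
+++ b/etc/mpDris2.profile
@@ -18,6 +18,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,7 +48,5 @@ private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotif
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}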
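--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -13,6 +13,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp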
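--- a/etc/mplayer.profile
+++ b/etc/mplayer.profile
@@ -12,6 +12,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -33,5 +34,3 @@ private-bin mplayer
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp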
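--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -18,6 +18,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp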
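--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -18,6 +18,7 @@ noblacklist /usr/share/java
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp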
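--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/data/Mumble
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-bin mumble
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp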
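--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -9,6 +9,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -33,5 +34,3 @@ disable-mnt
 private-dev
 private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 
-noexec ${HOME}
-noexec /tmp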
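--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -20,6 +20,7 @@ noblacklist /opt/natron
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ shell none
 
 private-bin natron,Natron,NatronRenderer
 
-noexec ${HOME}
-noexec /tmp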
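--- a/etc/ncdu.profile
+++ b/etc/ncdu.profile
@@ -6,6 +6,8 @@ include ncdu.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
+
 caps.drop all
 ipc-namespace
 nodbus
@@ -27,5 +29,3 @@ private-dev
 # private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp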
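--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -21,6 +21,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 
@@ -38,5 +39,3 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-noexec ${HOME}
-noexec /tmp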
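--- a/etc/nethack-vultures.profile
+++ b/etc/nethack-vultures.profile
@@ -12,6 +12,7 @@ noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-dev
 private-tmp
 writable-var
 
-noexec ${HOME}
-noexec /tmp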
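--- a/etc/nethack.profile
+++ b/etc/nethack.profile
@@ -11,6 +11,7 @@ noblacklist /var/games/nethack
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-tmp
 writable-var
 
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp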
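--- a/etc/neverball.profile
+++ b/etc/neverball.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.neverball
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ private-bin neverball
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp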
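--- a/etc/nheko.profile
+++ b/etc/nheko.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.cache/nheko/nheko
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ disable-mnt
 private-bin nheko
 private-tmp
 
-noexec ${HOME}
-noexec /tmp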
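--- a/etc/nitroshare.profile
+++ b/etc/nitroshare.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp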
diff --git a/etc/nomacs.profile b/etc/nomacs.profile
index 4bda5cbce..fd154b1c4 100644
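--- a/etc/nomacs.profile
+++ b/etc/nomacs.profile
@@ -13,6 +13,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-etc alternatives,hosts,ca-certificates,ssl,pki,crypto-policies,resolv.co
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp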
diff --git a/etc/nyx.profile b/etc/nyx.profile
index 2a078ef0f..ed39283b2 100644
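--- a/etc/nyx.profile
+++ b/etc/nyx.profile
@@ -17,6 +17,7 @@ whitelist ${HOME}/.nyx
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-opt none
 private-srv none
 private-tmp
 
-noexec ${HOME}
-noexec /tmp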
diff --git a/etc/obs.profile b/etc/obs.profile
index 5e3ce092a..1f02efc7f 100644
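--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -20,6 +20,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp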
diff --git a/etc/onionshare-gui.profile b/etc/onionshare-gui.profile
index 75f6194a6..3ee78c59d 100644
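--- a/etc/onionshare-gui.profile
+++ b/etc/onionshare-gui.profile
@@ -14,6 +14,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp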
diff --git a/etc/orage.profile b/etc/orage.profile
index 29b8ef749..2c55ab909 100644
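--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/orage
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp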
diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile
index 3b6116c85..177070e83 100644
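--- a/etc/pdfmod.profile
+++ b/etc/pdfmod.profile
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp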
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 4eed98e88..98dcce0b7 100644
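--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -17,6 +17,7 @@ noblacklist /usr/share/java
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp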
diff --git a/etc/peek.profile b/etc/peek.profile
index 06e7b3e62..fd836560e 100644
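--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -11,6 +11,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp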
diff --git a/etc/picard.profile b/etc/picard.profile
index 26002e14d..b756ed629 100644
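--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -20,6 +20,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp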
diff --git a/etc/pithos.profile b/etc/pithos.profile
index 6492ace7b..d6a0a7822 100644
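--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -16,6 +16,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-bin pithos,env,python*
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp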
diff --git a/etc/pitivi.profile b/etc/pitivi.profile
index ac7922833..83f5ccbb9 100644
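--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp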
diff --git a/etc/polari.profile b/etc/polari.profile
index 5fa717cb3..b9f81eece 100644
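--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
@@ -45,5 +46,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp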
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
index 0c8bfa770..480a03e49 100644
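--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -13,6 +13,7 @@ noblacklist /usr/lib/llvm*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf
 private-opt ppsspp
 private-tmp
 
-noexec ${HOME}
-noexec /tmp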
diff --git a/etc/pragha.profile b/etc/pragha.profile
index a595caee9..4e6840636 100644
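--- a/etc/pragha.profile
+++ b/etc/pragha.profile
@@ -11,6 +11,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ private-dev
 private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
 private-tmp
 
-noexec ${HOME}
-noexec /tmp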
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index 7ec789440..087f90966 100644
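--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/psi+
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp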
diff --git a/etc/pybitmessage.profile b/etc/pybitmessage.profile
index 63ae156a1..28ab8caa6 100644
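--- a/etc/pybitmessage.profile
+++ b/etc/pybitmessage.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-interpreters.inc
@@ -47,5 +48,3 @@ private-dev
 private-etc alternatives,PyBitmessage,PyBitmessage.conf,Trolltech.conf,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,resolv.conf,selinux,sni-qt.conf,system-fips,xdg,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp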
diff --git a/etc/qlipper.profile b/etc/qlipper.profile
index ec0b6c64d..fb9dca48f 100644
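--- a/etc/qlipper.profile
+++ b/etc/qlipper.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Qlipper
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp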
diff --git a/etc/qmmp.profile b/etc/qmmp.profile
index 66c27a585..f786e73b7 100644
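--- a/etc/qmmp.profile
+++ b/etc/qmmp.profile
@@ -11,6 +11,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -34,5 +35,3 @@ private-bin qmmp,tar,unzip,bzip2,gzip
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp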
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index e6c441e27..41c84425b 100644
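--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.local/share/QuiteRss
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,5 +50,3 @@ private-bin quiterss
 private-dev
 # private-etc alternatives,X11,ssl,pki,ca-certificates,crypto-policies
 
-noexec ${HOME}
-noexec /tmp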
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index eef0c8fa6..1b23b2baf 100644
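--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/qupzilla
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ private-dev
 # private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
 # private-tmp - interferes with the opening of downloaded files
 
-noexec ${HOME}
-noexec /tmp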
diff --git a/etc/redeclipse.profile b/etc/redeclipse.profile
index 278514538..bb1ad56d3 100644
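--- a/etc/redeclipse.profile
+++ b/etc/redeclipse.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.redeclipse
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp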
diff --git a/etc/remmina.profile b/etc/remmina.profile
index 888f3819f..a77f2d8aa 100644
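--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.ssh
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp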
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index a67d6b7ca..3cb30c459 100644
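--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/Ricochet
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-bin ricochet,tor
 private-dev
 #private-etc alternatives,fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies
 
-noexec ${HOME}
-noexec /tmp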
diff --git a/etc/ristretto.profile b/etc/ristretto.profile
index e6b22b914..8fcbb203c 100644
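--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp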
diff --git a/etc/sayonara.profile b/etc/sayonara.profile
index ce86c80f9..8f0544f33 100644
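--- a/etc/sayonara.profile
+++ b/etc/sayonara.profile
@@ -10,6 +10,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -32,5 +33,3 @@ private-bin sayonara
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp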
diff --git a/etc/scallion.profile b/etc/scallion.profile
index b4d0ef240..232ec4346 100644
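--- a/etc/scallion.profile
+++ b/etc/scallion.profile
@@ -13,6 +13,7 @@ noblacklist ${PATH}/openssl-1.0
 noblacklist ${DOCUMENTS}
 
 include disable-common.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,6 +41,3 @@ disable-mnt
 private
 private-dev
 private-tmp
-
-noexec ${HOME}
-noexec /tmp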
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 5bec43d85..d8dc7b0e0 100644
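--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -36,6 +36,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -63,5 +64,3 @@ tracelog
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp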
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index d78b51766..485326fcc 100644
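--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -16,6 +16,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-bin sdat2img,env,python*
 private-cache
 private-dev
 
-noexec ${HOME}
-noexec /tmp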
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index 429633a6d..b8974e416 100644
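--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp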
diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile
index 5ef96a4ea..7aeb2909b 100644
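--- a/etc/silentarmy.profile
+++ b/etc/silentarmy.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ private-dev
 private-opt none
 private-tmp
 
-noexec ${HOME}
-noexec /tmp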
diff --git a/etc/skype.profile b/etc/skype.profile
index 09b9baa11..55057c546 100644
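--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -9,8 +9,10 @@ noblacklist ${HOME}/.Skype
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-programs.inc
 
 caps.drop all
@@ -31,5 +33,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp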
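Review bot: `include disable-exec.inc` is added twice in the first hunk (new lines 12 and 15), once after each of the two `include disable-devel.inc` lines that were already duplicated in this profile. A single include is enough, so the second `include disable-exec.inc` should be dropped, and the redundant second `include disable-devel.inc` could be removed in the same pass. The resulting block would read `include disable-devel.inc`, `include disable-exec.inc`, `include disable-interpreters.inc`, `include disable-programs.inc`.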
diff --git a/etc/slashem.profile b/etc/slashem.profile
index 0a372ce5f..011698e1f 100644
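--- a/etc/slashem.profile
+++ b/etc/slashem.profile
@@ -11,6 +11,7 @@ noblacklist /var/games/slashem
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-tmp
 writable-var
 
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp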
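Review bot: This profile keeps `writable-var`, so /var stays writable inside the sandbox, and the two removed lines only ever covered `${HOME}` and `/tmp`. The contents of disable-exec.inc are not visible in this part of the page, so it is worth confirming that it also marks /var as noexec. If it does not, add an explicit `noexec /var` next to `writable-var`, so that the score and save area under /var/games/slashem cannot hold runnable files.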
diff --git a/etc/smtube.profile b/etc/smtube.profile
index 24f3db40a..1c7c6c0d2 100644
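--- a/etc/smtube.profile
+++ b/etc/smtube.profile
@@ -17,6 +17,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp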
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile
index b43047401..74582dd2f 100644
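--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -20,6 +20,7 @@ noblacklist /usr/share/perl*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,5 +50,3 @@ private-cache
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp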
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 60d15735d..6f7f6ec85 100644
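--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -16,6 +16,7 @@ noblacklist ${HOME}/.local/share/spotify
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -50,5 +51,3 @@ private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,ho
 private-opt spotify
 private-tmp
 
-noexec ${HOME}
-noexec /tmp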
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index 7d0000fb3..d6df2e0ad 100644
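--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.stellarium
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-bin stellarium
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp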
diff --git a/etc/surf.profile b/etc/surf.profile
index 4fad4a81d..0504b5fe5 100644
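--- a/etc/surf.profile
+++ b/etc/surf.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.surf
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -35,5 +36,3 @@ private-dev
 private-etc alternatives,passwd,group,hosts,resolv.conf,fonts,ssl,pki,ca-certificates,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp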
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 9ce1bb183..33086a99d 100644
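--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.synfig
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp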
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index 25928882b..8d5917148 100644
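--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -11,6 +11,7 @@ noblacklist ${PATH}/openssl
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp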
diff --git a/etc/telegram.profile b/etc/telegram.profile
index fb2c06a27..e3af5600a 100644
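--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/TelegramDesktop
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
@@ -26,5 +27,3 @@ disable-mnt
 private-cache
 private-tmp
 
-noexec ${HOME}
-noexec /tmp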
diff --git a/etc/tilp.profile b/etc/tilp.profile
index 2643c9a84..4d38d5184 100644
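--- a/etc/tilp.profile
+++ b/etc/tilp.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.tilp
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -32,5 +33,3 @@ private-cache
 private-etc alternatives,fonts
 private-tmp
 
-noexec ${HOME}
-noexec /tmp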
diff --git a/etc/tor.profile b/etc/tor.profile
index 418352639..e80fbadb0 100644
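--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -19,6 +19,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,5 +50,3 @@ private-dev
 private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp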
diff --git a/etc/transmission-remote.profile b/etc/transmission-remote.profile
index d9ba7be71..ddeb9adf9 100644
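--- a/etc/transmission-remote.profile
+++ b/etc/transmission-remote.profile
@@ -20,7 +20,7 @@ include disable-programs.inc
 apparmor
 caps.drop all
 machine-id
-net none
+netfilter
 nodbus
 nodvd
 nonewprivs
@@ -29,14 +29,14 @@ nosound
 notv
 nou2f
 novideo
-protocol unix
+protocol inet,inet6
 seccomp
 shell none
 tracelog
 
 # private-bin transmission-remote
 private-dev
-private-etc alternatives
+private-etc alternatives,hosts,nsswitch.conf
 private-lib
 private-tmp
 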
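Review bot: `private-etc alternatives,hosts,nsswitch.conf` leaves `resolv.conf` hidden even though the same change replaces `net none` with `netfilter` and `protocol inet,inet6`. The sandbox can now reach the network, but looking up a remote daemon by hostname will probably work only for names in /etc/hosts. If DNS is intended, the line should read `private-etc alternatives,hosts,nsswitch.conf,resolv.conf`. The same three edits are made in etc/transmission-show.profile, where a comment should say why a torrent-file inspector needs network access at all (presumably tracker scraping), since `net none` was the tighter default there. Both profiles start before the first hunk, so confirm that nothing earlier in either file conflicts with the new `protocol` line.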
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 58f7af47c..779606f04 100644
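--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -19,7 +19,7 @@ include disable-programs.inc
 apparmor
 caps.drop all
 machine-id
-net none
+netfilter
 nodbus
 nodvd
 nonewprivs
@@ -28,13 +28,13 @@ nosound
 notv
 nou2f
 novideo
-protocol unix
+protocol inet,inet6
 seccomp
 shell none
 tracelog
 
 private-dev
-private-etc alternatives
+private-etc alternatives,hosts,nsswitch.conf
 private-lib
 private-tmp
 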
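diff --git a/etc/truecraft.profile b/etc/truecraft.profile
index ae1d85473..e76d52219 100644
--- a/etc/truecraft.profile
+++ b/etc/truecraft.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/truecraft
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp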
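Review bot: The noexec restrictions on `${HOME}` and `/tmp` now come only from `include disable-exec.inc`, whose contents are not visible in this part of the commit, so the profile no longer shows which paths are mounted noexec. Before merging it is worth confirming that the include covers at least both removed paths, and that a local override written against the old lines (for example `ignore noexec ${HOME}`) still takes effect on lines read from an included file. If the include covers more paths than the two removed lines, each application should be re-tested, since the restriction would be wider than before. The same replacement is made in the uefitool, viking, vym, webui-aria2, xfce4-dict, xfce4-notes, xmr-stak, xonotic, xpdf, zaproxy and zart sections.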
diff --git a/etc/uefitool.profile b/etc/uefitool.profile
index 218b41e15..8ab0e9a26 100644
--- a/etc/uefitool.profile
+++ b/etc/uefitool.profile
@@ -9,6 +9,7 @@ noblacklist ${DOCUMENTS}
9 9
10include disable-common.inc 10include disable-common.inc
11include disable-devel.inc 11include disable-devel.inc
12include disable-exec.inc
12include disable-interpreters.inc 13include disable-interpreters.inc
13include disable-passwdmgr.inc 14include disable-passwdmgr.inc
14include disable-programs.inc 15include disable-programs.inc
@@ -35,5 +36,3 @@ private-cache
35private-dev 36private-dev
36private-tmp 37private-tmp
37 38
38noexec ${HOME}
39noexec /tmp
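diff --git a/etc/utox.profile b/etc/utox.profile
new file mode 100644
index 000000000..9216a6a05
--- /dev/null
+++ b/etc/utox.profile
@@ -0,0 +1,47 @@
+# Firejail profile for utox
+# Description: Lightweight Tox client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include utox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/tox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/tox
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin utox
+private-cache
+private-dev
+private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse,openal
+private-tmp
+
+memory-deny-write-execute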
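Review bot: The option list between `apparmor` and `tracelog` leaves out `nodbus`, `nosound` and `novideo`, which other profiles in this commit set, and the file does not say why. Sound and camera access are presumably wanted for calls, so a one-line comment such as `# nosound and novideo are left out: audio/video calls` would record that these are deliberate. `nodbus` should either be added or its omission explained the same way, since an open session bus is the widest of the three. `private-etc` lists `resolv.conf` but not `hosts` or `nsswitch.conf`, which the transmission profiles add in this same commit for network use.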
diff --git a/etc/viking.profile b/etc/viking.profile
index baf268691..5b6228a94 100644
--- a/etc/viking.profile
+++ b/etc/viking.profile
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS}
12 12
13include disable-common.inc 13include disable-common.inc
14include disable-devel.inc 14include disable-devel.inc
15include disable-exec.inc
15include disable-interpreters.inc 16include disable-interpreters.inc
16include disable-passwdmgr.inc 17include disable-passwdmgr.inc
17include disable-programs.inc 18include disable-programs.inc
@@ -34,5 +35,3 @@ shell none
34private-dev 35private-dev
35private-tmp 36private-tmp
36 37
37noexec ${HOME}
38noexec /tmp
diff --git a/etc/vym.profile b/etc/vym.profile
index bb3f6ac56..fbb53943c 100644
--- a/etc/vym.profile
+++ b/etc/vym.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/InSilmaril
10 10
11include disable-common.inc 11include disable-common.inc
12include disable-devel.inc 12include disable-devel.inc
13include disable-exec.inc
13include disable-interpreters.inc 14include disable-interpreters.inc
14include disable-passwdmgr.inc 15include disable-passwdmgr.inc
15include disable-programs.inc 16include disable-programs.inc
@@ -33,5 +34,3 @@ disable-mnt
33private-dev 34private-dev
34private-tmp 35private-tmp
35 36
36noexec ${HOME}
37noexec /tmp
diff --git a/etc/webui-aria2.profile b/etc/webui-aria2.profile
index 5bc9c122b..0cd1e05ab 100644
--- a/etc/webui-aria2.profile
+++ b/etc/webui-aria2.profile
@@ -10,6 +10,7 @@ noblacklist ${PATH}/node
10 10
11include disable-common.inc 11include disable-common.inc
12include disable-devel.inc 12include disable-devel.inc
13include disable-exec.inc
13include disable-interpreters.inc 14include disable-interpreters.inc
14include disable-passwdmgr.inc 15include disable-passwdmgr.inc
15include disable-programs.inc 16include disable-programs.inc
@@ -34,5 +35,3 @@ private-cache
34private-dev 35private-dev
35private-tmp 36private-tmp
36 37
37noexec ${HOME}
38noexec /tmp
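diff --git a/etc/whois.profile b/etc/whois.profile
index 0e9eb05a5..cc2494f95 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp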
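Review bot: The added `include disable-exec.inc` is active, while the two lines it replaces, `# noexec ${HOME}` and `# noexec /tmp`, were commented out, so this profile switches noexec on where it was previously off. The neighbouring `# include disable-devel.inc` and `# include disable-interpreters.inc` stay commented, which suggests the old profile relaxed these restrictions on purpose. If the tightening is intended, it should be tested and mentioned in the commit message as a behaviour change; if the aim was a mechanical replacement, the matching form is `# include disable-exec.inc`.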
diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile
index 0dc021ef3..bc499bd30 100644
--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/xfce4-dict
10 10
11include disable-common.inc 11include disable-common.inc
12include disable-devel.inc 12include disable-devel.inc
13include disable-exec.inc
13include disable-interpreters.inc 14include disable-interpreters.inc
14include disable-passwdmgr.inc 15include disable-passwdmgr.inc
15include disable-programs.inc 16include disable-programs.inc
@@ -34,5 +35,3 @@ private-cache
34private-dev 35private-dev
35private-tmp 36private-tmp
36 37
37noexec ${HOME}
38noexec /tmp
diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile
index df1b575b2..4dad1bf7a 100644
--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/notes
12 12
13include disable-common.inc 13include disable-common.inc
14include disable-devel.inc 14include disable-devel.inc
15include disable-exec.inc
15include disable-interpreters.inc 16include disable-interpreters.inc
16include disable-passwdmgr.inc 17include disable-passwdmgr.inc
17include disable-programs.inc 18include disable-programs.inc
@@ -36,5 +37,3 @@ private-cache
36private-dev 37private-dev
37private-tmp 38private-tmp
38 39
39noexec ${HOME}
40noexec /tmp
diff --git a/etc/xmr-stak.profile b/etc/xmr-stak.profile
index 99c9676b8..3fbdf66ab 100644
--- a/etc/xmr-stak.profile
+++ b/etc/xmr-stak.profile
@@ -10,6 +10,7 @@ noblacklist /usr/lib/llvm*
10 10
11include disable-common.inc 11include disable-common.inc
12include disable-devel.inc 12include disable-devel.inc
13include disable-exec.inc
13include disable-interpreters.inc 14include disable-interpreters.inc
14include disable-passwdmgr.inc 15include disable-passwdmgr.inc
15include disable-programs.inc 16include disable-programs.inc
@@ -43,5 +44,3 @@ private-opt cuda
43private-tmp 44private-tmp
44 45
45memory-deny-write-execute 46memory-deny-write-execute
46noexec ${HOME}
47noexec /tmp
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 9d422a01e..09c0639f8 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.xonotic
10 10
11include disable-common.inc 11include disable-common.inc
12include disable-devel.inc 12include disable-devel.inc
13include disable-exec.inc
13include disable-interpreters.inc 14include disable-interpreters.inc
14include disable-passwdmgr.inc 15include disable-passwdmgr.inc
15include disable-programs.inc 16include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
39private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id 40private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
40private-tmp 41private-tmp
41 42
42noexec ${HOME}
43noexec /tmp
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 4a82942ad..8c405ba1d 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
11 11
12include disable-common.inc 12include disable-common.inc
13include disable-devel.inc 13include disable-devel.inc
14include disable-exec.inc
14include disable-interpreters.inc 15include disable-interpreters.inc
15include disable-passwdmgr.inc 16include disable-passwdmgr.inc
16include disable-programs.inc 17include disable-programs.inc
@@ -38,5 +39,3 @@ shell none
38private-dev 39private-dev
39private-tmp 40private-tmp
40 41
41noexec ${HOME}
42noexec /tmp
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile
index cc572cbfe..dc3164da1 100644
--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -17,6 +17,7 @@ noblacklist /usr/share/java
17 17
18include disable-common.inc 18include disable-common.inc
19include disable-devel.inc 19include disable-devel.inc
20include disable-exec.inc
20include disable-interpreters.inc 21include disable-interpreters.inc
21include disable-passwdmgr.inc 22include disable-passwdmgr.inc
22include disable-programs.inc 23include disable-programs.inc
@@ -47,5 +48,3 @@ disable-mnt
47private-dev 48private-dev
48private-tmp 49private-tmp
49 50
50noexec ${HOME}
51noexec /tmp
diff --git a/etc/zart.profile b/etc/zart.profile
index 32df94841..f380e93f0 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -11,6 +11,7 @@ noblacklist ${PICTURES}
11 11
12include disable-common.inc 12include disable-common.inc
13include disable-devel.inc 13include disable-devel.inc
14include disable-exec.inc
14include disable-interpreters.inc 15include disable-interpreters.inc
15include disable-passwdmgr.inc 16include disable-passwdmgr.inc
16include disable-programs.inc 17include disable-programs.inc
@@ -33,5 +34,3 @@ shell none
33private-bin zart,ffmpeg,melt,ffprobe,ffplay 34private-bin zart,ffmpeg,melt,ffprobe,ffplay
34private-dev 35private-dev
35 36
36noexec ${HOME}
37noexec /tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 5125d0cca..7aec0f82a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -9,6 +9,7 @@ Cryptocat
9Cyberfox 9Cyberfox
10Discord 10Discord
11DiscordCanary 11DiscordCanary
12Documents
12FossaMail 13FossaMail
13Fritzing 14Fritzing
14Gitter 15Gitter
@@ -565,6 +566,7 @@ uefitool
565uget-gtk 566uget-gtk
566unbound 567unbound
567unknown-horizons 568unknown-horizons
569utox
568uudeview 570uudeview
569uzbl-browser 571uzbl-browser
570viewnior 572viewnior
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index d0f43041c..8cb994aca 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -2,7 +2,7 @@ all: firejail
2 2
3include ../common.mk 3include ../common.mk
4 4
5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h 5%.o : %.c $(H_FILE_LIST) ../include/rundefs.h ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7 7
8firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o 8firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4cb10c875..b2c18d79f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -21,90 +21,13 @@
21#define FIREJAIL_H 21#define FIREJAIL_H
22#include "../include/common.h" 22#include "../include/common.h"
23#include "../include/euid_common.h" 23#include "../include/euid_common.h"
24#include "../include/rundefs.h"
24#include <stdarg.h> 25#include <stdarg.h>
25#include <sys/stat.h> 26#include <sys/stat.h>
26 27
27// debug restricted shell 28// debug restricted shell
28//#define DEBUG_RESTRICTED_SHELL 29//#define DEBUG_RESTRICTED_SHELL
29 30
30// filesystem
31#define RUN_FIREJAIL_BASEDIR "/run"
32#define RUN_FIREJAIL_DIR "/run/firejail"
33#define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
34#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
35#define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib"
36#define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
37#define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
38#define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
39#define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile"
40#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail-network.lock"
41#define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock"
42#define RUN_RO_DIR "/run/firejail/firejail.ro.dir"
43#define RUN_RO_FILE "/run/firejail/firejail.ro.file"
44#define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created
45#define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup"
46#define RUN_CPU_CFG "/run/firejail/mnt/cpu"
47#define RUN_GROUPS_CFG "/run/firejail/mnt/groups"
48#define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol"
49#define RUN_NONEWPRIVS_CFG "/run/firejail/mnt/nonewprivs"
50#define RUN_HOME_DIR "/run/firejail/mnt/home"
51#define RUN_ETC_DIR "/run/firejail/mnt/etc"
52#define RUN_OPT_DIR "/run/firejail/mnt/opt"
53#define RUN_SRV_DIR "/run/firejail/mnt/srv"
54#define RUN_BIN_DIR "/run/firejail/mnt/bin"
55#define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
56#define RUN_LIB_DIR "/run/firejail/mnt/lib"
57#define RUN_LIB_FILE "/run/firejail/mnt/libfiles"
58#define RUN_DNS_ETC "/run/firejail/mnt/dns-etc"
59
60#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
61#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed
62#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter
63#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter
64#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures
65#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute
66#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter
67#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library
68#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
69#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
70#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
71#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
72#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
73
74
75#define RUN_DEV_DIR "/run/firejail/mnt/dev"
76#define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
77
78#define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11"
79#define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking
80#define RUN_WHITELIST_RUN_DIR "/run/firejail/mnt/orig-run" // default run directory masking
81#define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting
82#define RUN_WHITELIST_RUN_USER_DIR "/run/firejail/mnt/orig-run-user" // run directory whitelisting
83#define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp"
84#define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
85#define RUN_WHITELIST_MNT_DIR "/run/firejail/mnt/orig-mnt"
86#define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var"
87#define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev"
88#define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt"
89#define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv"
90#define RUN_WHITELIST_ETC_DIR "/run/firejail/mnt/orig-etc"
91#define RUN_WHITELIST_SHARE_DIR "/run/firejail/mnt/orig-share"
92#define RUN_WHITELIST_MODULE_DIR "/run/firejail/mnt/orig-module"
93
94#define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority"
95#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
96#define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc"
97#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
98#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
99#define RUN_MACHINEID "/run/firejail/mnt/machine-id"
100#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
101#define RUN_UTMP_FILE "/run/firejail/mnt/utmp"
102#define RUN_PASSWD_FILE "/run/firejail/mnt/passwd"
103#define RUN_GROUP_FILE "/run/firejail/mnt/group"
104#define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger"
105#define RUN_UMASK_FILE "/run/firejail/mnt/umask"
106#define RUN_OVERLAY_ROOT "/run/firejail/mnt/oroot"
107#define RUN_READY_FOR_JOIN "/run/firejail/mnt/ready-for-join"
108 31
109 32
110// profiles 33// profiles
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
new file mode 100644
index 000000000..67d7cfa4f
--- /dev/null
+++ b/src/include/rundefs.h
@@ -0,0 +1,102 @@
1/*
2 * Copyright (C) 2014-2019 Firejail Authors
3 *
4 * This file is part of firejail project
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/
20
21#ifndef RUNDEFS_H
22#define RUNDEFS_H
23// filesystem
24#define RUN_FIREJAIL_BASEDIR "/run"
25#define RUN_FIREJAIL_DIR "/run/firejail"
26#define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
27#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
28#define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib"
29#define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
30#define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
31#define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
32#define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile"
33#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail-network.lock"
34#define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock"
35#define RUN_RO_DIR "/run/firejail/firejail.ro.dir"
36#define RUN_RO_FILE "/run/firejail/firejail.ro.file"
37#define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created
38#define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup"
39#define RUN_CPU_CFG "/run/firejail/mnt/cpu"
40#define RUN_GROUPS_CFG "/run/firejail/mnt/groups"
41#define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol"
42#define RUN_NONEWPRIVS_CFG "/run/firejail/mnt/nonewprivs"
43#define RUN_HOME_DIR "/run/firejail/mnt/home"
44#define RUN_ETC_DIR "/run/firejail/mnt/etc"
45#define RUN_OPT_DIR "/run/firejail/mnt/opt"
46#define RUN_SRV_DIR "/run/firejail/mnt/srv"
47#define RUN_BIN_DIR "/run/firejail/mnt/bin"
48#define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
49#define RUN_LIB_DIR "/run/firejail/mnt/lib"
50#define RUN_LIB_FILE "/run/firejail/mnt/libfiles"
51#define RUN_DNS_ETC "/run/firejail/mnt/dns-etc"
52
53#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
54#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed
55#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter
56#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter
57#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures
58#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute
59#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter
60#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library
61#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
62#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
63#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
64#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
65#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
66
67
68#define RUN_DEV_DIR "/run/firejail/mnt/dev"
69#define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
70
71#define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11"
72#define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking
73#define RUN_WHITELIST_RUN_DIR "/run/firejail/mnt/orig-run" // default run directory masking
74#define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting
75#define RUN_WHITELIST_RUN_USER_DIR "/run/firejail/mnt/orig-run-user" // run directory whitelisting
76#define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp"
77#define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
78#define RUN_WHITELIST_MNT_DIR "/run/firejail/mnt/orig-mnt"
79#define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var"
80#define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev"
81#define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt"
82#define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv"
83#define RUN_WHITELIST_ETC_DIR "/run/firejail/mnt/orig-etc"
84#define RUN_WHITELIST_SHARE_DIR "/run/firejail/mnt/orig-share"
85#define RUN_WHITELIST_MODULE_DIR "/run/firejail/mnt/orig-module"
86
87#define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority"
88#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
89#define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc"
90#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
91#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
92#define RUN_MACHINEID "/run/firejail/mnt/machine-id"
93#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
94#define RUN_UTMP_FILE "/run/firejail/mnt/utmp"
95#define RUN_PASSWD_FILE "/run/firejail/mnt/passwd"
96#define RUN_GROUP_FILE "/run/firejail/mnt/group"
97#define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger"
98#define RUN_UMASK_FILE "/run/firejail/mnt/umask"
99#define RUN_OVERLAY_ROOT "/run/firejail/mnt/oroot"
100#define RUN_READY_FOR_JOIN "/run/firejail/mnt/ready-for-join"
101
102#endif
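Review bot: The comment on `RUN_FIREJAIL_NAME_DIR`, `// also used in src/lib/pid.c - todo: move it in a common place`, was copied unchanged although this header is now that common place. It should be shortened to `// also used in src/lib/pid.c`; whether pid.c now includes this header is not visible here. The `PATH_SECCOMP_*` macros expand `LIBDIR`, which this header does not define, and the file is now included from libtracelog and libpostexecseccomp as well. A short comment under `#define RUNDEFS_H` stating that `LIBDIR` must be defined by whoever uses those macros (presumably via the build flags) would prevent a confusing compile error later.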
diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in
index 92803342c..8d6dde4e0 100644
--- a/src/libpostexecseccomp/Makefile.in
+++ b/src/libpostexecseccomp/Makefile.in
@@ -13,13 +13,12 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
13 13
14all: libpostexecseccomp.so 14all: libpostexecseccomp.so
15 15
16%.o : %.c $(H_FILE_LIST) 16%.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h
17 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 17 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
18 18
19libpostexecseccomp.so: $(OBJS) 19libpostexecseccomp.so: $(OBJS)
20 $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl 20 $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
21 21
22
23clean:; rm -f $(OBJS) libpostexecseccomp.so 22clean:; rm -f $(OBJS) libpostexecseccomp.so
24 23
25distclean: clean 24distclean: clean
diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c
index e51445de4..3983510ec 100644
--- a/src/libpostexecseccomp/libpostexecseccomp.c
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -17,19 +17,22 @@
17 * with this program; if not, write to the Free Software Foundation, Inc., 17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/ 19*/
20#include "libpostexecseccomp.h"
21#include "../include/seccomp.h" 20#include "../include/seccomp.h"
21#include "../include/rundefs.h"
22#include <fcntl.h> 22#include <fcntl.h>
23#include <linux/filter.h> 23#include <linux/filter.h>
24#include <sys/mman.h> 24#include <sys/mman.h>
25#include <sys/prctl.h> 25#include <sys/prctl.h>
26#include <unistd.h> 26#include <unistd.h>
27#include <stdio.h>
27 28
28__attribute__((constructor)) 29__attribute__((constructor))
29static void load_seccomp(void) { 30static void load_seccomp(void) {
30 int fd = open(RUN_SECCOMP_POSTEXEC, O_RDONLY); 31 int fd = open(RUN_SECCOMP_POSTEXEC, O_RDONLY);
31 if (fd == -1) 32 if (fd == -1) {
33 fprintf(stderr, "Error: cannot open seccomp postexec filter file %s\n", RUN_SECCOMP_POSTEXEC);
32 return; 34 return;
35 }
33 36
34 off_t size = lseek(fd, 0, SEEK_END); 37 off_t size = lseek(fd, 0, SEEK_END);
35 if (size <= 0) { 38 if (size <= 0) {
@@ -40,11 +43,12 @@ static void load_seccomp(void) {
40 struct sock_filter *filter = MAP_FAILED; 43 struct sock_filter *filter = MAP_FAILED;
41 if (size != 0) 44 if (size != 0)
42 filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); 45 filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
43
44 close(fd); 46 close(fd);
45 47
46 if (filter == MAP_FAILED) 48 if (filter == MAP_FAILED) {
49 fprintf(stderr, "Error: cannot map seccomp postexec filter data\n");
47 return; 50 return;
51 }
48 52
49 // install filter 53 // install filter
50 struct sock_fprog prog = { 54 struct sock_fprog prog = {
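Review bot: Both new error branches in `load_seccomp()` still `return` after printing, so when `open()` or `mmap()` fails the program keeps running without the post-exec seccomp filter. If the library is only preloaded when a post-exec filter was requested (not visible in this hunk), failing closed is the safer behaviour: replace `return;` with `_exit(1);` in the two branches. The open-failure message would also be more useful with the cause, e.g. `fprintf(stderr, "Error: cannot open seccomp postexec filter file %s: %s\n", RUN_SECCOMP_POSTEXEC, strerror(errno));`, which needs `<errno.h>` and `<string.h>`. The body of `load_seccomp()` continues past the end of the second hunk.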
diff --git a/src/libpostexecseccomp/libpostexecseccomp.h b/src/libpostexecseccomp/libpostexecseccomp.h
deleted file mode 100644
index 908364d43..000000000
--- a/src/libpostexecseccomp/libpostexecseccomp.h
+++ /dev/null
@@ -1,25 +0,0 @@
1/*
2 * Copyright (C) 2014-2019 Firejail Authors
3 *
4 * This file is part of firejail project
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/
20#ifndef LIBPOSTEXECSECCOMP_H
21#define LIBPOSTEXECSECCOMP_H
22
23#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec"
24
25#endif
diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in
index 3927c762a..5c27f3cb3 100644
--- a/src/libtracelog/Makefile.in
+++ b/src/libtracelog/Makefile.in
@@ -13,7 +13,7 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
13 13
14all: libtracelog.so 14all: libtracelog.so
15 15
16%.o : %.c $(H_FILE_LIST) 16%.o : %.c $(H_FILE_LIST) ../include/rundefs.h
17 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 17 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
18 18
19libtracelog.so: $(OBJS) 19libtracelog.so: $(OBJS)
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
index 420c9370c..3641a81af 100644
--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -32,6 +32,7 @@
32#include <syslog.h> 32#include <syslog.h>
33#include <dirent.h> 33#include <dirent.h>
34#include <limits.h> 34#include <limits.h>
35#include "../include/rundefs.h"
35 36
36//#define DEBUG 37//#define DEBUG
37 38
@@ -163,7 +164,6 @@ static char *storage_find(const char *str) {
163// 164//
164// load blacklist form /run/firejail/mnt/fslogger 165// load blacklist form /run/firejail/mnt/fslogger
165// 166//
166#define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger"
167#define MAXBUF 4096 167#define MAXBUF 4096
168static int blacklist_loaded = 0; 168static int blacklist_loaded = 0;
169static char *sandbox_pid_str = NULL; 169static char *sandbox_pid_str = NULL;
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index 39f836ed0..dc4bf34f2 100755
--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -13,7 +13,7 @@ after 100
13send -- "firejail --debug sleep 1; echo done\r" 13send -- "firejail --debug sleep 1; echo done\r"
14expect { 14expect {
15 timeout {puts "TESTING ERROR 0\n";exit} 15 timeout {puts "TESTING ERROR 0\n";exit}
16 "seccomp entries in /run/firejail/mnt/seccomp" 16 "seccomp entries in /run/firejail/mnt/seccomp/seccomp"
17} 17}
18expect { 18expect {
19 timeout {puts "TESTING ERROR 2\n";exit} 19 timeout {puts "TESTING ERROR 2\n";exit}
@@ -38,15 +38,15 @@ expect {
38} 38}
39expect { 39expect {
40 timeout {puts "TESTING ERROR 6\n";exit} 40 timeout {puts "TESTING ERROR 6\n";exit}
41 "Installing /run/firejail/mnt/seccomp seccomp filter" 41 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
42} 42}
43expect { 43expect {
44 timeout {puts "TESTING ERROR 7\n";exit} 44 timeout {puts "TESTING ERROR 7\n";exit}
45 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" 45 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
46} 46}
47expect { 47expect {
48 timeout {puts "TESTING ERROR 8\n";exit} 48 timeout {puts "TESTING ERROR 8\n";exit}
49 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" 49 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
50} 50}
51expect { 51expect {
52 timeout {puts "TESTING ERROR 9\n";exit} 52 timeout {puts "TESTING ERROR 9\n";exit}
@@ -58,15 +58,15 @@ after 100
58send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" 58send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r"
59expect { 59expect {
60 timeout {puts "TESTING ERROR 10\n";exit} 60 timeout {puts "TESTING ERROR 10\n";exit}
61 "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} 61 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
62 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} 62 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
63 "Child process initialized" 63 "Child process initialized"
64} 64}
65expect { 65expect {
66 timeout {puts "TESTING ERROR 13\n";exit} 66 timeout {puts "TESTING ERROR 13\n";exit}
67 "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} 67 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
68 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit} 68 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit}
69 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" 69 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
70} 70}
71expect { 71expect {
72 timeout {puts "TESTING ERROR 16\n";exit} 72 timeout {puts "TESTING ERROR 16\n";exit}
@@ -78,18 +78,18 @@ after 100
78send -- "firejail --debug --ignore=protocol sleep 1; echo done\r" 78send -- "firejail --debug --ignore=protocol sleep 1; echo done\r"
79expect { 79expect {
80 timeout {puts "TESTING ERROR 17\n";exit} 80 timeout {puts "TESTING ERROR 17\n";exit}
81 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit} 81 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit}
82 "Child process initialized" 82 "Child process initialized"
83} 83}
84expect { 84expect {
85 timeout {puts "TESTING ERROR 19\n";exit} 85 timeout {puts "TESTING ERROR 19\n";exit}
86 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit} 86 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit}
87 "Installing /run/firejail/mnt/seccomp seccomp filter" 87 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
88} 88}
89expect { 89expect {
90 timeout {puts "TESTING ERROR 21\n";exit} 90 timeout {puts "TESTING ERROR 21\n";exit}
91 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} 91 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
92 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" 92 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
93} 93}
94expect { 94expect {
95 timeout {puts "TESTING ERROR 23\n";exit} 95 timeout {puts "TESTING ERROR 23\n";exit}
@@ -105,7 +105,7 @@ expect {
105} 105}
106expect { 106expect {
107 timeout {puts "TESTING ERROR 25\n";exit} 107 timeout {puts "TESTING ERROR 25\n";exit}
108 "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter" 108 "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
109} 109}
110expect { 110expect {
111 timeout {puts "TESTING ERROR 26\n";exit} 111 timeout {puts "TESTING ERROR 26\n";exit}
@@ -117,18 +117,18 @@ expect {
117send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" 117send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
118expect { 118expect {
119 timeout {puts "TESTING ERROR 27\n";exit} 119 timeout {puts "TESTING ERROR 27\n";exit}
120 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit} 120 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
121 "Child process initialized" 121 "Child process initialized"
122} 122}
123expect { 123expect {
124 timeout {puts "TESTING ERROR 29\n";exit} 124 timeout {puts "TESTING ERROR 29\n";exit}
125 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit} 125 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
126 "Installing /run/firejail/mnt/seccomp seccomp filter" 126 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
127} 127}
128expect { 128expect {
129 timeout {puts "TESTING ERROR 31\n";exit} 129 timeout {puts "TESTING ERROR 31\n";exit}
130 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit} 130 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
131 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" 131 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
132} 132}
133expect { 133expect {
134 timeout {puts "TESTING ERROR 33\n";exit} 134 timeout {puts "TESTING ERROR 33\n";exit}
@@ -140,13 +140,13 @@ after 100
140send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" 140send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
141expect { 141expect {
142 timeout {puts "TESTING ERROR 33\n";exit} 142 timeout {puts "TESTING ERROR 33\n";exit}
143 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit} 143 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
144 "Child process initialized" 144 "Child process initialized"
145} 145}
146expect { 146expect {
147 timeout {puts "TESTING ERROR 35\n";exit} 147 timeout {puts "TESTING ERROR 35\n";exit}
148 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} 148 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
149 "Installing /run/firejail/mnt/seccomp seccomp filter" 149 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
150} 150}
151expect { 151expect {
152 timeout {puts "TESTING ERROR 37\n";exit} 152 timeout {puts "TESTING ERROR 37\n";exit}
diff --git a/test/filters/seccomp-join.exp b/test/filters/seccomp-join.exp
index f9201f926..f1d57238b 100755
--- a/test/filters/seccomp-join.exp
+++ b/test/filters/seccomp-join.exp
@@ -20,15 +20,15 @@ set spawn_id $id1
20send -- "firejail --name=jointesting --debug\r" 20send -- "firejail --name=jointesting --debug\r"
21expect { 21expect {
22 timeout {puts "TESTING ERROR 0\n";exit} 22 timeout {puts "TESTING ERROR 0\n";exit}
23 "Installing /run/firejail/mnt/seccomp seccomp filter" 23 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
24} 24}
25expect { 25expect {
26 timeout {puts "TESTING ERROR 1\n";exit} 26 timeout {puts "TESTING ERROR 1\n";exit}
27 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" 27 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
28} 28}
29expect { 29expect {
30 timeout {puts "TESTING ERROR 2\n";exit} 30 timeout {puts "TESTING ERROR 2\n";exit}
31 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" 31 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
32} 32}
33sleep 1 33sleep 1
34 34
@@ -37,15 +37,15 @@ set spawn_id $id2
37send -- "firejail --debug --join=jointesting\r" 37send -- "firejail --debug --join=jointesting\r"
38expect { 38expect {
39 timeout {puts "TESTING ERROR 3\n";exit} 39 timeout {puts "TESTING ERROR 3\n";exit}
40 "Installing /run/firejail/mnt/seccomp seccomp filter" 40 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
41} 41}
42expect { 42expect {
43 timeout {puts "TESTING ERROR 4\n";exit} 43 timeout {puts "TESTING ERROR 4\n";exit}
44 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" 44 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
45} 45}
46expect { 46expect {
47 timeout {puts "TESTING ERROR 5\n";exit} 47 timeout {puts "TESTING ERROR 5\n";exit}
48 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" 48 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
49} 49}
50sleep 1 50sleep 1
51 51
@@ -64,16 +64,16 @@ set spawn_id $id1
64send -- "firejail --name=jointesting --seccomp.block-secondary --debug\r" 64send -- "firejail --name=jointesting --seccomp.block-secondary --debug\r"
65expect { 65expect {
66 timeout {puts "TESTING ERROR 10\n";exit} 66 timeout {puts "TESTING ERROR 10\n";exit}
67 "Installing /run/firejail/mnt/seccomp seccomp filter" 67 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
68} 68}
69expect { 69expect {
70 timeout {puts "TESTING ERROR 11\n";exit} 70 timeout {puts "TESTING ERROR 11\n";exit}
71 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} 71 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
72 "Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter" 72 "Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter"
73} 73}
74expect { 74expect {
75 timeout {puts "TESTING ERROR 13\n";exit} 75 timeout {puts "TESTING ERROR 13\n";exit}
76 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" 76 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
77} 77}
78sleep 1 78sleep 1
79 79
@@ -81,15 +81,15 @@ set spawn_id $id2
81send -- "firejail --debug --join=jointesting\r" 81send -- "firejail --debug --join=jointesting\r"
82expect { 82expect {
83 timeout {puts "TESTING ERROR 14\n";exit} 83 timeout {puts "TESTING ERROR 14\n";exit}
84 "Installing /run/firejail/mnt/seccomp seccomp filter" 84 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
85} 85}
86expect { 86expect {
87 timeout {puts "TESTING ERROR 15\n";exit} 87 timeout {puts "TESTING ERROR 15\n";exit}
88 "Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter" 88 "Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter"
89} 89}
90expect { 90expect {
91 timeout {puts "TESTING ERROR 16\n";exit} 91 timeout {puts "TESTING ERROR 16\n";exit}
92 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" 92 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
93} 93}
94sleep 1 94sleep 1
95 95
@@ -106,7 +106,7 @@ set spawn_id $id1
106send -- "firejail --name=jointesting --noprofile --protocol=inet --debug\r" 106send -- "firejail --name=jointesting --noprofile --protocol=inet --debug\r"
107expect { 107expect {
108 timeout {puts "TESTING ERROR 22\n";exit} 108 timeout {puts "TESTING ERROR 22\n";exit}
109 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" 109 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
110} 110}
111sleep 1 111sleep 1
112 112
@@ -115,9 +115,9 @@ set spawn_id $id2
115send -- "firejail --debug --join=jointesting\r" 115send -- "firejail --debug --join=jointesting\r"
116expect { 116expect {
117 timeout {puts "TESTING ERROR 23\n";exit} 117 timeout {puts "TESTING ERROR 23\n";exit}
118 "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 24\n";exit} 118 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 24\n";exit}
119 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit} 119 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit}
120 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" 120 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
121} 121}
122sleep 1 122sleep 1
123 123
@@ -134,7 +134,7 @@ set spawn_id $id1
134send -- "firejail --name=jointesting --noprofile --memory-deny-write-execute --debug\r" 134send -- "firejail --name=jointesting --noprofile --memory-deny-write-execute --debug\r"
135expect { 135expect {
136 timeout {puts "TESTING ERROR 32\n";exit} 136 timeout {puts "TESTING ERROR 32\n";exit}
137 "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter" 137 "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
138} 138}
139sleep 1 139sleep 1
140 140
@@ -143,10 +143,10 @@ set spawn_id $id2
143send -- "firejail --debug --join=jointesting\r" 143send -- "firejail --debug --join=jointesting\r"
144expect { 144expect {
145 timeout {puts "TESTING ERROR 33\n";exit} 145 timeout {puts "TESTING ERROR 33\n";exit}
146 "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 34\n";exit} 146 "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 34\n";exit}
147 "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} 147 "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
148 "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 36\n";exit} 148 "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 36\n";exit}
149 "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter" 149 "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
150} 150}
151sleep 1 151sleep 1
152 152
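Review bot: The directory `/run/firejail/mnt/seccomp/` is repeated as a literal in every pattern of test/filters/seccomp-join.exp, including the negative ones at new lines 118–119 and 146–148, which fail the test when a joined process installs a filter the sandbox was started without. A negative pattern whose literal has drifted from the real `--debug` message simply never matches, so the check passes silently; only the positive patterns turn a stale path into a timeout. Defining the directory once near the top, `set sdir "/run/firejail/mnt/seccomp"`, and writing the patterns as `"Installing $sdir/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit}` would keep both kinds of pattern in step the next time the location moves. The same applies to the other test file on this page, which repeats the same literals; only the hunks visible here were reviewed.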