Diffstat (limited to 'etc/disable-common.inc')
-rw-r--r-- | etc/disable-common.inc | 270 |
1 files changed, 135 insertions, 135 deletions
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index f23a03876..103399f7d 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -3,102 +3,102 @@ | |||
3 | include /etc/firejail/disable-common.local | 3 | include /etc/firejail/disable-common.local |
4 | 4 | ||
5 | # History files in $HOME | 5 | # History files in $HOME |
6 | blacklist-nolog ${HOME}/.history | ||
7 | blacklist-nolog ${HOME}/.*_history | 6 | blacklist-nolog ${HOME}/.*_history |
7 | blacklist-nolog ${HOME}/.adobe | ||
8 | blacklist-nolog ${HOME}/.bash_history | 8 | blacklist-nolog ${HOME}/.bash_history |
9 | blacklist-nolog ${HOME}/.history | ||
9 | blacklist-nolog ${HOME}/.local/share/fish/fish_history | 10 | blacklist-nolog ${HOME}/.local/share/fish/fish_history |
10 | blacklist-nolog ${HOME}/.adobe | ||
11 | blacklist-nolog ${HOME}/.macromedia | 11 | blacklist-nolog ${HOME}/.macromedia |
12 | 12 | ||
13 | # X11 session autostart | 13 | # X11 session autostart |
14 | blacklist ${HOME}/.xinitrc | 14 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs |
15 | blacklist ${HOME}/.xserverrc | ||
16 | blacklist /etc/X11/Xsession.d | ||
17 | blacklist ${HOME}/.Xsession | 15 | blacklist ${HOME}/.Xsession |
18 | blacklist ${HOME}/.xsession | ||
19 | blacklist ${HOME}/.xsessionrc | ||
20 | blacklist ${HOME}/.xprofile | ||
21 | blacklist ${HOME}/.gnomerc | ||
22 | blacklist /etc/xdg/autostart | ||
23 | blacklist ${HOME}/.config/autostart | 16 | blacklist ${HOME}/.config/autostart |
24 | blacklist ${HOME}/.local/share/autostart | ||
25 | blacklist ${HOME}/.kde4/share/config/startupconfig | ||
26 | blacklist ${HOME}/.kde4/env | ||
27 | blacklist ${HOME}/.kde4/Autostart | ||
28 | blacklist ${HOME}/.kde4/share/autostart | ||
29 | blacklist ${HOME}/.kde4/shutdown | ||
30 | blacklist ${HOME}/.kde/share/config/startupconfig | ||
31 | blacklist ${HOME}/.kde/env | ||
32 | blacklist ${HOME}/.kde/Autostart | ||
33 | blacklist ${HOME}/.kde/share/autostart | ||
34 | blacklist ${HOME}/.kde/shutdown | ||
35 | blacklist ${HOME}/.config/startupconfig | ||
36 | blacklist ${HOME}/.config/autostart-scripts | 17 | blacklist ${HOME}/.config/autostart-scripts |
37 | blacklist ${HOME}/.config/plasma-workspace/env | ||
38 | blacklist ${HOME}/.config/plasma-workspace/shutdown | ||
39 | blacklist ${HOME}/.config/lxsession/LXDE/autostart | 18 | blacklist ${HOME}/.config/lxsession/LXDE/autostart |
40 | blacklist ${HOME}/.config/openbox/autostart | 19 | blacklist ${HOME}/.config/openbox/autostart |
41 | blacklist ${HOME}/.config/openbox/environment | 20 | blacklist ${HOME}/.config/openbox/environment |
21 | blacklist ${HOME}/.config/plasma-workspace/env | ||
22 | blacklist ${HOME}/.config/plasma-workspace/shutdown | ||
23 | blacklist ${HOME}/.config/startupconfig | ||
42 | blacklist ${HOME}/.fluxbox/startup | 24 | blacklist ${HOME}/.fluxbox/startup |
43 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs | 25 | blacklist ${HOME}/.gnomerc |
26 | blacklist ${HOME}/.kde/Autostart | ||
27 | blacklist ${HOME}/.kde/env | ||
28 | blacklist ${HOME}/.kde/share/autostart | ||
29 | blacklist ${HOME}/.kde/share/config/startupconfig | ||
30 | blacklist ${HOME}/.kde/shutdown | ||
31 | blacklist ${HOME}/.kde4/env | ||
32 | blacklist ${HOME}/.kde4/Autostart | ||
33 | blacklist ${HOME}/.kde4/share/autostart | ||
34 | blacklist ${HOME}/.kde4/shutdown | ||
35 | blacklist ${HOME}/.kde4/share/config/startupconfig | ||
36 | blacklist ${HOME}/.local/share/autostart | ||
37 | blacklist ${HOME}/.xinitrc | ||
38 | blacklist ${HOME}/.xprofile | ||
39 | blacklist ${HOME}/.xserverrc | ||
40 | blacklist ${HOME}/.xsession | ||
41 | blacklist ${HOME}/.xsessionrc | ||
42 | blacklist /etc/X11/Xsession.d | ||
43 | blacklist /etc/xdg/autostart | ||
44 | 44 | ||
45 | # KDE config | 45 | # KDE config |
46 | blacklist ${HOME}/.kde4/share/apps/konsole | 46 | blacklist ${HOME}/.config/*.notifyrc |
47 | blacklist ${HOME}/.kde4/share/apps/kwin | 47 | blacklist ${HOME}/.config/khotkeysrc |
48 | blacklist ${HOME}/.kde4/share/apps/plasma | 48 | blacklist ${HOME}/.config/krunnerrc |
49 | blacklist ${HOME}/.kde4/share/apps/solid | 49 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc |
50 | blacklist ${HOME}/.kde4/share/config/*.notifyrc | ||
51 | read-only ${HOME}/.kde4/share/config/kdeglobals | ||
52 | blacklist ${HOME}/.kde4/share/config/khotkeysrc | ||
53 | blacklist ${HOME}/.kde4/share/config/krunnerrc | ||
54 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc | ||
55 | read-only ${HOME}/.kde4/share/kde4/services | ||
56 | blacklist ${HOME}/.kde/share/apps/konsole | 50 | blacklist ${HOME}/.kde/share/apps/konsole |
57 | blacklist ${HOME}/.kde/share/apps/kwin | 51 | blacklist ${HOME}/.kde/share/apps/kwin |
58 | blacklist ${HOME}/.kde/share/apps/plasma | 52 | blacklist ${HOME}/.kde/share/apps/plasma |
59 | blacklist ${HOME}/.kde/share/apps/solid | 53 | blacklist ${HOME}/.kde/share/apps/solid |
60 | blacklist ${HOME}/.kde/share/config/*.notifyrc | 54 | blacklist ${HOME}/.kde/share/config/*.notifyrc |
61 | read-only ${HOME}/.kde/share/config/kdeglobals | ||
62 | blacklist ${HOME}/.kde/share/config/khotkeysrc | 55 | blacklist ${HOME}/.kde/share/config/khotkeysrc |
63 | blacklist ${HOME}/.kde/share/config/krunnerrc | 56 | blacklist ${HOME}/.kde/share/config/krunnerrc |
64 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc | 57 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc |
65 | read-only ${HOME}/.kde/share/kde4/services | 58 | blacklist ${HOME}/.kde4/share/apps/plasma |
66 | blacklist ${HOME}/.config/*.notifyrc | 59 | blacklist ${HOME}/.kde4/share/apps/konsole |
67 | read-only ${HOME}/.config/kdeglobals | 60 | blacklist ${HOME}/.kde4/share/apps/kwin |
68 | blacklist ${HOME}/.config/khotkeysrc | 61 | blacklist ${HOME}/.kde4/share/config/krunnerrc |
69 | blacklist ${HOME}/.config/krunnerrc | 62 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc |
70 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc | 63 | blacklist ${HOME}/.kde4/share/config/khotkeysrc |
64 | blacklist ${HOME}/.kde4/share/apps/solid | ||
65 | blacklist ${HOME}/.kde4/share/config/*.notifyrc | ||
71 | blacklist ${HOME}/.local/share/kglobalaccel | 66 | blacklist ${HOME}/.local/share/kglobalaccel |
72 | blacklist ${HOME}/.local/share/konsole | 67 | blacklist ${HOME}/.local/share/konsole |
73 | read-only ${HOME}/.local/share/kservices5 | ||
74 | blacklist ${HOME}/.local/share/kwin | 68 | blacklist ${HOME}/.local/share/kwin |
75 | blacklist ${HOME}/.local/share/plasma | 69 | blacklist ${HOME}/.local/share/plasma |
76 | blacklist ${HOME}/.local/share/solid | 70 | blacklist ${HOME}/.local/share/solid |
71 | read-only ${HOME}/.config/kdeglobals | ||
72 | read-only ${HOME}/.kde/share/config/kdeglobals | ||
73 | read-only ${HOME}/.kde/share/kde4/services | ||
74 | read-only ${HOME}/.kde4/share/kde4/services | ||
75 | read-only ${HOME}/.kde4/share/config/kdeglobals | ||
76 | read-only ${HOME}/.local/share/kservices5 | ||
77 | 77 | ||
78 | # systemd | 78 | # systemd |
79 | blacklist ${HOME}/.local/share/systemd | ||
80 | blacklist ${HOME}/.config/systemd | 79 | blacklist ${HOME}/.config/systemd |
80 | blacklist ${HOME}/.local/share/systemd | ||
81 | 81 | ||
82 | # VirtualBox | 82 | # VirtualBox |
83 | blacklist ${HOME}/.VirtualBox | 83 | blacklist ${HOME}/.VirtualBox |
84 | blacklist ${HOME}/VirtualBox VMs | ||
85 | blacklist ${HOME}/.config/VirtualBox | 84 | blacklist ${HOME}/.config/VirtualBox |
85 | blacklist ${HOME}/VirtualBox VMs | ||
86 | 86 | ||
87 | # VeraCrypt | 87 | # VeraCrypt |
88 | blacklist ${HOME}/.VeraCrypt | ||
88 | blacklist ${PATH}/veracrypt | 89 | blacklist ${PATH}/veracrypt |
89 | blacklist ${PATH}/veracrypt-uninstall.sh | 90 | blacklist ${PATH}/veracrypt-uninstall.sh |
90 | blacklist /usr/share/veracrypt | ||
91 | blacklist /usr/share/applications/veracrypt.* | 91 | blacklist /usr/share/applications/veracrypt.* |
92 | blacklist /usr/share/pixmaps/veracrypt.* | 92 | blacklist /usr/share/pixmaps/veracrypt.* |
93 | blacklist ${HOME}/.VeraCrypt | 93 | blacklist /usr/share/veracrypt |
94 | 94 | ||
95 | # TrueCrypt | 95 | # TrueCrypt |
96 | blacklist ${HOME}/.TrueCrypt | ||
96 | blacklist ${PATH}/truecrypt | 97 | blacklist ${PATH}/truecrypt |
97 | blacklist ${PATH}/truecrypt-uninstall.sh | 98 | blacklist ${PATH}/truecrypt-uninstall.sh |
98 | blacklist /usr/share/truecrypt | ||
99 | blacklist /usr/share/applications/truecrypt.* | 99 | blacklist /usr/share/applications/truecrypt.* |
100 | blacklist /usr/share/pixmaps/truecrypt.* | 100 | blacklist /usr/share/pixmaps/truecrypt.* |
101 | blacklist ${HOME}/.TrueCrypt | 101 | blacklist /usr/share/truecrypt |
102 | 102 | ||
103 | # zuluCrypt | 103 | # zuluCrypt |
104 | blacklist ${HOME}/.zuluCrypt | 104 | blacklist ${HOME}/.zuluCrypt |
@@ -107,162 +107,162 @@ blacklist ${PATH}/zuluCrypt-cli | |||
107 | blacklist ${PATH}/zuluMount-cli | 107 | blacklist ${PATH}/zuluMount-cli |
108 | 108 | ||
109 | # var | 109 | # var |
110 | blacklist /var/spool/cron | 110 | blacklist /var/lib/mysql/mysql.sock |
111 | blacklist /var/spool/anacron | 111 | blacklist /var/lib/mysqld/mysql.sock |
112 | blacklist /var/mail | 112 | blacklist /var/mail |
113 | blacklist /var/run/acpid.socket | 113 | blacklist /var/run/acpid.socket |
114 | blacklist /var/run/docker.sock | ||
114 | blacklist /var/run/minissdpd.sock | 115 | blacklist /var/run/minissdpd.sock |
115 | blacklist /var/run/rpcbind.sock | ||
116 | blacklist /var/run/mysqld/mysqld.sock | ||
117 | blacklist /var/run/mysql/mysqld.sock | 116 | blacklist /var/run/mysql/mysqld.sock |
118 | blacklist /var/lib/mysqld/mysql.sock | 117 | blacklist /var/run/mysqld/mysqld.sock |
119 | blacklist /var/lib/mysql/mysql.sock | 118 | blacklist /var/run/rpcbind.sock |
120 | blacklist /var/run/docker.sock | 119 | blacklist /var/spool/anacron |
120 | blacklist /var/spool/cron | ||
121 | 121 | ||
122 | # etc | 122 | # etc |
123 | blacklist /etc/anacrontab | ||
123 | blacklist /etc/cron* | 124 | blacklist /etc/cron* |
124 | blacklist /etc/profile.d | 125 | blacklist /etc/profile.d |
125 | blacklist /etc/rc.local | 126 | blacklist /etc/rc.local |
126 | blacklist /etc/anacrontab | ||
127 | 127 | ||
128 | # Startup files | 128 | # Startup files |
129 | read-only ${HOME}/.antigen | 129 | read-only ${HOME}/.antigen |
130 | read-only ${HOME}/.bash_login | ||
131 | read-only ${HOME}/.bashrc | ||
132 | read-only ${HOME}/.bash_aliases | 130 | read-only ${HOME}/.bash_aliases |
133 | read-only ${HOME}/.bash_profile | 131 | read-only ${HOME}/.bash_login |
134 | read-only ${HOME}/.bash_logout | 132 | read-only ${HOME}/.bash_logout |
135 | read-only ${HOME}/.zsh.d | 133 | read-only ${HOME}/.bash_profile |
136 | read-only ${HOME}/.zshenv | 134 | read-only ${HOME}/.bashrc |
137 | read-only ${HOME}/.zshrc | ||
138 | read-only ${HOME}/.zshrc.local | ||
139 | read-only ${HOME}/.zlogin | ||
140 | read-only ${HOME}/.zprofile | ||
141 | read-only ${HOME}/.zlogout | ||
142 | read-only ${HOME}/.zsh_files | ||
143 | read-only ${HOME}/.tcshrc | ||
144 | read-only ${HOME}/.cshrc | ||
145 | read-only ${HOME}/.csh_files | ||
146 | read-only ${HOME}/.config/fish | 135 | read-only ${HOME}/.config/fish |
147 | read-only ${HOME}/.local/share/fish | 136 | read-only ${HOME}/.csh_files |
148 | read-only ${HOME}/.profile | 137 | read-only ${HOME}/.cshrc |
149 | read-only ${HOME}/.forward | 138 | read-only ${HOME}/.forward |
139 | read-only ${HOME}/.local/share/fish | ||
150 | read-only ${HOME}/.login | 140 | read-only ${HOME}/.login |
151 | read-only ${HOME}/.logout | 141 | read-only ${HOME}/.logout |
142 | read-only ${HOME}/.pam_environment | ||
152 | read-only ${HOME}/.pgpkey | 143 | read-only ${HOME}/.pgpkey |
153 | read-only ${HOME}/.plan | 144 | read-only ${HOME}/.plan |
145 | read-only ${HOME}/.profile | ||
154 | read-only ${HOME}/.project | 146 | read-only ${HOME}/.project |
155 | read-only ${HOME}/.pam_environment | 147 | read-only ${HOME}/.tcshrc |
148 | read-only ${HOME}/.zlogin | ||
149 | read-only ${HOME}/.zlogout | ||
150 | read-only ${HOME}/.zprofile | ||
151 | read-only ${HOME}/.zsh.d | ||
152 | read-only ${HOME}/.zsh_files | ||
153 | read-only ${HOME}/.zshenv | ||
154 | read-only ${HOME}/.zshrc | ||
155 | read-only ${HOME}/.zshrc.local | ||
156 | 156 | ||
157 | # Initialization files that allow arbitrary command execution | 157 | # Initialization files that allow arbitrary command execution |
158 | read-only ${HOME}/.caffrc | 158 | read-only ${HOME}/.caffrc |
159 | read-only ${HOME}/.dotfiles | 159 | read-only ${HOME}/.dotfiles |
160 | read-only ${HOME}/dotfiles | ||
161 | read-only ${HOME}/.mailcap | ||
162 | read-only ${HOME}/.muttrc | ||
163 | read-only ${HOME}/.mutt/muttrc | ||
164 | read-only ${HOME}/.msmtprc | ||
165 | read-only ${HOME}/.exrc | ||
166 | read-only ${HOME}/_exrc | ||
167 | read-only ${HOME}/.vimrc | ||
168 | read-only ${HOME}/_vimrc | ||
169 | read-only ${HOME}/.gvimrc | ||
170 | read-only ${HOME}/_gvimrc | ||
171 | read-only ${HOME}/.vim | ||
172 | read-only ${HOME}/.emacs | 160 | read-only ${HOME}/.emacs |
173 | read-only ${HOME}/.emacs.d | 161 | read-only ${HOME}/.emacs.d |
174 | read-only ${HOME}/.nano | 162 | read-only ${HOME}/.exrc |
175 | read-only ${HOME}/.tmux.conf | 163 | read-only ${HOME}/.gvimrc |
176 | read-only ${HOME}/.iscreenrc | 164 | read-only ${HOME}/.iscreenrc |
165 | read-only ${HOME}/.mailcap | ||
166 | read-only ${HOME}/.msmtprc | ||
167 | read-only ${HOME}/.mutt/muttrc | ||
168 | read-only ${HOME}/.muttrc | ||
169 | read-only ${HOME}/.nano | ||
177 | read-only ${HOME}/.reportbugrc | 170 | read-only ${HOME}/.reportbugrc |
171 | read-only ${HOME}/.tmux.conf | ||
172 | read-only ${HOME}/.vim | ||
173 | read-only ${HOME}/.vimrc | ||
178 | read-only ${HOME}/.xmonad | 174 | read-only ${HOME}/.xmonad |
179 | read-only ${HOME}/.xscreensaver | 175 | read-only ${HOME}/.xscreensaver |
176 | read-only ${HOME}/_exrc | ||
177 | read-only ${HOME}/_gvimrc | ||
178 | read-only ${HOME}/_vimrc | ||
179 | read-only ${HOME}/dotfiles | ||
180 | 180 | ||
181 | # Make directories commonly found in $PATH read-only | 181 | # Make directories commonly found in $PATH read-only |
182 | read-only ${HOME}/bin | ||
183 | read-only ${HOME}/.gem | 182 | read-only ${HOME}/.gem |
184 | read-only ${HOME}/.luarocks | 183 | read-only ${HOME}/.luarocks |
185 | read-only ${HOME}/.npm-packages | 184 | read-only ${HOME}/.npm-packages |
185 | read-only ${HOME}/bin | ||
186 | 186 | ||
187 | # The following block breaks trash functionality in file managers | 187 | # The following block breaks trash functionality in file managers |
188 | #noexec ${HOME}/.local/share | ||
188 | #read-only ${HOME}/.local | 189 | #read-only ${HOME}/.local |
189 | #read-write ${HOME}/.local/share | 190 | #read-write ${HOME}/.local/share |
190 | #noexec ${HOME}/.local/share | ||
191 | blacklist ${HOME}/.local/share/Trash | 191 | blacklist ${HOME}/.local/share/Trash |
192 | 192 | ||
193 | # Write-protection for desktop entries | 193 | # Write-protection for desktop entries |
194 | read-only ${HOME}/.local/share/applications | 194 | read-only ${HOME}/.local/share/applications |
195 | 195 | ||
196 | # top secret | 196 | # top secret |
197 | blacklist ${HOME}/.ecryptfs | 197 | blacklist ${HOME}/*.kdb |
198 | blacklist ${HOME}/*.kdbx | ||
199 | blacklist ${HOME}/*.key | ||
198 | blacklist ${HOME}/.Private | 200 | blacklist ${HOME}/.Private |
199 | blacklist ${HOME}/.ssh | 201 | blacklist ${HOME}/.caff |
200 | blacklist ${HOME}/.cert | 202 | blacklist ${HOME}/.cert |
203 | blacklist ${HOME}/.config/keybase | ||
204 | blacklist ${HOME}/.ecryptfs | ||
201 | blacklist ${HOME}/.gnome2/keyrings | 205 | blacklist ${HOME}/.gnome2/keyrings |
202 | blacklist ${HOME}/.local/share/keyrings | 206 | blacklist ${HOME}/.gnupg |
203 | blacklist ${HOME}/.kde4/share/apps/kwallet | ||
204 | blacklist ${HOME}/.kde/share/apps/kwallet | 207 | blacklist ${HOME}/.kde/share/apps/kwallet |
208 | blacklist ${HOME}/.kde4/share/apps/kwallet | ||
209 | blacklist ${HOME}/.local/share/keyrings | ||
205 | blacklist ${HOME}/.local/share/kwalletd | 210 | blacklist ${HOME}/.local/share/kwalletd |
206 | blacklist ${HOME}/.config/keybase | ||
207 | blacklist ${HOME}/.netrc | ||
208 | blacklist ${HOME}/.gnupg | ||
209 | blacklist ${HOME}/.caff | ||
210 | blacklist ${HOME}/.smbcredentials | ||
211 | blacklist ${HOME}/*.kdbx | ||
212 | blacklist ${HOME}/*.kdb | ||
213 | blacklist ${HOME}/*.key | ||
214 | blacklist ${HOME}/.muttrc | ||
215 | blacklist ${HOME}/.mutt/muttrc | ||
216 | blacklist ${HOME}/.msmtprc | 211 | blacklist ${HOME}/.msmtprc |
212 | blacklist ${HOME}/.mutt/muttrc | ||
213 | blacklist ${HOME}/.muttrc | ||
214 | blacklist ${HOME}/.netrc | ||
217 | blacklist ${HOME}/.pki | 215 | blacklist ${HOME}/.pki |
218 | blacklist /etc/shadow | 216 | blacklist ${HOME}/.smbcredentials |
219 | blacklist /etc/gshadow | 217 | blacklist ${HOME}/.ssh |
220 | blacklist /etc/passwd- | 218 | blacklist /etc/group+ |
221 | blacklist /etc/group- | 219 | blacklist /etc/group- |
222 | blacklist /etc/shadow- | 220 | blacklist /etc/gshadow |
221 | blacklist /etc/gshadow+ | ||
223 | blacklist /etc/gshadow- | 222 | blacklist /etc/gshadow- |
224 | blacklist /etc/passwd+ | 223 | blacklist /etc/passwd+ |
225 | blacklist /etc/group+ | 224 | blacklist /etc/passwd- |
225 | blacklist /etc/shadow | ||
226 | blacklist /etc/shadow+ | 226 | blacklist /etc/shadow+ |
227 | blacklist /etc/gshadow+ | 227 | blacklist /etc/shadow- |
228 | blacklist /etc/ssh | 228 | blacklist /etc/ssh |
229 | blacklist /var/backup | ||
230 | blacklist /home/.ecryptfs | 229 | blacklist /home/.ecryptfs |
230 | blacklist /var/backup | ||
231 | 231 | ||
232 | # system directories | 232 | # system directories |
233 | blacklist /sbin | 233 | blacklist /sbin |
234 | blacklist /usr/sbin | ||
235 | blacklist /usr/local/sbin | 234 | blacklist /usr/local/sbin |
235 | blacklist /usr/sbin | ||
236 | 236 | ||
237 | # system management | 237 | # system management |
238 | blacklist ${PATH}/umount | ||
239 | blacklist ${PATH}/mount | ||
240 | blacklist ${PATH}/fusermount | ||
241 | blacklist ${PATH}/ntfs-3g | ||
242 | blacklist ${PATH}/at | 238 | blacklist ${PATH}/at |
243 | blacklist ${PATH}/su | 239 | blacklist ${PATH}/chage |
244 | blacklist ${PATH}/sudo | 240 | blacklist ${PATH}/chfn |
245 | blacklist ${PATH}/xinput | 241 | blacklist ${PATH}/chsh |
242 | blacklist ${PATH}/crontab | ||
246 | blacklist ${PATH}/evtest | 243 | blacklist ${PATH}/evtest |
247 | blacklist ${PATH}/xev | 244 | blacklist ${PATH}/expiry |
248 | blacklist ${PATH}/strace | 245 | blacklist ${PATH}/fusermount |
246 | blacklist ${PATH}/gpasswd | ||
247 | blacklist ${PATH}/ksu | ||
248 | blacklist ${PATH}/mount | ||
249 | blacklist ${PATH}/mount.ecryptfs_private | ||
249 | blacklist ${PATH}/nc | 250 | blacklist ${PATH}/nc |
250 | blacklist ${PATH}/ncat | 251 | blacklist ${PATH}/ncat |
251 | blacklist ${PATH}/gpasswd | ||
252 | blacklist ${PATH}/newgidmap | 252 | blacklist ${PATH}/newgidmap |
253 | blacklist ${PATH}/newgrp | 253 | blacklist ${PATH}/newgrp |
254 | blacklist ${PATH}/newuidmap | 254 | blacklist ${PATH}/newuidmap |
255 | blacklist ${PATH}/ntfs-3g | ||
255 | blacklist ${PATH}/pkexec | 256 | blacklist ${PATH}/pkexec |
257 | blacklist ${PATH}/procmail | ||
256 | blacklist ${PATH}/sg | 258 | blacklist ${PATH}/sg |
257 | blacklist ${PATH}/crontab | 259 | blacklist ${PATH}/strace |
258 | blacklist ${PATH}/ksu | 260 | blacklist ${PATH}/su |
259 | blacklist ${PATH}/chsh | 261 | blacklist ${PATH}/sudo |
260 | blacklist ${PATH}/chfn | 262 | blacklist ${PATH}/umount |
261 | blacklist ${PATH}/chage | ||
262 | blacklist ${PATH}/expiry | ||
263 | blacklist ${PATH}/unix_chkpwd | 263 | blacklist ${PATH}/unix_chkpwd |
264 | blacklist ${PATH}/procmail | 264 | blacklist ${PATH}/xev |
265 | blacklist ${PATH}/mount.ecryptfs_private | 265 | blacklist ${PATH}/xinput |
266 | 266 | ||
267 | # other SUID binaries | 267 | # other SUID binaries |
268 | blacklist /usr/lib/virtualbox | 268 | blacklist /usr/lib/virtualbox |
@@ -276,11 +276,9 @@ blacklist /tmp/tmux-* | |||
276 | # disable terminals running as server resulting in sandbox escape | 276 | # disable terminals running as server resulting in sandbox escape |
277 | blacklist ${PATH}/gnome-terminal | 277 | blacklist ${PATH}/gnome-terminal |
278 | blacklist ${PATH}/gnome-terminal.wrapper | 278 | blacklist ${PATH}/gnome-terminal.wrapper |
279 | blacklist ${PATH}/xfce4-terminal | 279 | blacklist ${PATH}/lilyterm |
280 | blacklist ${PATH}/xfce4-terminal.wrapper | ||
281 | blacklist ${PATH}/mate-terminal | 280 | blacklist ${PATH}/mate-terminal |
282 | blacklist ${PATH}/mate-terminal.wrapper | 281 | blacklist ${PATH}/mate-terminal.wrapper |
283 | blacklist ${PATH}/lilyterm | ||
284 | blacklist ${PATH}/pantheon-terminal | 282 | blacklist ${PATH}/pantheon-terminal |
285 | blacklist ${PATH}/roxterm | 283 | blacklist ${PATH}/roxterm |
286 | blacklist ${PATH}/roxterm-config | 284 | blacklist ${PATH}/roxterm-config |
@@ -288,12 +286,14 @@ blacklist ${PATH}/terminix | |||
288 | blacklist ${PATH}/tilix | 286 | blacklist ${PATH}/tilix |
289 | blacklist ${PATH}/urxvtc | 287 | blacklist ${PATH}/urxvtc |
290 | blacklist ${PATH}/urxvtcd | 288 | blacklist ${PATH}/urxvtcd |
291 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 | 289 | blacklist ${PATH}/xfce4-terminal |
290 | blacklist ${PATH}/xfce4-terminal.wrapper | ||
292 | # blacklist ${PATH}/konsole | 291 | # blacklist ${PATH}/konsole |
292 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 | ||
293 | 293 | ||
294 | # kernel files | 294 | # kernel files |
295 | blacklist /vmlinuz* | ||
296 | blacklist /initrd* | 295 | blacklist /initrd* |
296 | blacklist /vmlinuz* | ||
297 | 297 | ||
298 | # complement noexec ${HOME} and noexec /tmp | 298 | # complement noexec ${HOME} and noexec /tmp |
299 | noexec ${HOME}/.config/pulse | 299 | noexec ${HOME}/.config/pulse |
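Review bot: The `.kde4` groups on the new side are left unsorted while the sibling `.kde` groups are, which undercuts the alphabetical ordering this change appears to be aiming for: new lines 58–65 run `plasma, konsole, kwin, krunnerrc, plasma-desktop-appletsrc, khotkeysrc, solid, *.notifyrc`, new 31–35 put `.kde4/env` before `.kde4/Autostart`, and new 74 (`.kde4/share/kde4/services`) precedes new 75 (`.kde4/share/config/kdeglobals`). Ordering them like the `.kde` block directly above (for the KDE config group: `apps/konsole`, `apps/kwin`, `apps/plasma`, `apps/solid`, `config/*.notifyrc`, `config/khotkeysrc`, `config/krunnerrc`, `config/plasma-desktop-appletsrc`) preserves the by-eye duplicate/gap check that a sorted list is meant to enable. In the terminal hunk the explanatory note now trails the directive it explains (new 291–292); `# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04` should stay on the line above `# blacklist ${PATH}/konsole`. The sorted view also makes visible that `${HOME}/.msmtprc`, `${HOME}/.mutt/muttrc` and `${HOME}/.muttrc` appear both as `read-only` (new 166–168) and as `blacklist` (new 211–213); the read-only entries are presumably dead once the path is blacklisted, so either drop them or add a one-line comment stating the overlap is intentional.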