Diffstat (limited to 'etc/inc/disable-common.inc')
-rw-r--r-- | etc/inc/disable-common.inc | 497 |
1 files changed, 497 insertions, 0 deletions
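diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
new file mode 100644
index 000000000..92c6cd2a8
--- /dev/null
+++ b/etc/inc/disable-common.inc
@@ -0,0 +1,497 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-common.local
+
+# The following block breaks trash functionality in file managers
+#read-only ${HOME}/.local
+#read-write ${HOME}/.local/share
+blacklist ${HOME}/.local/share/Trash
+
+# History files in $HOME and clipboard managers
+blacklist-nolog ${HOME}/.*_history
+blacklist-nolog ${HOME}/.adobe
+blacklist-nolog ${HOME}/.cache/greenclip*
+blacklist-nolog ${HOME}/.histfile
+blacklist-nolog ${HOME}/.history
+blacklist-nolog ${HOME}/.kde/share/apps/klipper
+blacklist-nolog ${HOME}/.kde4/share/apps/klipper
+blacklist-nolog ${HOME}/.local/share/fish/fish_history
+blacklist-nolog ${HOME}/.local/share/klipper
+blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog ${HOME}/.mupdf.history
+blacklist-nolog ${HOME}/.python-history
+blacklist-nolog ${HOME}/.python_history
+blacklist-nolog ${HOME}/.pythonhist
+blacklist-nolog ${HOME}/.lesshst
+blacklist-nolog ${HOME}/.viminfo
+blacklist-nolog /tmp/clipmenu*
+
+# X11 session autostart
+# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
+blacklist ${HOME}/.Xsession
+blacklist ${HOME}/.blackbox
+blacklist ${HOME}/.config/autostart
+blacklist ${HOME}/.config/autostart-scripts
+blacklist ${HOME}/.config/awesome
+blacklist ${HOME}/.config/i3
+blacklist ${HOME}/.config/lxsession/LXDE/autostart
+blacklist ${HOME}/.config/openbox
+blacklist ${HOME}/.config/plasma-workspace
+blacklist ${HOME}/.config/startupconfig
+blacklist ${HOME}/.config/startupconfigkeys
+blacklist ${HOME}/.fluxbox
+blacklist ${HOME}/.gnomerc
+blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/env
+blacklist ${HOME}/.kde/share/autostart
+blacklist ${HOME}/.kde/share/config/startupconfig
+blacklist ${HOME}/.kde/share/config/startupconfigkeys
+blacklist ${HOME}/.kde/shutdown
+blacklist ${HOME}/.kde4/env
+blacklist ${HOME}/.kde4/Autostart
+blacklist ${HOME}/.kde4/share/autostart
+blacklist ${HOME}/.kde4/shutdown
+blacklist ${HOME}/.kde4/share/config/startupconfig
+blacklist ${HOME}/.kde4/share/config/startupconfigkeys
+blacklist ${HOME}/.local/share/autostart
+blacklist ${HOME}/.xinitrc
+blacklist ${HOME}/.xprofile
+blacklist ${HOME}/.xserverrc
+blacklist ${HOME}/.xsession
+blacklist ${HOME}/.xsessionrc
+blacklist /etc/X11/Xsession.d
+blacklist /etc/xdg/autostart
+read-only ${HOME}/.Xauthority
+
+# Session manager
+?HAS_X11: blacklist ${HOME}/.ICEauthority
+?HAS_X11: blacklist /tmp/.ICE-unix
+
+# KDE config
+blacklist ${HOME}/.config/khotkeysrc
+blacklist ${HOME}/.config/krunnerrc
+blacklist ${HOME}/.config/kscreenlockerrc
+blacklist ${HOME}/.config/ksslcertificatemanager
+blacklist ${HOME}/.config/kwalletrc
+blacklist ${HOME}/.config/kwinrc
+blacklist ${HOME}/.config/kwinrulesrc
+blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
+blacklist ${HOME}/.config/plasmashellrc
+blacklist ${HOME}/.config/plasmavaultrc
+blacklist ${HOME}/.kde/share/apps/kwin
+blacklist ${HOME}/.kde/share/apps/plasma
+blacklist ${HOME}/.kde/share/apps/solid
+blacklist ${HOME}/.kde/share/config/khotkeysrc
+blacklist ${HOME}/.kde/share/config/krunnerrc
+blacklist ${HOME}/.kde/share/config/kscreensaverrc
+blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde/share/config/kwalletrc
+blacklist ${HOME}/.kde/share/config/kwinrc
+blacklist ${HOME}/.kde/share/config/kwinrulesrc
+blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
+blacklist ${HOME}/.kde4/share/apps/kwin
+blacklist ${HOME}/.kde4/share/apps/plasma
+blacklist ${HOME}/.kde4/share/apps/solid
+blacklist ${HOME}/.kde4/share/config/khotkeysrc
+blacklist ${HOME}/.kde4/share/config/krunnerrc
+blacklist ${HOME}/.kde4/share/config/kscreensaverrc
+blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde4/share/config/kwalletrc
+blacklist ${HOME}/.kde4/share/config/kwinrc
+blacklist ${HOME}/.kde4/share/config/kwinrulesrc
+blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
+blacklist ${HOME}/.local/share/kglobalaccel
+blacklist ${HOME}/.local/share/kwin
+blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
+blacklist ${HOME}/.local/share/solid
+read-only ${HOME}/.cache/ksycoca5_*
+read-only ${HOME}/.config/*notifyrc
+read-only ${HOME}/.config/kdeglobals
+read-only ${HOME}/.config/kio_httprc
+read-only ${HOME}/.config/kiorc
+read-only ${HOME}/.config/kioslaverc
+read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.kde/share/apps/konsole
+read-only ${HOME}/.kde/share/apps/kssl
+read-only ${HOME}/.kde/share/config/*notifyrc
+read-only ${HOME}/.kde/share/config/kdeglobals
+read-only ${HOME}/.kde/share/config/kio_httprc
+read-only ${HOME}/.kde/share/config/kioslaverc
+read-only ${HOME}/.kde/share/config/ksslcablacklist
+read-only ${HOME}/.kde/share/kde4/services
+read-only ${HOME}/.kde4/share/apps/konsole
+read-only ${HOME}/.kde4/share/apps/kssl
+read-only ${HOME}/.kde4/share/config/*notifyrc
+read-only ${HOME}/.kde4/share/config/kdeglobals
+read-only ${HOME}/.kde4/share/config/kio_httprc
+read-only ${HOME}/.kde4/share/config/kioslaverc
+read-only ${HOME}/.kde4/share/config/ksslcablacklist
+read-only ${HOME}/.kde4/share/kde4/services
+read-only ${HOME}/.local/share/konsole
+read-only ${HOME}/.local/share/kservices5
+read-only ${HOME}/.local/share/kssl
+
+# KDE sockets
+blacklist ${RUNUSER}/*.slave-socket
+blacklist ${RUNUSER}/kdeinit5__*
+blacklist ${RUNUSER}/kdesud_*
+?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
+?HAS_NODBUS: blacklist /tmp/ksocket-*
+
+# gnome
+# contains extensions, last used times of applications, and notifications
+blacklist ${HOME}/.local/share/gnome-shell
+# no direct modification of dconf database
+read-only ${HOME}/.config/dconf
+
+# systemd
+blacklist ${HOME}/.config/systemd
+blacklist ${HOME}/.local/share/systemd
+blacklist /var/lib/systemd
+# blacklist /var/run/systemd
+# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
+
+# openrc
+blacklist /etc/runlevels/
+blacklist /etc/init.d/
+blacklist /etc/rc.conf
+
+# VirtualBox
+blacklist ${HOME}/.VirtualBox
+blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/VirtualBox VMs
+
+# GNOME Boxes
+blacklist ${HOME}/.config/gnome-boxes
+blacklist ${HOME}/.local/share/gnome-boxes
+
+# libvirt
+blacklist ${HOME}/.cache/libvirt
+blacklist ${HOME}/.config/libvirt
+blacklist ${RUNUSER}/libvirt
+blacklist /var/cache/libvirt
+blacklist /var/lib/libvirt
+blacklist /var/log/libvirt
+
+# VeraCrypt
+blacklist ${HOME}/.VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist /usr/share/veracrypt
+
+# TrueCrypt
+blacklist ${HOME}/.TrueCrypt
+blacklist ${PATH}/truecrypt
+blacklist ${PATH}/truecrypt-uninstall.sh
+blacklist /usr/share/applications/truecrypt.*
+blacklist /usr/share/pixmaps/truecrypt.*
+blacklist /usr/share/truecrypt
+
+# zuluCrypt
+blacklist ${HOME}/.zuluCrypt
+blacklist ${HOME}/.zuluCrypt-socket
+blacklist ${PATH}/zuluCrypt-cli
+blacklist ${PATH}/zuluMount-cli
+
+# var
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
+blacklist /var/lib/mysql/mysql.sock
+blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/upower
+# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
+# every sandbox, unless --writable-var-log switch is activated
+blacklist /var/mail
+blacklist /var/opt
+blacklist /var/run/acpid.socket
+blacklist /var/run/docker.sock
+blacklist /var/run/minissdpd.sock
+blacklist /var/run/mysql/mysqld.sock
+blacklist /var/run/mysqld/mysqld.sock
+blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/spool/anacron
+blacklist /var/spool/cron
+blacklist /var/spool/mail
+
+# etc
+blacklist /etc/anacrontab
+blacklist /etc/cron*
+blacklist /etc/profile.d
+blacklist /etc/rc.local
+# rc1.d, rc2.d, ...
+blacklist /etc/rc?.d
+blacklist /etc/kernel*
+blacklist /etc/grub*
+blacklist /etc/dkms
+blacklist /etc/apparmor*
+blacklist /etc/selinux
+blacklist /etc/modules*
+blacklist /etc/logrotate*
+blacklist /etc/adduser.conf
+
+# Startup files
+read-only ${HOME}/.antigen
+read-only ${HOME}/.bash_aliases
+read-only ${HOME}/.bash_login
+read-only ${HOME}/.bash_logout
+read-only ${HOME}/.bash_profile
+read-only ${HOME}/.bashrc
+read-only ${HOME}/.config/environment.d
+read-only ${HOME}/.config/fish
+read-only ${HOME}/.csh_files
+read-only ${HOME}/.cshrc
+read-only ${HOME}/.forward
+read-only ${HOME}/.local/share/fish
+read-only ${HOME}/.login
+read-only ${HOME}/.logout
+read-only ${HOME}/.oh-my-zsh
+read-only ${HOME}/.pam_environment
+read-only ${HOME}/.pgpkey
+read-only ${HOME}/.plan
+read-only ${HOME}/.profile
+read-only ${HOME}/.project
+read-only ${HOME}/.tcshrc
+read-only ${HOME}/.zlogin
+read-only ${HOME}/.zlogout
+read-only ${HOME}/.zprofile
+read-only ${HOME}/.zsh.d
+read-only ${HOME}/.zsh_files
+read-only ${HOME}/.zshenv
+read-only ${HOME}/.zshrc
+read-only ${HOME}/.zshrc.local
+
+# Remote access
+read-only ${HOME}/.ssh/authorized_keys
+
+# Initialization files that allow arbitrary command execution
+read-only ${HOME}/.caffrc
+read-only ${HOME}/.cargo/env
+read-only ${HOME}/.dotfiles
+read-only ${HOME}/.emacs
+read-only ${HOME}/.emacs.d
+read-only ${HOME}/.exrc
+read-only ${HOME}/.gvimrc
+read-only ${HOME}/.homesick
+read-only ${HOME}/.iscreenrc
+read-only ${HOME}/.local/share/cool-retro-term
+read-only ${HOME}/.mailcap
+read-only ${HOME}/.msmtprc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.nano
+read-only ${HOME}/.pythonrc.py
+read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.tmux.conf
+read-only ${HOME}/.vim
+read-only ${HOME}/.viminfo
+read-only ${HOME}/.vimrc
+read-only ${HOME}/.xmonad
+read-only ${HOME}/.xscreensaver
+read-only ${HOME}/_exrc
+read-only ${HOME}/_gvimrc
+read-only ${HOME}/_vimrc
+read-only ${HOME}/dotfiles
+
+# Make directories commonly found in $PATH read-only
+read-only ${HOME}/.gem
+read-only ${HOME}/.luarocks
+read-only ${HOME}/.npm-packages
+read-only ${HOME}/bin
+read-only ${HOME}/.bin
+read-only ${HOME}/.local/bin
+read-only ${HOME}/.cargo/bin
+read-only ${HOME}/.cargo/env
+
+# Write-protection for desktop entries
+read-only ${HOME}/.config/menus
+read-only ${HOME}/.gnome/apps
+read-only ${HOME}/.local/share/applications
+
+# Write-protection for thumbnailer dir
+read-only ${HOME}/.local/share/thumbnailers
+
+# top secret
+blacklist ${HOME}/*.kdb
+blacklist ${HOME}/*.kdbx
+blacklist ${HOME}/*.key
+blacklist ${HOME}/.Private
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.cargo/credentials
+blacklist ${HOME}/.cert
+blacklist ${HOME}/.config/keybase
+blacklist ${HOME}/.davfs2/secrets
+blacklist ${HOME}/.ecryptfs
+blacklist ${HOME}/.fetchmailrc
+blacklist ${HOME}/.fscrypt
+blacklist ${HOME}/.git-credential-cache
+blacklist ${HOME}/.git-credentials
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.config/hub
+blacklist ${HOME}/.kde/share/apps/kwallet
+blacklist ${HOME}/.kde4/share/apps/kwallet
+blacklist ${HOME}/.local/share/keyrings
+blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.local/share/plasma-vault
+blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.mutt
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.netrc
+blacklist ${HOME}/.nyx
+blacklist ${HOME}/.pki
+blacklist ${HOME}/.local/share/pki
+blacklist ${HOME}/.smbcredentials
+blacklist ${HOME}/.ssh
+blacklist ${HOME}/.vaults
+blacklist /.fscrypt
+blacklist /etc/davfs2/secrets
+blacklist /etc/group+
+blacklist /etc/group-
+blacklist /etc/gshadow
+blacklist /etc/gshadow+
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/passwd-
+blacklist /etc/shadow
+blacklist /etc/shadow+
+blacklist /etc/shadow-
+blacklist /etc/ssh
+blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
+blacklist /var/backup
+
+# cloud provider configuration
+blacklist ${HOME}/.aws
+blacklist ${HOME}/.boto
+blacklist ${HOME}/.config/gcloud
+blacklist ${HOME}/.kube
+blacklist ${HOME}/.passwd-s3fs
+blacklist ${HOME}/.s3cmd
+blacklist /etc/boto.cfg
+
+# system directories
+blacklist /sbin
+blacklist /usr/local/sbin
+blacklist /usr/sbin
+
+# system management
+blacklist ${PATH}/at
+blacklist ${PATH}/chage
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chsh
+blacklist ${PATH}/crontab
+blacklist ${PATH}/evtest
+blacklist ${PATH}/expiry
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/gksu
+blacklist ${PATH}/gksudo
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/kdesudo
+blacklist ${PATH}/ksu
+blacklist ${PATH}/mount
+blacklist ${PATH}/mount.ecryptfs_private
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/ntfs-3g
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/procmail
+blacklist ${PATH}/sg
+blacklist ${PATH}/strace
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/umount
+blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/xev
+blacklist ${PATH}/xinput
+
+# other SUID binaries
+blacklist /usr/lib/virtualbox
+blacklist /usr/lib64/virtualbox
+
+# prevent lxterminal connecting to an existing lxterminal session
+blacklist /tmp/.lxterminal-socket*
+# prevent tmux connecting to an existing session
+blacklist /tmp/tmux-*
+
+# disable terminals running as server resulting in sandbox escape
+blacklist ${PATH}/lxterminal
+blacklist ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/tilix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
+blacklist ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal.wrapper
+# blacklist ${PATH}/konsole
+# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+
+# kernel files
+blacklist /initrd*
+blacklist /vmlinuz*
+
+# snapshot files
+blacklist /.snapshots
+
+# flatpak
+blacklist ${HOME}/.config/flatpak
+blacklist ${HOME}/.local/share/flatpak/app
+blacklist ${HOME}/.local/share/flatpak/appstream
+blacklist ${HOME}/.local/share/flatpak/db
+read-only ${HOME}/.local/share/flatpak/exports
+blacklist ${HOME}/.local/share/flatpak/oci
+blacklist ${HOME}/.local/share/flatpak/overrides
+blacklist ${HOME}/.local/share/flatpak/repo
+blacklist ${HOME}/.local/share/flatpak/runtime
+blacklist ${HOME}/.var
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
+blacklist ${RUNUSER}/.dbus-proxy
+blacklist ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak-helper
+blacklist /usr/share/flatpak
+blacklist /var/lib/flatpak
+# most of the time bwrap is SUID binary
+blacklist ${PATH}/bwrap
+
+# mail directories used by mutt
+blacklist ${HOME}/.Mail
+blacklist ${HOME}/.mail
+blacklist ${HOME}/.signature
+blacklist ${HOME}/Mail
+blacklist ${HOME}/mail
+blacklist ${HOME}/postponed
+blacklist ${HOME}/sent
+
+# kernel configuration
+blacklist /proc/config.gz
+
+# prevent DNS malware attempting to communicate with the server
+# using regular DNS tools
+blacklist ${PATH}/dig
+blacklist ${PATH}/kdig
+blacklist ${PATH}/nslookup
+blacklist ${PATH}/host
+blacklist ${PATH}/dlint
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/iodine
+blacklist ${PATH}/knsupdate
+blacklist ${PATH}/resolvectl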
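Review bot: Several paths appear under two different directives with no comment saying which one is meant to apply: `${HOME}/.msmtprc`, `${HOME}/.muttrc` and `${HOME}/.mutt/muttrc` are `read-only` at file lines 286–288 and blacklisted again at 344–346, `${HOME}/.viminfo` is `blacklist-nolog` at line 26 and `read-only` at line 294, and `${HOME}/.ssh/authorized_keys` is `read-only` at line 272 while `${HOME}/.ssh` is blacklisted at line 352. If the `read-only` entries are meant as a fallback for profiles that lift the blacklist with `noblacklist`, state that once near the top, e.g. `# read-only entries still apply when a profile un-blacklists the same path`; otherwise drop the weaker entry so the effective policy is readable from the file. `read-only ${HOME}/.cargo/env` is a plain duplicate (lines 276 and 311), and the second copy sits under the "directories commonly found in $PATH" heading although it is a file. The globs in the "top secret" block (`${HOME}/*.kdb`, `${HOME}/*.kdbx`, `${HOME}/*.key`) presumably match only entries directly in the home directory, so a one-line comment such as `# only matches files directly in ${HOME}; key databases in subdirectories are not covered` would keep readers from assuming broader coverage.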