Diffstat (limited to 'etc/inc/disable-common.inc')
-rw-r--r-- | etc/inc/disable-common.inc | 684 |
1 files changed, 342 insertions, 342 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 2dc53d311..4c83284ee 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -5,63 +5,63 @@ include disable-common.local | |||
5 | # The following block breaks trash functionality in file managers | 5 | # The following block breaks trash functionality in file managers |
6 | #read-only ${HOME}/.local | 6 | #read-only ${HOME}/.local |
7 | #read-write ${HOME}/.local/share | 7 | #read-write ${HOME}/.local/share |
8 | blacklist ${HOME}/.local/share/Trash | 8 | deny ${HOME}/.local/share/Trash |
9 | 9 | ||
10 | # History files in $HOME and clipboard managers | 10 | # History files in $HOME and clipboard managers |
11 | blacklist-nolog ${HOME}/.*_history | 11 | deny-nolog ${HOME}/.*_history |
12 | blacklist-nolog ${HOME}/.adobe | 12 | deny-nolog ${HOME}/.adobe |
13 | blacklist-nolog ${HOME}/.cache/greenclip* | 13 | deny-nolog ${HOME}/.cache/greenclip* |
14 | blacklist-nolog ${HOME}/.histfile | 14 | deny-nolog ${HOME}/.histfile |
15 | blacklist-nolog ${HOME}/.history | 15 | deny-nolog ${HOME}/.history |
16 | blacklist-nolog ${HOME}/.kde/share/apps/klipper | 16 | deny-nolog ${HOME}/.kde/share/apps/klipper |
17 | blacklist-nolog ${HOME}/.kde4/share/apps/klipper | 17 | deny-nolog ${HOME}/.kde4/share/apps/klipper |
18 | blacklist-nolog ${HOME}/.local/share/fish/fish_history | 18 | deny-nolog ${HOME}/.local/share/fish/fish_history |
19 | blacklist-nolog ${HOME}/.local/share/klipper | 19 | deny-nolog ${HOME}/.local/share/klipper |
20 | blacklist-nolog ${HOME}/.macromedia | 20 | deny-nolog ${HOME}/.macromedia |
21 | blacklist-nolog ${HOME}/.mupdf.history | 21 | deny-nolog ${HOME}/.mupdf.history |
22 | blacklist-nolog ${HOME}/.python-history | 22 | deny-nolog ${HOME}/.python-history |
23 | blacklist-nolog ${HOME}/.python_history | 23 | deny-nolog ${HOME}/.python_history |
24 | blacklist-nolog ${HOME}/.pythonhist | 24 | deny-nolog ${HOME}/.pythonhist |
25 | blacklist-nolog ${HOME}/.lesshst | 25 | deny-nolog ${HOME}/.lesshst |
26 | blacklist-nolog ${HOME}/.viminfo | 26 | deny-nolog ${HOME}/.viminfo |
27 | blacklist-nolog /tmp/clipmenu* | 27 | deny-nolog /tmp/clipmenu* |
28 | 28 | ||
29 | # X11 session autostart | 29 | # X11 session autostart |
30 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs | 30 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs |
31 | blacklist ${HOME}/.Xsession | 31 | deny ${HOME}/.Xsession |
32 | blacklist ${HOME}/.blackbox | 32 | deny ${HOME}/.blackbox |
33 | blacklist ${HOME}/.config/autostart | 33 | deny ${HOME}/.config/autostart |
34 | blacklist ${HOME}/.config/autostart-scripts | 34 | deny ${HOME}/.config/autostart-scripts |
35 | blacklist ${HOME}/.config/awesome | 35 | deny ${HOME}/.config/awesome |
36 | blacklist ${HOME}/.config/i3 | 36 | deny ${HOME}/.config/i3 |
37 | blacklist ${HOME}/.config/sway | 37 | deny ${HOME}/.config/sway |
38 | blacklist ${HOME}/.config/lxsession/LXDE/autostart | 38 | deny ${HOME}/.config/lxsession/LXDE/autostart |
39 | blacklist ${HOME}/.config/openbox | 39 | deny ${HOME}/.config/openbox |
40 | blacklist ${HOME}/.config/plasma-workspace | 40 | deny ${HOME}/.config/plasma-workspace |
41 | blacklist ${HOME}/.config/startupconfig | 41 | deny ${HOME}/.config/startupconfig |
42 | blacklist ${HOME}/.config/startupconfigkeys | 42 | deny ${HOME}/.config/startupconfigkeys |
43 | blacklist ${HOME}/.fluxbox | 43 | deny ${HOME}/.fluxbox |
44 | blacklist ${HOME}/.gnomerc | 44 | deny ${HOME}/.gnomerc |
45 | blacklist ${HOME}/.kde/Autostart | 45 | deny ${HOME}/.kde/Autostart |
46 | blacklist ${HOME}/.kde/env | 46 | deny ${HOME}/.kde/env |
47 | blacklist ${HOME}/.kde/share/autostart | 47 | deny ${HOME}/.kde/share/autostart |
48 | blacklist ${HOME}/.kde/share/config/startupconfig | 48 | deny ${HOME}/.kde/share/config/startupconfig |
49 | blacklist ${HOME}/.kde/share/config/startupconfigkeys | 49 | deny ${HOME}/.kde/share/config/startupconfigkeys |
50 | blacklist ${HOME}/.kde/shutdown | 50 | deny ${HOME}/.kde/shutdown |
51 | blacklist ${HOME}/.kde4/env | 51 | deny ${HOME}/.kde4/env |
52 | blacklist ${HOME}/.kde4/Autostart | 52 | deny ${HOME}/.kde4/Autostart |
53 | blacklist ${HOME}/.kde4/share/autostart | 53 | deny ${HOME}/.kde4/share/autostart |
54 | blacklist ${HOME}/.kde4/shutdown | 54 | deny ${HOME}/.kde4/shutdown |
55 | blacklist ${HOME}/.kde4/share/config/startupconfig | 55 | deny ${HOME}/.kde4/share/config/startupconfig |
56 | blacklist ${HOME}/.kde4/share/config/startupconfigkeys | 56 | deny ${HOME}/.kde4/share/config/startupconfigkeys |
57 | blacklist ${HOME}/.local/share/autostart | 57 | deny ${HOME}/.local/share/autostart |
58 | blacklist ${HOME}/.xinitrc | 58 | deny ${HOME}/.xinitrc |
59 | blacklist ${HOME}/.xprofile | 59 | deny ${HOME}/.xprofile |
60 | blacklist ${HOME}/.xserverrc | 60 | deny ${HOME}/.xserverrc |
61 | blacklist ${HOME}/.xsession | 61 | deny ${HOME}/.xsession |
62 | blacklist ${HOME}/.xsessionrc | 62 | deny ${HOME}/.xsessionrc |
63 | blacklist /etc/X11/Xsession.d | 63 | deny /etc/X11/Xsession.d |
64 | blacklist /etc/xdg/autostart | 64 | deny /etc/xdg/autostart |
65 | read-only ${HOME}/.Xauthority | 65 | read-only ${HOME}/.Xauthority |
66 | 66 | ||
67 | # Session manager | 67 | # Session manager |
@@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority | |||
70 | #?HAS_X11: blacklist /tmp/.ICE-unix | 70 | #?HAS_X11: blacklist /tmp/.ICE-unix |
71 | 71 | ||
72 | # KDE config | 72 | # KDE config |
73 | blacklist ${HOME}/.cache/konsole | 73 | deny ${HOME}/.cache/konsole |
74 | blacklist ${HOME}/.config/khotkeysrc | 74 | deny ${HOME}/.config/khotkeysrc |
75 | blacklist ${HOME}/.config/krunnerrc | 75 | deny ${HOME}/.config/krunnerrc |
76 | blacklist ${HOME}/.config/kscreenlockerrc | 76 | deny ${HOME}/.config/kscreenlockerrc |
77 | blacklist ${HOME}/.config/ksslcertificatemanager | 77 | deny ${HOME}/.config/ksslcertificatemanager |
78 | blacklist ${HOME}/.config/kwalletrc | 78 | deny ${HOME}/.config/kwalletrc |
79 | blacklist ${HOME}/.config/kwinrc | 79 | deny ${HOME}/.config/kwinrc |
80 | blacklist ${HOME}/.config/kwinrulesrc | 80 | deny ${HOME}/.config/kwinrulesrc |
81 | blacklist ${HOME}/.config/plasma-locale-settings.sh | 81 | deny ${HOME}/.config/plasma-locale-settings.sh |
82 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc | 82 | deny ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc |
83 | blacklist ${HOME}/.config/plasmashellrc | 83 | deny ${HOME}/.config/plasmashellrc |
84 | blacklist ${HOME}/.config/plasmavaultrc | 84 | deny ${HOME}/.config/plasmavaultrc |
85 | blacklist ${HOME}/.kde/share/apps/kwin | 85 | deny ${HOME}/.kde/share/apps/kwin |
86 | blacklist ${HOME}/.kde/share/apps/plasma | 86 | deny ${HOME}/.kde/share/apps/plasma |
87 | blacklist ${HOME}/.kde/share/apps/solid | 87 | deny ${HOME}/.kde/share/apps/solid |
88 | blacklist ${HOME}/.kde/share/config/khotkeysrc | 88 | deny ${HOME}/.kde/share/config/khotkeysrc |
89 | blacklist ${HOME}/.kde/share/config/krunnerrc | 89 | deny ${HOME}/.kde/share/config/krunnerrc |
90 | blacklist ${HOME}/.kde/share/config/kscreensaverrc | 90 | deny ${HOME}/.kde/share/config/kscreensaverrc |
91 | blacklist ${HOME}/.kde/share/config/ksslcertificatemanager | 91 | deny ${HOME}/.kde/share/config/ksslcertificatemanager |
92 | blacklist ${HOME}/.kde/share/config/kwalletrc | 92 | deny ${HOME}/.kde/share/config/kwalletrc |
93 | blacklist ${HOME}/.kde/share/config/kwinrc | 93 | deny ${HOME}/.kde/share/config/kwinrc |
94 | blacklist ${HOME}/.kde/share/config/kwinrulesrc | 94 | deny ${HOME}/.kde/share/config/kwinrulesrc |
95 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc | 95 | deny ${HOME}/.kde/share/config/plasma-desktop-appletsrc |
96 | blacklist ${HOME}/.kde4/share/apps/kwin | 96 | deny ${HOME}/.kde4/share/apps/kwin |
97 | blacklist ${HOME}/.kde4/share/apps/plasma | 97 | deny ${HOME}/.kde4/share/apps/plasma |
98 | blacklist ${HOME}/.kde4/share/apps/solid | 98 | deny ${HOME}/.kde4/share/apps/solid |
99 | blacklist ${HOME}/.kde4/share/config/khotkeysrc | 99 | deny ${HOME}/.kde4/share/config/khotkeysrc |
100 | blacklist ${HOME}/.kde4/share/config/krunnerrc | 100 | deny ${HOME}/.kde4/share/config/krunnerrc |
101 | blacklist ${HOME}/.kde4/share/config/kscreensaverrc | 101 | deny ${HOME}/.kde4/share/config/kscreensaverrc |
102 | blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager | 102 | deny ${HOME}/.kde4/share/config/ksslcertificatemanager |
103 | blacklist ${HOME}/.kde4/share/config/kwalletrc | 103 | deny ${HOME}/.kde4/share/config/kwalletrc |
104 | blacklist ${HOME}/.kde4/share/config/kwinrc | 104 | deny ${HOME}/.kde4/share/config/kwinrc |
105 | blacklist ${HOME}/.kde4/share/config/kwinrulesrc | 105 | deny ${HOME}/.kde4/share/config/kwinrulesrc |
106 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc | 106 | deny ${HOME}/.kde4/share/config/plasma-desktop-appletsrc |
107 | blacklist ${HOME}/.local/share/kglobalaccel | 107 | deny ${HOME}/.local/share/kglobalaccel |
108 | blacklist ${HOME}/.local/share/kwin | 108 | deny ${HOME}/.local/share/kwin |
109 | blacklist ${HOME}/.local/share/plasma | 109 | deny ${HOME}/.local/share/plasma |
110 | blacklist ${HOME}/.local/share/plasmashell | 110 | deny ${HOME}/.local/share/plasmashell |
111 | blacklist ${HOME}/.local/share/solid | 111 | deny ${HOME}/.local/share/solid |
112 | blacklist /tmp/konsole-*.history | 112 | deny /tmp/konsole-*.history |
113 | read-only ${HOME}/.cache/ksycoca5_* | 113 | read-only ${HOME}/.cache/ksycoca5_* |
114 | read-only ${HOME}/.config/*notifyrc | 114 | read-only ${HOME}/.config/*notifyrc |
115 | read-only ${HOME}/.config/kdeglobals | 115 | read-only ${HOME}/.config/kdeglobals |
@@ -138,124 +138,124 @@ read-only ${HOME}/.local/share/kservices5 | |||
138 | read-only ${HOME}/.local/share/kssl | 138 | read-only ${HOME}/.local/share/kssl |
139 | 139 | ||
140 | # KDE sockets | 140 | # KDE sockets |
141 | blacklist ${RUNUSER}/*.slave-socket | 141 | deny ${RUNUSER}/*.slave-socket |
142 | blacklist ${RUNUSER}/kdeinit5__* | 142 | deny ${RUNUSER}/kdeinit5__* |
143 | blacklist ${RUNUSER}/kdesud_* | 143 | deny ${RUNUSER}/kdesud_* |
144 | # see #3358 | 144 | # see #3358 |
145 | #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-* | 145 | #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-* |
146 | #?HAS_NODBUS: blacklist /tmp/ksocket-* | 146 | #?HAS_NODBUS: blacklist /tmp/ksocket-* |
147 | 147 | ||
148 | # gnome | 148 | # gnome |
149 | # contains extensions, last used times of applications, and notifications | 149 | # contains extensions, last used times of applications, and notifications |
150 | blacklist ${HOME}/.local/share/gnome-shell | 150 | deny ${HOME}/.local/share/gnome-shell |
151 | # contains recently used files and serials of static/removable storage | 151 | # contains recently used files and serials of static/removable storage |
152 | blacklist ${HOME}/.local/share/gvfs-metadata | 152 | deny ${HOME}/.local/share/gvfs-metadata |
153 | # no direct modification of dconf database | 153 | # no direct modification of dconf database |
154 | read-only ${HOME}/.config/dconf | 154 | read-only ${HOME}/.config/dconf |
155 | blacklist ${RUNUSER}/gnome-session-leader-fifo | 155 | deny ${RUNUSER}/gnome-session-leader-fifo |
156 | blacklist ${RUNUSER}/gnome-shell | 156 | deny ${RUNUSER}/gnome-shell |
157 | blacklist ${RUNUSER}/gsconnect | 157 | deny ${RUNUSER}/gsconnect |
158 | 158 | ||
159 | # systemd | 159 | # systemd |
160 | blacklist ${HOME}/.config/systemd | 160 | deny ${HOME}/.config/systemd |
161 | blacklist ${HOME}/.local/share/systemd | 161 | deny ${HOME}/.local/share/systemd |
162 | blacklist /var/lib/systemd | 162 | deny /var/lib/systemd |
163 | blacklist ${PATH}/systemd-run | 163 | deny ${PATH}/systemd-run |
164 | blacklist ${RUNUSER}/systemd | 164 | deny ${RUNUSER}/systemd |
165 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf | 165 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf |
166 | #blacklist /var/run/systemd | 166 | #blacklist /var/run/systemd |
167 | 167 | ||
168 | # openrc | 168 | # openrc |
169 | blacklist /etc/runlevels/ | 169 | deny /etc/runlevels/ |
170 | blacklist /etc/init.d/ | 170 | deny /etc/init.d/ |
171 | blacklist /etc/rc.conf | 171 | deny /etc/rc.conf |
172 | 172 | ||
173 | # VirtualBox | 173 | # VirtualBox |
174 | blacklist ${HOME}/.VirtualBox | 174 | deny ${HOME}/.VirtualBox |
175 | blacklist ${HOME}/.config/VirtualBox | 175 | deny ${HOME}/.config/VirtualBox |
176 | blacklist ${HOME}/VirtualBox VMs | 176 | deny ${HOME}/VirtualBox VMs |
177 | 177 | ||
178 | # GNOME Boxes | 178 | # GNOME Boxes |
179 | blacklist ${HOME}/.config/gnome-boxes | 179 | deny ${HOME}/.config/gnome-boxes |
180 | blacklist ${HOME}/.local/share/gnome-boxes | 180 | deny ${HOME}/.local/share/gnome-boxes |
181 | 181 | ||
182 | # libvirt | 182 | # libvirt |
183 | blacklist ${HOME}/.cache/libvirt | 183 | deny ${HOME}/.cache/libvirt |
184 | blacklist ${HOME}/.config/libvirt | 184 | deny ${HOME}/.config/libvirt |
185 | blacklist ${RUNUSER}/libvirt | 185 | deny ${RUNUSER}/libvirt |
186 | blacklist /var/cache/libvirt | 186 | deny /var/cache/libvirt |
187 | blacklist /var/lib/libvirt | 187 | deny /var/lib/libvirt |
188 | blacklist /var/log/libvirt | 188 | deny /var/log/libvirt |
189 | 189 | ||
190 | # OCI-Containers / Podman | 190 | # OCI-Containers / Podman |
191 | blacklist ${RUNUSER}/containers | 191 | deny ${RUNUSER}/containers |
192 | blacklist ${RUNUSER}/crun | 192 | deny ${RUNUSER}/crun |
193 | blacklist ${RUNUSER}/libpod | 193 | deny ${RUNUSER}/libpod |
194 | blacklist ${RUNUSER}/runc | 194 | deny ${RUNUSER}/runc |
195 | blacklist ${RUNUSER}/toolbox | 195 | deny ${RUNUSER}/toolbox |
196 | 196 | ||
197 | # VeraCrypt | 197 | # VeraCrypt |
198 | blacklist ${HOME}/.VeraCrypt | 198 | deny ${HOME}/.VeraCrypt |
199 | blacklist ${PATH}/veracrypt | 199 | deny ${PATH}/veracrypt |
200 | blacklist ${PATH}/veracrypt-uninstall.sh | 200 | deny ${PATH}/veracrypt-uninstall.sh |
201 | blacklist /usr/share/applications/veracrypt.* | 201 | deny /usr/share/applications/veracrypt.* |
202 | blacklist /usr/share/pixmaps/veracrypt.* | 202 | deny /usr/share/pixmaps/veracrypt.* |
203 | blacklist /usr/share/veracrypt | 203 | deny /usr/share/veracrypt |
204 | 204 | ||
205 | # TrueCrypt | 205 | # TrueCrypt |
206 | blacklist ${HOME}/.TrueCrypt | 206 | deny ${HOME}/.TrueCrypt |
207 | blacklist ${PATH}/truecrypt | 207 | deny ${PATH}/truecrypt |
208 | blacklist ${PATH}/truecrypt-uninstall.sh | 208 | deny ${PATH}/truecrypt-uninstall.sh |
209 | blacklist /usr/share/applications/truecrypt.* | 209 | deny /usr/share/applications/truecrypt.* |
210 | blacklist /usr/share/pixmaps/truecrypt.* | 210 | deny /usr/share/pixmaps/truecrypt.* |
211 | blacklist /usr/share/truecrypt | 211 | deny /usr/share/truecrypt |
212 | 212 | ||
213 | # zuluCrypt | 213 | # zuluCrypt |
214 | blacklist ${HOME}/.zuluCrypt | 214 | deny ${HOME}/.zuluCrypt |
215 | blacklist ${HOME}/.zuluCrypt-socket | 215 | deny ${HOME}/.zuluCrypt-socket |
216 | blacklist ${PATH}/zuluCrypt-cli | 216 | deny ${PATH}/zuluCrypt-cli |
217 | blacklist ${PATH}/zuluMount-cli | 217 | deny ${PATH}/zuluMount-cli |
218 | 218 | ||
219 | # var | 219 | # var |
220 | blacklist /var/cache/apt | 220 | deny /var/cache/apt |
221 | blacklist /var/cache/pacman | 221 | deny /var/cache/pacman |
222 | blacklist /var/lib/apt | 222 | deny /var/lib/apt |
223 | blacklist /var/lib/clamav | 223 | deny /var/lib/clamav |
224 | blacklist /var/lib/dkms | 224 | deny /var/lib/dkms |
225 | blacklist /var/lib/mysql/mysql.sock | 225 | deny /var/lib/mysql/mysql.sock |
226 | blacklist /var/lib/mysqld/mysql.sock | 226 | deny /var/lib/mysqld/mysql.sock |
227 | blacklist /var/lib/pacman | 227 | deny /var/lib/pacman |
228 | blacklist /var/lib/upower | 228 | deny /var/lib/upower |
229 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for | 229 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for |
230 | # every sandbox, unless --writable-var-log switch is activated | 230 | # every sandbox, unless --writable-var-log switch is activated |
231 | blacklist /var/mail | 231 | deny /var/mail |
232 | blacklist /var/opt | 232 | deny /var/opt |
233 | blacklist /var/run/acpid.socket | 233 | deny /var/run/acpid.socket |
234 | blacklist /var/run/docker.sock | 234 | deny /var/run/docker.sock |
235 | blacklist /var/run/minissdpd.sock | 235 | deny /var/run/minissdpd.sock |
236 | blacklist /var/run/mysql/mysqld.sock | 236 | deny /var/run/mysql/mysqld.sock |
237 | blacklist /var/run/mysqld/mysqld.sock | 237 | deny /var/run/mysqld/mysqld.sock |
238 | blacklist /var/run/rpcbind.sock | 238 | deny /var/run/rpcbind.sock |
239 | blacklist /var/run/screens | 239 | deny /var/run/screens |
240 | blacklist /var/spool/anacron | 240 | deny /var/spool/anacron |
241 | blacklist /var/spool/cron | 241 | deny /var/spool/cron |
242 | blacklist /var/spool/mail | 242 | deny /var/spool/mail |
243 | 243 | ||
244 | # etc | 244 | # etc |
245 | blacklist /etc/anacrontab | 245 | deny /etc/anacrontab |
246 | blacklist /etc/cron* | 246 | deny /etc/cron* |
247 | blacklist /etc/profile.d | 247 | deny /etc/profile.d |
248 | blacklist /etc/rc.local | 248 | deny /etc/rc.local |
249 | # rc1.d, rc2.d, ... | 249 | # rc1.d, rc2.d, ... |
250 | blacklist /etc/rc?.d | 250 | deny /etc/rc?.d |
251 | blacklist /etc/kernel* | 251 | deny /etc/kernel* |
252 | blacklist /etc/grub* | 252 | deny /etc/grub* |
253 | blacklist /etc/dkms | 253 | deny /etc/dkms |
254 | blacklist /etc/apparmor* | 254 | deny /etc/apparmor* |
255 | blacklist /etc/selinux | 255 | deny /etc/selinux |
256 | blacklist /etc/modules* | 256 | deny /etc/modules* |
257 | blacklist /etc/logrotate* | 257 | deny /etc/logrotate* |
258 | blacklist /etc/adduser.conf | 258 | deny /etc/adduser.conf |
259 | 259 | ||
260 | # Startup files | 260 | # Startup files |
261 | read-only ${HOME}/.antigen | 261 | read-only ${HOME}/.antigen |
@@ -292,13 +292,13 @@ read-only ${HOME}/.zshrc | |||
292 | read-only ${HOME}/.zshrc.local | 292 | read-only ${HOME}/.zshrc.local |
293 | 293 | ||
294 | # Remote access | 294 | # Remote access |
295 | blacklist ${HOME}/.rhosts | 295 | deny ${HOME}/.rhosts |
296 | blacklist ${HOME}/.shosts | 296 | deny ${HOME}/.shosts |
297 | blacklist ${HOME}/.ssh/authorized_keys | 297 | deny ${HOME}/.ssh/authorized_keys |
298 | blacklist ${HOME}/.ssh/authorized_keys2 | 298 | deny ${HOME}/.ssh/authorized_keys2 |
299 | blacklist ${HOME}/.ssh/environment | 299 | deny ${HOME}/.ssh/environment |
300 | blacklist ${HOME}/.ssh/rc | 300 | deny ${HOME}/.ssh/rc |
301 | blacklist /etc/hosts.equiv | 301 | deny /etc/hosts.equiv |
302 | read-only ${HOME}/.ssh/config | 302 | read-only ${HOME}/.ssh/config |
303 | read-only ${HOME}/.ssh/config.d | 303 | read-only ${HOME}/.ssh/config.d |
304 | 304 | ||
@@ -359,200 +359,200 @@ read-only ${HOME}/.local/share/mime | |||
359 | read-only ${HOME}/.local/share/thumbnailers | 359 | read-only ${HOME}/.local/share/thumbnailers |
360 | 360 | ||
361 | # prevent access to ssh-agent | 361 | # prevent access to ssh-agent |
362 | blacklist /tmp/ssh-* | 362 | deny /tmp/ssh-* |
363 | 363 | ||
364 | # top secret | 364 | # top secret |
365 | blacklist ${HOME}/*.kdb | 365 | deny ${HOME}/*.kdb |
366 | blacklist ${HOME}/*.kdbx | 366 | deny ${HOME}/*.kdbx |
367 | blacklist ${HOME}/*.key | 367 | deny ${HOME}/*.key |
368 | blacklist ${HOME}/.Private | 368 | deny ${HOME}/.Private |
369 | blacklist ${HOME}/.caff | 369 | deny ${HOME}/.caff |
370 | blacklist ${HOME}/.cargo/credentials | 370 | deny ${HOME}/.cargo/credentials |
371 | blacklist ${HOME}/.cargo/credentials.toml | 371 | deny ${HOME}/.cargo/credentials.toml |
372 | blacklist ${HOME}/.cert | 372 | deny ${HOME}/.cert |
373 | blacklist ${HOME}/.config/keybase | 373 | deny ${HOME}/.config/keybase |
374 | blacklist ${HOME}/.davfs2/secrets | 374 | deny ${HOME}/.davfs2/secrets |
375 | blacklist ${HOME}/.ecryptfs | 375 | deny ${HOME}/.ecryptfs |
376 | blacklist ${HOME}/.fetchmailrc | 376 | deny ${HOME}/.fetchmailrc |
377 | blacklist ${HOME}/.fscrypt | 377 | deny ${HOME}/.fscrypt |
378 | blacklist ${HOME}/.git-credential-cache | 378 | deny ${HOME}/.git-credential-cache |
379 | blacklist ${HOME}/.git-credentials | 379 | deny ${HOME}/.git-credentials |
380 | blacklist ${HOME}/.gnome2/keyrings | 380 | deny ${HOME}/.gnome2/keyrings |
381 | blacklist ${HOME}/.gnupg | 381 | deny ${HOME}/.gnupg |
382 | blacklist ${HOME}/.config/hub | 382 | deny ${HOME}/.config/hub |
383 | blacklist ${HOME}/.kde/share/apps/kwallet | 383 | deny ${HOME}/.kde/share/apps/kwallet |
384 | blacklist ${HOME}/.kde4/share/apps/kwallet | 384 | deny ${HOME}/.kde4/share/apps/kwallet |
385 | blacklist ${HOME}/.local/share/keyrings | 385 | deny ${HOME}/.local/share/keyrings |
386 | blacklist ${HOME}/.local/share/kwalletd | 386 | deny ${HOME}/.local/share/kwalletd |
387 | blacklist ${HOME}/.local/share/plasma-vault | 387 | deny ${HOME}/.local/share/plasma-vault |
388 | blacklist ${HOME}/.msmtprc | 388 | deny ${HOME}/.msmtprc |
389 | blacklist ${HOME}/.mutt | 389 | deny ${HOME}/.mutt |
390 | blacklist ${HOME}/.muttrc | 390 | deny ${HOME}/.muttrc |
391 | blacklist ${HOME}/.netrc | 391 | deny ${HOME}/.netrc |
392 | blacklist ${HOME}/.nyx | 392 | deny ${HOME}/.nyx |
393 | blacklist ${HOME}/.pki | 393 | deny ${HOME}/.pki |
394 | blacklist ${HOME}/.local/share/pki | 394 | deny ${HOME}/.local/share/pki |
395 | blacklist ${HOME}/.smbcredentials | 395 | deny ${HOME}/.smbcredentials |
396 | blacklist ${HOME}/.ssh | 396 | deny ${HOME}/.ssh |
397 | blacklist ${HOME}/.vaults | 397 | deny ${HOME}/.vaults |
398 | blacklist /.fscrypt | 398 | deny /.fscrypt |
399 | blacklist /etc/davfs2/secrets | 399 | deny /etc/davfs2/secrets |
400 | blacklist /etc/group+ | 400 | deny /etc/group+ |
401 | blacklist /etc/group- | 401 | deny /etc/group- |
402 | blacklist /etc/gshadow | 402 | deny /etc/gshadow |
403 | blacklist /etc/gshadow+ | 403 | deny /etc/gshadow+ |
404 | blacklist /etc/gshadow- | 404 | deny /etc/gshadow- |
405 | blacklist /etc/passwd+ | 405 | deny /etc/passwd+ |
406 | blacklist /etc/passwd- | 406 | deny /etc/passwd- |
407 | blacklist /etc/shadow | 407 | deny /etc/shadow |
408 | blacklist /etc/shadow+ | 408 | deny /etc/shadow+ |
409 | blacklist /etc/shadow- | 409 | deny /etc/shadow- |
410 | blacklist /etc/ssh | 410 | deny /etc/ssh |
411 | blacklist /etc/ssh/* | 411 | deny /etc/ssh/* |
412 | blacklist /home/.ecryptfs | 412 | deny /home/.ecryptfs |
413 | blacklist /home/.fscrypt | 413 | deny /home/.fscrypt |
414 | blacklist /var/backup | 414 | deny /var/backup |
415 | 415 | ||
416 | # cloud provider configuration | 416 | # cloud provider configuration |
417 | blacklist ${HOME}/.aws | 417 | deny ${HOME}/.aws |
418 | blacklist ${HOME}/.boto | 418 | deny ${HOME}/.boto |
419 | blacklist ${HOME}/.config/gcloud | 419 | deny ${HOME}/.config/gcloud |
420 | blacklist ${HOME}/.kube | 420 | deny ${HOME}/.kube |
421 | blacklist ${HOME}/.passwd-s3fs | 421 | deny ${HOME}/.passwd-s3fs |
422 | blacklist ${HOME}/.s3cmd | 422 | deny ${HOME}/.s3cmd |
423 | blacklist /etc/boto.cfg | 423 | deny /etc/boto.cfg |
424 | 424 | ||
425 | # system directories | 425 | # system directories |
426 | blacklist /sbin | 426 | deny /sbin |
427 | blacklist /usr/local/sbin | 427 | deny /usr/local/sbin |
428 | blacklist /usr/sbin | 428 | deny /usr/sbin |
429 | 429 | ||
430 | # system management | 430 | # system management |
431 | blacklist ${PATH}/at | 431 | deny ${PATH}/at |
432 | blacklist ${PATH}/busybox | 432 | deny ${PATH}/busybox |
433 | blacklist ${PATH}/chage | 433 | deny ${PATH}/chage |
434 | blacklist ${PATH}/chfn | 434 | deny ${PATH}/chfn |
435 | blacklist ${PATH}/chsh | 435 | deny ${PATH}/chsh |
436 | blacklist ${PATH}/crontab | 436 | deny ${PATH}/crontab |
437 | blacklist ${PATH}/evtest | 437 | deny ${PATH}/evtest |
438 | blacklist ${PATH}/expiry | 438 | deny ${PATH}/expiry |
439 | blacklist ${PATH}/fusermount | 439 | deny ${PATH}/fusermount |
440 | blacklist ${PATH}/gksu | 440 | deny ${PATH}/gksu |
441 | blacklist ${PATH}/gksudo | 441 | deny ${PATH}/gksudo |
442 | blacklist ${PATH}/gpasswd | 442 | deny ${PATH}/gpasswd |
443 | blacklist ${PATH}/kdesudo | 443 | deny ${PATH}/kdesudo |
444 | blacklist ${PATH}/ksu | 444 | deny ${PATH}/ksu |
445 | blacklist ${PATH}/mount | 445 | deny ${PATH}/mount |
446 | blacklist ${PATH}/mount.ecryptfs_private | 446 | deny ${PATH}/mount.ecryptfs_private |
447 | blacklist ${PATH}/nc | 447 | deny ${PATH}/nc |
448 | blacklist ${PATH}/ncat | 448 | deny ${PATH}/ncat |
449 | blacklist ${PATH}/nmap | 449 | deny ${PATH}/nmap |
450 | blacklist ${PATH}/newgidmap | 450 | deny ${PATH}/newgidmap |
451 | blacklist ${PATH}/newgrp | 451 | deny ${PATH}/newgrp |
452 | blacklist ${PATH}/newuidmap | 452 | deny ${PATH}/newuidmap |
453 | blacklist ${PATH}/ntfs-3g | 453 | deny ${PATH}/ntfs-3g |
454 | blacklist ${PATH}/pkexec | 454 | deny ${PATH}/pkexec |
455 | blacklist ${PATH}/procmail | 455 | deny ${PATH}/procmail |
456 | blacklist ${PATH}/sg | 456 | deny ${PATH}/sg |
457 | blacklist ${PATH}/strace | 457 | deny ${PATH}/strace |
458 | blacklist ${PATH}/su | 458 | deny ${PATH}/su |
459 | blacklist ${PATH}/sudo | 459 | deny ${PATH}/sudo |
460 | blacklist ${PATH}/tcpdump | 460 | deny ${PATH}/tcpdump |
461 | blacklist ${PATH}/umount | 461 | deny ${PATH}/umount |
462 | blacklist ${PATH}/unix_chkpwd | 462 | deny ${PATH}/unix_chkpwd |
463 | blacklist ${PATH}/xev | 463 | deny ${PATH}/xev |
464 | blacklist ${PATH}/xinput | 464 | deny ${PATH}/xinput |
465 | 465 | ||
466 | # other SUID binaries | 466 | # other SUID binaries |
467 | blacklist /usr/lib/virtualbox | 467 | deny /usr/lib/virtualbox |
468 | blacklist /usr/lib64/virtualbox | 468 | deny /usr/lib64/virtualbox |
469 | 469 | ||
470 | # prevent lxterminal connecting to an existing lxterminal session | 470 | # prevent lxterminal connecting to an existing lxterminal session |
471 | blacklist /tmp/.lxterminal-socket* | 471 | deny /tmp/.lxterminal-socket* |
472 | # prevent tmux connecting to an existing session | 472 | # prevent tmux connecting to an existing session |
473 | blacklist /tmp/tmux-* | 473 | deny /tmp/tmux-* |
474 | 474 | ||
475 | # disable terminals running as server resulting in sandbox escape | 475 | # disable terminals running as server resulting in sandbox escape |
476 | blacklist ${PATH}/lxterminal | 476 | deny ${PATH}/lxterminal |
477 | blacklist ${PATH}/gnome-terminal | 477 | deny ${PATH}/gnome-terminal |
478 | blacklist ${PATH}/gnome-terminal.wrapper | 478 | deny ${PATH}/gnome-terminal.wrapper |
479 | blacklist ${PATH}/lilyterm | 479 | deny ${PATH}/lilyterm |
480 | blacklist ${PATH}/mate-terminal | 480 | deny ${PATH}/mate-terminal |
481 | blacklist ${PATH}/mate-terminal.wrapper | 481 | deny ${PATH}/mate-terminal.wrapper |
482 | blacklist ${PATH}/pantheon-terminal | 482 | deny ${PATH}/pantheon-terminal |
483 | blacklist ${PATH}/roxterm | 483 | deny ${PATH}/roxterm |
484 | blacklist ${PATH}/roxterm-config | 484 | deny ${PATH}/roxterm-config |
485 | blacklist ${PATH}/terminix | 485 | deny ${PATH}/terminix |
486 | blacklist ${PATH}/tilix | 486 | deny ${PATH}/tilix |
487 | blacklist ${PATH}/urxvtc | 487 | deny ${PATH}/urxvtc |
488 | blacklist ${PATH}/urxvtcd | 488 | deny ${PATH}/urxvtcd |
489 | blacklist ${PATH}/xfce4-terminal | 489 | deny ${PATH}/xfce4-terminal |
490 | blacklist ${PATH}/xfce4-terminal.wrapper | 490 | deny ${PATH}/xfce4-terminal.wrapper |
491 | # blacklist ${PATH}/konsole | 491 | # blacklist ${PATH}/konsole |
492 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 | 492 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 |
493 | 493 | ||
494 | # kernel files | 494 | # kernel files |
495 | blacklist /initrd* | 495 | deny /initrd* |
496 | blacklist /vmlinuz* | 496 | deny /vmlinuz* |
497 | 497 | ||
498 | # snapshot files | 498 | # snapshot files |
499 | blacklist /.snapshots | 499 | deny /.snapshots |
500 | 500 | ||
501 | # flatpak | 501 | # flatpak |
502 | blacklist ${HOME}/.cache/flatpak | 502 | deny ${HOME}/.cache/flatpak |
503 | blacklist ${HOME}/.config/flatpak | 503 | deny ${HOME}/.config/flatpak |
504 | noblacklist ${HOME}/.local/share/flatpak/exports | 504 | nodeny ${HOME}/.local/share/flatpak/exports |
505 | read-only ${HOME}/.local/share/flatpak/exports | 505 | read-only ${HOME}/.local/share/flatpak/exports |
506 | blacklist ${HOME}/.local/share/flatpak/* | 506 | deny ${HOME}/.local/share/flatpak/* |
507 | blacklist ${HOME}/.var | 507 | deny ${HOME}/.var |
508 | blacklist ${RUNUSER}/app | 508 | deny ${RUNUSER}/app |
509 | blacklist ${RUNUSER}/doc | 509 | deny ${RUNUSER}/doc |
510 | blacklist ${RUNUSER}/.dbus-proxy | 510 | deny ${RUNUSER}/.dbus-proxy |
511 | blacklist ${RUNUSER}/.flatpak | 511 | deny ${RUNUSER}/.flatpak |
512 | blacklist ${RUNUSER}/.flatpak-cache | 512 | deny ${RUNUSER}/.flatpak-cache |
513 | blacklist ${RUNUSER}/.flatpak-helper | 513 | deny ${RUNUSER}/.flatpak-helper |
514 | blacklist /usr/share/flatpak | 514 | deny /usr/share/flatpak |
515 | noblacklist /var/lib/flatpak/exports | 515 | nodeny /var/lib/flatpak/exports |
516 | blacklist /var/lib/flatpak/* | 516 | deny /var/lib/flatpak/* |
517 | # most of the time bwrap is SUID binary | 517 | # most of the time bwrap is SUID binary |
518 | blacklist ${PATH}/bwrap | 518 | deny ${PATH}/bwrap |
519 | 519 | ||
520 | # snap | 520 | # snap |
521 | blacklist ${RUNUSER}/snapd-session-agent.socket | 521 | deny ${RUNUSER}/snapd-session-agent.socket |
522 | 522 | ||
523 | # mail directories used by mutt | 523 | # mail directories used by mutt |
524 | blacklist ${HOME}/.Mail | 524 | deny ${HOME}/.Mail |
525 | blacklist ${HOME}/.mail | 525 | deny ${HOME}/.mail |
526 | blacklist ${HOME}/.signature | 526 | deny ${HOME}/.signature |
527 | blacklist ${HOME}/Mail | 527 | deny ${HOME}/Mail |
528 | blacklist ${HOME}/mail | 528 | deny ${HOME}/mail |
529 | blacklist ${HOME}/postponed | 529 | deny ${HOME}/postponed |
530 | blacklist ${HOME}/sent | 530 | deny ${HOME}/sent |
531 | 531 | ||
532 | # kernel configuration | 532 | # kernel configuration |
533 | blacklist /proc/config.gz | 533 | deny /proc/config.gz |
534 | 534 | ||
535 | # prevent DNS malware attempting to communicate with the server | 535 | # prevent DNS malware attempting to communicate with the server |
536 | # using regular DNS tools | 536 | # using regular DNS tools |
537 | blacklist ${PATH}/dig | 537 | deny ${PATH}/dig |
538 | blacklist ${PATH}/dlint | 538 | deny ${PATH}/dlint |
539 | blacklist ${PATH}/dns2tcp | 539 | deny ${PATH}/dns2tcp |
540 | blacklist ${PATH}/dnssec-* | 540 | deny ${PATH}/dnssec-* |
541 | blacklist ${PATH}/dnswalk | 541 | deny ${PATH}/dnswalk |
542 | blacklist ${PATH}/drill | 542 | deny ${PATH}/drill |
543 | blacklist ${PATH}/host | 543 | deny ${PATH}/host |
544 | blacklist ${PATH}/iodine | 544 | deny ${PATH}/iodine |
545 | blacklist ${PATH}/kdig | 545 | deny ${PATH}/kdig |
546 | blacklist ${PATH}/khost | 546 | deny ${PATH}/khost |
547 | blacklist ${PATH}/knsupdate | 547 | deny ${PATH}/knsupdate |
548 | blacklist ${PATH}/ldns-* | 548 | deny ${PATH}/ldns-* |
549 | blacklist ${PATH}/ldnsd | 549 | deny ${PATH}/ldnsd |
550 | blacklist ${PATH}/nslookup | 550 | deny ${PATH}/nslookup |
551 | blacklist ${PATH}/resolvectl | 551 | deny ${PATH}/resolvectl |
552 | blacklist ${PATH}/unbound-host | 552 | deny ${PATH}/unbound-host |
553 | 553 | ||
554 | # rest of ${RUNUSER} | 554 | # rest of ${RUNUSER} |
555 | blacklist ${RUNUSER}/*.lock | 555 | deny ${RUNUSER}/*.lock |
556 | blacklist ${RUNUSER}/inaccessible | 556 | deny ${RUNUSER}/inaccessible |
557 | blacklist ${RUNUSER}/pk-debconf-socket | 557 | deny ${RUNUSER}/pk-debconf-socket |
558 | blacklist ${RUNUSER}/update-notifier.pid | 558 | deny ${RUNUSER}/update-notifier.pid |
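Review bot: The keyword change stops short of the commented-out directives, which still carry the old spelling: `# blacklist ${HOME}/.xpra` (line 30), `#?HAS_X11: blacklist /tmp/.ICE-unix` (line 70), `#?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*` and `#?HAS_NODBUS: blacklist /tmp/ksocket-*` (lines 145-146), `#blacklist /var/run/systemd` (line 166), `# blacklist /var/log` (line 229) and `# blacklist ${PATH}/konsole` (line 491). Whoever later uncomments one of these re-introduces the spelling this commit is retiring, so they belong in the same pass, e.g. `#?HAS_X11: deny /tmp/.ICE-unix`, `#?HAS_NODBUS: deny ${RUNUSER}/ksocket-*`, `#?HAS_NODBUS: deny /tmp/ksocket-*`. The `#?HAS_…:` lines deserve a second look in particular: if the profile parser treats a `?CONDITION:` prefix as a live conditional, the leading `#` is the only thing keeping them inert, and a reader should be told that next to `# see #3358` rather than left to infer it. The rewrite also presumes that `deny`, `deny-nolog` and `nodeny` (lines 504 and 515) are exact parser aliases of `blacklist`, `blacklist-nolog` and `noblacklist`; that equivalence is not visible in this diff and is worth confirming before this lands, since any divergence would silently loosen every profile that includes this file.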