1 files changed, 128 insertions, 43 deletions

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 35f89e11b..43332b4d0 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -16,7 +16,9 @@ blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.kde/share/apps/klipper
 blacklist-nolog ${HOME}/.kde4/share/apps/klipper
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
+blacklist-nolog ${HOME}/.local/share/ibus-typing-booster
 blacklist-nolog ${HOME}/.local/share/klipper
+blacklist-nolog ${HOME}/.local/share/nvim
 blacklist-nolog ${HOME}/.macromedia
 blacklist-nolog ${HOME}/.mupdf.history
 blacklist-nolog ${HOME}/.python-history
@@ -159,20 +161,23 @@ blacklist ${RUNUSER}/gsconnect
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
-blacklist /var/lib/systemd
+blacklist ${PATH}/systemctl
 blacklist ${PATH}/systemd-run
 blacklist ${RUNUSER}/systemd
+blacklist /etc/systemd/network
+blacklist /etc/systemd/system
+blacklist /var/lib/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 
 # openrc
-blacklist /etc/runlevels/
-blacklist /etc/init.d/
+blacklist /etc/init.d
 blacklist /etc/rc.conf
+blacklist /etc/runlevels
 
 # VirtualBox
-blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 
 # GNOME Boxes
@@ -242,20 +247,34 @@ blacklist /var/spool/cron
 blacklist /var/spool/mail
 
 # etc
+blacklist /etc/adduser.conf
 blacklist /etc/anacrontab
+blacklist /etc/apparmor*
 blacklist /etc/cron*
+blacklist /etc/default
+blacklist /etc/dkms
+blacklist /etc/grub*
+blacklist /etc/kernel*
+blacklist /etc/logrotate*
+blacklist /etc/modules*
 blacklist /etc/profile.d
 blacklist /etc/rc.local
 # rc1.d, rc2.d, ...
 blacklist /etc/rc?.d
-blacklist /etc/kernel*
-blacklist /etc/grub*
-blacklist /etc/dkms
-blacklist /etc/apparmor*
-blacklist /etc/selinux
-blacklist /etc/modules*
-blacklist /etc/logrotate*
-blacklist /etc/adduser.conf
+blacklist /etc/sysconfig
+
+# hide config for various intrusion detection systems
+blacklist /etc/aide
+blacklist /etc/aide.conf
+blacklist /etc/chkrootkit.conf
+blacklist /etc/fail2ban.conf
+blacklist /etc/logcheck
+blacklist /etc/lynis
+blacklist /etc/rkhunter.*
+blacklist /etc/snort
+blacklist /etc/suricata
+blacklist /etc/tripwire
+blacklist /var/lib/rkhunter
 
 # Startup files
 read-only ${HOME}/.antigen
@@ -305,6 +324,7 @@ read-only ${HOME}/.ssh/config.d
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
+read-only ${HOME}/.config/nvim
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
@@ -314,6 +334,7 @@ read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
 read-only ${HOME}/.local/lib
 read-only ${HOME}/.local/share/cool-retro-term
+read-only ${HOME}/.local/share/nvim
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
@@ -335,13 +356,15 @@ read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 
 # Make directories commonly found in $PATH read-only
+read-only ${HOME}/.bin
+read-only ${HOME}/.cargo/bin
 read-only ${HOME}/.gem
+read-only ${HOME}/.local/bin
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
+read-only ${HOME}/.nvm
+read-only ${HOME}/.rustup
 read-only ${HOME}/bin
-read-only ${HOME}/.bin
-read-only ${HOME}/.local/bin
-read-only ${HOME}/.cargo/bin
 
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
@@ -360,13 +383,32 @@ read-only ${HOME}/.local/share/thumbnailers
 blacklist /tmp/ssh-*
 
 # top secret
+blacklist /.fscrypt
+blacklist /etc/davfs2/secrets
+blacklist /etc/group+
+blacklist /etc/group-
+blacklist /etc/gshadow
+blacklist /etc/gshadow+
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/passwd-
+blacklist /etc/shadow
+blacklist /etc/shadow+
+blacklist /etc/shadow-
+blacklist /etc/ssh
+blacklist /etc/ssh/*
+blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.key
+blacklist ${HOME}/Private
 blacklist ${HOME}/.Private
 blacklist ${HOME}/.caff
 blacklist ${HOME}/.cargo/credentials
+blacklist ${HOME}/.cargo/credentials.toml
 blacklist ${HOME}/.cert
+blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
@@ -376,40 +418,37 @@ blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.git-credentials
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/.gnupg
-blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.kde4/share/apps/kwallet
 blacklist ${HOME}/.local/share/keyrings
 blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.local/share/plasma-vault
+blacklist ${HOME}/.minisign
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.nyx
 blacklist ${HOME}/.pki
-blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.vaults
-blacklist /.fscrypt
-blacklist /etc/davfs2/secrets
-blacklist /etc/group+
-blacklist /etc/group-
-blacklist /etc/gshadow
-blacklist /etc/gshadow+
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/passwd-
-blacklist /etc/shadow
-blacklist /etc/shadow+
-blacklist /etc/shadow-
-blacklist /etc/ssh
-blacklist /etc/ssh/*
-blacklist /home/.ecryptfs
-blacklist /home/.fscrypt
+blacklist /run/timeshift
 blacklist /var/backup
 
+# Remove environment variables with auth tokens.
+# Note however that the sandbox might still have access to the
+# files where these variables are set.
+rmenv GH_TOKEN
+rmenv GITHUB_TOKEN
+rmenv GH_ENTERPRISE_TOKEN
+rmenv GITHUB_ENTERPRISE_TOKEN
+rmenv CARGO_REGISTRY_TOKEN
+rmenv RESTIC_KEY_HINT
+rmenv RESTIC_PASSWORD_COMMAND
+rmenv RESTIC_PASSWORD_FILE
+
 # cloud provider configuration
 blacklist ${HOME}/.aws
 blacklist ${HOME}/.boto
@@ -424,7 +463,7 @@ blacklist /sbin
 blacklist /usr/local/sbin
 blacklist /usr/sbin
 
-# system management
+# system management and various SUID executables
 blacklist ${PATH}/at
 blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
@@ -459,6 +498,42 @@ blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
+# from 0.9.67
+blacklist /usr/lib/openssh
+blacklist /usr/lib/ssh
+blacklist /usr/libexec/openssh
+blacklist ${PATH}/passwd
+blacklist /usr/lib/xorg/Xorg.wrap
+blacklist /usr/lib/policykit-1/polkit-agent-helper-1
+blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+blacklist /usr/lib/eject/dmcrypt-get-device
+blacklist /usr/lib/chromium/chrome-sandbox
+blacklist /usr/lib/vmware
+blacklist ${PATH}/suexec
+blacklist /usr/lib/squid/basic_pam_auth
+blacklist ${PATH}/slock
+blacklist ${PATH}/physlock
+blacklist ${PATH}/schroot
+blacklist ${PATH}/wshowkeys
+blacklist ${PATH}/pmount
+blacklist ${PATH}/pumount
+blacklist ${PATH}/bmon
+blacklist ${PATH}/fping
+blacklist ${PATH}/fping6
+blacklist ${PATH}/hostname
+# blacklist ${PATH}/ip - breaks --ip=dhcp
+blacklist ${PATH}/mtr
+blacklist ${PATH}/mtr-packet
+blacklist ${PATH}/netstat
+blacklist ${PATH}/nm-online
+blacklist ${PATH}/nmcli
+blacklist ${PATH}/nmtui
+blacklist ${PATH}/nmtui-connect
+blacklist ${PATH}/nmtui-edit
+blacklist ${PATH}/nmtui-hostname
+blacklist ${PATH}/networkctl
+blacklist ${PATH}/ss
+blacklist ${PATH}/traceroute
 
 # other SUID binaries
 blacklist /usr/lib/virtualbox
@@ -470,10 +545,12 @@ blacklist /tmp/.lxterminal-socket*
 blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
-blacklist ${PATH}/lxterminal
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
+# blacklist ${PATH}/konsole
+# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 blacklist ${PATH}/lilyterm
+blacklist ${PATH}/lxterminal
 blacklist ${PATH}/mate-terminal
 blacklist ${PATH}/mate-terminal.wrapper
 blacklist ${PATH}/pantheon-terminal
@@ -485,8 +562,6 @@ blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
-# blacklist ${PATH}/konsole
-# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 
 # kernel files
 blacklist /initrd*
@@ -502,17 +577,17 @@ noblacklist ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
 blacklist ${HOME}/.local/share/flatpak/*
 blacklist ${HOME}/.var
-blacklist ${RUNUSER}/app
-blacklist ${RUNUSER}/doc
+# most of the time bwrap is SUID binary
+blacklist ${PATH}/bwrap
 blacklist ${RUNUSER}/.dbus-proxy
 blacklist ${RUNUSER}/.flatpak
 blacklist ${RUNUSER}/.flatpak-cache
 blacklist ${RUNUSER}/.flatpak-helper
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
 blacklist /usr/share/flatpak
 noblacklist /var/lib/flatpak/exports
 blacklist /var/lib/flatpak/*
-# most of the time bwrap is SUID binary
-blacklist ${PATH}/bwrap
 
 # snap
 blacklist ${RUNUSER}/snapd-session-agent.socket
@@ -529,8 +604,7 @@ blacklist ${HOME}/sent
 # kernel configuration
 blacklist /proc/config.gz
 
-# prevent DNS malware attempting to communicate with the server
-# using regular DNS tools
+# prevent DNS malware attempting to communicate with the server using regular DNS tools
 blacklist ${PATH}/dig
 blacklist ${PATH}/dlint
 blacklist ${PATH}/dns2tcp
@@ -548,8 +622,19 @@ blacklist ${PATH}/nslookup
 blacklist ${PATH}/resolvectl
 blacklist ${PATH}/unbound-host
 
+# prevent an intruder to guess passwords using regular network tools
+blacklist ${PATH}/ftp
+blacklist ${PATH}/ssh
+blacklist ${PATH}/telnet
+
 # rest of ${RUNUSER}
 blacklist ${RUNUSER}/*.lock
 blacklist ${RUNUSER}/inaccessible
 blacklist ${RUNUSER}/pk-debconf-socket
 blacklist ${RUNUSER}/update-notifier.pid
+
+# tor-browser
+blacklist ${HOME}/.local/opt/tor-browser
+
+# pass utility (pass package in Debian etc.)
+blacklist ${HOME}/.password-store