1 files changed, 72 insertions, 41 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 2dc53d311..ae84ee38a 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -159,20 +159,23 @@ blacklist ${RUNUSER}/gsconnect
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
-blacklist /var/lib/systemd
+blacklist ${PATH}/systemctl
 blacklist ${PATH}/systemd-run
 blacklist ${RUNUSER}/systemd
+blacklist /etc/systemd/network
+blacklist /etc/systemd/system
+blacklist /var/lib/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 # openrc
-blacklist /etc/runlevels/
+blacklist /etc/init.d
-blacklist /etc/init.d/
 blacklist /etc/rc.conf
+blacklist /etc/runlevels
 # VirtualBox
-blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 # GNOME Boxes
@@ -242,20 +245,34 @@ blacklist /var/spool/cron
 blacklist /var/spool/mail
 # etc
+blacklist /etc/adduser.conf
 blacklist /etc/anacrontab
+blacklist /etc/apparmor*
 blacklist /etc/cron*
+blacklist /etc/default
+blacklist /etc/dkms
+blacklist /etc/grub*
+blacklist /etc/kernel*
+blacklist /etc/logrotate*
+blacklist /etc/modules*
 blacklist /etc/profile.d
 blacklist /etc/rc.local
 # rc1.d, rc2.d, ...
 blacklist /etc/rc?.d
-blacklist /etc/kernel*
+blacklist /etc/sysconfig
-blacklist /etc/grub*
-blacklist /etc/dkms
+# hide config for various intrusion detection systems
-blacklist /etc/apparmor*
+blacklist /etc/aide
-blacklist /etc/selinux
+blacklist /etc/aide.conf
-blacklist /etc/modules*
+blacklist /etc/chkrootkit.conf
-blacklist /etc/logrotate*
+blacklist /etc/fail2ban.conf
-blacklist /etc/adduser.conf
+blacklist /etc/logcheck
+blacklist /etc/lynis
+blacklist /etc/rkhunter.*
+blacklist /etc/snort
+blacklist /etc/suricata
+blacklist /etc/tripwire
+blacklist /var/lib/rkhunter
 # Startup files
 read-only ${HOME}/.antigen
@@ -335,15 +352,15 @@ read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 # Make directories commonly found in $PATH read-only
+read-only ${HOME}/.bin
+read-only ${HOME}/.cargo/bin
 read-only ${HOME}/.gem
+read-only ${HOME}/.local/bin
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
 read-only ${HOME}/.nvm
-read-only ${HOME}/bin
-read-only ${HOME}/.bin
-read-only ${HOME}/.local/bin
-read-only ${HOME}/.cargo/bin
 read-only ${HOME}/.rustup
+read-only ${HOME}/bin
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
@@ -362,14 +379,32 @@ read-only ${HOME}/.local/share/thumbnailers
 blacklist /tmp/ssh-*
 # top secret
+blacklist /.fscrypt
+blacklist /etc/davfs2/secrets
+blacklist /etc/group+
+blacklist /etc/group-
+blacklist /etc/gshadow
+blacklist /etc/gshadow+
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/passwd-
+blacklist /etc/shadow
+blacklist /etc/shadow+
+blacklist /etc/shadow-
+blacklist /etc/ssh
+blacklist /etc/ssh/*
+blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.key
+blacklist ${HOME}/Private
 blacklist ${HOME}/.Private
 blacklist ${HOME}/.caff
 blacklist ${HOME}/.cargo/credentials
 blacklist ${HOME}/.cargo/credentials.toml
 blacklist ${HOME}/.cert
+blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
@@ -379,40 +414,36 @@ blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.git-credentials
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/.gnupg
-blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.kde4/share/apps/kwallet
 blacklist ${HOME}/.local/share/keyrings
 blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.local/share/plasma-vault
+blacklist ${HOME}/.minisign
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.nyx
 blacklist ${HOME}/.pki
-blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.vaults
-blacklist /.fscrypt
-blacklist /etc/davfs2/secrets
-blacklist /etc/group+
-blacklist /etc/group-
-blacklist /etc/gshadow
-blacklist /etc/gshadow+
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/passwd-
-blacklist /etc/shadow
-blacklist /etc/shadow+
-blacklist /etc/shadow-
-blacklist /etc/ssh
-blacklist /etc/ssh/*
-blacklist /home/.ecryptfs
-blacklist /home/.fscrypt
 blacklist /var/backup
+# Remove environment variables with auth tokens.
+# Note however that the sandbox might still have access to the
+# files where these variables are set.
+rmenv GH_TOKEN
+rmenv GITHUB_TOKEN
+rmenv GH_ENTERPRISE_TOKEN
+rmenv GITHUB_ENTERPRISE_TOKEN
+rmenv CARGO_REGISTRY_TOKEN
+rmenv RESTIC_KEY_HINT
+rmenv RESTIC_PASSWORD_COMMAND
+rmenv RESTIC_PASSWORD_FILE
 # cloud provider configuration
 blacklist ${HOME}/.aws
 blacklist ${HOME}/.boto
@@ -473,10 +504,12 @@ blacklist /tmp/.lxterminal-socket*
 blacklist /tmp/tmux-*
 # disable terminals running as server resulting in sandbox escape
-blacklist ${PATH}/lxterminal
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
+# blacklist ${PATH}/konsole
+# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 blacklist ${PATH}/lilyterm
+blacklist ${PATH}/lxterminal
 blacklist ${PATH}/mate-terminal
 blacklist ${PATH}/mate-terminal.wrapper
 blacklist ${PATH}/pantheon-terminal
@@ -488,8 +521,6 @@ blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
-# blacklist ${PATH}/konsole
-# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 # kernel files
 blacklist /initrd*
@@ -505,17 +536,17 @@ noblacklist ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
 blacklist ${HOME}/.local/share/flatpak/*
 blacklist ${HOME}/.var
-blacklist ${RUNUSER}/app
+# most of the time bwrap is SUID binary
-blacklist ${RUNUSER}/doc
+blacklist ${PATH}/bwrap
 blacklist ${RUNUSER}/.dbus-proxy
 blacklist ${RUNUSER}/.flatpak
 blacklist ${RUNUSER}/.flatpak-cache
 blacklist ${RUNUSER}/.flatpak-helper
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
 blacklist /usr/share/flatpak
 noblacklist /var/lib/flatpak/exports
 blacklist /var/lib/flatpak/*
-# most of the time bwrap is SUID binary
-blacklist ${PATH}/bwrap
 # snap
 blacklist ${RUNUSER}/snapd-session-agent.socket

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 2dc53d311..ae84ee38a 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc
@@ -159,20 +159,23 @@ blacklist ${RUNUSER}/gsconnect
159	# systemd	159	# systemd
160	blacklist ${HOME}/.config/systemd	160	blacklist ${HOME}/.config/systemd
161	blacklist ${HOME}/.local/share/systemd	161	blacklist ${HOME}/.local/share/systemd
162	blacklist /var/lib/systemd	162	blacklist ${PATH}/systemctl
163	blacklist ${PATH}/systemd-run	163	blacklist ${PATH}/systemd-run
164	blacklist ${RUNUSER}/systemd	164	blacklist ${RUNUSER}/systemd
		165	blacklist /etc/systemd/network
		166	blacklist /etc/systemd/system
		167	blacklist /var/lib/systemd
165	# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf	168	# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
166	#blacklist /var/run/systemd	169	#blacklist /var/run/systemd
167		170
168	# openrc	171	# openrc
169	blacklist /etc/runlevels/	172	blacklist /etc/init.d
170	blacklist /etc/init.d/
171	blacklist /etc/rc.conf	173	blacklist /etc/rc.conf
		174	blacklist /etc/runlevels
172		175
173	# VirtualBox	176	# VirtualBox
174	blacklist ${HOME}/.VirtualBox
175	blacklist ${HOME}/.config/VirtualBox	177	blacklist ${HOME}/.config/VirtualBox
		178	blacklist ${HOME}/.VirtualBox
176	blacklist ${HOME}/VirtualBox VMs	179	blacklist ${HOME}/VirtualBox VMs
177		180
178	# GNOME Boxes	181	# GNOME Boxes
@@ -242,20 +245,34 @@ blacklist /var/spool/cron
242	blacklist /var/spool/mail	245	blacklist /var/spool/mail
243		246
244	# etc	247	# etc
		248	blacklist /etc/adduser.conf
245	blacklist /etc/anacrontab	249	blacklist /etc/anacrontab
		250	blacklist /etc/apparmor*
246	blacklist /etc/cron*	251	blacklist /etc/cron*
		252	blacklist /etc/default
		253	blacklist /etc/dkms
		254	blacklist /etc/grub*
		255	blacklist /etc/kernel*
		256	blacklist /etc/logrotate*
		257	blacklist /etc/modules*
247	blacklist /etc/profile.d	258	blacklist /etc/profile.d
248	blacklist /etc/rc.local	259	blacklist /etc/rc.local
249	# rc1.d, rc2.d, ...	260	# rc1.d, rc2.d, ...
250	blacklist /etc/rc?.d	261	blacklist /etc/rc?.d
251	blacklist /etc/kernel*	262	blacklist /etc/sysconfig
252	blacklist /etc/grub*	263
253	blacklist /etc/dkms	264	# hide config for various intrusion detection systems
254	blacklist /etc/apparmor*	265	blacklist /etc/aide
255	blacklist /etc/selinux	266	blacklist /etc/aide.conf
256	blacklist /etc/modules*	267	blacklist /etc/chkrootkit.conf
257	blacklist /etc/logrotate*	268	blacklist /etc/fail2ban.conf
258	blacklist /etc/adduser.conf	269	blacklist /etc/logcheck
		270	blacklist /etc/lynis
		271	blacklist /etc/rkhunter.*
		272	blacklist /etc/snort
		273	blacklist /etc/suricata
		274	blacklist /etc/tripwire
		275	blacklist /var/lib/rkhunter
259		276
260	# Startup files	277	# Startup files
261	read-only ${HOME}/.antigen	278	read-only ${HOME}/.antigen
@@ -335,15 +352,15 @@ read-only ${HOME}/_vimrc
335	read-only ${HOME}/dotfiles	352	read-only ${HOME}/dotfiles
336		353
337	# Make directories commonly found in $PATH read-only	354	# Make directories commonly found in $PATH read-only
		355	read-only ${HOME}/.bin
		356	read-only ${HOME}/.cargo/bin
338	read-only ${HOME}/.gem	357	read-only ${HOME}/.gem
		358	read-only ${HOME}/.local/bin
339	read-only ${HOME}/.luarocks	359	read-only ${HOME}/.luarocks
340	read-only ${HOME}/.npm-packages	360	read-only ${HOME}/.npm-packages
341	read-only ${HOME}/.nvm	361	read-only ${HOME}/.nvm
342	read-only ${HOME}/bin
343	read-only ${HOME}/.bin
344	read-only ${HOME}/.local/bin
345	read-only ${HOME}/.cargo/bin
346	read-only ${HOME}/.rustup	362	read-only ${HOME}/.rustup
		363	read-only ${HOME}/bin
347		364
348	# Write-protection for desktop entries	365	# Write-protection for desktop entries
349	read-only ${HOME}/.config/menus	366	read-only ${HOME}/.config/menus
@@ -362,14 +379,32 @@ read-only ${HOME}/.local/share/thumbnailers
362	blacklist /tmp/ssh-*	379	blacklist /tmp/ssh-*
363		380
364	# top secret	381	# top secret
		382	blacklist /.fscrypt
		383	blacklist /etc/davfs2/secrets
		384	blacklist /etc/group+
		385	blacklist /etc/group-
		386	blacklist /etc/gshadow
		387	blacklist /etc/gshadow+
		388	blacklist /etc/gshadow-
		389	blacklist /etc/passwd+
		390	blacklist /etc/passwd-
		391	blacklist /etc/shadow
		392	blacklist /etc/shadow+
		393	blacklist /etc/shadow-
		394	blacklist /etc/ssh
		395	blacklist /etc/ssh/*
		396	blacklist /home/.ecryptfs
		397	blacklist /home/.fscrypt
365	blacklist ${HOME}/*.kdb	398	blacklist ${HOME}/*.kdb
366	blacklist ${HOME}/*.kdbx	399	blacklist ${HOME}/*.kdbx
367	blacklist ${HOME}/*.key	400	blacklist ${HOME}/*.key
		401	blacklist ${HOME}/Private
368	blacklist ${HOME}/.Private	402	blacklist ${HOME}/.Private
369	blacklist ${HOME}/.caff	403	blacklist ${HOME}/.caff
370	blacklist ${HOME}/.cargo/credentials	404	blacklist ${HOME}/.cargo/credentials
371	blacklist ${HOME}/.cargo/credentials.toml	405	blacklist ${HOME}/.cargo/credentials.toml
372	blacklist ${HOME}/.cert	406	blacklist ${HOME}/.cert
		407	blacklist ${HOME}/.config/hub
373	blacklist ${HOME}/.config/keybase	408	blacklist ${HOME}/.config/keybase
374	blacklist ${HOME}/.davfs2/secrets	409	blacklist ${HOME}/.davfs2/secrets
375	blacklist ${HOME}/.ecryptfs	410	blacklist ${HOME}/.ecryptfs
@@ -379,40 +414,36 @@ blacklist ${HOME}/.git-credential-cache
379	blacklist ${HOME}/.git-credentials	414	blacklist ${HOME}/.git-credentials
380	blacklist ${HOME}/.gnome2/keyrings	415	blacklist ${HOME}/.gnome2/keyrings
381	blacklist ${HOME}/.gnupg	416	blacklist ${HOME}/.gnupg
382	blacklist ${HOME}/.config/hub
383	blacklist ${HOME}/.kde/share/apps/kwallet	417	blacklist ${HOME}/.kde/share/apps/kwallet
384	blacklist ${HOME}/.kde4/share/apps/kwallet	418	blacklist ${HOME}/.kde4/share/apps/kwallet
385	blacklist ${HOME}/.local/share/keyrings	419	blacklist ${HOME}/.local/share/keyrings
386	blacklist ${HOME}/.local/share/kwalletd	420	blacklist ${HOME}/.local/share/kwalletd
		421	blacklist ${HOME}/.local/share/pki
387	blacklist ${HOME}/.local/share/plasma-vault	422	blacklist ${HOME}/.local/share/plasma-vault
		423	blacklist ${HOME}/.minisign
388	blacklist ${HOME}/.msmtprc	424	blacklist ${HOME}/.msmtprc
389	blacklist ${HOME}/.mutt	425	blacklist ${HOME}/.mutt
390	blacklist ${HOME}/.muttrc	426	blacklist ${HOME}/.muttrc
391	blacklist ${HOME}/.netrc	427	blacklist ${HOME}/.netrc
392	blacklist ${HOME}/.nyx	428	blacklist ${HOME}/.nyx
393	blacklist ${HOME}/.pki	429	blacklist ${HOME}/.pki
394	blacklist ${HOME}/.local/share/pki
395	blacklist ${HOME}/.smbcredentials	430	blacklist ${HOME}/.smbcredentials
396	blacklist ${HOME}/.ssh	431	blacklist ${HOME}/.ssh
397	blacklist ${HOME}/.vaults	432	blacklist ${HOME}/.vaults
398	blacklist /.fscrypt
399	blacklist /etc/davfs2/secrets
400	blacklist /etc/group+
401	blacklist /etc/group-
402	blacklist /etc/gshadow
403	blacklist /etc/gshadow+
404	blacklist /etc/gshadow-
405	blacklist /etc/passwd+
406	blacklist /etc/passwd-
407	blacklist /etc/shadow
408	blacklist /etc/shadow+
409	blacklist /etc/shadow-
410	blacklist /etc/ssh
411	blacklist /etc/ssh/*
412	blacklist /home/.ecryptfs
413	blacklist /home/.fscrypt
414	blacklist /var/backup	433	blacklist /var/backup
415		434
		435	# Remove environment variables with auth tokens.
		436	# Note however that the sandbox might still have access to the
		437	# files where these variables are set.
		438	rmenv GH_TOKEN
		439	rmenv GITHUB_TOKEN
		440	rmenv GH_ENTERPRISE_TOKEN
		441	rmenv GITHUB_ENTERPRISE_TOKEN
		442	rmenv CARGO_REGISTRY_TOKEN
		443	rmenv RESTIC_KEY_HINT
		444	rmenv RESTIC_PASSWORD_COMMAND
		445	rmenv RESTIC_PASSWORD_FILE
		446
416	# cloud provider configuration	447	# cloud provider configuration
417	blacklist ${HOME}/.aws	448	blacklist ${HOME}/.aws
418	blacklist ${HOME}/.boto	449	blacklist ${HOME}/.boto
@@ -473,10 +504,12 @@ blacklist /tmp/.lxterminal-socket*
473	blacklist /tmp/tmux-*	504	blacklist /tmp/tmux-*
474		505
475	# disable terminals running as server resulting in sandbox escape	506	# disable terminals running as server resulting in sandbox escape
476	blacklist ${PATH}/lxterminal
477	blacklist ${PATH}/gnome-terminal	507	blacklist ${PATH}/gnome-terminal
478	blacklist ${PATH}/gnome-terminal.wrapper	508	blacklist ${PATH}/gnome-terminal.wrapper
		509	# blacklist ${PATH}/konsole
		510	# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
479	blacklist ${PATH}/lilyterm	511	blacklist ${PATH}/lilyterm
		512	blacklist ${PATH}/lxterminal
480	blacklist ${PATH}/mate-terminal	513	blacklist ${PATH}/mate-terminal
481	blacklist ${PATH}/mate-terminal.wrapper	514	blacklist ${PATH}/mate-terminal.wrapper
482	blacklist ${PATH}/pantheon-terminal	515	blacklist ${PATH}/pantheon-terminal
@@ -488,8 +521,6 @@ blacklist ${PATH}/urxvtc
488	blacklist ${PATH}/urxvtcd	521	blacklist ${PATH}/urxvtcd
489	blacklist ${PATH}/xfce4-terminal	522	blacklist ${PATH}/xfce4-terminal
490	blacklist ${PATH}/xfce4-terminal.wrapper	523	blacklist ${PATH}/xfce4-terminal.wrapper
491	# blacklist ${PATH}/konsole
492	# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
493		524
494	# kernel files	525	# kernel files
495	blacklist /initrd*	526	blacklist /initrd*
@@ -505,17 +536,17 @@ noblacklist ${HOME}/.local/share/flatpak/exports
505	read-only ${HOME}/.local/share/flatpak/exports	536	read-only ${HOME}/.local/share/flatpak/exports
506	blacklist ${HOME}/.local/share/flatpak/*	537	blacklist ${HOME}/.local/share/flatpak/*
507	blacklist ${HOME}/.var	538	blacklist ${HOME}/.var
508	blacklist ${RUNUSER}/app	539	# most of the time bwrap is SUID binary
509	blacklist ${RUNUSER}/doc	540	blacklist ${PATH}/bwrap
510	blacklist ${RUNUSER}/.dbus-proxy	541	blacklist ${RUNUSER}/.dbus-proxy
511	blacklist ${RUNUSER}/.flatpak	542	blacklist ${RUNUSER}/.flatpak
512	blacklist ${RUNUSER}/.flatpak-cache	543	blacklist ${RUNUSER}/.flatpak-cache
513	blacklist ${RUNUSER}/.flatpak-helper	544	blacklist ${RUNUSER}/.flatpak-helper
		545	blacklist ${RUNUSER}/app
		546	blacklist ${RUNUSER}/doc
514	blacklist /usr/share/flatpak	547	blacklist /usr/share/flatpak
515	noblacklist /var/lib/flatpak/exports	548	noblacklist /var/lib/flatpak/exports
516	blacklist /var/lib/flatpak/*	549	blacklist /var/lib/flatpak/*
517	# most of the time bwrap is SUID binary
518	blacklist ${PATH}/bwrap
519		550
520	# snap	551	# snap
521	blacklist ${RUNUSER}/snapd-session-agent.socket	552	blacklist ${RUNUSER}/snapd-session-agent.socket