Diffstat (limited to 'etc/inc/disable-common.inc')
-rw-r--r--etc/inc/disable-common.inc699
1 files changed, 357 insertions, 342 deletions
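diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 2dc53d311..1283a3a3d 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -5,63 +5,63 @@ include disable-common.local
 # The following block breaks trash functionality in file managers
 #read-only ${HOME}/.local
 #read-write ${HOME}/.local/share
-blacklist ${HOME}/.local/share/Trash
+deny ${HOME}/.local/share/Trash
 
 # History files in $HOME and clipboard managers
-blacklist-nolog ${HOME}/.*_history
-blacklist-nolog ${HOME}/.adobe
-blacklist-nolog ${HOME}/.cache/greenclip*
-blacklist-nolog ${HOME}/.histfile
-blacklist-nolog ${HOME}/.history
-blacklist-nolog ${HOME}/.kde/share/apps/klipper
-blacklist-nolog ${HOME}/.kde4/share/apps/klipper
-blacklist-nolog ${HOME}/.local/share/fish/fish_history
-blacklist-nolog ${HOME}/.local/share/klipper
-blacklist-nolog ${HOME}/.macromedia
-blacklist-nolog ${HOME}/.mupdf.history
-blacklist-nolog ${HOME}/.python-history
-blacklist-nolog ${HOME}/.python_history
-blacklist-nolog ${HOME}/.pythonhist
-blacklist-nolog ${HOME}/.lesshst
-blacklist-nolog ${HOME}/.viminfo
-blacklist-nolog /tmp/clipmenu*
+deny-nolog ${HOME}/.*_history
+deny-nolog ${HOME}/.adobe
+deny-nolog ${HOME}/.cache/greenclip*
+deny-nolog ${HOME}/.histfile
+deny-nolog ${HOME}/.history
+deny-nolog ${HOME}/.kde/share/apps/klipper
+deny-nolog ${HOME}/.kde4/share/apps/klipper
+deny-nolog ${HOME}/.local/share/fish/fish_history
+deny-nolog ${HOME}/.local/share/klipper
+deny-nolog ${HOME}/.macromedia
+deny-nolog ${HOME}/.mupdf.history
+deny-nolog ${HOME}/.python-history
+deny-nolog ${HOME}/.python_history
+deny-nolog ${HOME}/.pythonhist
+deny-nolog ${HOME}/.lesshst
+deny-nolog ${HOME}/.viminfo
+deny-nolog /tmp/clipmenu*
 
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
-blacklist ${HOME}/.Xsession
-blacklist ${HOME}/.blackbox
-blacklist ${HOME}/.config/autostart
-blacklist ${HOME}/.config/autostart-scripts
-blacklist ${HOME}/.config/awesome
-blacklist ${HOME}/.config/i3
-blacklist ${HOME}/.config/sway
-blacklist ${HOME}/.config/lxsession/LXDE/autostart
-blacklist ${HOME}/.config/openbox
-blacklist ${HOME}/.config/plasma-workspace
-blacklist ${HOME}/.config/startupconfig
-blacklist ${HOME}/.config/startupconfigkeys
-blacklist ${HOME}/.fluxbox
-blacklist ${HOME}/.gnomerc
-blacklist ${HOME}/.kde/Autostart
-blacklist ${HOME}/.kde/env
-blacklist ${HOME}/.kde/share/autostart
-blacklist ${HOME}/.kde/share/config/startupconfig
-blacklist ${HOME}/.kde/share/config/startupconfigkeys
-blacklist ${HOME}/.kde/shutdown
-blacklist ${HOME}/.kde4/env
-blacklist ${HOME}/.kde4/Autostart
-blacklist ${HOME}/.kde4/share/autostart
-blacklist ${HOME}/.kde4/shutdown
-blacklist ${HOME}/.kde4/share/config/startupconfig
-blacklist ${HOME}/.kde4/share/config/startupconfigkeys
-blacklist ${HOME}/.local/share/autostart
-blacklist ${HOME}/.xinitrc
-blacklist ${HOME}/.xprofile
-blacklist ${HOME}/.xserverrc
-blacklist ${HOME}/.xsession
-blacklist ${HOME}/.xsessionrc
-blacklist /etc/X11/Xsession.d
-blacklist /etc/xdg/autostart
+deny ${HOME}/.Xsession
+deny ${HOME}/.blackbox
+deny ${HOME}/.config/autostart
+deny ${HOME}/.config/autostart-scripts
+deny ${HOME}/.config/awesome
+deny ${HOME}/.config/i3
+deny ${HOME}/.config/sway
+deny ${HOME}/.config/lxsession/LXDE/autostart
+deny ${HOME}/.config/openbox
+deny ${HOME}/.config/plasma-workspace
+deny ${HOME}/.config/startupconfig
+deny ${HOME}/.config/startupconfigkeys
+deny ${HOME}/.fluxbox
+deny ${HOME}/.gnomerc
+deny ${HOME}/.kde/Autostart
+deny ${HOME}/.kde/env
+deny ${HOME}/.kde/share/autostart
+deny ${HOME}/.kde/share/config/startupconfig
+deny ${HOME}/.kde/share/config/startupconfigkeys
+deny ${HOME}/.kde/shutdown
+deny ${HOME}/.kde4/env
+deny ${HOME}/.kde4/Autostart
+deny ${HOME}/.kde4/share/autostart
+deny ${HOME}/.kde4/shutdown
+deny ${HOME}/.kde4/share/config/startupconfig
+deny ${HOME}/.kde4/share/config/startupconfigkeys
+deny ${HOME}/.local/share/autostart
+deny ${HOME}/.xinitrc
+deny ${HOME}/.xprofile
+deny ${HOME}/.xserverrc
+deny ${HOME}/.xsession
+deny ${HOME}/.xsessionrc
+deny /etc/X11/Xsession.d
+deny /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
 
 # Session manager
@@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority
 #?HAS_X11: blacklist /tmp/.ICE-unix
 
 # KDE config
-blacklist ${HOME}/.cache/konsole
-blacklist ${HOME}/.config/khotkeysrc
-blacklist ${HOME}/.config/krunnerrc
-blacklist ${HOME}/.config/kscreenlockerrc
-blacklist ${HOME}/.config/ksslcertificatemanager
-blacklist ${HOME}/.config/kwalletrc
-blacklist ${HOME}/.config/kwinrc
-blacklist ${HOME}/.config/kwinrulesrc
-blacklist ${HOME}/.config/plasma-locale-settings.sh
-blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
-blacklist ${HOME}/.config/plasmashellrc
-blacklist ${HOME}/.config/plasmavaultrc
-blacklist ${HOME}/.kde/share/apps/kwin
-blacklist ${HOME}/.kde/share/apps/plasma
-blacklist ${HOME}/.kde/share/apps/solid
-blacklist ${HOME}/.kde/share/config/khotkeysrc
-blacklist ${HOME}/.kde/share/config/krunnerrc
-blacklist ${HOME}/.kde/share/config/kscreensaverrc
-blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
-blacklist ${HOME}/.kde/share/config/kwalletrc
-blacklist ${HOME}/.kde/share/config/kwinrc
-blacklist ${HOME}/.kde/share/config/kwinrulesrc
-blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.kde4/share/apps/kwin
-blacklist ${HOME}/.kde4/share/apps/plasma
-blacklist ${HOME}/.kde4/share/apps/solid
-blacklist ${HOME}/.kde4/share/config/khotkeysrc
-blacklist ${HOME}/.kde4/share/config/krunnerrc
-blacklist ${HOME}/.kde4/share/config/kscreensaverrc
-blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
-blacklist ${HOME}/.kde4/share/config/kwalletrc
-blacklist ${HOME}/.kde4/share/config/kwinrc
-blacklist ${HOME}/.kde4/share/config/kwinrulesrc
-blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.local/share/kglobalaccel
-blacklist ${HOME}/.local/share/kwin
-blacklist ${HOME}/.local/share/plasma
-blacklist ${HOME}/.local/share/plasmashell
-blacklist ${HOME}/.local/share/solid
-blacklist /tmp/konsole-*.history
+deny ${HOME}/.cache/konsole
+deny ${HOME}/.config/khotkeysrc
+deny ${HOME}/.config/krunnerrc
+deny ${HOME}/.config/kscreenlockerrc
+deny ${HOME}/.config/ksslcertificatemanager
+deny ${HOME}/.config/kwalletrc
+deny ${HOME}/.config/kwinrc
+deny ${HOME}/.config/kwinrulesrc
+deny ${HOME}/.config/plasma-locale-settings.sh
+deny ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
+deny ${HOME}/.config/plasmashellrc
+deny ${HOME}/.config/plasmavaultrc
+deny ${HOME}/.kde/share/apps/kwin
+deny ${HOME}/.kde/share/apps/plasma
+deny ${HOME}/.kde/share/apps/solid
+deny ${HOME}/.kde/share/config/khotkeysrc
+deny ${HOME}/.kde/share/config/krunnerrc
+deny ${HOME}/.kde/share/config/kscreensaverrc
+deny ${HOME}/.kde/share/config/ksslcertificatemanager
+deny ${HOME}/.kde/share/config/kwalletrc
+deny ${HOME}/.kde/share/config/kwinrc
+deny ${HOME}/.kde/share/config/kwinrulesrc
+deny ${HOME}/.kde/share/config/plasma-desktop-appletsrc
+deny ${HOME}/.kde4/share/apps/kwin
+deny ${HOME}/.kde4/share/apps/plasma
+deny ${HOME}/.kde4/share/apps/solid
+deny ${HOME}/.kde4/share/config/khotkeysrc
+deny ${HOME}/.kde4/share/config/krunnerrc
+deny ${HOME}/.kde4/share/config/kscreensaverrc
+deny ${HOME}/.kde4/share/config/ksslcertificatemanager
+deny ${HOME}/.kde4/share/config/kwalletrc
+deny ${HOME}/.kde4/share/config/kwinrc
+deny ${HOME}/.kde4/share/config/kwinrulesrc
+deny ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
+deny ${HOME}/.local/share/kglobalaccel
+deny ${HOME}/.local/share/kwin
+deny ${HOME}/.local/share/plasma
+deny ${HOME}/.local/share/plasmashell
+deny ${HOME}/.local/share/solid
+deny /tmp/konsole-*.history
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
 read-only ${HOME}/.config/kdeglobals
@@ -138,124 +138,139 @@ read-only ${HOME}/.local/share/kservices5
 read-only ${HOME}/.local/share/kssl
 
 # KDE sockets
-blacklist ${RUNUSER}/*.slave-socket
-blacklist ${RUNUSER}/kdeinit5__*
-blacklist ${RUNUSER}/kdesud_*
+deny ${RUNUSER}/*.slave-socket
+deny ${RUNUSER}/kdeinit5__*
+deny ${RUNUSER}/kdesud_*
 # see #3358
 #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
 #?HAS_NODBUS: blacklist /tmp/ksocket-*
 
 # gnome
 # contains extensions, last used times of applications, and notifications
-blacklist ${HOME}/.local/share/gnome-shell
+deny ${HOME}/.local/share/gnome-shell
 # contains recently used files and serials of static/removable storage
-blacklist ${HOME}/.local/share/gvfs-metadata
+deny ${HOME}/.local/share/gvfs-metadata
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
-blacklist ${RUNUSER}/gnome-session-leader-fifo
-blacklist ${RUNUSER}/gnome-shell
-blacklist ${RUNUSER}/gsconnect
+deny ${RUNUSER}/gnome-session-leader-fifo
+deny ${RUNUSER}/gnome-shell
+deny ${RUNUSER}/gsconnect
 
 # systemd
-blacklist ${HOME}/.config/systemd
-blacklist ${HOME}/.local/share/systemd
-blacklist /var/lib/systemd
-blacklist ${PATH}/systemd-run
-blacklist ${RUNUSER}/systemd
+deny ${HOME}/.config/systemd
+deny ${HOME}/.local/share/systemd
+deny /var/lib/systemd
+deny ${PATH}/systemd-run
+deny ${RUNUSER}/systemd
+deny ${PATH}/systemctl
+deny /etc/systemd/system
+deny /etc/systemd/network
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 
 # openrc
-blacklist /etc/runlevels/
-blacklist /etc/init.d/
-blacklist /etc/rc.conf
+deny /etc/runlevels/
+deny /etc/init.d/
+deny /etc/rc.conf
 
 # VirtualBox
-blacklist ${HOME}/.VirtualBox
-blacklist ${HOME}/.config/VirtualBox
-blacklist ${HOME}/VirtualBox VMs
+deny ${HOME}/.VirtualBox
+deny ${HOME}/.config/VirtualBox
+deny ${HOME}/VirtualBox VMs
 
 # GNOME Boxes
-blacklist ${HOME}/.config/gnome-boxes
-blacklist ${HOME}/.local/share/gnome-boxes
+deny ${HOME}/.config/gnome-boxes
+deny ${HOME}/.local/share/gnome-boxes
 
 # libvirt
-blacklist ${HOME}/.cache/libvirt
-blacklist ${HOME}/.config/libvirt
-blacklist ${RUNUSER}/libvirt
-blacklist /var/cache/libvirt
-blacklist /var/lib/libvirt
-blacklist /var/log/libvirt
+deny ${HOME}/.cache/libvirt
+deny ${HOME}/.config/libvirt
+deny ${RUNUSER}/libvirt
+deny /var/cache/libvirt
+deny /var/lib/libvirt
+deny /var/log/libvirt
 
 # OCI-Containers / Podman
-blacklist ${RUNUSER}/containers
-blacklist ${RUNUSER}/crun
-blacklist ${RUNUSER}/libpod
-blacklist ${RUNUSER}/runc
-blacklist ${RUNUSER}/toolbox
+deny ${RUNUSER}/containers
+deny ${RUNUSER}/crun
+deny ${RUNUSER}/libpod
+deny ${RUNUSER}/runc
+deny ${RUNUSER}/toolbox
 
 # VeraCrypt
-blacklist ${HOME}/.VeraCrypt
-blacklist ${PATH}/veracrypt
-blacklist ${PATH}/veracrypt-uninstall.sh
-blacklist /usr/share/applications/veracrypt.*
-blacklist /usr/share/pixmaps/veracrypt.*
-blacklist /usr/share/veracrypt
+deny ${HOME}/.VeraCrypt
+deny ${PATH}/veracrypt
+deny ${PATH}/veracrypt-uninstall.sh
+deny /usr/share/applications/veracrypt.*
+deny /usr/share/pixmaps/veracrypt.*
+deny /usr/share/veracrypt
 
 # TrueCrypt
-blacklist ${HOME}/.TrueCrypt
-blacklist ${PATH}/truecrypt
-blacklist ${PATH}/truecrypt-uninstall.sh
-blacklist /usr/share/applications/truecrypt.*
-blacklist /usr/share/pixmaps/truecrypt.*
-blacklist /usr/share/truecrypt
+deny ${HOME}/.TrueCrypt
+deny ${PATH}/truecrypt
+deny ${PATH}/truecrypt-uninstall.sh
+deny /usr/share/applications/truecrypt.*
+deny /usr/share/pixmaps/truecrypt.*
+deny /usr/share/truecrypt
 
 # zuluCrypt
-blacklist ${HOME}/.zuluCrypt
-blacklist ${HOME}/.zuluCrypt-socket
-blacklist ${PATH}/zuluCrypt-cli
-blacklist ${PATH}/zuluMount-cli
+deny ${HOME}/.zuluCrypt
+deny ${HOME}/.zuluCrypt-socket
+deny ${PATH}/zuluCrypt-cli
+deny ${PATH}/zuluMount-cli
 
 # var
-blacklist /var/cache/apt
-blacklist /var/cache/pacman
-blacklist /var/lib/apt
-blacklist /var/lib/clamav
-blacklist /var/lib/dkms
-blacklist /var/lib/mysql/mysql.sock
-blacklist /var/lib/mysqld/mysql.sock
-blacklist /var/lib/pacman
-blacklist /var/lib/upower
+deny /var/cache/apt
+deny /var/cache/pacman
+deny /var/lib/apt
+deny /var/lib/clamav
+deny /var/lib/dkms
+deny /var/lib/mysql/mysql.sock
+deny /var/lib/mysqld/mysql.sock
+deny /var/lib/pacman
+deny /var/lib/upower
 # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
 # every sandbox, unless --writable-var-log switch is activated
-blacklist /var/mail
-blacklist /var/opt
-blacklist /var/run/acpid.socket
-blacklist /var/run/docker.sock
-blacklist /var/run/minissdpd.sock
-blacklist /var/run/mysql/mysqld.sock
-blacklist /var/run/mysqld/mysqld.sock
-blacklist /var/run/rpcbind.sock
-blacklist /var/run/screens
-blacklist /var/spool/anacron
-blacklist /var/spool/cron
-blacklist /var/spool/mail
+deny /var/mail
+deny /var/opt
+deny /var/run/acpid.socket
+deny /var/run/docker.sock
+deny /var/run/minissdpd.sock
+deny /var/run/mysql/mysqld.sock
+deny /var/run/mysqld/mysqld.sock
+deny /var/run/rpcbind.sock
+deny /var/run/screens
+deny /var/spool/anacron
+deny /var/spool/cron
+deny /var/spool/mail
 
 # etc
-blacklist /etc/anacrontab
-blacklist /etc/cron*
-blacklist /etc/profile.d
-blacklist /etc/rc.local
+deny /etc/anacrontab
+deny /etc/cron*
+deny /etc/profile.d
+deny /etc/rc.local
 # rc1.d, rc2.d, ...
-blacklist /etc/rc?.d
-blacklist /etc/kernel*
-blacklist /etc/grub*
-blacklist /etc/dkms
-blacklist /etc/apparmor*
-blacklist /etc/selinux
-blacklist /etc/modules*
-blacklist /etc/logrotate*
-blacklist /etc/adduser.conf
+deny /etc/rc?.d
+deny /etc/kernel*
+deny /etc/grub*
+deny /etc/dkms
+deny /etc/apparmor*
+deny /etc/selinux
+deny /etc/modules*
+deny /etc/logrotate*
+deny /etc/adduser.conf
+
+# hide config for various intrusion detection systems
+deny /etc/rkhunter.conf
+deny /var/lib/rkhunter
+deny /etc/chkrootkit.conf
+deny /etc/lynis
+deny /etc/aide
+deny /etc/logcheck
+deny /etc/tripwire
+deny /etc/snort
+deny /etc/fail2ban.conf
+deny /etc/suricata
 
 # Startup files
 read-only ${HOME}/.antigen
@@ -292,13 +307,13 @@ read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
 # Remote access
-blacklist ${HOME}/.rhosts
-blacklist ${HOME}/.shosts
-blacklist ${HOME}/.ssh/authorized_keys
-blacklist ${HOME}/.ssh/authorized_keys2
-blacklist ${HOME}/.ssh/environment
-blacklist ${HOME}/.ssh/rc
-blacklist /etc/hosts.equiv
+deny ${HOME}/.rhosts
+deny ${HOME}/.shosts
+deny ${HOME}/.ssh/authorized_keys
+deny ${HOME}/.ssh/authorized_keys2
+deny ${HOME}/.ssh/environment
+deny ${HOME}/.ssh/rc
+deny /etc/hosts.equiv
 read-only ${HOME}/.ssh/config
 read-only ${HOME}/.ssh/config.d
 
@@ -359,200 +374,200 @@ read-only ${HOME}/.local/share/mime
 read-only ${HOME}/.local/share/thumbnailers
 
 # prevent access to ssh-agent
-blacklist /tmp/ssh-*
+deny /tmp/ssh-*
 
 # top secret
-blacklist ${HOME}/*.kdb
-blacklist ${HOME}/*.kdbx
-blacklist ${HOME}/*.key
-blacklist ${HOME}/.Private
-blacklist ${HOME}/.caff
-blacklist ${HOME}/.cargo/credentials
-blacklist ${HOME}/.cargo/credentials.toml
-blacklist ${HOME}/.cert
-blacklist ${HOME}/.config/keybase
-blacklist ${HOME}/.davfs2/secrets
-blacklist ${HOME}/.ecryptfs
-blacklist ${HOME}/.fetchmailrc
-blacklist ${HOME}/.fscrypt
-blacklist ${HOME}/.git-credential-cache
-blacklist ${HOME}/.git-credentials
-blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/.gnupg
-blacklist ${HOME}/.config/hub
-blacklist ${HOME}/.kde/share/apps/kwallet
-blacklist ${HOME}/.kde4/share/apps/kwallet
-blacklist ${HOME}/.local/share/keyrings
-blacklist ${HOME}/.local/share/kwalletd
-blacklist ${HOME}/.local/share/plasma-vault
-blacklist ${HOME}/.msmtprc
-blacklist ${HOME}/.mutt
-blacklist ${HOME}/.muttrc
-blacklist ${HOME}/.netrc
-blacklist ${HOME}/.nyx
-blacklist ${HOME}/.pki
-blacklist ${HOME}/.local/share/pki
-blacklist ${HOME}/.smbcredentials
-blacklist ${HOME}/.ssh
-blacklist ${HOME}/.vaults
-blacklist /.fscrypt
-blacklist /etc/davfs2/secrets
-blacklist /etc/group+
-blacklist /etc/group-
-blacklist /etc/gshadow
-blacklist /etc/gshadow+
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/passwd-
-blacklist /etc/shadow
-blacklist /etc/shadow+
-blacklist /etc/shadow-
-blacklist /etc/ssh
-blacklist /etc/ssh/*
-blacklist /home/.ecryptfs
-blacklist /home/.fscrypt
-blacklist /var/backup
+deny ${HOME}/*.kdb
+deny ${HOME}/*.kdbx
+deny ${HOME}/*.key
+deny ${HOME}/.Private
+deny ${HOME}/.caff
+deny ${HOME}/.cargo/credentials
+deny ${HOME}/.cargo/credentials.toml
+deny ${HOME}/.cert
+deny ${HOME}/.config/keybase
+deny ${HOME}/.davfs2/secrets
+deny ${HOME}/.ecryptfs
+deny ${HOME}/.fetchmailrc
+deny ${HOME}/.fscrypt
+deny ${HOME}/.git-credential-cache
+deny ${HOME}/.git-credentials
+deny ${HOME}/.gnome2/keyrings
+deny ${HOME}/.gnupg
+deny ${HOME}/.config/hub
+deny ${HOME}/.kde/share/apps/kwallet
+deny ${HOME}/.kde4/share/apps/kwallet
+deny ${HOME}/.local/share/keyrings
+deny ${HOME}/.local/share/kwalletd
+deny ${HOME}/.local/share/plasma-vault
+deny ${HOME}/.msmtprc
+deny ${HOME}/.mutt
+deny ${HOME}/.muttrc
+deny ${HOME}/.netrc
+deny ${HOME}/.nyx
+deny ${HOME}/.pki
+deny ${HOME}/.local/share/pki
+deny ${HOME}/.smbcredentials
+deny ${HOME}/.ssh
+deny ${HOME}/.vaults
+deny /.fscrypt
+deny /etc/davfs2/secrets
+deny /etc/group+
+deny /etc/group-
+deny /etc/gshadow
+deny /etc/gshadow+
+deny /etc/gshadow-
+deny /etc/passwd+
+deny /etc/passwd-
+deny /etc/shadow
+deny /etc/shadow+
+deny /etc/shadow-
+deny /etc/ssh
+deny /etc/ssh/*
+deny /home/.ecryptfs
+deny /home/.fscrypt
+deny /var/backup
 
 # cloud provider configuration
-blacklist ${HOME}/.aws
-blacklist ${HOME}/.boto
-blacklist ${HOME}/.config/gcloud
-blacklist ${HOME}/.kube
-blacklist ${HOME}/.passwd-s3fs
-blacklist ${HOME}/.s3cmd
-blacklist /etc/boto.cfg
+deny ${HOME}/.aws
+deny ${HOME}/.boto
+deny ${HOME}/.config/gcloud
+deny ${HOME}/.kube
+deny ${HOME}/.passwd-s3fs
+deny ${HOME}/.s3cmd
+deny /etc/boto.cfg
 
 # system directories
-blacklist /sbin
-blacklist /usr/local/sbin
-blacklist /usr/sbin
+deny /sbin
+deny /usr/local/sbin
+deny /usr/sbin
 
 # system management
-blacklist ${PATH}/at
-blacklist ${PATH}/busybox
-blacklist ${PATH}/chage
-blacklist ${PATH}/chfn
-blacklist ${PATH}/chsh
-blacklist ${PATH}/crontab
-blacklist ${PATH}/evtest
-blacklist ${PATH}/expiry
-blacklist ${PATH}/fusermount
-blacklist ${PATH}/gksu
-blacklist ${PATH}/gksudo
-blacklist ${PATH}/gpasswd
-blacklist ${PATH}/kdesudo
-blacklist ${PATH}/ksu
-blacklist ${PATH}/mount
-blacklist ${PATH}/mount.ecryptfs_private
-blacklist ${PATH}/nc
-blacklist ${PATH}/ncat
-blacklist ${PATH}/nmap
-blacklist ${PATH}/newgidmap
-blacklist ${PATH}/newgrp
-blacklist ${PATH}/newuidmap
-blacklist ${PATH}/ntfs-3g
-blacklist ${PATH}/pkexec
-blacklist ${PATH}/procmail
-blacklist ${PATH}/sg
-blacklist ${PATH}/strace
-blacklist ${PATH}/su
-blacklist ${PATH}/sudo
-blacklist ${PATH}/tcpdump
-blacklist ${PATH}/umount
-blacklist ${PATH}/unix_chkpwd
-blacklist ${PATH}/xev
-blacklist ${PATH}/xinput
+deny ${PATH}/at
+deny ${PATH}/busybox
+deny ${PATH}/chage
+deny ${PATH}/chfn
+deny ${PATH}/chsh
+deny ${PATH}/crontab
+deny ${PATH}/evtest
+deny ${PATH}/expiry
+deny ${PATH}/fusermount
+deny ${PATH}/gksu
+deny ${PATH}/gksudo
+deny ${PATH}/gpasswd
+deny ${PATH}/kdesudo
+deny ${PATH}/ksu
+deny ${PATH}/mount
+deny ${PATH}/mount.ecryptfs_private
+deny ${PATH}/nc
+deny ${PATH}/ncat
+deny ${PATH}/nmap
+deny ${PATH}/newgidmap
+deny ${PATH}/newgrp
+deny ${PATH}/newuidmap
+deny ${PATH}/ntfs-3g
+deny ${PATH}/pkexec
+deny ${PATH}/procmail
+deny ${PATH}/sg
+deny ${PATH}/strace
+deny ${PATH}/su
+deny ${PATH}/sudo
+deny ${PATH}/tcpdump
+deny ${PATH}/umount
+deny ${PATH}/unix_chkpwd
+deny ${PATH}/xev
+deny ${PATH}/xinput
 
 # other SUID binaries
-blacklist /usr/lib/virtualbox
-blacklist /usr/lib64/virtualbox
+deny /usr/lib/virtualbox
+deny /usr/lib64/virtualbox
 
 # prevent lxterminal connecting to an existing lxterminal session
-blacklist /tmp/.lxterminal-socket*
+deny /tmp/.lxterminal-socket*
 # prevent tmux connecting to an existing session
-blacklist /tmp/tmux-*
+deny /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
-blacklist ${PATH}/lxterminal
-blacklist ${PATH}/gnome-terminal
-blacklist ${PATH}/gnome-terminal.wrapper
-blacklist ${PATH}/lilyterm
-blacklist ${PATH}/mate-terminal
-blacklist ${PATH}/mate-terminal.wrapper
-blacklist ${PATH}/pantheon-terminal
-blacklist ${PATH}/roxterm
-blacklist ${PATH}/roxterm-config
-blacklist ${PATH}/terminix
-blacklist ${PATH}/tilix
-blacklist ${PATH}/urxvtc
-blacklist ${PATH}/urxvtcd
-blacklist ${PATH}/xfce4-terminal
-blacklist ${PATH}/xfce4-terminal.wrapper
+deny ${PATH}/lxterminal
+deny ${PATH}/gnome-terminal
+deny ${PATH}/gnome-terminal.wrapper
+deny ${PATH}/lilyterm
+deny ${PATH}/mate-terminal
+deny ${PATH}/mate-terminal.wrapper
+deny ${PATH}/pantheon-terminal
+deny ${PATH}/roxterm
+deny ${PATH}/roxterm-config
+deny ${PATH}/terminix
+deny ${PATH}/tilix
+deny ${PATH}/urxvtc
+deny ${PATH}/urxvtcd
+deny ${PATH}/xfce4-terminal
+deny ${PATH}/xfce4-terminal.wrapper
 # blacklist ${PATH}/konsole
 # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 
 # kernel files
-blacklist /initrd*
-blacklist /vmlinuz*
+deny /initrd*
+deny /vmlinuz*
 
 # snapshot files
-blacklist /.snapshots
+deny /.snapshots
 
 # flatpak
-blacklist ${HOME}/.cache/flatpak
-blacklist ${HOME}/.config/flatpak
-noblacklist ${HOME}/.local/share/flatpak/exports
+deny ${HOME}/.cache/flatpak
+deny ${HOME}/.config/flatpak
+nodeny ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
-blacklist ${HOME}/.local/share/flatpak/*
-blacklist ${HOME}/.var
-blacklist ${RUNUSER}/app
-blacklist ${RUNUSER}/doc
-blacklist ${RUNUSER}/.dbus-proxy
-blacklist ${RUNUSER}/.flatpak
-blacklist ${RUNUSER}/.flatpak-cache
-blacklist ${RUNUSER}/.flatpak-helper
-blacklist /usr/share/flatpak
-noblacklist /var/lib/flatpak/exports
-blacklist /var/lib/flatpak/*
+deny ${HOME}/.local/share/flatpak/*
+deny ${HOME}/.var
+deny ${RUNUSER}/app
+deny ${RUNUSER}/doc
+deny ${RUNUSER}/.dbus-proxy
+deny ${RUNUSER}/.flatpak
+deny ${RUNUSER}/.flatpak-cache
+deny ${RUNUSER}/.flatpak-helper
+deny /usr/share/flatpak
+nodeny /var/lib/flatpak/exports
+deny /var/lib/flatpak/*
 # most of the time bwrap is SUID binary
-blacklist ${PATH}/bwrap
+deny ${PATH}/bwrap
 
 # snap
-blacklist ${RUNUSER}/snapd-session-agent.socket
+deny ${RUNUSER}/snapd-session-agent.socket
 
 # mail directories used by mutt
-blacklist ${HOME}/.Mail
-blacklist ${HOME}/.mail
-blacklist ${HOME}/.signature
-blacklist ${HOME}/Mail
-blacklist ${HOME}/mail
-blacklist ${HOME}/postponed
-blacklist ${HOME}/sent
+deny ${HOME}/.Mail
+deny ${HOME}/.mail
+deny ${HOME}/.signature
+deny ${HOME}/Mail
+deny ${HOME}/mail
+deny ${HOME}/postponed
+deny ${HOME}/sent
 
 # kernel configuration
-blacklist /proc/config.gz
+deny /proc/config.gz
 
 # prevent DNS malware attempting to communicate with the server
 # using regular DNS tools
-blacklist ${PATH}/dig
-blacklist ${PATH}/dlint
-blacklist ${PATH}/dns2tcp
-blacklist ${PATH}/dnssec-*
-blacklist ${PATH}/dnswalk
-blacklist ${PATH}/drill
-blacklist ${PATH}/host
-blacklist ${PATH}/iodine
-blacklist ${PATH}/kdig
-blacklist ${PATH}/khost
-blacklist ${PATH}/knsupdate
-blacklist ${PATH}/ldns-*
-blacklist ${PATH}/ldnsd
-blacklist ${PATH}/nslookup
-blacklist ${PATH}/resolvectl
-blacklist ${PATH}/unbound-host
+deny ${PATH}/dig
+deny ${PATH}/dlint
+deny ${PATH}/dns2tcp
+deny ${PATH}/dnssec-*
+deny ${PATH}/dnswalk
+deny ${PATH}/drill
+deny ${PATH}/host
+deny ${PATH}/iodine
+deny ${PATH}/kdig
+deny ${PATH}/khost
+deny ${PATH}/knsupdate
+deny ${PATH}/ldns-*
+deny ${PATH}/ldnsd
+deny ${PATH}/nslookup
+deny ${PATH}/resolvectl
+deny ${PATH}/unbound-host
 
 # rest of ${RUNUSER}
-blacklist ${RUNUSER}/*.lock
-blacklist ${RUNUSER}/inaccessible
-blacklist ${RUNUSER}/pk-debconf-socket
-blacklist ${RUNUSER}/update-notifier.pid
+deny ${RUNUSER}/*.lock
+deny ${RUNUSER}/inaccessible
+deny ${RUNUSER}/pk-debconf-socket
+deny ${RUNUSER}/update-notifier.pid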
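Review bot: `deny /etc/fail2ban.conf` in the new "hide config for various intrusion detection systems" block (third hunk, new lines 263-273) is very likely the wrong path: as far as I know fail2ban ships its configuration inside the directory `/etc/fail2ban/` (fail2ban.conf, jail.conf, jail.d/), so the flat file named here does not exist on a typical install and the real directory stays readable, unlike the neighbouring entries that hide whole directories; the line should read `deny /etc/fail2ban`. The same doubt applies to `deny /etc/aide`, since some distributions use a flat `/etc/aide.conf` rather than an `/etc/aide/` directory, so an extra `deny /etc/aide.conf` may be needed to cover both layouts. Separately, the commented-out conditional lines `#?HAS_X11: blacklist /tmp/.ICE-unix` and `#?HAS_NODBUS: blacklist ...` in the second and third hunks still use the old `blacklist` keyword; this is harmless while they stay disabled, but they will be inconsistent with the rest of the file if anyone re-enables them.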