diff options
Diffstat (limited to 'etc/inc/disable-common.inc')
| -rw-r--r-- | etc/inc/disable-common.inc | 710 |
1 files changed, 355 insertions, 355 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 1283a3a3d..6df0c4990 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
| @@ -5,63 +5,63 @@ include disable-common.local | |||
| 5 | # The following block breaks trash functionality in file managers | 5 | # The following block breaks trash functionality in file managers |
| 6 | #read-only ${HOME}/.local | 6 | #read-only ${HOME}/.local |
| 7 | #read-write ${HOME}/.local/share | 7 | #read-write ${HOME}/.local/share |
| 8 | deny ${HOME}/.local/share/Trash | 8 | blacklist ${HOME}/.local/share/Trash |
| 9 | 9 | ||
| 10 | # History files in $HOME and clipboard managers | 10 | # History files in $HOME and clipboard managers |
| 11 | deny-nolog ${HOME}/.*_history | 11 | blacklist-nolog ${HOME}/.*_history |
| 12 | deny-nolog ${HOME}/.adobe | 12 | blacklist-nolog ${HOME}/.adobe |
| 13 | deny-nolog ${HOME}/.cache/greenclip* | 13 | blacklist-nolog ${HOME}/.cache/greenclip* |
| 14 | deny-nolog ${HOME}/.histfile | 14 | blacklist-nolog ${HOME}/.histfile |
| 15 | deny-nolog ${HOME}/.history | 15 | blacklist-nolog ${HOME}/.history |
| 16 | deny-nolog ${HOME}/.kde/share/apps/klipper | 16 | blacklist-nolog ${HOME}/.kde/share/apps/klipper |
| 17 | deny-nolog ${HOME}/.kde4/share/apps/klipper | 17 | blacklist-nolog ${HOME}/.kde4/share/apps/klipper |
| 18 | deny-nolog ${HOME}/.local/share/fish/fish_history | 18 | blacklist-nolog ${HOME}/.local/share/fish/fish_history |
| 19 | deny-nolog ${HOME}/.local/share/klipper | 19 | blacklist-nolog ${HOME}/.local/share/klipper |
| 20 | deny-nolog ${HOME}/.macromedia | 20 | blacklist-nolog ${HOME}/.macromedia |
| 21 | deny-nolog ${HOME}/.mupdf.history | 21 | blacklist-nolog ${HOME}/.mupdf.history |
| 22 | deny-nolog ${HOME}/.python-history | 22 | blacklist-nolog ${HOME}/.python-history |
| 23 | deny-nolog ${HOME}/.python_history | 23 | blacklist-nolog ${HOME}/.python_history |
| 24 | deny-nolog ${HOME}/.pythonhist | 24 | blacklist-nolog ${HOME}/.pythonhist |
| 25 | deny-nolog ${HOME}/.lesshst | 25 | blacklist-nolog ${HOME}/.lesshst |
| 26 | deny-nolog ${HOME}/.viminfo | 26 | blacklist-nolog ${HOME}/.viminfo |
| 27 | deny-nolog /tmp/clipmenu* | 27 | blacklist-nolog /tmp/clipmenu* |
| 28 | 28 | ||
| 29 | # X11 session autostart | 29 | # X11 session autostart |
| 30 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs | 30 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs |
| 31 | deny ${HOME}/.Xsession | 31 | blacklist ${HOME}/.Xsession |
| 32 | deny ${HOME}/.blackbox | 32 | blacklist ${HOME}/.blackbox |
| 33 | deny ${HOME}/.config/autostart | 33 | blacklist ${HOME}/.config/autostart |
| 34 | deny ${HOME}/.config/autostart-scripts | 34 | blacklist ${HOME}/.config/autostart-scripts |
| 35 | deny ${HOME}/.config/awesome | 35 | blacklist ${HOME}/.config/awesome |
| 36 | deny ${HOME}/.config/i3 | 36 | blacklist ${HOME}/.config/i3 |
| 37 | deny ${HOME}/.config/sway | 37 | blacklist ${HOME}/.config/sway |
| 38 | deny ${HOME}/.config/lxsession/LXDE/autostart | 38 | blacklist ${HOME}/.config/lxsession/LXDE/autostart |
| 39 | deny ${HOME}/.config/openbox | 39 | blacklist ${HOME}/.config/openbox |
| 40 | deny ${HOME}/.config/plasma-workspace | 40 | blacklist ${HOME}/.config/plasma-workspace |
| 41 | deny ${HOME}/.config/startupconfig | 41 | blacklist ${HOME}/.config/startupconfig |
| 42 | deny ${HOME}/.config/startupconfigkeys | 42 | blacklist ${HOME}/.config/startupconfigkeys |
| 43 | deny ${HOME}/.fluxbox | 43 | blacklist ${HOME}/.fluxbox |
| 44 | deny ${HOME}/.gnomerc | 44 | blacklist ${HOME}/.gnomerc |
| 45 | deny ${HOME}/.kde/Autostart | 45 | blacklist ${HOME}/.kde/Autostart |
| 46 | deny ${HOME}/.kde/env | 46 | blacklist ${HOME}/.kde/env |
| 47 | deny ${HOME}/.kde/share/autostart | 47 | blacklist ${HOME}/.kde/share/autostart |
| 48 | deny ${HOME}/.kde/share/config/startupconfig | 48 | blacklist ${HOME}/.kde/share/config/startupconfig |
| 49 | deny ${HOME}/.kde/share/config/startupconfigkeys | 49 | blacklist ${HOME}/.kde/share/config/startupconfigkeys |
| 50 | deny ${HOME}/.kde/shutdown | 50 | blacklist ${HOME}/.kde/shutdown |
| 51 | deny ${HOME}/.kde4/env | 51 | blacklist ${HOME}/.kde4/env |
| 52 | deny ${HOME}/.kde4/Autostart | 52 | blacklist ${HOME}/.kde4/Autostart |
| 53 | deny ${HOME}/.kde4/share/autostart | 53 | blacklist ${HOME}/.kde4/share/autostart |
| 54 | deny ${HOME}/.kde4/shutdown | 54 | blacklist ${HOME}/.kde4/shutdown |
| 55 | deny ${HOME}/.kde4/share/config/startupconfig | 55 | blacklist ${HOME}/.kde4/share/config/startupconfig |
| 56 | deny ${HOME}/.kde4/share/config/startupconfigkeys | 56 | blacklist ${HOME}/.kde4/share/config/startupconfigkeys |
| 57 | deny ${HOME}/.local/share/autostart | 57 | blacklist ${HOME}/.local/share/autostart |
| 58 | deny ${HOME}/.xinitrc | 58 | blacklist ${HOME}/.xinitrc |
| 59 | deny ${HOME}/.xprofile | 59 | blacklist ${HOME}/.xprofile |
| 60 | deny ${HOME}/.xserverrc | 60 | blacklist ${HOME}/.xserverrc |
| 61 | deny ${HOME}/.xsession | 61 | blacklist ${HOME}/.xsession |
| 62 | deny ${HOME}/.xsessionrc | 62 | blacklist ${HOME}/.xsessionrc |
| 63 | deny /etc/X11/Xsession.d | 63 | blacklist /etc/X11/Xsession.d |
| 64 | deny /etc/xdg/autostart | 64 | blacklist /etc/xdg/autostart |
| 65 | read-only ${HOME}/.Xauthority | 65 | read-only ${HOME}/.Xauthority |
| 66 | 66 | ||
| 67 | # Session manager | 67 | # Session manager |
| @@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority | |||
| 70 | #?HAS_X11: blacklist /tmp/.ICE-unix | 70 | #?HAS_X11: blacklist /tmp/.ICE-unix |
| 71 | 71 | ||
| 72 | # KDE config | 72 | # KDE config |
| 73 | deny ${HOME}/.cache/konsole | 73 | blacklist ${HOME}/.cache/konsole |
| 74 | deny ${HOME}/.config/khotkeysrc | 74 | blacklist ${HOME}/.config/khotkeysrc |
| 75 | deny ${HOME}/.config/krunnerrc | 75 | blacklist ${HOME}/.config/krunnerrc |
| 76 | deny ${HOME}/.config/kscreenlockerrc | 76 | blacklist ${HOME}/.config/kscreenlockerrc |
| 77 | deny ${HOME}/.config/ksslcertificatemanager | 77 | blacklist ${HOME}/.config/ksslcertificatemanager |
| 78 | deny ${HOME}/.config/kwalletrc | 78 | blacklist ${HOME}/.config/kwalletrc |
| 79 | deny ${HOME}/.config/kwinrc | 79 | blacklist ${HOME}/.config/kwinrc |
| 80 | deny ${HOME}/.config/kwinrulesrc | 80 | blacklist ${HOME}/.config/kwinrulesrc |
| 81 | deny ${HOME}/.config/plasma-locale-settings.sh | 81 | blacklist ${HOME}/.config/plasma-locale-settings.sh |
| 82 | deny ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc | 82 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc |
| 83 | deny ${HOME}/.config/plasmashellrc | 83 | blacklist ${HOME}/.config/plasmashellrc |
| 84 | deny ${HOME}/.config/plasmavaultrc | 84 | blacklist ${HOME}/.config/plasmavaultrc |
| 85 | deny ${HOME}/.kde/share/apps/kwin | 85 | blacklist ${HOME}/.kde/share/apps/kwin |
| 86 | deny ${HOME}/.kde/share/apps/plasma | 86 | blacklist ${HOME}/.kde/share/apps/plasma |
| 87 | deny ${HOME}/.kde/share/apps/solid | 87 | blacklist ${HOME}/.kde/share/apps/solid |
| 88 | deny ${HOME}/.kde/share/config/khotkeysrc | 88 | blacklist ${HOME}/.kde/share/config/khotkeysrc |
| 89 | deny ${HOME}/.kde/share/config/krunnerrc | 89 | blacklist ${HOME}/.kde/share/config/krunnerrc |
| 90 | deny ${HOME}/.kde/share/config/kscreensaverrc | 90 | blacklist ${HOME}/.kde/share/config/kscreensaverrc |
| 91 | deny ${HOME}/.kde/share/config/ksslcertificatemanager | 91 | blacklist ${HOME}/.kde/share/config/ksslcertificatemanager |
| 92 | deny ${HOME}/.kde/share/config/kwalletrc | 92 | blacklist ${HOME}/.kde/share/config/kwalletrc |
| 93 | deny ${HOME}/.kde/share/config/kwinrc | 93 | blacklist ${HOME}/.kde/share/config/kwinrc |
| 94 | deny ${HOME}/.kde/share/config/kwinrulesrc | 94 | blacklist ${HOME}/.kde/share/config/kwinrulesrc |
| 95 | deny ${HOME}/.kde/share/config/plasma-desktop-appletsrc | 95 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc |
| 96 | deny ${HOME}/.kde4/share/apps/kwin | 96 | blacklist ${HOME}/.kde4/share/apps/kwin |
| 97 | deny ${HOME}/.kde4/share/apps/plasma | 97 | blacklist ${HOME}/.kde4/share/apps/plasma |
| 98 | deny ${HOME}/.kde4/share/apps/solid | 98 | blacklist ${HOME}/.kde4/share/apps/solid |
| 99 | deny ${HOME}/.kde4/share/config/khotkeysrc | 99 | blacklist ${HOME}/.kde4/share/config/khotkeysrc |
| 100 | deny ${HOME}/.kde4/share/config/krunnerrc | 100 | blacklist ${HOME}/.kde4/share/config/krunnerrc |
| 101 | deny ${HOME}/.kde4/share/config/kscreensaverrc | 101 | blacklist ${HOME}/.kde4/share/config/kscreensaverrc |
| 102 | deny ${HOME}/.kde4/share/config/ksslcertificatemanager | 102 | blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager |
| 103 | deny ${HOME}/.kde4/share/config/kwalletrc | 103 | blacklist ${HOME}/.kde4/share/config/kwalletrc |
| 104 | deny ${HOME}/.kde4/share/config/kwinrc | 104 | blacklist ${HOME}/.kde4/share/config/kwinrc |
| 105 | deny ${HOME}/.kde4/share/config/kwinrulesrc | 105 | blacklist ${HOME}/.kde4/share/config/kwinrulesrc |
| 106 | deny ${HOME}/.kde4/share/config/plasma-desktop-appletsrc | 106 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc |
| 107 | deny ${HOME}/.local/share/kglobalaccel | 107 | blacklist ${HOME}/.local/share/kglobalaccel |
| 108 | deny ${HOME}/.local/share/kwin | 108 | blacklist ${HOME}/.local/share/kwin |
| 109 | deny ${HOME}/.local/share/plasma | 109 | blacklist ${HOME}/.local/share/plasma |
| 110 | deny ${HOME}/.local/share/plasmashell | 110 | blacklist ${HOME}/.local/share/plasmashell |
| 111 | deny ${HOME}/.local/share/solid | 111 | blacklist ${HOME}/.local/share/solid |
| 112 | deny /tmp/konsole-*.history | 112 | blacklist /tmp/konsole-*.history |
| 113 | read-only ${HOME}/.cache/ksycoca5_* | 113 | read-only ${HOME}/.cache/ksycoca5_* |
| 114 | read-only ${HOME}/.config/*notifyrc | 114 | read-only ${HOME}/.config/*notifyrc |
| 115 | read-only ${HOME}/.config/kdeglobals | 115 | read-only ${HOME}/.config/kdeglobals |
| @@ -138,139 +138,139 @@ read-only ${HOME}/.local/share/kservices5 | |||
| 138 | read-only ${HOME}/.local/share/kssl | 138 | read-only ${HOME}/.local/share/kssl |
| 139 | 139 | ||
| 140 | # KDE sockets | 140 | # KDE sockets |
| 141 | deny ${RUNUSER}/*.slave-socket | 141 | blacklist ${RUNUSER}/*.slave-socket |
| 142 | deny ${RUNUSER}/kdeinit5__* | 142 | blacklist ${RUNUSER}/kdeinit5__* |
| 143 | deny ${RUNUSER}/kdesud_* | 143 | blacklist ${RUNUSER}/kdesud_* |
| 144 | # see #3358 | 144 | # see #3358 |
| 145 | #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-* | 145 | #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-* |
| 146 | #?HAS_NODBUS: blacklist /tmp/ksocket-* | 146 | #?HAS_NODBUS: blacklist /tmp/ksocket-* |
| 147 | 147 | ||
| 148 | # gnome | 148 | # gnome |
| 149 | # contains extensions, last used times of applications, and notifications | 149 | # contains extensions, last used times of applications, and notifications |
| 150 | deny ${HOME}/.local/share/gnome-shell | 150 | blacklist ${HOME}/.local/share/gnome-shell |
| 151 | # contains recently used files and serials of static/removable storage | 151 | # contains recently used files and serials of static/removable storage |
| 152 | deny ${HOME}/.local/share/gvfs-metadata | 152 | blacklist ${HOME}/.local/share/gvfs-metadata |
| 153 | # no direct modification of dconf database | 153 | # no direct modification of dconf database |
| 154 | read-only ${HOME}/.config/dconf | 154 | read-only ${HOME}/.config/dconf |
| 155 | deny ${RUNUSER}/gnome-session-leader-fifo | 155 | blacklist ${RUNUSER}/gnome-session-leader-fifo |
| 156 | deny ${RUNUSER}/gnome-shell | 156 | blacklist ${RUNUSER}/gnome-shell |
| 157 | deny ${RUNUSER}/gsconnect | 157 | blacklist ${RUNUSER}/gsconnect |
| 158 | 158 | ||
| 159 | # systemd | 159 | # systemd |
| 160 | deny ${HOME}/.config/systemd | 160 | blacklist ${HOME}/.config/systemd |
| 161 | deny ${HOME}/.local/share/systemd | 161 | blacklist ${HOME}/.local/share/systemd |
| 162 | deny /var/lib/systemd | 162 | blacklist /var/lib/systemd |
| 163 | deny ${PATH}/systemd-run | 163 | blacklist ${PATH}/systemd-run |
| 164 | deny ${RUNUSER}/systemd | 164 | blacklist ${RUNUSER}/systemd |
| 165 | deny ${PATH}/systemctl | 165 | blacklist ${PATH}/systemctl |
| 166 | deny /etc/systemd/system | 166 | blacklist /etc/systemd/system |
| 167 | deny /etc/systemd/network | 167 | blacklist /etc/systemd/network |
| 168 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf | 168 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf |
| 169 | #blacklist /var/run/systemd | 169 | #blacklist /var/run/systemd |
| 170 | 170 | ||
| 171 | # openrc | 171 | # openrc |
| 172 | deny /etc/runlevels/ | 172 | blacklist /etc/runlevels/ |
| 173 | deny /etc/init.d/ | 173 | blacklist /etc/init.d/ |
| 174 | deny /etc/rc.conf | 174 | blacklist /etc/rc.conf |
| 175 | 175 | ||
| 176 | # VirtualBox | 176 | # VirtualBox |
| 177 | deny ${HOME}/.VirtualBox | 177 | blacklist ${HOME}/.VirtualBox |
| 178 | deny ${HOME}/.config/VirtualBox | 178 | blacklist ${HOME}/.config/VirtualBox |
| 179 | deny ${HOME}/VirtualBox VMs | 179 | blacklist ${HOME}/VirtualBox VMs |
| 180 | 180 | ||
| 181 | # GNOME Boxes | 181 | # GNOME Boxes |
| 182 | deny ${HOME}/.config/gnome-boxes | 182 | blacklist ${HOME}/.config/gnome-boxes |
| 183 | deny ${HOME}/.local/share/gnome-boxes | 183 | blacklist ${HOME}/.local/share/gnome-boxes |
| 184 | 184 | ||
| 185 | # libvirt | 185 | # libvirt |
| 186 | deny ${HOME}/.cache/libvirt | 186 | blacklist ${HOME}/.cache/libvirt |
| 187 | deny ${HOME}/.config/libvirt | 187 | blacklist ${HOME}/.config/libvirt |
| 188 | deny ${RUNUSER}/libvirt | 188 | blacklist ${RUNUSER}/libvirt |
| 189 | deny /var/cache/libvirt | 189 | blacklist /var/cache/libvirt |
| 190 | deny /var/lib/libvirt | 190 | blacklist /var/lib/libvirt |
| 191 | deny /var/log/libvirt | 191 | blacklist /var/log/libvirt |
| 192 | 192 | ||
| 193 | # OCI-Containers / Podman | 193 | # OCI-Containers / Podman |
| 194 | deny ${RUNUSER}/containers | 194 | blacklist ${RUNUSER}/containers |
| 195 | deny ${RUNUSER}/crun | 195 | blacklist ${RUNUSER}/crun |
| 196 | deny ${RUNUSER}/libpod | 196 | blacklist ${RUNUSER}/libpod |
| 197 | deny ${RUNUSER}/runc | 197 | blacklist ${RUNUSER}/runc |
| 198 | deny ${RUNUSER}/toolbox | 198 | blacklist ${RUNUSER}/toolbox |
| 199 | 199 | ||
| 200 | # VeraCrypt | 200 | # VeraCrypt |
| 201 | deny ${HOME}/.VeraCrypt | 201 | blacklist ${HOME}/.VeraCrypt |
| 202 | deny ${PATH}/veracrypt | 202 | blacklist ${PATH}/veracrypt |
| 203 | deny ${PATH}/veracrypt-uninstall.sh | 203 | blacklist ${PATH}/veracrypt-uninstall.sh |
| 204 | deny /usr/share/applications/veracrypt.* | 204 | blacklist /usr/share/applications/veracrypt.* |
| 205 | deny /usr/share/pixmaps/veracrypt.* | 205 | blacklist /usr/share/pixmaps/veracrypt.* |
| 206 | deny /usr/share/veracrypt | 206 | blacklist /usr/share/veracrypt |
| 207 | 207 | ||
| 208 | # TrueCrypt | 208 | # TrueCrypt |
| 209 | deny ${HOME}/.TrueCrypt | 209 | blacklist ${HOME}/.TrueCrypt |
| 210 | deny ${PATH}/truecrypt | 210 | blacklist ${PATH}/truecrypt |
| 211 | deny ${PATH}/truecrypt-uninstall.sh | 211 | blacklist ${PATH}/truecrypt-uninstall.sh |
| 212 | deny /usr/share/applications/truecrypt.* | 212 | blacklist /usr/share/applications/truecrypt.* |
| 213 | deny /usr/share/pixmaps/truecrypt.* | 213 | blacklist /usr/share/pixmaps/truecrypt.* |
| 214 | deny /usr/share/truecrypt | 214 | blacklist /usr/share/truecrypt |
| 215 | 215 | ||
| 216 | # zuluCrypt | 216 | # zuluCrypt |
| 217 | deny ${HOME}/.zuluCrypt | 217 | blacklist ${HOME}/.zuluCrypt |
| 218 | deny ${HOME}/.zuluCrypt-socket | 218 | blacklist ${HOME}/.zuluCrypt-socket |
| 219 | deny ${PATH}/zuluCrypt-cli | 219 | blacklist ${PATH}/zuluCrypt-cli |
| 220 | deny ${PATH}/zuluMount-cli | 220 | blacklist ${PATH}/zuluMount-cli |
| 221 | 221 | ||
| 222 | # var | 222 | # var |
| 223 | deny /var/cache/apt | 223 | blacklist /var/cache/apt |
| 224 | deny /var/cache/pacman | 224 | blacklist /var/cache/pacman |
| 225 | deny /var/lib/apt | 225 | blacklist /var/lib/apt |
| 226 | deny /var/lib/clamav | 226 | blacklist /var/lib/clamav |
| 227 | deny /var/lib/dkms | 227 | blacklist /var/lib/dkms |
| 228 | deny /var/lib/mysql/mysql.sock | 228 | blacklist /var/lib/mysql/mysql.sock |
| 229 | deny /var/lib/mysqld/mysql.sock | 229 | blacklist /var/lib/mysqld/mysql.sock |
| 230 | deny /var/lib/pacman | 230 | blacklist /var/lib/pacman |
| 231 | deny /var/lib/upower | 231 | blacklist /var/lib/upower |
| 232 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for | 232 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for |
| 233 | # every sandbox, unless --writable-var-log switch is activated | 233 | # every sandbox, unless --writable-var-log switch is activated |
| 234 | deny /var/mail | 234 | blacklist /var/mail |
| 235 | deny /var/opt | 235 | blacklist /var/opt |
| 236 | deny /var/run/acpid.socket | 236 | blacklist /var/run/acpid.socket |
| 237 | deny /var/run/docker.sock | 237 | blacklist /var/run/docker.sock |
| 238 | deny /var/run/minissdpd.sock | 238 | blacklist /var/run/minissdpd.sock |
| 239 | deny /var/run/mysql/mysqld.sock | 239 | blacklist /var/run/mysql/mysqld.sock |
| 240 | deny /var/run/mysqld/mysqld.sock | 240 | blacklist /var/run/mysqld/mysqld.sock |
| 241 | deny /var/run/rpcbind.sock | 241 | blacklist /var/run/rpcbind.sock |
| 242 | deny /var/run/screens | 242 | blacklist /var/run/screens |
| 243 | deny /var/spool/anacron | 243 | blacklist /var/spool/anacron |
| 244 | deny /var/spool/cron | 244 | blacklist /var/spool/cron |
| 245 | deny /var/spool/mail | 245 | blacklist /var/spool/mail |
| 246 | 246 | ||
| 247 | # etc | 247 | # etc |
| 248 | deny /etc/anacrontab | 248 | blacklist /etc/anacrontab |
| 249 | deny /etc/cron* | 249 | blacklist /etc/cron* |
| 250 | deny /etc/profile.d | 250 | blacklist /etc/profile.d |
| 251 | deny /etc/rc.local | 251 | blacklist /etc/rc.local |
| 252 | # rc1.d, rc2.d, ... | 252 | # rc1.d, rc2.d, ... |
| 253 | deny /etc/rc?.d | 253 | blacklist /etc/rc?.d |
| 254 | deny /etc/kernel* | 254 | blacklist /etc/kernel* |
| 255 | deny /etc/grub* | 255 | blacklist /etc/grub* |
| 256 | deny /etc/dkms | 256 | blacklist /etc/dkms |
| 257 | deny /etc/apparmor* | 257 | blacklist /etc/apparmor* |
| 258 | deny /etc/selinux | 258 | blacklist /etc/selinux |
| 259 | deny /etc/modules* | 259 | blacklist /etc/modules* |
| 260 | deny /etc/logrotate* | 260 | blacklist /etc/logrotate* |
| 261 | deny /etc/adduser.conf | 261 | blacklist /etc/adduser.conf |
| 262 | 262 | ||
| 263 | # hide config for various intrusion detection systems | 263 | # hide config for various intrusion detection systems |
| 264 | deny /etc/rkhunter.conf | 264 | blacklist /etc/rkhunter.conf |
| 265 | deny /var/lib/rkhunter | 265 | blacklist /var/lib/rkhunter |
| 266 | deny /etc/chkrootkit.conf | 266 | blacklist /etc/chkrootkit.conf |
| 267 | deny /etc/lynis | 267 | blacklist /etc/lynis |
| 268 | deny /etc/aide | 268 | blacklist /etc/aide |
| 269 | deny /etc/logcheck | 269 | blacklist /etc/logcheck |
| 270 | deny /etc/tripwire | 270 | blacklist /etc/tripwire |
| 271 | deny /etc/snort | 271 | blacklist /etc/snort |
| 272 | deny /etc/fail2ban.conf | 272 | blacklist /etc/fail2ban.conf |
| 273 | deny /etc/suricata | 273 | blacklist /etc/suricata |
| 274 | 274 | ||
| 275 | # Startup files | 275 | # Startup files |
| 276 | read-only ${HOME}/.antigen | 276 | read-only ${HOME}/.antigen |
| @@ -307,13 +307,13 @@ read-only ${HOME}/.zshrc | |||
| 307 | read-only ${HOME}/.zshrc.local | 307 | read-only ${HOME}/.zshrc.local |
| 308 | 308 | ||
| 309 | # Remote access | 309 | # Remote access |
| 310 | deny ${HOME}/.rhosts | 310 | blacklist ${HOME}/.rhosts |
| 311 | deny ${HOME}/.shosts | 311 | blacklist ${HOME}/.shosts |
| 312 | deny ${HOME}/.ssh/authorized_keys | 312 | blacklist ${HOME}/.ssh/authorized_keys |
| 313 | deny ${HOME}/.ssh/authorized_keys2 | 313 | blacklist ${HOME}/.ssh/authorized_keys2 |
| 314 | deny ${HOME}/.ssh/environment | 314 | blacklist ${HOME}/.ssh/environment |
| 315 | deny ${HOME}/.ssh/rc | 315 | blacklist ${HOME}/.ssh/rc |
| 316 | deny /etc/hosts.equiv | 316 | blacklist /etc/hosts.equiv |
| 317 | read-only ${HOME}/.ssh/config | 317 | read-only ${HOME}/.ssh/config |
| 318 | read-only ${HOME}/.ssh/config.d | 318 | read-only ${HOME}/.ssh/config.d |
| 319 | 319 | ||
| @@ -374,200 +374,200 @@ read-only ${HOME}/.local/share/mime | |||
| 374 | read-only ${HOME}/.local/share/thumbnailers | 374 | read-only ${HOME}/.local/share/thumbnailers |
| 375 | 375 | ||
| 376 | # prevent access to ssh-agent | 376 | # prevent access to ssh-agent |
| 377 | deny /tmp/ssh-* | 377 | blacklist /tmp/ssh-* |
| 378 | 378 | ||
| 379 | # top secret | 379 | # top secret |
| 380 | deny ${HOME}/*.kdb | 380 | blacklist ${HOME}/*.kdb |
| 381 | deny ${HOME}/*.kdbx | 381 | blacklist ${HOME}/*.kdbx |
| 382 | deny ${HOME}/*.key | 382 | blacklist ${HOME}/*.key |
| 383 | deny ${HOME}/.Private | 383 | blacklist ${HOME}/.Private |
| 384 | deny ${HOME}/.caff | 384 | blacklist ${HOME}/.caff |
| 385 | deny ${HOME}/.cargo/credentials | 385 | blacklist ${HOME}/.cargo/credentials |
| 386 | deny ${HOME}/.cargo/credentials.toml | 386 | blacklist ${HOME}/.cargo/credentials.toml |
| 387 | deny ${HOME}/.cert | 387 | blacklist ${HOME}/.cert |
| 388 | deny ${HOME}/.config/keybase | 388 | blacklist ${HOME}/.config/keybase |
| 389 | deny ${HOME}/.davfs2/secrets | 389 | blacklist ${HOME}/.davfs2/secrets |
| 390 | deny ${HOME}/.ecryptfs | 390 | blacklist ${HOME}/.ecryptfs |
| 391 | deny ${HOME}/.fetchmailrc | 391 | blacklist ${HOME}/.fetchmailrc |
| 392 | deny ${HOME}/.fscrypt | 392 | blacklist ${HOME}/.fscrypt |
| 393 | deny ${HOME}/.git-credential-cache | 393 | blacklist ${HOME}/.git-credential-cache |
| 394 | deny ${HOME}/.git-credentials | 394 | blacklist ${HOME}/.git-credentials |
| 395 | deny ${HOME}/.gnome2/keyrings | 395 | blacklist ${HOME}/.gnome2/keyrings |
| 396 | deny ${HOME}/.gnupg | 396 | blacklist ${HOME}/.gnupg |
| 397 | deny ${HOME}/.config/hub | 397 | blacklist ${HOME}/.config/hub |
| 398 | deny ${HOME}/.kde/share/apps/kwallet | 398 | blacklist ${HOME}/.kde/share/apps/kwallet |
| 399 | deny ${HOME}/.kde4/share/apps/kwallet | 399 | blacklist ${HOME}/.kde4/share/apps/kwallet |
| 400 | deny ${HOME}/.local/share/keyrings | 400 | blacklist ${HOME}/.local/share/keyrings |
| 401 | deny ${HOME}/.local/share/kwalletd | 401 | blacklist ${HOME}/.local/share/kwalletd |
| 402 | deny ${HOME}/.local/share/plasma-vault | 402 | blacklist ${HOME}/.local/share/plasma-vault |
| 403 | deny ${HOME}/.msmtprc | 403 | blacklist ${HOME}/.msmtprc |
| 404 | deny ${HOME}/.mutt | 404 | blacklist ${HOME}/.mutt |
| 405 | deny ${HOME}/.muttrc | 405 | blacklist ${HOME}/.muttrc |
| 406 | deny ${HOME}/.netrc | 406 | blacklist ${HOME}/.netrc |
| 407 | deny ${HOME}/.nyx | 407 | blacklist ${HOME}/.nyx |
| 408 | deny ${HOME}/.pki | 408 | blacklist ${HOME}/.pki |
| 409 | deny ${HOME}/.local/share/pki | 409 | blacklist ${HOME}/.local/share/pki |
| 410 | deny ${HOME}/.smbcredentials | 410 | blacklist ${HOME}/.smbcredentials |
| 411 | deny ${HOME}/.ssh | 411 | blacklist ${HOME}/.ssh |
| 412 | deny ${HOME}/.vaults | 412 | blacklist ${HOME}/.vaults |
| 413 | deny /.fscrypt | 413 | blacklist /.fscrypt |
| 414 | deny /etc/davfs2/secrets | 414 | blacklist /etc/davfs2/secrets |
| 415 | deny /etc/group+ | 415 | blacklist /etc/group+ |
| 416 | deny /etc/group- | 416 | blacklist /etc/group- |
| 417 | deny /etc/gshadow | 417 | blacklist /etc/gshadow |
| 418 | deny /etc/gshadow+ | 418 | blacklist /etc/gshadow+ |
| 419 | deny /etc/gshadow- | 419 | blacklist /etc/gshadow- |
| 420 | deny /etc/passwd+ | 420 | blacklist /etc/passwd+ |
| 421 | deny /etc/passwd- | 421 | blacklist /etc/passwd- |
| 422 | deny /etc/shadow | 422 | blacklist /etc/shadow |
| 423 | deny /etc/shadow+ | 423 | blacklist /etc/shadow+ |
| 424 | deny /etc/shadow- | 424 | blacklist /etc/shadow- |
| 425 | deny /etc/ssh | 425 | blacklist /etc/ssh |
| 426 | deny /etc/ssh/* | 426 | blacklist /etc/ssh/* |
| 427 | deny /home/.ecryptfs | 427 | blacklist /home/.ecryptfs |
| 428 | deny /home/.fscrypt | 428 | blacklist /home/.fscrypt |
| 429 | deny /var/backup | 429 | blacklist /var/backup |
| 430 | 430 | ||
| 431 | # cloud provider configuration | 431 | # cloud provider configuration |
| 432 | deny ${HOME}/.aws | 432 | blacklist ${HOME}/.aws |
| 433 | deny ${HOME}/.boto | 433 | blacklist ${HOME}/.boto |
| 434 | deny ${HOME}/.config/gcloud | 434 | blacklist ${HOME}/.config/gcloud |
| 435 | deny ${HOME}/.kube | 435 | blacklist ${HOME}/.kube |
| 436 | deny ${HOME}/.passwd-s3fs | 436 | blacklist ${HOME}/.passwd-s3fs |
| 437 | deny ${HOME}/.s3cmd | 437 | blacklist ${HOME}/.s3cmd |
| 438 | deny /etc/boto.cfg | 438 | blacklist /etc/boto.cfg |
| 439 | 439 | ||
| 440 | # system directories | 440 | # system directories |
| 441 | deny /sbin | 441 | blacklist /sbin |
| 442 | deny /usr/local/sbin | 442 | blacklist /usr/local/sbin |
| 443 | deny /usr/sbin | 443 | blacklist /usr/sbin |
| 444 | 444 | ||
| 445 | # system management | 445 | # system management |
| 446 | deny ${PATH}/at | 446 | blacklist ${PATH}/at |
| 447 | deny ${PATH}/busybox | 447 | blacklist ${PATH}/busybox |
| 448 | deny ${PATH}/chage | 448 | blacklist ${PATH}/chage |
| 449 | deny ${PATH}/chfn | 449 | blacklist ${PATH}/chfn |
| 450 | deny ${PATH}/chsh | 450 | blacklist ${PATH}/chsh |
| 451 | deny ${PATH}/crontab | 451 | blacklist ${PATH}/crontab |
| 452 | deny ${PATH}/evtest | 452 | blacklist ${PATH}/evtest |
| 453 | deny ${PATH}/expiry | 453 | blacklist ${PATH}/expiry |
| 454 | deny ${PATH}/fusermount | 454 | blacklist ${PATH}/fusermount |
| 455 | deny ${PATH}/gksu | 455 | blacklist ${PATH}/gksu |
| 456 | deny ${PATH}/gksudo | 456 | blacklist ${PATH}/gksudo |
| 457 | deny ${PATH}/gpasswd | 457 | blacklist ${PATH}/gpasswd |
| 458 | deny ${PATH}/kdesudo | 458 | blacklist ${PATH}/kdesudo |
| 459 | deny ${PATH}/ksu | 459 | blacklist ${PATH}/ksu |
| 460 | deny ${PATH}/mount | 460 | blacklist ${PATH}/mount |
| 461 | deny ${PATH}/mount.ecryptfs_private | 461 | blacklist ${PATH}/mount.ecryptfs_private |
| 462 | deny ${PATH}/nc | 462 | blacklist ${PATH}/nc |
| 463 | deny ${PATH}/ncat | 463 | blacklist ${PATH}/ncat |
| 464 | deny ${PATH}/nmap | 464 | blacklist ${PATH}/nmap |
| 465 | deny ${PATH}/newgidmap | 465 | blacklist ${PATH}/newgidmap |
| 466 | deny ${PATH}/newgrp | 466 | blacklist ${PATH}/newgrp |
| 467 | deny ${PATH}/newuidmap | 467 | blacklist ${PATH}/newuidmap |
| 468 | deny ${PATH}/ntfs-3g | 468 | blacklist ${PATH}/ntfs-3g |
| 469 | deny ${PATH}/pkexec | 469 | blacklist ${PATH}/pkexec |
| 470 | deny ${PATH}/procmail | 470 | blacklist ${PATH}/procmail |
| 471 | deny ${PATH}/sg | 471 | blacklist ${PATH}/sg |
| 472 | deny ${PATH}/strace | 472 | blacklist ${PATH}/strace |
| 473 | deny ${PATH}/su | 473 | blacklist ${PATH}/su |
| 474 | deny ${PATH}/sudo | 474 | blacklist ${PATH}/sudo |
| 475 | deny ${PATH}/tcpdump | 475 | blacklist ${PATH}/tcpdump |
| 476 | deny ${PATH}/umount | 476 | blacklist ${PATH}/umount |
| 477 | deny ${PATH}/unix_chkpwd | 477 | blacklist ${PATH}/unix_chkpwd |
| 478 | deny ${PATH}/xev | 478 | blacklist ${PATH}/xev |
| 479 | deny ${PATH}/xinput | 479 | blacklist ${PATH}/xinput |
| 480 | 480 | ||
| 481 | # other SUID binaries | 481 | # other SUID binaries |
| 482 | deny /usr/lib/virtualbox | 482 | blacklist /usr/lib/virtualbox |
| 483 | deny /usr/lib64/virtualbox | 483 | blacklist /usr/lib64/virtualbox |
| 484 | 484 | ||
| 485 | # prevent lxterminal connecting to an existing lxterminal session | 485 | # prevent lxterminal connecting to an existing lxterminal session |
| 486 | deny /tmp/.lxterminal-socket* | 486 | blacklist /tmp/.lxterminal-socket* |
| 487 | # prevent tmux connecting to an existing session | 487 | # prevent tmux connecting to an existing session |
| 488 | deny /tmp/tmux-* | 488 | blacklist /tmp/tmux-* |
| 489 | 489 | ||
| 490 | # disable terminals running as server resulting in sandbox escape | 490 | # disable terminals running as server resulting in sandbox escape |
| 491 | deny ${PATH}/lxterminal | 491 | blacklist ${PATH}/lxterminal |
| 492 | deny ${PATH}/gnome-terminal | 492 | blacklist ${PATH}/gnome-terminal |
| 493 | deny ${PATH}/gnome-terminal.wrapper | 493 | blacklist ${PATH}/gnome-terminal.wrapper |
| 494 | deny ${PATH}/lilyterm | 494 | blacklist ${PATH}/lilyterm |
| 495 | deny ${PATH}/mate-terminal | 495 | blacklist ${PATH}/mate-terminal |
| 496 | deny ${PATH}/mate-terminal.wrapper | 496 | blacklist ${PATH}/mate-terminal.wrapper |
| 497 | deny ${PATH}/pantheon-terminal | 497 | blacklist ${PATH}/pantheon-terminal |
| 498 | deny ${PATH}/roxterm | 498 | blacklist ${PATH}/roxterm |
| 499 | deny ${PATH}/roxterm-config | 499 | blacklist ${PATH}/roxterm-config |
| 500 | deny ${PATH}/terminix | 500 | blacklist ${PATH}/terminix |
| 501 | deny ${PATH}/tilix | 501 | blacklist ${PATH}/tilix |
| 502 | deny ${PATH}/urxvtc | 502 | blacklist ${PATH}/urxvtc |
| 503 | deny ${PATH}/urxvtcd | 503 | blacklist ${PATH}/urxvtcd |
| 504 | deny ${PATH}/xfce4-terminal | 504 | blacklist ${PATH}/xfce4-terminal |
| 505 | deny ${PATH}/xfce4-terminal.wrapper | 505 | blacklist ${PATH}/xfce4-terminal.wrapper |
| 506 | # blacklist ${PATH}/konsole | 506 | # blacklist ${PATH}/konsole |
| 507 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 | 507 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 |
| 508 | 508 | ||
| 509 | # kernel files | 509 | # kernel files |
| 510 | deny /initrd* | 510 | blacklist /initrd* |
| 511 | deny /vmlinuz* | 511 | blacklist /vmlinuz* |
| 512 | 512 | ||
| 513 | # snapshot files | 513 | # snapshot files |
| 514 | deny /.snapshots | 514 | blacklist /.snapshots |
| 515 | 515 | ||
| 516 | # flatpak | 516 | # flatpak |
| 517 | deny ${HOME}/.cache/flatpak | 517 | blacklist ${HOME}/.cache/flatpak |
| 518 | deny ${HOME}/.config/flatpak | 518 | blacklist ${HOME}/.config/flatpak |
| 519 | nodeny ${HOME}/.local/share/flatpak/exports | 519 | noblacklist ${HOME}/.local/share/flatpak/exports |
| 520 | read-only ${HOME}/.local/share/flatpak/exports | 520 | read-only ${HOME}/.local/share/flatpak/exports |
| 521 | deny ${HOME}/.local/share/flatpak/* | 521 | blacklist ${HOME}/.local/share/flatpak/* |
| 522 | deny ${HOME}/.var | 522 | blacklist ${HOME}/.var |
| 523 | deny ${RUNUSER}/app | 523 | blacklist ${RUNUSER}/app |
| 524 | deny ${RUNUSER}/doc | 524 | blacklist ${RUNUSER}/doc |
| 525 | deny ${RUNUSER}/.dbus-proxy | 525 | blacklist ${RUNUSER}/.dbus-proxy |
| 526 | deny ${RUNUSER}/.flatpak | 526 | blacklist ${RUNUSER}/.flatpak |
| 527 | deny ${RUNUSER}/.flatpak-cache | 527 | blacklist ${RUNUSER}/.flatpak-cache |
| 528 | deny ${RUNUSER}/.flatpak-helper | 528 | blacklist ${RUNUSER}/.flatpak-helper |
| 529 | deny /usr/share/flatpak | 529 | blacklist /usr/share/flatpak |
| 530 | nodeny /var/lib/flatpak/exports | 530 | noblacklist /var/lib/flatpak/exports |
| 531 | deny /var/lib/flatpak/* | 531 | blacklist /var/lib/flatpak/* |
| 532 | # most of the time bwrap is SUID binary | 532 | # most of the time bwrap is SUID binary |
| 533 | deny ${PATH}/bwrap | 533 | blacklist ${PATH}/bwrap |
| 534 | 534 | ||
| 535 | # snap | 535 | # snap |
| 536 | deny ${RUNUSER}/snapd-session-agent.socket | 536 | blacklist ${RUNUSER}/snapd-session-agent.socket |
| 537 | 537 | ||
| 538 | # mail directories used by mutt | 538 | # mail directories used by mutt |
| 539 | deny ${HOME}/.Mail | 539 | blacklist ${HOME}/.Mail |
| 540 | deny ${HOME}/.mail | 540 | blacklist ${HOME}/.mail |
| 541 | deny ${HOME}/.signature | 541 | blacklist ${HOME}/.signature |
| 542 | deny ${HOME}/Mail | 542 | blacklist ${HOME}/Mail |
| 543 | deny ${HOME}/mail | 543 | blacklist ${HOME}/mail |
| 544 | deny ${HOME}/postponed | 544 | blacklist ${HOME}/postponed |
| 545 | deny ${HOME}/sent | 545 | blacklist ${HOME}/sent |
| 546 | 546 | ||
| 547 | # kernel configuration | 547 | # kernel configuration |
| 548 | deny /proc/config.gz | 548 | blacklist /proc/config.gz |
| 549 | 549 | ||
| 550 | # prevent DNS malware attempting to communicate with the server | 550 | # prevent DNS malware attempting to communicate with the server |
| 551 | # using regular DNS tools | 551 | # using regular DNS tools |
| 552 | deny ${PATH}/dig | 552 | blacklist ${PATH}/dig |
| 553 | deny ${PATH}/dlint | 553 | blacklist ${PATH}/dlint |
| 554 | deny ${PATH}/dns2tcp | 554 | blacklist ${PATH}/dns2tcp |
| 555 | deny ${PATH}/dnssec-* | 555 | blacklist ${PATH}/dnssec-* |
| 556 | deny ${PATH}/dnswalk | 556 | blacklist ${PATH}/dnswalk |
| 557 | deny ${PATH}/drill | 557 | blacklist ${PATH}/drill |
| 558 | deny ${PATH}/host | 558 | blacklist ${PATH}/host |
| 559 | deny ${PATH}/iodine | 559 | blacklist ${PATH}/iodine |
| 560 | deny ${PATH}/kdig | 560 | blacklist ${PATH}/kdig |
| 561 | deny ${PATH}/khost | 561 | blacklist ${PATH}/khost |
| 562 | deny ${PATH}/knsupdate | 562 | blacklist ${PATH}/knsupdate |
| 563 | deny ${PATH}/ldns-* | 563 | blacklist ${PATH}/ldns-* |
| 564 | deny ${PATH}/ldnsd | 564 | blacklist ${PATH}/ldnsd |
| 565 | deny ${PATH}/nslookup | 565 | blacklist ${PATH}/nslookup |
| 566 | deny ${PATH}/resolvectl | 566 | blacklist ${PATH}/resolvectl |
| 567 | deny ${PATH}/unbound-host | 567 | blacklist ${PATH}/unbound-host |
| 568 | 568 | ||
| 569 | # rest of ${RUNUSER} | 569 | # rest of ${RUNUSER} |
| 570 | deny ${RUNUSER}/*.lock | 570 | blacklist ${RUNUSER}/*.lock |
| 571 | deny ${RUNUSER}/inaccessible | 571 | blacklist ${RUNUSER}/inaccessible |
| 572 | deny ${RUNUSER}/pk-debconf-socket | 572 | blacklist ${RUNUSER}/pk-debconf-socket |
| 573 | deny ${RUNUSER}/update-notifier.pid | 573 | blacklist ${RUNUSER}/update-notifier.pid |