diff options
Diffstat (limited to 'etc/profile-a-l')
129 files changed, 187 insertions, 105 deletions
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile index 256e2115a..0e7126458 100644 --- a/etc/profile-a-l/abiword.profile +++ b/etc/profile-a-l/abiword.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | private-bin abiword | 42 | private-bin abiword |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc fonts,gtk-3.0,ld.so.preload,passwd | 45 | private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | # dbus-user none | 48 | # dbus-user none |
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile index 8652ae5f1..dd3b2e59b 100644 --- a/etc/profile-a-l/agetpkg.profile +++ b/etc/profile-a-l/agetpkg.profile | |||
@@ -50,7 +50,7 @@ tracelog | |||
50 | private-bin agetpkg,python3 | 50 | private-bin agetpkg,python3 |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl | 53 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile index 168e81985..f3fb678d1 100644 --- a/etc/profile-a-l/akonadi_control.profile +++ b/etc/profile-a-l/akonadi_control.profile | |||
@@ -27,6 +27,7 @@ include disable-exec.inc | |||
27 | include disable-interpreters.inc | 27 | include disable-interpreters.inc |
28 | include disable-programs.inc | 28 | include disable-programs.inc |
29 | 29 | ||
30 | include whitelist-run-common.inc | ||
30 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
31 | 32 | ||
32 | # disabled options below are not compatible with the apparmor profile for mysqld-akonadi. | 33 | # disabled options below are not compatible with the apparmor profile for mysqld-akonadi. |
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile index d1e7df37b..47468a658 100644 --- a/etc/profile-a-l/akregator.profile +++ b/etc/profile-a-l/akregator.profile | |||
@@ -25,6 +25,7 @@ whitelist ${HOME}/.local/share/akregator | |||
25 | whitelist ${HOME}/.local/share/kssl | 25 | whitelist ${HOME}/.local/share/kssl |
26 | whitelist ${HOME}/.local/share/kxmlgui5/akregator | 26 | whitelist ${HOME}/.local/share/kxmlgui5/akregator |
27 | include whitelist-common.inc | 27 | include whitelist-common.inc |
28 | include whitelist-run-common.inc | ||
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
29 | 30 | ||
30 | caps.drop all | 31 | caps.drop all |
@@ -48,3 +49,4 @@ private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit4,kdeinit4_shu | |||
48 | private-dev | 49 | private-dev |
49 | private-tmp | 50 | private-tmp |
50 | 51 | ||
52 | deterministic-shutdown | ||
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile index 9b74b4d29..5a528595b 100644 --- a/etc/profile-a-l/alacarte.profile +++ b/etc/profile-a-l/alacarte.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | # private-bin alacarte,bash,python*,sh | 53 | # private-bin alacarte,bash,python*,sh |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg | 56 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user none | 59 | dbus-user none |
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile index b6e931be5..f6d711b2e 100644 --- a/etc/profile-a-l/anki.profile +++ b/etc/profile-a-l/anki.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-bin anki,python* | 50 | private-bin anki,python* |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf | 53 | private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile index e96def048..8aef75cd1 100644 --- a/etc/profile-a-l/aria2c.profile +++ b/etc/profile-a-l/aria2c.profile | |||
@@ -45,7 +45,7 @@ private-bin aria2c,gzip | |||
45 | # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). | 45 | # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). |
46 | #private-cache | 46 | #private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl | 48 | private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl |
49 | private-lib libreadline.so.* | 49 | private-lib libreadline.so.* |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile index 45071dc62..a26592f3a 100644 --- a/etc/profile-a-l/ark.profile +++ b/etc/profile-a-l/ark.profile | |||
@@ -16,6 +16,7 @@ include disable-interpreters.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | 17 | ||
18 | whitelist /usr/share/ark | 18 | whitelist /usr/share/ark |
19 | include whitelist-run-common.inc | ||
19 | include whitelist-usr-share-common.inc | 20 | include whitelist-usr-share-common.inc |
20 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
21 | 22 | ||
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile index 98ae01950..6676d42e9 100644 --- a/etc/profile-a-l/arm.profile +++ b/etc/profile-a-l/arm.profile | |||
@@ -43,6 +43,6 @@ tracelog | |||
43 | disable-mnt | 43 | disable-mnt |
44 | private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor | 44 | private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor | 46 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile index adf4e16ee..254f3f571 100644 --- a/etc/profile-a-l/artha.profile +++ b/etc/profile-a-l/artha.profile | |||
@@ -56,7 +56,7 @@ disable-mnt | |||
56 | private-bin artha,enchant,notify-send | 56 | private-bin artha,enchant,notify-send |
57 | private-cache | 57 | private-cache |
58 | private-dev | 58 | private-dev |
59 | private-etc alternatives,fonts,ld.so.preload,machine-id | 59 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
60 | private-lib libnotify.so.* | 60 | private-lib libnotify.so.* |
61 | private-tmp | 61 | private-tmp |
62 | 62 | ||
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile index 272f9906d..6399bc1a3 100644 --- a/etc/profile-a-l/atool.profile +++ b/etc/profile-a-l/atool.profile | |||
@@ -13,7 +13,7 @@ include allow-perl.inc | |||
13 | noroot | 13 | noroot |
14 | 14 | ||
15 | # without login.defs atool complains and uses UID/GID 1000 by default | 15 | # without login.defs atool complains and uses UID/GID 1000 by default |
16 | private-etc alternatives,group,ld.so.preload,login.defs,passwd | 16 | private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd |
17 | private-tmp | 17 | private-tmp |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile index d71370b7e..e9ecdd72e 100644 --- a/etc/profile-a-l/audacious.profile +++ b/etc/profile-a-l/audacious.profile | |||
@@ -17,6 +17,7 @@ include disable-interpreters.inc | |||
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | include whitelist-run-common.inc | ||
20 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
21 | 22 | ||
22 | apparmor | 23 | apparmor |
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index 264bfb9ab..88bddfb22 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile | |||
@@ -32,7 +32,7 @@ noroot | |||
32 | notv | 32 | notv |
33 | nou2f | 33 | nou2f |
34 | novideo | 34 | novideo |
35 | protocol unix | 35 | protocol unix,inet |
36 | seccomp | 36 | seccomp |
37 | shell none | 37 | shell none |
38 | tracelog | 38 | tracelog |
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile index 8fefc1eb7..a8af1928b 100644 --- a/etc/profile-a-l/authenticator-rs.profile +++ b/etc/profile-a-l/authenticator-rs.profile | |||
@@ -47,7 +47,7 @@ disable-mnt | |||
47 | private-bin authenticator-rs | 47 | private-bin authenticator-rs |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl,xdg | 50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
53 | dbus-user filter | 53 | dbus-user filter |
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile index 252016bec..55d2453d8 100644 --- a/etc/profile-a-l/baloo_file.profile +++ b/etc/profile-a-l/baloo_file.profile | |||
@@ -25,6 +25,7 @@ include disable-exec.inc | |||
25 | include disable-interpreters.inc | 25 | include disable-interpreters.inc |
26 | include disable-programs.inc | 26 | include disable-programs.inc |
27 | 27 | ||
28 | include whitelist-run-common.inc | ||
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
29 | 30 | ||
30 | apparmor | 31 | apparmor |
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index 2080aad62..be3543b08 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile | |||
@@ -66,7 +66,7 @@ tracelog | |||
66 | private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm | 66 | private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm |
67 | private-cache | 67 | private-cache |
68 | private-dev | 68 | private-dev |
69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg | 69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg |
70 | private-tmp | 70 | private-tmp |
71 | writable-run-user | 71 | writable-run-user |
72 | writable-var | 72 | writable-var |
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile index 24db11c7e..be29ce8a7 100644 --- a/etc/profile-a-l/bibletime.profile +++ b/etc/profile-a-l/bibletime.profile | |||
@@ -52,7 +52,7 @@ disable-mnt | |||
52 | # private-bin bibletime,qt5ct | 52 | # private-bin bibletime,qt5ct |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf | 55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile index 61cd792b1..b86232860 100644 --- a/etc/profile-a-l/bijiben.profile +++ b/etc/profile-a-l/bijiben.profile | |||
@@ -51,7 +51,7 @@ disable-mnt | |||
51 | private-bin bijiben | 51 | private-bin bijiben |
52 | # private-cache -- access to .cache/tracker is required | 52 | # private-cache -- access to .cache/tracker is required |
53 | private-dev | 53 | private-dev |
54 | private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload | 54 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload |
55 | private-tmp | 55 | private-tmp |
56 | 56 | ||
57 | dbus-user filter | 57 | dbus-user filter |
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile index 91ce57966..f8114c71b 100644 --- a/etc/profile-a-l/bitwarden.profile +++ b/etc/profile-a-l/bitwarden.profile | |||
@@ -23,7 +23,7 @@ no3d | |||
23 | nosound | 23 | nosound |
24 | 24 | ||
25 | ?HAS_APPIMAGE: ignore private-dev | 25 | ?HAS_APPIMAGE: ignore private-dev |
26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl | 26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
27 | private-opt Bitwarden | 27 | private-opt Bitwarden |
28 | 28 | ||
29 | # Redirect | 29 | # Redirect |
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile index 8d8787174..3e20ed133 100644 --- a/etc/profile-a-l/bless.profile +++ b/etc/profile-a-l/bless.profile | |||
@@ -35,7 +35,7 @@ shell none | |||
35 | # private-bin bash,bless,mono,sh | 35 | # private-bin bash,bless,mono,sh |
36 | private-cache | 36 | private-cache |
37 | private-dev | 37 | private-dev |
38 | private-etc alternatives,fonts,ld.so.preload,mono | 38 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
41 | dbus-user none | 41 | dbus-user none |
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile index 7179bf4a5..d7df3bc49 100644 --- a/etc/profile-a-l/blobby.profile +++ b/etc/profile-a-l/blobby.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | disable-mnt | 41 | disable-mnt |
42 | private-bin blobby | 42 | private-bin blobby |
43 | private-dev | 43 | private-dev |
44 | private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.preload,login.defs,machine-id,passwd,pulse | 44 | private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse |
45 | private-lib | 45 | private-lib |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile index 66f38b358..cc2fda3f2 100644 --- a/etc/profile-a-l/blobwars.profile +++ b/etc/profile-a-l/blobwars.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin blobwars | 43 | private-bin blobwars |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc ld.so.preload,machine-id | 46 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile index dbfc90996..fbc7c9056 100644 --- a/etc/profile-a-l/bsdtar.profile +++ b/etc/profile-a-l/bsdtar.profile | |||
@@ -6,7 +6,7 @@ include bsdtar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | private-etc alternatives,group,ld.so.preload,localtime,passwd | 9 | private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd |
10 | 10 | ||
11 | # Redirect | 11 | # Redirect |
12 | include archiver-common.profile | 12 | include archiver-common.profile |
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile index d3c25d451..92c455144 100644 --- a/etc/profile-a-l/cameramonitor.profile +++ b/etc/profile-a-l/cameramonitor.profile | |||
@@ -46,7 +46,7 @@ tracelog | |||
46 | disable-mnt | 46 | disable-mnt |
47 | private-bin cameramonitor,python* | 47 | private-bin cameramonitor,python* |
48 | private-cache | 48 | private-cache |
49 | private-etc alternatives,fonts,ld.so.preload | 49 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | # dbus-user none | 52 | # dbus-user none |
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile index ceba03269..c7a98250e 100644 --- a/etc/profile-a-l/cawbird.profile +++ b/etc/profile-a-l/cawbird.profile | |||
@@ -39,7 +39,7 @@ disable-mnt | |||
39 | private-bin cawbird | 39 | private-bin cawbird |
40 | private-cache | 40 | private-cache |
41 | private-dev | 41 | private-dev |
42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg | 42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
45 | # dbus-user none | 45 | # dbus-user none |
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile index 978d727f4..713d8a5e4 100644 --- a/etc/profile-a-l/cheese.profile +++ b/etc/profile-a-l/cheese.profile | |||
@@ -21,7 +21,6 @@ include disable-xdg.inc | |||
21 | 21 | ||
22 | whitelist ${VIDEOS} | 22 | whitelist ${VIDEOS} |
23 | whitelist ${PICTURES} | 23 | whitelist ${PICTURES} |
24 | whitelist /run/udev/data | ||
25 | whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner | 24 | whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner |
26 | whitelist /usr/share/gnome-video-effects | 25 | whitelist /usr/share/gnome-video-effects |
27 | whitelist /usr/share/gstreamer-1.0 | 26 | whitelist /usr/share/gstreamer-1.0 |
@@ -53,7 +52,7 @@ disable-mnt | |||
53 | private-bin cheese | 52 | private-bin cheese |
54 | private-cache | 53 | private-cache |
55 | private-dev | 54 | private-dev |
56 | private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload | 55 | private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
57 | private-tmp | 56 | private-tmp |
58 | 57 | ||
59 | dbus-user filter | 58 | dbus-user filter |
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index c42243e02..7bfb61688 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -11,6 +11,7 @@ include chromium-common.local | |||
11 | 11 | ||
12 | noblacklist ${HOME}/.pki | 12 | noblacklist ${HOME}/.pki |
13 | noblacklist ${HOME}/.local/share/pki | 13 | noblacklist ${HOME}/.local/share/pki |
14 | noblacklist /usr/lib/chromium/chrome-sandbox | ||
14 | 15 | ||
15 | # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser | 16 | # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser |
16 | # to have access to Gnome extensions (extensions.gnome.org) via browser connector | 17 | # to have access to Gnome extensions (extensions.gnome.org) via browser connector |
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile index 5eb2cb621..677d2b7eb 100644 --- a/etc/profile-a-l/clawsker.profile +++ b/etc/profile-a-l/clawsker.profile | |||
@@ -44,7 +44,7 @@ disable-mnt | |||
44 | private-bin bash,clawsker,perl,sh,which | 44 | private-bin bash,clawsker,perl,sh,which |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,fonts,ld.so.preload | 47 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
48 | private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* | 48 | private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile index e51dd6bed..7421debe0 100644 --- a/etc/profile-a-l/cmus.profile +++ b/etc/profile-a-l/cmus.profile | |||
@@ -27,4 +27,4 @@ seccomp | |||
27 | shell none | 27 | shell none |
28 | 28 | ||
29 | private-bin cmus | 29 | private-bin cmus |
30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl | 30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile index 6f08bc378..27780b669 100644 --- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile +++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin com.github.bleakgrey.tootle | 45 | private-bin com.github.bleakgrey.tootle |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | 48 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | # Settings are immutable | 51 | # Settings are immutable |
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile index d33b89e7c..0e29d90de 100644 --- a/etc/profile-a-l/com.github.dahenson.agenda.profile +++ b/etc/profile-a-l/com.github.dahenson.agenda.profile | |||
@@ -52,7 +52,7 @@ disable-mnt | |||
52 | private-bin com.github.dahenson.agenda | 52 | private-bin com.github.dahenson.agenda |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc dconf,fonts,gtk-3.0,ld.so.preload | 55 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user filter | 58 | dbus-user filter |
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile index c75a09a51..24222164b 100644 --- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile +++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile | |||
@@ -55,7 +55,7 @@ disable-mnt | |||
55 | private-bin com.github.johnfactotum.Foliate,gjs | 55 | private-bin com.github.johnfactotum.Foliate,gjs |
56 | private-cache | 56 | private-cache |
57 | private-dev | 57 | private-dev |
58 | private-etc dconf,fonts,gconf,gtk-3.0,ld.so.preload | 58 | private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload |
59 | private-tmp | 59 | private-tmp |
60 | 60 | ||
61 | read-only ${HOME} | 61 | read-only ${HOME} |
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile index 1d623fa09..099253b21 100644 --- a/etc/profile-a-l/coyim.profile +++ b/etc/profile-a-l/coyim.profile | |||
@@ -40,7 +40,7 @@ tracelog | |||
40 | disable-mnt | 40 | disable-mnt |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,ssl | 43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile index deb2c0ef8..ed1213687 100644 --- a/etc/profile-a-l/crow.profile +++ b/etc/profile-a-l/crow.profile | |||
@@ -39,7 +39,7 @@ shell none | |||
39 | disable-mnt | 39 | disable-mnt |
40 | private-bin crow | 40 | private-bin crow |
41 | private-dev | 41 | private-dev |
42 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl | 42 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl |
43 | private-opt none | 43 | private-opt none |
44 | private-tmp | 44 | private-tmp |
45 | private-srv none | 45 | private-srv none |
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile index 0e754c448..c75bc756f 100644 --- a/etc/profile-a-l/d-feet.profile +++ b/etc/profile-a-l/d-feet.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-bin d-feet,python* | 50 | private-bin d-feet,python* |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,dbus-1,fonts,ld.so.preload,machine-id | 53 | private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 56 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile index c2532ed3b..e1b96f186 100644 --- a/etc/profile-a-l/dbus-send.profile +++ b/etc/profile-a-l/dbus-send.profile | |||
@@ -51,7 +51,7 @@ private | |||
51 | private-bin dbus-send | 51 | private-bin dbus-send |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc alternatives,dbus-1,ld.so.preload | 54 | private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload |
55 | private-lib libpcre* | 55 | private-lib libpcre* |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile index 2b43c5ea3..8c3c22dcf 100644 --- a/etc/profile-a-l/dconf-editor.profile +++ b/etc/profile-a-l/dconf-editor.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin dconf-editor | 43 | private-bin dconf-editor |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,machine-id | 46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id |
47 | private-lib | 47 | private-lib |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile index 1cbeee763..b170842c3 100644 --- a/etc/profile-a-l/dconf.profile +++ b/etc/profile-a-l/dconf.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin dconf,gsettings | 46 | private-bin dconf,gsettings |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,dconf,ld.so.preload | 49 | private-etc alternatives,dconf,ld.so.cache,ld.so.preload |
50 | private-lib | 50 | private-lib |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile index 0669a5a6c..e9b8f5c47 100644 --- a/etc/profile-a-l/ddgtk.profile +++ b/etc/profile-a-l/ddgtk.profile | |||
@@ -45,7 +45,7 @@ tracelog | |||
45 | disable-mnt | 45 | disable-mnt |
46 | private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr | 46 | private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr |
47 | private-cache | 47 | private-cache |
48 | private-etc alternatives,fonts,ld.so.preload | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index 0d8c224d7..dac842bb6 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile | |||
@@ -57,5 +57,6 @@ seccomp | |||
57 | # dbus-user none | 57 | # dbus-user none |
58 | # dbus-system none | 58 | # dbus-system none |
59 | 59 | ||
60 | # deterministic-shutdown | ||
60 | # memory-deny-write-execute | 61 | # memory-deny-write-execute |
61 | # read-only ${HOME} | 62 | # read-only ${HOME} |
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile index 19b6cffaf..a0f24c388 100644 --- a/etc/profile-a-l/devilspie.profile +++ b/etc/profile-a-l/devilspie.profile | |||
@@ -48,7 +48,7 @@ disable-mnt | |||
48 | private-bin devilspie | 48 | private-bin devilspie |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives,ld.so.preload | 51 | private-etc alternatives,ld.so.cache,ld.so.preload |
52 | private-lib gconv | 52 | private-lib gconv |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile index 276ee251a..19b99b5fd 100644 --- a/etc/profile-a-l/dillo.profile +++ b/etc/profile-a-l/dillo.profile | |||
@@ -35,3 +35,5 @@ tracelog | |||
35 | 35 | ||
36 | private-dev | 36 | private-dev |
37 | private-tmp | 37 | private-tmp |
38 | |||
39 | deterministic-shutdown | ||
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile index 6eff39d40..8a8d816a3 100644 --- a/etc/profile-a-l/display.profile +++ b/etc/profile-a-l/display.profile | |||
@@ -40,7 +40,7 @@ shell none | |||
40 | private-bin display,python* | 40 | private-bin display,python* |
41 | private-dev | 41 | private-dev |
42 | # On Debian-based systems, display is a symlink in /etc/alternatives | 42 | # On Debian-based systems, display is a symlink in /etc/alternatives |
43 | private-etc alternatives,ld.so.preload | 43 | private-etc alternatives,ld.so.cache,ld.so.preload |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile index 26243ab4e..d5591adfb 100644 --- a/etc/profile-a-l/dragon.profile +++ b/etc/profile-a-l/dragon.profile | |||
@@ -19,6 +19,7 @@ include disable-shell.inc | |||
19 | include disable-xdg.inc | 19 | include disable-xdg.inc |
20 | 20 | ||
21 | whitelist /usr/share/dragonplayer | 21 | whitelist /usr/share/dragonplayer |
22 | include whitelist-run-common.inc | ||
22 | include whitelist-usr-share-common.inc | 23 | include whitelist-usr-share-common.inc |
23 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
24 | 25 | ||
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile index 253f5643e..df7be55de 100644 --- a/etc/profile-a-l/drawio.profile +++ b/etc/profile-a-l/drawio.profile | |||
@@ -45,7 +45,7 @@ shell none | |||
45 | private-bin drawio | 45 | private-bin drawio |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,ld.so.preload | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile index 0345f2b24..20cffae73 100644 --- a/etc/profile-a-l/easystroke.profile +++ b/etc/profile-a-l/easystroke.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | #private-bin bash,easystroke,sh | 45 | #private-bin bash,easystroke,sh |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,group,ld.so.preload,passwd | 48 | private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd |
49 | # breaks custom shell command functionality | 49 | # breaks custom shell command functionality |
50 | #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | 50 | #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* |
51 | private-tmp | 51 | private-tmp |
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile index e472f57b6..09d14045a 100644 --- a/etc/profile-a-l/electron-mail.profile +++ b/etc/profile-a-l/electron-mail.profile | |||
@@ -45,7 +45,7 @@ shell none | |||
45 | private-bin electron-mail | 45 | private-bin electron-mail |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg | 48 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg |
49 | private-opt ElectronMail | 49 | private-opt ElectronMail |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile index 8cfc9f797..dfbe5cee4 100644 --- a/etc/profile-a-l/electrum.profile +++ b/etc/profile-a-l/electrum.profile | |||
@@ -47,7 +47,7 @@ private-bin electrum,python* | |||
47 | private-cache | 47 | private-cache |
48 | ?HAS_APPIMAGE: ignore private-dev | 48 | ?HAS_APPIMAGE: ignore private-dev |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl | 50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
53 | # dbus-user none | 53 | # dbus-user none |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 8673b65ca..ac73f002f 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -66,7 +66,7 @@ tracelog | |||
66 | # disable-mnt | 66 | # disable-mnt |
67 | private-cache | 67 | private-cache |
68 | private-dev | 68 | private-dev |
69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg | 69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg |
70 | private-tmp | 70 | private-tmp |
71 | # encrypting and signing email | 71 | # encrypting and signing email |
72 | writable-run-user | 72 | writable-run-user |
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile index 0a2e23996..eff0f64ea 100644 --- a/etc/profile-a-l/enchant.profile +++ b/etc/profile-a-l/enchant.profile | |||
@@ -48,7 +48,7 @@ x11 none | |||
48 | private-bin enchant,enchant-* | 48 | private-bin enchant,enchant-* |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives,ld.so.preload | 51 | private-etc alternatives,ld.so.cache,ld.so.preload |
52 | private-lib | 52 | private-lib |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile index ddc0ce0b9..31f39e210 100644 --- a/etc/profile-a-l/eo-common.profile +++ b/etc/profile-a-l/eo-common.profile | |||
@@ -47,6 +47,6 @@ tracelog | |||
47 | 47 | ||
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload | 50 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
51 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* | 51 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* |
52 | private-tmp | 52 | private-tmp |
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile index fe7b912bd..0c3b790d5 100644 --- a/etc/profile-a-l/equalx.profile +++ b/etc/profile-a-l/equalx.profile | |||
@@ -54,7 +54,7 @@ disable-mnt | |||
54 | private-bin equalx,gs,pdflatex,pdftocairo | 54 | private-bin equalx,gs,pdflatex,pdftocairo |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf | 57 | private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | dbus-user none | 60 | dbus-user none |
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile index 12c22ba5b..ae550e842 100644 --- a/etc/profile-a-l/exiftool.profile +++ b/etc/profile-a-l/exiftool.profile | |||
@@ -48,7 +48,7 @@ x11 none | |||
48 | #private-bin exiftool,perl | 48 | #private-bin exiftool,perl |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives,ld.so.preload | 51 | private-etc alternatives,ld.so.cache,ld.so.preload |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile index 62ea449a6..321cb0145 100644 --- a/etc/profile-a-l/falkon.profile +++ b/etc/profile-a-l/falkon.profile | |||
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/falkon | |||
23 | whitelist ${HOME}/.config/falkon | 23 | whitelist ${HOME}/.config/falkon |
24 | whitelist /usr/share/falkon | 24 | whitelist /usr/share/falkon |
25 | include whitelist-common.inc | 25 | include whitelist-common.inc |
26 | include whitelist-run-common.inc | ||
26 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
27 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
@@ -46,7 +47,7 @@ disable-mnt | |||
46 | # private-bin falkon | 47 | # private-bin falkon |
47 | private-cache | 48 | private-cache |
48 | private-dev | 49 | private-dev |
49 | private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg | 50 | private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg |
50 | private-tmp | 51 | private-tmp |
51 | 52 | ||
52 | # dbus-user filter | 53 | # dbus-user filter |
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile index 25e1082ad..ee775566e 100644 --- a/etc/profile-a-l/fdns.profile +++ b/etc/profile-a-l/fdns.profile | |||
@@ -42,7 +42,7 @@ private | |||
42 | private-bin bash,fdns,sh | 42 | private-bin bash,fdns,sh |
43 | private-cache | 43 | private-cache |
44 | #private-dev | 44 | #private-dev |
45 | private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl |
46 | # private-lib | 46 | # private-lib |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile index f9b3d58c9..7293e89a8 100644 --- a/etc/profile-a-l/feh-network.inc.profile +++ b/etc/profile-a-l/feh-network.inc.profile | |||
@@ -5,4 +5,4 @@ include feh-network.inc.local | |||
5 | ignore net none | 5 | ignore net none |
6 | netfilter | 6 | netfilter |
7 | protocol unix,inet,inet6 | 7 | protocol unix,inet,inet6 |
8 | private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,pki,resolv.conf,ssl | 8 | private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index f2770f294..4b8d41170 100644 --- a/etc/profile-a-l/feh.profile +++ b/etc/profile-a-l/feh.profile | |||
@@ -36,7 +36,7 @@ shell none | |||
36 | private-bin feh,jpegexiforient,jpegtran | 36 | private-bin feh,jpegexiforient,jpegtran |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,feh,ld.so.preload | 39 | private-etc alternatives,feh,ld.so.cache,ld.so.preload |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
42 | dbus-user none | 42 | dbus-user none |
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile index 2284ccbe4..52abb99d4 100644 --- a/etc/profile-a-l/ffplay.profile +++ b/etc/profile-a-l/ffplay.profile | |||
@@ -14,7 +14,7 @@ ignore nogroups | |||
14 | ignore nosound | 14 | ignore nosound |
15 | 15 | ||
16 | private-bin ffplay | 16 | private-bin ffplay |
17 | private-etc alsa,asound.conf,group,ld.so.preload | 17 | private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include ffmpeg.profile | 20 | include ffmpeg.profile |
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile index 54fa7dfa7..06a8f6170 100644 --- a/etc/profile-a-l/file-roller.profile +++ b/etc/profile-a-l/file-roller.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd | 43 | private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc dconf,fonts,gtk-3.0,ld.so.preload,xdg | 46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg |
47 | # private-tmp | 47 | # private-tmp |
48 | 48 | ||
49 | dbus-system none | 49 | dbus-system none |
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 20ae039aa..ef647b5a0 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile | |||
@@ -19,6 +19,7 @@ include disable-common.inc | |||
19 | include disable-devel.inc | 19 | include disable-devel.inc |
20 | include disable-exec.inc | 20 | include disable-exec.inc |
21 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
22 | include disable-proc.inc | ||
22 | include disable-programs.inc | 23 | include disable-programs.inc |
23 | 24 | ||
24 | mkdir ${HOME}/.pki | 25 | mkdir ${HOME}/.pki |
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile index 862ef6ab6..f80297022 100644 --- a/etc/profile-a-l/flameshot.profile +++ b/etc/profile-a-l/flameshot.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-bin flameshot | 53 | private-bin flameshot |
54 | private-cache | 54 | private-cache |
55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl | 55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl |
56 | private-dev | 56 | private-dev |
57 | #private-tmp | 57 | #private-tmp |
58 | 58 | ||
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile index aeed313c8..cb00ce11b 100644 --- a/etc/profile-a-l/freetube.profile +++ b/etc/profile-a-l/freetube.profile | |||
@@ -16,7 +16,7 @@ mkdir ${HOME}/.config/FreeTube | |||
16 | whitelist ${HOME}/.config/FreeTube | 16 | whitelist ${HOME}/.config/FreeTube |
17 | 17 | ||
18 | private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh | 18 | private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh |
19 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | 19 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg |
20 | 20 | ||
21 | # Redirect | 21 | # Redirect |
22 | include electron.profile | 22 | include electron.profile |
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile index efd5246d6..8419998de 100644 --- a/etc/profile-a-l/frogatto.profile +++ b/etc/profile-a-l/frogatto.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin frogatto,sh | 45 | private-bin frogatto,sh |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc ld.so.preload,machine-id | 48 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-a-l/ftp.profile b/etc/profile-a-l/ftp.profile new file mode 100644 index 000000000..29470360c --- /dev/null +++ b/etc/profile-a-l/ftp.profile | |||
@@ -0,0 +1,54 @@ | |||
1 | # Firejail profile for ftp | ||
2 | # Description: standard File Access Protocol utility | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include ftp.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${PATH}/ftp | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-proc.inc | ||
17 | include disable-programs.inc | ||
18 | #include disable-shell.inc | ||
19 | include disable-write-mnt.inc | ||
20 | include disable-X11.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | ipc-namespace | ||
26 | machine-id | ||
27 | netfilter | ||
28 | no3d | ||
29 | nodvd | ||
30 | nogroups | ||
31 | noinput | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | nosound | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol inet,inet6 | ||
39 | seccomp | ||
40 | shell none | ||
41 | tracelog | ||
42 | |||
43 | #disable-mnt | ||
44 | #private-bin PROGRAMS | ||
45 | private-cache | ||
46 | private-dev | ||
47 | #private-etc FILES | ||
48 | private-tmp | ||
49 | |||
50 | dbus-user none | ||
51 | dbus-system none | ||
52 | |||
53 | memory-deny-write-execute | ||
54 | noexec ${HOME} | ||
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile index c6280c488..4efe41f8d 100644 --- a/etc/profile-a-l/galculator.profile +++ b/etc/profile-a-l/galculator.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin galculator | 43 | private-bin galculator |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,ld.so.preload | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
47 | private-lib | 47 | private-lib |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile index a31dde21c..2947873ef 100644 --- a/etc/profile-a-l/gallery-dl.profile +++ b/etc/profile-a-l/gallery-dl.profile | |||
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl | |||
12 | noblacklist ${HOME}/.gallery-dl.conf | 12 | noblacklist ${HOME}/.gallery-dl.conf |
13 | 13 | ||
14 | private-bin gallery-dl | 14 | private-bin gallery-dl |
15 | private-etc gallery-dl.conf,ld.so.preload | 15 | private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include youtube-dl.profile | 18 | include youtube-dl.profile |
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index e9eb55709..ec5b733c8 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile | |||
@@ -49,7 +49,7 @@ private | |||
49 | private-bin gapplication | 49 | private-bin gapplication |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc ld.so.preload,none | 52 | private-etc alternatives,ld.so.cache,ld.so.preload |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | # Add the next line to your gapplication.local to filter D-Bus names. | 55 | # Add the next line to your gapplication.local to filter D-Bus names. |
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile index 6532d85f0..a45374d4e 100644 --- a/etc/profile-a-l/gconf.profile +++ b/etc/profile-a-l/gconf.profile | |||
@@ -54,7 +54,7 @@ disable-mnt | |||
54 | private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* | 54 | private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc alternatives,fonts,gconf,ld.so.preload | 57 | private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload |
58 | private-lib GConf,libpython*,python2* | 58 | private-lib GConf,libpython*,python2* |
59 | private-tmp | 59 | private-tmp |
60 | 60 | ||
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index b78f7e647..cececd9e9 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile | |||
@@ -70,7 +70,7 @@ tracelog | |||
70 | private-bin geary | 70 | private-bin geary |
71 | private-cache | 71 | private-cache |
72 | private-dev | 72 | private-dev |
73 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,ssl,xdg | 73 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg |
74 | private-tmp | 74 | private-tmp |
75 | 75 | ||
76 | dbus-user filter | 76 | dbus-user filter |
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile index 4812e1368..243b893b9 100644 --- a/etc/profile-a-l/geekbench.profile +++ b/etc/profile-a-l/geekbench.profile | |||
@@ -48,7 +48,7 @@ disable-mnt | |||
48 | #private-bin bash,geekbench*,sh -- #4576 | 48 | #private-bin bash,geekbench*,sh -- #4576 |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives,group,ld.so.preload,lsb-release,passwd | 51 | private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile index d8ca4ae41..bc1199914 100644 --- a/etc/profile-a-l/gget.profile +++ b/etc/profile-a-l/gget.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | private-bin gget | 49 | private-bin gget |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl | 52 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
53 | private-lib | 53 | private-lib |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index df9c2ac7a..28070cb9c 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile | |||
@@ -39,6 +39,7 @@ whitelist /usr/share/gegl-0.4 | |||
39 | whitelist /usr/share/gimp | 39 | whitelist /usr/share/gimp |
40 | whitelist /usr/share/mypaint-data | 40 | whitelist /usr/share/mypaint-data |
41 | whitelist /usr/share/lensfun | 41 | whitelist /usr/share/lensfun |
42 | include whitelist-run-common.inc | ||
42 | include whitelist-usr-share-common.inc | 43 | include whitelist-usr-share-common.inc |
43 | include whitelist-var-common.inc | 44 | include whitelist-var-common.inc |
44 | 45 | ||
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile index 010cdae06..506ab7127 100644 --- a/etc/profile-a-l/gist.profile +++ b/etc/profile-a-l/gist.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives,ld.so.preload | 55 | private-etc alternatives,ld.so.cache,ld.so.preload |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index c13273321..6439c8821 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile | |||
@@ -70,7 +70,7 @@ tracelog | |||
70 | private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed | 70 | private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed |
71 | private-cache | 71 | private-cache |
72 | private-dev | 72 | private-dev |
73 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg | 73 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg |
74 | private-tmp | 74 | private-tmp |
75 | writable-run-user | 75 | writable-run-user |
76 | 76 | ||
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile index 36b016e02..16358d064 100644 --- a/etc/profile-a-l/gitter.profile +++ b/etc/profile-a-l/gitter.profile | |||
@@ -37,7 +37,7 @@ shell none | |||
37 | 37 | ||
38 | disable-mnt | 38 | disable-mnt |
39 | private-bin bash,env,gitter | 39 | private-bin bash,env,gitter |
40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,pulse,resolv.conf,ssl | 40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl |
41 | private-opt Gitter | 41 | private-opt Gitter |
42 | private-dev | 42 | private-dev |
43 | private-tmp | 43 | private-tmp |
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile index 0a1264888..e53297c06 100644 --- a/etc/profile-a-l/gmpc.profile +++ b/etc/profile-a-l/gmpc.profile | |||
@@ -44,7 +44,7 @@ tracelog | |||
44 | disable-mnt | 44 | disable-mnt |
45 | #private-bin gmpc | 45 | #private-bin gmpc |
46 | private-cache | 46 | private-cache |
47 | private-etc alternatives,fonts,ld.so.preload | 47 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
48 | private-tmp | 48 | private-tmp |
49 | writable-run-user | 49 | writable-run-user |
50 | 50 | ||
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index 2c1dee50c..f9df83e2a 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile | |||
@@ -45,7 +45,7 @@ private | |||
45 | private-bin gnome-calendar | 45 | private-bin gnome-calendar |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl | 48 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user filter | 51 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile index 6261fcc27..dc9092a93 100644 --- a/etc/profile-a-l/gnome-chess.profile +++ b/etc/profile-a-l/gnome-chess.profile | |||
@@ -50,5 +50,5 @@ disable-mnt | |||
50 | private-bin fairymax,gnome-chess,gnuchess,hoichess | 50 | private-bin fairymax,gnome-chess,gnuchess,hoichess |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.preload | 53 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload |
54 | private-tmp | 54 | private-tmp |
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile index 7d33ac94e..90665add6 100644 --- a/etc/profile-a-l/gnome-clocks.profile +++ b/etc/profile-a-l/gnome-clocks.profile | |||
@@ -42,6 +42,6 @@ disable-mnt | |||
42 | private-bin gnome-clocks,gsound-play | 42 | private-bin gnome-clocks,gsound-play |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile index 28c7e3346..ab6279608 100644 --- a/etc/profile-a-l/gnome-hexgl.profile +++ b/etc/profile-a-l/gnome-hexgl.profile | |||
@@ -42,7 +42,7 @@ private | |||
42 | private-bin gnome-hexgl | 42 | private-bin gnome-hexgl |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse | 45 | private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile index 1d2366365..39a6718a6 100644 --- a/etc/profile-a-l/gnome-latex.profile +++ b/etc/profile-a-l/gnome-latex.profile | |||
@@ -48,6 +48,6 @@ tracelog | |||
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed | 50 | # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed |
51 | private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.preload,login.defs,passwd,texlive | 51 | private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive |
52 | 52 | ||
53 | dbus-system none | 53 | dbus-system none |
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile index 3d8218e99..7ee4d8b75 100644 --- a/etc/profile-a-l/gnome-logs.profile +++ b/etc/profile-a-l/gnome-logs.profile | |||
@@ -40,7 +40,7 @@ disable-mnt | |||
40 | private-bin gnome-logs | 40 | private-bin gnome-logs |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc alternatives,fonts,ld.so.preload,localtime,machine-id | 43 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id |
44 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | 44 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* |
45 | private-tmp | 45 | private-tmp |
46 | writable-var-log | 46 | writable-var-log |
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile index fe8268530..7b79fa15d 100644 --- a/etc/profile-a-l/gnome-music.profile +++ b/etc/profile-a-l/gnome-music.profile | |||
@@ -42,6 +42,6 @@ tracelog | |||
42 | # private-bin calls a file manager - whatever is installed! | 42 | # private-bin calls a file manager - whatever is installed! |
43 | #private-bin env,gio-launch-desktop,gnome-music,python*,yelp | 43 | #private-bin env,gio-launch-desktop,gnome-music,python*,yelp |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,xdg | 45 | private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile index bdc09b5ac..a96ec6f05 100644 --- a/etc/profile-a-l/gnome-passwordsafe.profile +++ b/etc/profile-a-l/gnome-passwordsafe.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | private-bin gnome-passwordsafe,python3* | 53 | private-bin gnome-passwordsafe,python3* |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc dconf,fonts,gtk-3.0,ld.so.preload,passwd | 56 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user filter | 59 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile index fb108ee97..6d30213cb 100644 --- a/etc/profile-a-l/gnome-pie.profile +++ b/etc/profile-a-l/gnome-pie.profile | |||
@@ -34,7 +34,7 @@ shell none | |||
34 | disable-mnt | 34 | disable-mnt |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
37 | private-etc alternatives,fonts,ld.so.preload,machine-id | 37 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
38 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | 38 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile index 256a0c69f..99d569a04 100644 --- a/etc/profile-a-l/gnome-pomodoro.profile +++ b/etc/profile-a-l/gnome-pomodoro.profile | |||
@@ -44,7 +44,7 @@ disable-mnt | |||
44 | private-bin gnome-pomodoro | 44 | private-bin gnome-pomodoro |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id | 47 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user filter | 50 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile index 9a5f878fc..b2ce4a92a 100644 --- a/etc/profile-a-l/gnome-recipes.profile +++ b/etc/profile-a-l/gnome-recipes.profile | |||
@@ -47,7 +47,7 @@ shell none | |||
47 | disable-mnt | 47 | disable-mnt |
48 | private-bin gnome-recipes,tar | 48 | private-bin gnome-recipes,tar |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,ssl | 50 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,ssl |
51 | private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* | 51 | private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile index a4e4ae38a..36c6693a9 100644 --- a/etc/profile-a-l/gnome-screenshot.profile +++ b/etc/profile-a-l/gnome-screenshot.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | disable-mnt | 42 | disable-mnt |
43 | private-bin gnome-screenshot | 43 | private-bin gnome-screenshot |
44 | private-dev | 44 | private-dev |
45 | private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,machine-id | 45 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,machine-id |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user filter | 48 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile index 859d56bd9..28a0205b9 100644 --- a/etc/profile-a-l/gnome-sound-recorder.profile +++ b/etc/profile-a-l/gnome-sound-recorder.profile | |||
@@ -40,5 +40,5 @@ tracelog | |||
40 | disable-mnt | 40 | disable-mnt |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,openal,pango,pulse,xdg | 43 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile index addd76f7f..02b023855 100644 --- a/etc/profile-a-l/gnome-system-log.profile +++ b/etc/profile-a-l/gnome-system-log.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin gnome-system-log | 43 | private-bin gnome-system-log |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,ld.so.preload,localtime,machine-id | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id |
47 | private-lib | 47 | private-lib |
48 | private-tmp | 48 | private-tmp |
49 | writable-var-log | 49 | writable-var-log |
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile index e7615e4f2..c6cd12250 100644 --- a/etc/profile-a-l/gnome-todo.profile +++ b/etc/profile-a-l/gnome-todo.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin gnome-todo | 46 | private-bin gnome-todo |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,passwd,xdg | 49 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,passwd,xdg |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user filter | 52 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile index a76fbbb2c..9b4f68808 100644 --- a/etc/profile-a-l/gnome_games-common.profile +++ b/etc/profile-a-l/gnome_games-common.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | disable-mnt | 41 | disable-mnt |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pango,passwd,X11 | 44 | private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pango,passwd,X11 |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | dbus-user filter | 47 | dbus-user filter |
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile index deda06f8e..928f2c548 100644 --- a/etc/profile-a-l/gnote.profile +++ b/etc/profile-a-l/gnote.profile | |||
@@ -51,7 +51,7 @@ disable-mnt | |||
51 | private-bin gnote | 51 | private-bin gnote |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc dconf,fonts,gtk-3.0,ld.so.preload,pango,X11 | 54 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pango,X11 |
55 | private-tmp | 55 | private-tmp |
56 | 56 | ||
57 | dbus-user filter | 57 | dbus-user filter |
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile index e2e154216..c895b4ce9 100644 --- a/etc/profile-a-l/gnubik.profile +++ b/etc/profile-a-l/gnubik.profile | |||
@@ -43,7 +43,7 @@ private | |||
43 | private-bin gnubik | 43 | private-bin gnubik |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc drirc,fonts,gtk-2.0,ld.so.preload | 46 | private-etc alternatives,drirc,fonts,gtk-2.0,ld.so.cache,ld.so.preload |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile index f33f63497..46b362db9 100644 --- a/etc/profile-a-l/godot.profile +++ b/etc/profile-a-l/godot.profile | |||
@@ -38,7 +38,7 @@ tracelog | |||
38 | # private-bin godot | 38 | # private-bin godot |
39 | private-cache | 39 | private-cache |
40 | private-dev | 40 | private-dev |
41 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl | 41 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.cache,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl |
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | dbus-user none | 44 | dbus-user none |
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile index 59a572319..5251ed427 100644 --- a/etc/profile-a-l/goldendict.profile +++ b/etc/profile-a-l/goldendict.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-bin goldendict | 50 | private-bin goldendict |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | 53 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile index a37c7ad77..a35813a09 100644 --- a/etc/profile-a-l/googler-common.profile +++ b/etc/profile-a-l/googler-common.profile | |||
@@ -54,7 +54,7 @@ disable-mnt | |||
54 | private-bin env,python3*,sh,w3m | 54 | private-bin env,python3*,sh,w3m |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | 57 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | dbus-user none | 60 | dbus-user none |
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile index 436134e1b..26afe6e49 100644 --- a/etc/profile-a-l/gpicview.profile +++ b/etc/profile-a-l/gpicview.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | private-bin gpicview | 41 | private-bin gpicview |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,fonts,group,ld.so.preload,passwd | 44 | private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd |
45 | private-lib | 45 | private-lib |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile index e421c6a0b..511be6fcc 100644 --- a/etc/profile-a-l/gpredict.profile +++ b/etc/profile-a-l/gpredict.profile | |||
@@ -36,6 +36,6 @@ tracelog | |||
36 | 36 | ||
37 | private-bin gpredict | 37 | private-bin gpredict |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl | 39 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile index efb6b39c6..9cc25e45c 100644 --- a/etc/profile-a-l/gradio.profile +++ b/etc/profile-a-l/gradio.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin gradio | 45 | private-bin gradio |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg | 48 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user filter | 51 | dbus-user filter |
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile index 10d41735a..d76ca105f 100644 --- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile +++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile | |||
@@ -40,7 +40,7 @@ private | |||
40 | private-bin gravity-beams-and-evaporating-stars | 40 | private-bin gravity-beams-and-evaporating-stars |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc fonts,ld.so.preload,machine-id | 43 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile index c6347efdf..ec8a614fd 100644 --- a/etc/profile-a-l/gtk-update-icon-cache.profile +++ b/etc/profile-a-l/gtk-update-icon-cache.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin gtk-update-icon-cache | 46 | private-bin gtk-update-icon-cache |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc ld.so.preload,none | 49 | private-etc alternatives,ld.so.cache,ld.so.preload |
50 | private-lib | 50 | private-lib |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile index 8becf6d84..d98d341ae 100644 --- a/etc/profile-a-l/gwenview.profile +++ b/etc/profile-a-l/gwenview.profile | |||
@@ -25,6 +25,7 @@ include disable-interpreters.inc | |||
25 | include disable-programs.inc | 25 | include disable-programs.inc |
26 | include disable-shell.inc | 26 | include disable-shell.inc |
27 | 27 | ||
28 | include whitelist-run-common.inc | ||
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
29 | 30 | ||
30 | apparmor | 31 | apparmor |
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile index 0baebdae1..74e0faa7f 100644 --- a/etc/profile-a-l/hyperrogue.profile +++ b/etc/profile-a-l/hyperrogue.profile | |||
@@ -44,7 +44,7 @@ private-bin hyperrogue | |||
44 | private-cache | 44 | private-cache |
45 | private-cwd ${HOME} | 45 | private-cwd ${HOME} |
46 | private-dev | 46 | private-dev |
47 | private-etc fonts,ld.so.preload,machine-id | 47 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile index e0015e69a..016a4d6c8 100644 --- a/etc/profile-a-l/inkscape.profile +++ b/etc/profile-a-l/inkscape.profile | |||
@@ -29,6 +29,7 @@ include disable-programs.inc | |||
29 | include disable-xdg.inc | 29 | include disable-xdg.inc |
30 | 30 | ||
31 | whitelist /usr/share/inkscape | 31 | whitelist /usr/share/inkscape |
32 | include whitelist-run-common.inc | ||
32 | include whitelist-usr-share-common.inc | 33 | include whitelist-usr-share-common.inc |
33 | include whitelist-var-common.inc | 34 | include whitelist-var-common.inc |
34 | 35 | ||
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile index 2997328e8..6eefd2945 100644 --- a/etc/profile-a-l/ipcalc.profile +++ b/etc/profile-a-l/ipcalc.profile | |||
@@ -50,7 +50,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh | |||
50 | # private-cache | 50 | # private-cache |
51 | private-dev | 51 | private-dev |
52 | # empty etc directory | 52 | # empty etc directory |
53 | private-etc ld.so.preload,none | 53 | private-etc alternatives,ld.so.cache,ld.so.preload |
54 | private-lib | 54 | private-lib |
55 | private-opt none | 55 | private-opt none |
56 | private-tmp | 56 | private-tmp |
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile index 59260dc64..6ca977512 100644 --- a/etc/profile-a-l/jerry.profile +++ b/etc/profile-a-l/jerry.profile | |||
@@ -34,7 +34,7 @@ tracelog | |||
34 | 34 | ||
35 | private-bin bash,jerry,sh,stockfish | 35 | private-bin bash,jerry,sh,stockfish |
36 | private-dev | 36 | private-dev |
37 | private-etc fonts,gtk-2.0,gtk-3.0,ld.so.preload | 37 | private-etc alternatives,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload |
38 | private-tmp | 38 | private-tmp |
39 | 39 | ||
40 | dbus-user none | 40 | dbus-user none |
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile index 9726ff6fe..4a9232344 100644 --- a/etc/profile-a-l/jumpnbump.profile +++ b/etc/profile-a-l/jumpnbump.profile | |||
@@ -41,7 +41,7 @@ disable-mnt | |||
41 | private-bin jumpnbump | 41 | private-bin jumpnbump |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc ld.so.preload,none | 44 | private-etc alternatives,ld.so.cache,ld.so.preload |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | dbus-user none | 47 | dbus-user none |
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile index 8799a6f24..e74c57546 100644 --- a/etc/profile-a-l/kaffeine.profile +++ b/etc/profile-a-l/kaffeine.profile | |||
@@ -22,6 +22,7 @@ include disable-interpreters.inc | |||
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
24 | 24 | ||
25 | include whitelist-run-common.inc | ||
25 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
26 | 27 | ||
27 | caps.drop all | 28 | caps.drop all |
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile index 5253a78b0..6ad50cf14 100644 --- a/etc/profile-a-l/kalgebra.profile +++ b/etc/profile-a-l/kalgebra.profile | |||
@@ -42,7 +42,7 @@ disable-mnt | |||
42 | private-bin kalgebra,kalgebramobile | 42 | private-bin kalgebra,kalgebramobile |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc fonts,ld.so.preload,machine-id | 45 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile index d8b2dddb1..8c340d536 100644 --- a/etc/profile-a-l/kate.profile +++ b/etc/profile-a-l/kate.profile | |||
@@ -29,6 +29,7 @@ include disable-exec.inc | |||
29 | # include disable-interpreters.inc | 29 | # include disable-interpreters.inc |
30 | include disable-programs.inc | 30 | include disable-programs.inc |
31 | 31 | ||
32 | include whitelist-run-common.inc | ||
32 | include whitelist-var-common.inc | 33 | include whitelist-var-common.inc |
33 | 34 | ||
34 | # apparmor | 35 | # apparmor |
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile index d88631005..277db1c24 100644 --- a/etc/profile-a-l/kazam.profile +++ b/etc/profile-a-l/kazam.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | # private-bin kazam,python* | 49 | # private-bin kazam,python* |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,X11,xdg | 52 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,X11,xdg |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-system none | 55 | dbus-system none |
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile index c551dbdbe..06978cbf1 100644 --- a/etc/profile-a-l/kcalc.profile +++ b/etc/profile-a-l/kcalc.profile | |||
@@ -28,6 +28,7 @@ whitelist /usr/share/config.kcfg/kcalc.kcfg | |||
28 | whitelist /usr/share/kcalc | 28 | whitelist /usr/share/kcalc |
29 | whitelist /usr/share/kconf_update/kcalcrc.upd | 29 | whitelist /usr/share/kconf_update/kcalcrc.upd |
30 | include whitelist-common.inc | 30 | include whitelist-common.inc |
31 | include whitelist-run-common.inc | ||
31 | include whitelist-runuser-common.inc | 32 | include whitelist-runuser-common.inc |
32 | include whitelist-usr-share-common.inc | 33 | include whitelist-usr-share-common.inc |
33 | include whitelist-var-common.inc | 34 | include whitelist-var-common.inc |
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index fa50b0a20..df7ee31dc 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile | |||
@@ -23,6 +23,8 @@ include disable-interpreters.inc | |||
23 | include disable-shell.inc | 23 | include disable-shell.inc |
24 | include disable-xdg.inc | 24 | include disable-xdg.inc |
25 | 25 | ||
26 | # Add the next line to your kdiff3.local if you don't need to compare files in /run. | ||
27 | #include whitelist-run-common.inc | ||
26 | include whitelist-runuser-common.inc | 28 | include whitelist-runuser-common.inc |
27 | # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. | 29 | # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. |
28 | #include whitelist-usr-share-common.inc | 30 | #include whitelist-usr-share-common.inc |
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile index 616b87d7e..5e2d6d8df 100644 --- a/etc/profile-a-l/keepassx.profile +++ b/etc/profile-a-l/keepassx.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | 41 | ||
42 | private-bin keepassx,keepassx2 | 42 | private-bin keepassx,keepassx2 |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,fonts,ld.so.preload,machine-id | 44 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | dbus-user none | 47 | dbus-user none |
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile index ec315b431..9b6646725 100644 --- a/etc/profile-a-l/kget.profile +++ b/etc/profile-a-l/kget.profile | |||
@@ -20,6 +20,7 @@ include disable-exec.inc | |||
20 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
21 | include disable-programs.inc | 21 | include disable-programs.inc |
22 | 22 | ||
23 | include whitelist-run-common.inc | ||
23 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
24 | 25 | ||
25 | caps.drop all | 26 | caps.drop all |
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile index 8b35a8946..5563aa410 100644 --- a/etc/profile-a-l/kid3.profile +++ b/etc/profile-a-l/kid3.profile | |||
@@ -37,7 +37,7 @@ tracelog | |||
37 | 37 | ||
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl | 40 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
41 | private-tmp | 41 | private-tmp |
42 | private-opt none | 42 | private-opt none |
43 | private-srv none | 43 | private-srv none |
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile index 964175274..46164403b 100644 --- a/etc/profile-a-l/klavaro.profile +++ b/etc/profile-a-l/klavaro.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin bash,klavaro,sh,tclsh,tclsh* | 45 | private-bin bash,klavaro,sh,tclsh,tclsh* |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,ld.so.preload | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-tmp | 49 | private-tmp |
50 | private-opt none | 50 | private-opt none |
51 | private-srv none | 51 | private-srv none |
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index 2c645677c..0796e6876 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile | |||
@@ -37,6 +37,7 @@ include disable-exec.inc | |||
37 | include disable-interpreters.inc | 37 | include disable-interpreters.inc |
38 | include disable-programs.inc | 38 | include disable-programs.inc |
39 | 39 | ||
40 | include whitelist-run-common.inc | ||
40 | include whitelist-var-common.inc | 41 | include whitelist-var-common.inc |
41 | 42 | ||
42 | # apparmor | 43 | # apparmor |
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile index 723fef0d2..1121dc8a5 100644 --- a/etc/profile-a-l/konversation.profile +++ b/etc/profile-a-l/konversation.profile | |||
@@ -20,6 +20,7 @@ include disable-programs.inc | |||
20 | include disable-shell.inc | 20 | include disable-shell.inc |
21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
22 | 22 | ||
23 | include whitelist-run-common.inc | ||
23 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
24 | 25 | ||
25 | caps.drop all | 26 | caps.drop all |
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile index 9d8aa1bd7..f3eae6780 100644 --- a/etc/profile-a-l/ktorrent.profile +++ b/etc/profile-a-l/ktorrent.profile | |||
@@ -37,6 +37,7 @@ whitelist ${HOME}/.kde4/share/config/ktorrentrc | |||
37 | whitelist ${HOME}/.local/share/ktorrent | 37 | whitelist ${HOME}/.local/share/ktorrent |
38 | whitelist ${HOME}/.local/share/kxmlgui5/ktorrent | 38 | whitelist ${HOME}/.local/share/kxmlgui5/ktorrent |
39 | include whitelist-common.inc | 39 | include whitelist-common.inc |
40 | include whitelist-run-common.inc | ||
40 | include whitelist-var-common.inc | 41 | include whitelist-var-common.inc |
41 | 42 | ||
42 | caps.drop all | 43 | caps.drop all |
@@ -61,4 +62,5 @@ private-dev | |||
61 | # private-lib - problems on Arch | 62 | # private-lib - problems on Arch |
62 | private-tmp | 63 | private-tmp |
63 | 64 | ||
65 | deterministic-shutdown | ||
64 | # memory-deny-write-execute | 66 | # memory-deny-write-execute |
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile index 78eb2e8f5..44da8acca 100644 --- a/etc/profile-a-l/ktouch.profile +++ b/etc/profile-a-l/ktouch.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin ktouch | 46 | private-bin ktouch |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,fonts,kde5rc,ld.so.preload,machine-id | 49 | private-etc alternatives,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user none | 52 | dbus-user none |
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index ad6b2f5fe..718cbbf40 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
@@ -68,7 +68,7 @@ tracelog | |||
68 | private-bin kube,sink_synchronizer | 68 | private-bin kube,sink_synchronizer |
69 | private-cache | 69 | private-cache |
70 | private-dev | 70 | private-dev |
71 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg | 71 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg |
72 | private-tmp | 72 | private-tmp |
73 | writable-run-user | 73 | writable-run-user |
74 | 74 | ||
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile index 32e9870e5..0b8763c29 100644 --- a/etc/profile-a-l/kwin_x11.profile +++ b/etc/profile-a-l/kwin_x11.profile | |||
@@ -21,6 +21,7 @@ include disable-programs.inc | |||
21 | include disable-shell.inc | 21 | include disable-shell.inc |
22 | include disable-xdg.inc | 22 | include disable-xdg.inc |
23 | 23 | ||
24 | include whitelist-run-common.inc | ||
24 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
25 | 26 | ||
26 | caps.drop all | 27 | caps.drop all |
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile index cd5ce7034..aff6f3181 100644 --- a/etc/profile-a-l/kwrite.profile +++ b/etc/profile-a-l/kwrite.profile | |||
@@ -24,6 +24,7 @@ include disable-programs.inc | |||
24 | include disable-shell.inc | 24 | include disable-shell.inc |
25 | include disable-xdg.inc | 25 | include disable-xdg.inc |
26 | 26 | ||
27 | include whitelist-run-common.inc | ||
27 | include whitelist-var-common.inc | 28 | include whitelist-var-common.inc |
28 | 29 | ||
29 | apparmor | 30 | apparmor |
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile index 328307705..12ff79748 100644 --- a/etc/profile-a-l/libreoffice.profile +++ b/etc/profile-a-l/libreoffice.profile | |||
@@ -21,6 +21,7 @@ include disable-devel.inc | |||
21 | include disable-exec.inc | 21 | include disable-exec.inc |
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | 23 | ||
24 | include whitelist-run-common.inc | ||
24 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
25 | 26 | ||
26 | # Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode. | 27 | # Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode. |
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile index dac3eaee3..84f5dc50d 100644 --- a/etc/profile-a-l/links-common.profile +++ b/etc/profile-a-l/links-common.profile | |||
@@ -51,7 +51,7 @@ disable-mnt | |||
51 | private-bin sh | 51 | private-bin sh |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl | 54 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
55 | # Add the next line to your links-common.local to allow external media players. | 55 | # Add the next line to your links-common.local to allow external media players. |
56 | # private-etc alsa,asound.conf,machine-id,openal,pulse | 56 | # private-etc alsa,asound.conf,machine-id,openal,pulse |
57 | private-tmp | 57 | private-tmp |
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile index a590c5fb7..fde338ff0 100644 --- a/etc/profile-a-l/lollypop.profile +++ b/etc/profile-a-l/lollypop.profile | |||
@@ -37,6 +37,6 @@ seccomp | |||
37 | shell none | 37 | shell none |
38 | 38 | ||
39 | private-dev | 39 | private-dev |
40 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg | 40 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile index 3213f3674..ae2f2d434 100644 --- a/etc/profile-a-l/lyx.profile +++ b/etc/profile-a-l/lyx.profile | |||
@@ -32,7 +32,7 @@ apparmor | |||
32 | machine-id | 32 | machine-id |
33 | 33 | ||
34 | # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex | 34 | # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex |
35 | private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg | 35 | private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg |
36 | 36 | ||
37 | # Redirect | 37 | # Redirect |
38 | include latex-common.profile | 38 | include latex-common.profile |