Diffstat (limited to 'etc/profile-a-l')
33 files changed, 129 insertions, 159 deletions
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile index 74b0b6ef6..0ab6465ca 100644 --- a/etc/profile-a-l/archiver-common.profile +++ b/etc/profile-a-l/archiver-common.profile | |||
@@ -6,24 +6,19 @@ include archiver-common.local | |||
6 | 6 | ||
7 | blacklist ${RUNUSER} | 7 | blacklist ${RUNUSER} |
8 | 8 | ||
9 | # WARNING: Users can (un)restrict file access for **all** archivers by | 9 | # Comment/uncomment the relevant include file(s) in your archiver-common.local |
10 | # commenting/uncommenting the needed include file(s) here or by putting those | 10 | # to (un)restrict file access for **all** archivers. Another option is to do this **per archiver** |
11 | # into archiver-common.local. | 11 | # in the relevant <archiver>.local. Beware that things tend to break when overtightening |
12 | # | 12 | # profiles. For example, because you only need to (un)compress files in ${DOWNLOADS}, |
13 | # Another option is to do this **per archiver** in the relevant | 13 | # other applications may need access to ${HOME}/.local/share. |
14 | # <archiver>.local. Just beware that things tend to break when overtightening | 14 | |
15 | # profiles. For example, because you only need to (un)compress files in | 15 | # Add the next line to your archiver-common.local if you don't need to compress files in disable-common.inc. |
16 | # ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share. | ||
17 | |||
18 | # Uncomment the next line (or put it into your archiver-common.local) if you | ||
19 | # don't need to compress files in disable-common.inc. | ||
20 | #include disable-common.inc | 16 | #include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
22 | include disable-exec.inc | 18 | include disable-exec.inc |
23 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
24 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
25 | # Uncomment the next line (or put it into your archiver-common.local) if you | 21 | # Add the next line to your archiver-common.local if you don't need to compress files in disable-programs.inc. |
26 | # don't need to compress files in disable-programs.inc. | ||
27 | #include disable-programs.inc | 22 | #include disable-programs.inc |
28 | include disable-shell.inc | 23 | include disable-shell.inc |
29 | 24 | ||
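Review bot: The rewritten paragraph on lines 9-13 tells users to "Comment/uncomment the relevant include file(s) in your archiver-common.local", but a .local can only add restrictions (copying one of the `#include` lines below into it); an include that is already active here, such as `include disable-devel.inc` on line 17, cannot be lifted by commenting anything in the .local. The old wording at least said "here or" for that case, and the commit's own gajim.profile hunk shows the mechanism that does work. Suggest `# Add the relevant include file(s) to your archiver-common.local to restrict, or 'ignore include <file>' to unrestrict, file access for **all** archivers.`, keeping the rest of the paragraph as is.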
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile index d2dcaace1..bef708bdc 100644 --- a/etc/profile-a-l/aria2c.profile +++ b/etc/profile-a-l/aria2c.profile | |||
@@ -40,9 +40,9 @@ seccomp | |||
40 | shell none | 40 | shell none |
41 | 41 | ||
42 | # disable-mnt | 42 | # disable-mnt |
43 | # Add your custom event hook commands to 'private-bin' in your aria2c.local | 43 | # Add your custom event hook commands to 'private-bin' in your aria2c.local. |
44 | private-bin aria2c,gzip | 44 | private-bin aria2c,gzip |
45 | # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) | 45 | # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). |
46 | #private-cache | 46 | #private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl | 48 | private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl |
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 178e2dc9f..5c93f8be9 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile | |||
@@ -12,37 +12,25 @@ noblacklist ${HOME}/.config/bcompare | |||
12 | # KDE's Gwenview to view images via right click -> Open With -> Associated Application | 12 | # KDE's Gwenview to view images via right click -> Open With -> Associated Application |
13 | noblacklist ${HOME}/.config/gwenviewrc | 13 | noblacklist ${HOME}/.config/gwenviewrc |
14 | 14 | ||
15 | # Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc | 15 | # Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc. |
16 | #include disable-common.inc | 16 | #include disable-common.inc |
17 | include disable-devel.inc | 17 | include disable-devel.inc |
18 | include disable-exec.inc | 18 | include disable-exec.inc |
19 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
20 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
21 | # Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc | 21 | # Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc. |
22 | #include disable-programs.inc | 22 | #include disable-programs.inc |
23 | # Uncommenting this breaks launch | 23 | #include disable-shell.inc - breaks launch |
24 | # include disable-shell.inc | ||
25 | include disable-write-mnt.inc | 24 | include disable-write-mnt.inc |
26 | # Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS} | ||
27 | # include disable-xdg.inc | ||
28 | |||
29 | # include whitelist-common.inc | ||
30 | # include whitelist-runuser-common.inc | ||
31 | # include whitelist-usr-share-common.inc | ||
32 | # include whitelist-var-common.inc | ||
33 | 25 | ||
34 | apparmor | 26 | apparmor |
35 | caps.drop all | 27 | caps.drop all |
36 | # Uncommenting might break Pulse Audio | ||
37 | #machine-id | ||
38 | net none | 28 | net none |
39 | no3d | 29 | no3d |
40 | nodvd | 30 | nodvd |
41 | nogroups | 31 | nogroups |
42 | nonewprivs | 32 | nonewprivs |
43 | noroot | 33 | noroot |
44 | # Allow applications launched on sound files to play them | ||
45 | #nosound | ||
46 | notv | 34 | notv |
47 | nou2f | 35 | nou2f |
48 | novideo | 36 | novideo |
@@ -53,9 +41,6 @@ tracelog | |||
53 | 41 | ||
54 | private-cache | 42 | private-cache |
55 | private-dev | 43 | private-dev |
56 | # see /usr/share/doc/firejail/profile.template for more common private-etc paths. | ||
57 | # private-etc alternatives,fonts,machine-id | ||
58 | # Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1" | ||
59 | private-tmp | 44 | private-tmp |
60 | 45 | ||
61 | dbus-user none | 46 | dbus-user none |
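Review bot: The second hunk removes the only explanation of why `private-tmp` on line 44 is mandatory (the dropped line 58 tied it to `include disable-exec.inc` and quoted the fs_remount_simple "Transport endpoint is not connected" failure), so a later cleanup can remove `private-tmp` and reintroduce that breakage without any hint. Keep a short form above it, e.g. `# private-tmp is required because of 'include disable-exec.inc' (otherwise fs_remount_simple fails with "Transport endpoint is not connected").`. The same concern applies, more mildly, to the first hunk's removal of the `#machine-id` (Pulse Audio) and `#nosound` notes: if those are meant to remain user-tunable, the one-line style the commit adopts on line 23 (`#include disable-shell.inc - breaks launch`) would carry them at no cost.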
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile index 19addd285..e6df50b43 100644 --- a/etc/profile-a-l/chromium-common-hardened.inc.profile +++ b/etc/profile-a-l/chromium-common-hardened.inc.profile | |||
@@ -6,4 +6,5 @@ caps.drop all | |||
6 | nonewprivs | 6 | nonewprivs |
7 | noroot | 7 | noroot |
8 | protocol unix,inet,inet6,netlink | 8 | protocol unix,inet,inet6,netlink |
9 | seccomp !chroot | 9 | # kcmp is requeired for ozone-platform=wayland, see #3783. |
10 | seccomp !chroot,!kcmp | ||
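Review bot: The new comment on line 9 misspells "required"; suggest `# kcmp is required for ozone-platform=wayland, see #3783.`. Beyond the typo, `!kcmp` on line 10 removes kcmp from the seccomp blocklist for every profile that includes this hardened file, including X11 sessions that presumably do not need it, and the comment presents it only as a wayland requirement. One more clause stating that the relaxation is unconditional (and why it was not made opt-in per session type, if that was considered) would let readers judge the trade-off from the profile alone.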
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 3667c350d..e9bef8df7 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -30,12 +30,10 @@ include whitelist-runuser-common.inc | |||
30 | include whitelist-usr-share-common.inc | 30 | include whitelist-usr-share-common.inc |
31 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
32 | 32 | ||
33 | # Uncomment the next line (or add it to your chromium-common.local) | 33 | # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. |
34 | # if your kernel allows unprivileged userns clone. | ||
35 | #include chromium-common-hardened.inc.profile | 34 | #include chromium-common-hardened.inc.profile |
36 | 35 | ||
37 | # Uncomment or put in your chromium-common.local to allow screen sharing under | 36 | # Add the next line to your chromium-common.local to allow screen sharing under wayland. |
38 | # wayland. | ||
39 | #whitelist ${RUNUSER}/pipewire-0 | 37 | #whitelist ${RUNUSER}/pipewire-0 |
40 | 38 | ||
41 | apparmor | 39 | apparmor |
@@ -50,12 +48,10 @@ shell none | |||
50 | disable-mnt | 48 | disable-mnt |
51 | private-cache | 49 | private-cache |
52 | ?BROWSER_DISABLE_U2F: private-dev | 50 | ?BROWSER_DISABLE_U2F: private-dev |
53 | # problems with multiple browser sessions | 51 | #private-tmp - issues when using multiple browser sessions |
54 | #private-tmp | ||
55 | 52 | ||
56 | # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector | 53 | #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. |
57 | # dbus-user none | ||
58 | dbus-system none | 54 | dbus-system none |
59 | 55 | ||
60 | # the file dialog needs to work without d-bus | 56 | # The file dialog needs to work without d-bus. |
61 | ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 | 57 | ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 |
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index b4a8303a2..691657fa0 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile | |||
@@ -11,7 +11,7 @@ noblacklist ${HOME}/.claws-mail | |||
11 | mkdir ${HOME}/.claws-mail | 11 | mkdir ${HOME}/.claws-mail |
12 | whitelist ${HOME}/.claws-mail | 12 | whitelist ${HOME}/.claws-mail |
13 | 13 | ||
14 | # If you use python-based plugins you need to uncomment the below (or put them in your claws-mail.local) | 14 | # Add the below lines to your claws-mail.local if you use python-based plugins. |
15 | # Allow python (blacklisted by disable-interpreters.inc) | 15 | # Allow python (blacklisted by disable-interpreters.inc) |
16 | #include allow-python2.inc | 16 | #include allow-python2.inc |
17 | #include allow-python3.inc | 17 | #include allow-python3.inc |
@@ -23,7 +23,7 @@ whitelist /usr/share/doc/claws-mail | |||
23 | dbus-user filter | 23 | dbus-user filter |
24 | dbus-user.talk ca.desrt.dconf | 24 | dbus-user.talk ca.desrt.dconf |
25 | dbus-user.talk org.gnome.keyring.SystemPrompter | 25 | dbus-user.talk org.gnome.keyring.SystemPrompter |
26 | # if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local) | 26 | # Add the next line to your claws-mail.local if you use the notification plugin. |
27 | # dbus-user.talk org.freedesktop.Notifications | 27 | # dbus-user.talk org.freedesktop.Notifications |
28 | 28 | ||
29 | # Redirect | 29 | # Redirect |
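Review bot: Line 27 keeps `# dbus-user.talk org.freedesktop.Notifications` with a space after `#`, while the directives this commit invites users to copy into a .local are otherwise written without one (`#include allow-python2.inc` on line 16 of this file, `#include feh-network.inc.profile` in feh.profile); since line 26 now calls it "the next line", write it as `#dbus-user.talk org.freedesktop.Notifications` so copyable directives stay visually distinct from prose comments. The same inconsistency is visible in `# net none` on line 40 of dolphin-emu.profile and `# dbus-user none` on line 46 of clipgrab.profile.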
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile index dace5e83e..130d23522 100644 --- a/etc/profile-a-l/clipgrab.profile +++ b/etc/profile-a-l/clipgrab.profile | |||
@@ -42,6 +42,6 @@ private-cache | |||
42 | private-dev | 42 | private-dev |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
45 | # Breaks tray icon, uncomment or add to clipgrab.local if you don't need it | 45 | # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it. |
46 | # dbus-user none | 46 | # dbus-user none |
47 | # dbus-system none | 47 | # dbus-system none |
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile index f8b194044..9366edfa1 100644 --- a/etc/profile-a-l/curl.profile +++ b/etc/profile-a-l/curl.profile | |||
@@ -9,9 +9,9 @@ include globals.local | |||
9 | 9 | ||
10 | # curl 7.74.0 introduces experimental support for HSTS cache | 10 | # curl 7.74.0 introduces experimental support for HSTS cache |
11 | # https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/ | 11 | # https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/ |
12 | # technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts | 12 | # Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts. |
13 | # if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local | 13 | # If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local |
14 | # and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact | 14 | # and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact. |
15 | noblacklist ${HOME}/.curl-hsts | 15 | noblacklist ${HOME}/.curl-hsts |
16 | noblacklist ${HOME}/.curlrc | 16 | noblacklist ${HOME}/.curlrc |
17 | 17 | ||
@@ -22,7 +22,7 @@ include disable-common.inc | |||
22 | include disable-exec.inc | 22 | include disable-exec.inc |
23 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
24 | include disable-programs.inc | 24 | include disable-programs.inc |
25 | # depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local | 25 | # Depending on workflow you can add 'include disable-xdg.inc' to your curl.local. |
26 | #include disable-xdg.inc | 26 | #include disable-xdg.inc |
27 | 27 | ||
28 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
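Review bot: Line 13 keeps `If your setup diverts`, which does not say what is meant; `If your HSTS file lives elsewhere,` (or simply `If your setup differs,`) reads cleanly and matches the sentence that follows. The capitalisation and full-stop fixes on lines 12-14 are otherwise consistent with the rest of the commit.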
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile index 80d97a31f..b99b31df8 100644 --- a/etc/profile-a-l/dig.profile +++ b/etc/profile-a-l/dig.profile | |||
@@ -21,7 +21,7 @@ include disable-passwdmgr.inc | |||
21 | include disable-programs.inc | 21 | include disable-programs.inc |
22 | include disable-xdg.inc | 22 | include disable-xdg.inc |
23 | 23 | ||
24 | #mkfile ${HOME}/.digrc -- see #903 | 24 | #mkfile ${HOME}/.digrc - see #903 |
25 | whitelist ${HOME}/.digrc | 25 | whitelist ${HOME}/.digrc |
26 | include whitelist-common.inc | 26 | include whitelist-common.inc |
27 | include whitelist-usr-share-common.inc | 27 | include whitelist-usr-share-common.inc |
@@ -49,7 +49,7 @@ tracelog | |||
49 | disable-mnt | 49 | disable-mnt |
50 | private-bin bash,dig,sh | 50 | private-bin bash,dig,sh |
51 | private-dev | 51 | private-dev |
52 | # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038) | 52 | # Add the next line to your dig.local on non Debian/Ubuntu OS (see issue #3038). |
53 | #private-lib | 53 | #private-lib |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile index fc920a065..49feec32e 100644 --- a/etc/profile-a-l/dolphin-emu.profile +++ b/etc/profile-a-l/dolphin-emu.profile | |||
@@ -6,7 +6,7 @@ include dolphin-emu.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Note: you must whitelist your games folder in a dolphin-emu.local | 9 | # Note: you must whitelist your games folder in your dolphin-emu.local. |
10 | 10 | ||
11 | noblacklist ${HOME}/.cache/dolphin-emu | 11 | noblacklist ${HOME}/.cache/dolphin-emu |
12 | noblacklist ${HOME}/.config/dolphin-emu | 12 | noblacklist ${HOME}/.config/dolphin-emu |
@@ -36,10 +36,10 @@ include whitelist-var-common.inc | |||
36 | apparmor | 36 | apparmor |
37 | caps.drop all | 37 | caps.drop all |
38 | ipc-namespace | 38 | ipc-namespace |
39 | # uncomment the following line if you do not need NetPlay support | 39 | # Add the next line to your dolphin-emu.local if you do not need NetPlay support. |
40 | # net none | 40 | # net none |
41 | netfilter | 41 | netfilter |
42 | # uncomment the following line if you do not need disc support | 42 | # Add the next line to your dolphin-emu.local if you do not need disc support. |
43 | #nodvd | 43 | #nodvd |
44 | nogroups | 44 | nogroups |
45 | nonewprivs | 45 | nonewprivs |
@@ -54,7 +54,7 @@ tracelog | |||
54 | 54 | ||
55 | private-bin bash,dolphin-emu,dolphin-emu-x11,sh | 55 | private-bin bash,dolphin-emu,dolphin-emu-x11,sh |
56 | private-cache | 56 | private-cache |
57 | # uncomment the following line if you do not need controller support | 57 | # Add the next line to your dolphin-emu.local if you do not need controller support. |
58 | #private-dev | 58 | #private-dev |
59 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg | 59 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg |
60 | private-opt none | 60 | private-opt none |
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile index 79b449ab1..8785a192c 100644 --- a/etc/profile-a-l/electron.profile +++ b/etc/profile-a-l/electron.profile | |||
@@ -18,8 +18,7 @@ include whitelist-runuser-common.inc | |||
18 | include whitelist-usr-share-common.inc | 18 | include whitelist-usr-share-common.inc |
19 | include whitelist-var-common.inc | 19 | include whitelist-var-common.inc |
20 | 20 | ||
21 | # Uncomment the next line (or add it to your chromium-common.local) | 21 | # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. |
22 | # if your kernel allows unprivileged userns clone. | ||
23 | #include chromium-common-hardened.inc.profile | 22 | #include chromium-common-hardened.inc.profile |
24 | 23 | ||
25 | apparmor | 24 | apparmor |
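Review bot: The rewritten comment on line 21 still points electron users at `chromium-common.local`, but this file is electron.profile; unless electron.profile includes chromium-common.profile (its own `include whitelist-*.inc` lines on 18-19 suggest it carries its own set of includes instead), a line added to chromium-common.local is never read here and the hardened include silently has no effect. The wording appears to have been copied from the chromium-common.profile hunk, so the target file name was presumably not reconsidered; suggest `# Add the next line to your electron.local if your kernel allows unprivileged userns clone.`.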
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile index 226237b5b..55bf743ef 100644 --- a/etc/profile-a-l/emacs.profile +++ b/etc/profile-a-l/emacs.profile | |||
@@ -8,8 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.emacs | 9 | noblacklist ${HOME}/.emacs |
10 | noblacklist ${HOME}/.emacs.d | 10 | noblacklist ${HOME}/.emacs.d |
11 | # if you need gpg uncomment the following line | 11 | # Add the next line to your emacs.local if you need gpg support. |
12 | # or put it into your emacs.local | ||
13 | #noblacklist ${HOME}/.gnupg | 12 | #noblacklist ${HOME}/.gnupg |
14 | 13 | ||
15 | # Allows files commonly used by IDEs | 14 | # Allows files commonly used by IDEs |
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index 25d5196fc..eeccb81be 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile | |||
@@ -6,8 +6,8 @@ include evince.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Uncomment this line and the bottom ones to use bookmarks | 9 | # WARNING: using bookmarks possibly exposes information, including file history from other programs. |
10 | # NOTE: This possibly exposes information, including file history from other programs. | 10 | # Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below). |
11 | #noblacklist ${HOME}/.local/share/gvfs-metadata | 11 | #noblacklist ${HOME}/.local/share/gvfs-metadata |
12 | 12 | ||
13 | noblacklist ${HOME}/.config/evince | 13 | noblacklist ${HOME}/.config/evince |
@@ -57,9 +57,9 @@ private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd | |||
57 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* | 57 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | # might break two-page-view on some systems | 60 | # dbus-user filtering might break two-page-view on some systems |
61 | dbus-user filter | 61 | dbus-user filter |
62 | # Also uncomment these two lines if you want to use bookmarks | 62 | # Add the next two lines to your evince.local if you need bookmarks support. |
63 | #dbus-user.talk org.gtk.vfs.Daemon | 63 | #dbus-user.talk org.gtk.vfs.Daemon |
64 | #dbus-user.talk org.gtk.vfs.Metadata | 64 | #dbus-user.talk org.gtk.vfs.Metadata |
65 | dbus-system none | 65 | dbus-system none |
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile index 30135d4bc..b6741d701 100644 --- a/etc/profile-a-l/exiftool.profile +++ b/etc/profile-a-l/exiftool.profile | |||
@@ -42,8 +42,9 @@ shell none | |||
42 | tracelog | 42 | tracelog |
43 | x11 none | 43 | x11 none |
44 | 44 | ||
45 | # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below. | 45 | # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool |
46 | # Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening. | 46 | # to /usr/bin/exiftool and add the below to your exiftool.local. |
47 | # Non-Arch Linux users can safely add the below to their exiftool.local for extra hardening. | ||
47 | #private-bin exiftool,perl | 48 | #private-bin exiftool,perl |
48 | private-cache | 49 | private-cache |
49 | private-dev | 50 | private-dev |
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index 4d6a0c33a..68ce0da61 100644 --- a/etc/profile-a-l/feh.profile +++ b/etc/profile-a-l/feh.profile | |||
@@ -15,10 +15,8 @@ include disable-passwdmgr.inc | |||
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | include disable-shell.inc | 16 | include disable-shell.inc |
17 | 17 | ||
18 | # This profile disables network access | 18 | # Add the next line to your feh.local to enable network access. |
19 | # In order to enable network access, | 19 | #include feh-network.inc.profile |
20 | # uncomment the following or put it in your feh.local: | ||
21 | # include feh-network.inc.profile | ||
22 | 20 | ||
23 | caps.drop all | 21 | caps.drop all |
24 | net none | 22 | net none |
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index a955722c8..b0ead7590 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile | |||
@@ -9,7 +9,7 @@ include firefox-common.local | |||
9 | # noexec ${HOME} breaks DRM binaries. | 9 | # noexec ${HOME} breaks DRM binaries. |
10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | 10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
11 | 11 | ||
12 | # Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins. | 12 | # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins. |
13 | #include firefox-common-addons.profile | 13 | #include firefox-common-addons.profile |
14 | 14 | ||
15 | noblacklist ${HOME}/.pki | 15 | noblacklist ${HOME}/.pki |
@@ -32,7 +32,7 @@ include whitelist-var-common.inc | |||
32 | 32 | ||
33 | apparmor | 33 | apparmor |
34 | caps.drop all | 34 | caps.drop all |
35 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required. | 35 | # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required. |
36 | #machine-id | 36 | #machine-id |
37 | netfilter | 37 | netfilter |
38 | nodvd | 38 | nodvd |
@@ -52,10 +52,11 @@ shell none | |||
52 | disable-mnt | 52 | disable-mnt |
53 | ?BROWSER_DISABLE_U2F: private-dev | 53 | ?BROWSER_DISABLE_U2F: private-dev |
54 | # private-etc below works fine on most distributions. There are some problems on CentOS. | 54 | # private-etc below works fine on most distributions. There are some problems on CentOS. |
55 | # Add it to your firefox-common.local if you want to enable it. | ||
55 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 56 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
56 | private-tmp | 57 | private-tmp |
57 | 58 | ||
58 | # breaks various desktop integration features | 59 | # 'dbus-user none' breaks various desktop integration features like global menus, native notifications, |
59 | # among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma | 60 | # Gnome connector, KDE connect and power management on KDE Plasma. |
60 | dbus-user none | 61 | dbus-user none |
61 | dbus-system none | 62 | dbus-system none |
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 68dd350ca..cefba93d4 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -14,8 +14,8 @@ mkdir ${HOME}/.mozilla | |||
14 | whitelist ${HOME}/.cache/mozilla/firefox | 14 | whitelist ${HOME}/.cache/mozilla/firefox |
15 | whitelist ${HOME}/.mozilla | 15 | whitelist ${HOME}/.mozilla |
16 | 16 | ||
17 | # Uncomment or put in your firefox.local one of the following whitelist to enable KeePassXC Plugin | 17 | # Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support. |
18 | # NOTE: start KeePassXC before Firefox and keep it open to allow communication between them | 18 | # NOTE: start KeePassXC before Firefox and keep it open to allow communication between them. |
19 | #whitelist ${RUNUSER}/kpxc_server | 19 | #whitelist ${RUNUSER}/kpxc_server |
20 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer | 20 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer |
21 | 21 | ||
@@ -27,31 +27,30 @@ whitelist /usr/share/mozilla | |||
27 | whitelist /usr/share/webext | 27 | whitelist /usr/share/webext |
28 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
29 | 29 | ||
30 | # firefox requires a shell to launch on Arch. | 30 | # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. |
31 | #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which | 31 | #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which |
32 | # Fedora use shell scripts to launch firefox, at least this is required | 32 | # Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin. |
33 | #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname | 33 | #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname |
34 | # private-etc must first be enabled in firefox-common.profile | 34 | # Add the next line to your firefox.local to enable private-etc support - note that this must be enabled in your firefox-common.local too. |
35 | #private-etc firefox | 35 | #private-etc firefox |
36 | 36 | ||
37 | dbus-user filter | 37 | dbus-user filter |
38 | dbus-user.own org.mozilla.Firefox.* | 38 | dbus-user.own org.mozilla.Firefox.* |
39 | dbus-user.own org.mozilla.firefox.* | 39 | dbus-user.own org.mozilla.firefox.* |
40 | dbus-user.own org.mpris.MediaPlayer2.firefox.* | 40 | dbus-user.own org.mpris.MediaPlayer2.firefox.* |
41 | # Uncomment or put in your firefox.local to enable native notifications. | 41 | # Add the next line to your firefox.local to enable native notifications. |
42 | #dbus-user.talk org.freedesktop.Notifications | 42 | #dbus-user.talk org.freedesktop.Notifications |
43 | # Uncomment or put in your firefox.local to allow to inhibit screensavers | 43 | # Add the next line to your firefox.local to allow inhibiting screensavers. |
44 | #dbus-user.talk org.freedesktop.ScreenSaver | 44 | #dbus-user.talk org.freedesktop.ScreenSaver |
45 | # Uncomment or put in your firefox.local for plasma browser integration | 45 | # Add the next lines to your firefox.local for plasma browser integration. |
46 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration | 46 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration |
47 | #dbus-user.talk org.kde.JobViewServer | 47 | #dbus-user.talk org.kde.JobViewServer |
48 | #dbus-user.talk org.kde.kuiserver | 48 | #dbus-user.talk org.kde.kuiserver |
49 | # Uncomment or put in your firefox.local to allow screen sharing under wayland. | 49 | # Add the next two lines to your firefox.local to allow screen sharing under wayland. |
50 | #whitelist ${RUNUSER}/pipewire-0 | 50 | #whitelist ${RUNUSER}/pipewire-0 |
51 | #dbus-user.talk org.freedesktop.portal.* | 51 | #dbus-user.talk org.freedesktop.portal.* |
52 | # Also uncomment or put in your firefox.local if screen sharing sharing still | 52 | # Add the next line to your firefox.local if screen sharing sharing still does not work |
53 | # does not work with the above lines (might depend on the portal | 53 | # with the above lines (might depend on the portal implementation). |
54 | # implementation) | ||
55 | #ignore noroot | 54 | #ignore noroot |
56 | ignore dbus-user none | 55 | ignore dbus-user none |
57 | 56 | ||
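Review bot: Line 52 carries over the doubled word from the old text: `screen sharing sharing still does not work` should read `screen sharing still does not work`. The directive that sentence introduces, `#ignore noroot` on line 54, is a sandbox-wide relaxation (it cancels `noroot` for the whole firefox sandbox, not only for the portal path), unlike the two narrowly scoped whitelist/dbus lines above it, so the comment should say so rather than present it as just another opt-in; e.g. end line 53 with `implementation). Note that 'ignore noroot' weakens the sandbox as a whole.`. On line 34, "must be enabled in your firefox-common.local too" is hard to act on without naming the line; pointing at the `#private-etc` entry in firefox-common.profile would make it concrete.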
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index 125ddf79c..e2da1747e 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile | |||
@@ -21,7 +21,7 @@ include disable-exec.inc | |||
21 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
22 | include disable-passwdmgr.inc | 22 | include disable-passwdmgr.inc |
23 | include disable-programs.inc | 23 | include disable-programs.inc |
24 | # Comment the following line if you need to whitelist folders other than ~/Downloads | 24 | # Add 'ignore include disable-xdg.inc' to your gajim.local if you need to whitelist folders other than ~/Downloads. |
25 | include disable-xdg.inc | 25 | include disable-xdg.inc |
26 | 26 | ||
27 | mkdir ${HOME}/.gnupg | 27 | mkdir ${HOME}/.gnupg |
@@ -73,7 +73,7 @@ dbus-user.talk org.kde.kwalletd5 | |||
73 | dbus-user.talk org.mpris.MediaPlayer2.* | 73 | dbus-user.talk org.mpris.MediaPlayer2.* |
74 | dbus-system filter | 74 | dbus-system filter |
75 | dbus-system.talk org.freedesktop.login1 | 75 | dbus-system.talk org.freedesktop.login1 |
76 | # Uncomment for location plugin support | 76 | # Add the next line to your gajim.local to enable location plugin support. |
77 | #dbus-system.talk org.freedesktop.GeoClue2 | 77 | #dbus-system.talk org.freedesktop.GeoClue2 |
78 | 78 | ||
79 | join-or-start gajim | 79 | join-or-start gajim |
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index e339f6abb..5e1b024fe 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile | |||
@@ -51,8 +51,8 @@ private-dev | |||
51 | private-etc none | 51 | private-etc none |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | # Uncomment (or add to your gapplcation.local) the next line to filter D-Bus names. | 54 | # Add the next line to your gapplication.local to filter D-Bus names. |
55 | # You might need to add additional dbus-user.talk rules. see 'gapplication list-apps'. | 55 | # You might need to add additional dbus-user.talk rules (see 'gapplication list-apps'). |
56 | #dbus-user filter | 56 | #dbus-user filter |
57 | dbus-user.talk org.gnome.Boxes | 57 | dbus-user.talk org.gnome.Boxes |
58 | dbus-user.talk org.gnome.Builder | 58 | dbus-user.talk org.gnome.Builder |
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile index 30251fbe5..d61bea6c4 100644 --- a/etc/profile-a-l/gedit.profile +++ b/etc/profile-a-l/gedit.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | 43 | ||
44 | # private-bin gedit | 44 | # private-bin gedit |
45 | private-dev | 45 | private-dev |
46 | # private-lib breaks python plugins, uncomment or add to your gedit.local if you don't use them. | 46 | # private-lib breaks python plugins - add the next line to your gedit.local if you don't use them. |
47 | #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.* | 47 | #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.* |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index bc5ef966c..e26fadca2 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile | |||
@@ -6,7 +6,7 @@ include gimp.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Uncomment or add to gimp.local in order to support scanning via xsane (see #3640). | 9 | # Add the next lines to your gimp.local in order to support scanning via xsane (see #3640). |
10 | # TODO: Replace 'ignore seccomp' with a less permissive option. | 10 | # TODO: Replace 'ignore seccomp' with a less permissive option. |
11 | #ignore seccomp | 11 | #ignore seccomp |
12 | #ignore dbus-system | 12 | #ignore dbus-system |
@@ -15,8 +15,7 @@ include globals.local | |||
15 | 15 | ||
16 | 16 | ||
17 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory | 17 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory |
18 | # if you are not using external plugins, you can comment 'ignore noexec' statement below | 18 | # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local. |
19 | # or put 'noexec ${HOME}' in your gimp.local | ||
20 | ignore noexec ${HOME} | 19 | ignore noexec ${HOME} |
21 | 20 | ||
22 | noblacklist ${HOME}/.cache/babl | 21 | noblacklist ${HOME}/.cache/babl |
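Review bot: The xsane comment at new lines 9-12 tells users to add `ignore seccomp` to gimp.local but does not say what that costs: `ignore` drops the profile's `seccomp` line altogether, so the whole gimp sandbox runs without the syscall filter, not just the scanner plug-in. The existing TODO hints at this, but a plain sentence would make the trade-off visible to someone copying the block, e.g. `# Note: 'ignore seccomp' removes the syscall filter for the entire gimp sandbox, not only for xsane.`. The commented block this refers to may continue past the hunk's last line.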
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index 312655b9b..7894e4d8d 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile | |||
@@ -14,8 +14,8 @@ noblacklist ${HOME}/.gnupg | |||
14 | noblacklist ${HOME}/.subversion | 14 | noblacklist ${HOME}/.subversion |
15 | noblacklist ${HOME}/.config/git | 15 | noblacklist ${HOME}/.config/git |
16 | noblacklist ${HOME}/.config/git-cola | 16 | noblacklist ${HOME}/.config/git-cola |
17 | # Put your editor,diff viewer config path below and uncomment to load settings | 17 | # Add your editor/diff viewer config paths and the next line to your git-cola.local to load settings. |
18 | # noblacklist ${HOME}/ | 18 | #noblacklist ${HOME}/ |
19 | 19 | ||
20 | # Allow python (blacklisted by disable-interpreters.inc) | 20 | # Allow python (blacklisted by disable-interpreters.inc) |
21 | include allow-python2.inc | 21 | include allow-python2.inc |
@@ -34,7 +34,7 @@ include disable-xdg.inc | |||
34 | 34 | ||
35 | whitelist ${RUNUSER}/gnupg | 35 | whitelist ${RUNUSER}/gnupg |
36 | whitelist ${RUNUSER}/keyring | 36 | whitelist ${RUNUSER}/keyring |
37 | # Whitelist your editor, diff viewer, gnupg path below in /usr/share/ | 37 | # Add additional whitelist paths below /usr/share to your git-cola.local to support your editor/diff viewer. |
38 | whitelist /usr/share/git | 38 | whitelist /usr/share/git |
39 | whitelist /usr/share/git-cola | 39 | whitelist /usr/share/git-cola |
40 | whitelist /usr/share/git-core | 40 | whitelist /usr/share/git-core |
@@ -65,8 +65,8 @@ seccomp | |||
65 | shell none | 65 | shell none |
66 | tracelog | 66 | tracelog |
67 | 67 | ||
68 | # Add your own diff viewer,editor,pinentry program | 68 | # Add your own diff viewer,editor,pinentry program to private-bin in your git-cola.local. |
69 | # pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | 69 | #private-bin pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg |
70 | private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed | 70 | private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed |
71 | private-cache | 71 | private-cache |
72 | private-dev | 72 | private-dev |
@@ -74,13 +74,14 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitc | |||
74 | private-tmp | 74 | private-tmp |
75 | writable-run-user | 75 | writable-run-user |
76 | 76 | ||
77 | # Breaks meld as diff viewer | 77 | # dbus-user filtering breaks meld as diff viewer |
78 | # dbus-user filter | 78 | # Add the next line to your git-cola.local if you don't use meld. |
79 | # Uncomment if you need keyring access | 79 | #dbus-user filter |
80 | # dbus-user.talk org.freedesktop.secrets | 80 | # Add the next line to your git-cola.local if you need keyring access |
81 | #dbus-user.talk org.freedesktop.secrets | ||
81 | dbus-system none | 82 | dbus-system none |
82 | 83 | ||
83 | read-only ${HOME}/.git-credentials | 84 | read-only ${HOME}/.git-credentials |
84 | 85 | ||
85 | # Comment if you need to allow hosts | 86 | # Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts. |
86 | read-only ${HOME}/.ssh | 87 | read-only ${HOME}/.ssh |
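Review bot: New line 69 turns the old free-text pinentry list into a copyable `#private-bin pinentry-curses,...` line but keeps the stray `" for gpg` tail from the original comment, so anyone who pastes it into git-cola.local gets a malformed private-bin argument ending in `pinentry-kwallet" for gpg`. Drop the tail and move the explanation into the comment above it: `# Add your own diff viewer, editor and pinentry program (for gpg) to private-bin in your git-cola.local.` followed by `#private-bin pinentry-curses,...,pinentry-kwallet` with nothing after the last name. In the last hunk, new lines 80-81 offer `dbus-user.talk org.freedesktop.secrets` for keyring access, but as far as I can tell a talk rule only takes effect together with `dbus-user filter`, which the comment two lines above says breaks meld; the keyring comment should state that dependency so users do not add the talk rule alone and wonder why nothing changes.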
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile index 93b90eb9e..7b6820a81 100644 --- a/etc/profile-a-l/gitg.profile +++ b/etc/profile-a-l/gitg.profile | |||
@@ -59,6 +59,6 @@ private-tmp | |||
59 | dbus-user filter | 59 | dbus-user filter |
60 | dbus-user.own org.gnome.gitg | 60 | dbus-user.own org.gnome.gitg |
61 | dbus-user.talk ca.desrt.dconf | 61 | dbus-user.talk ca.desrt.dconf |
62 | # Uncomment (or put in your gitg.local) if you need keyring access. | 62 | # Add the next line to your gitg.local if you need keyring access. |
63 | #dbus-user.talk org.freedesktop.secrets | 63 | #dbus-user.talk org.freedesktop.secrets |
64 | dbus-system none | 64 | dbus-system none |
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile index 4d53a67dd..048fad65c 100644 --- a/etc/profile-a-l/gnome-characters.profile +++ b/etc/profile-a-l/gnome-characters.profile | |||
@@ -44,8 +44,7 @@ shell none | |||
44 | tracelog | 44 | tracelog |
45 | 45 | ||
46 | disable-mnt | 46 | disable-mnt |
47 | # Uncomment the next line (or add it to your gnome-characters.local) | 47 | # Add the next line to your gnome-characters.local if you don't need access to recently used chars. |
48 | # if you don't need recently used chars | ||
49 | #private | 48 | #private |
50 | private-bin gjs,gnome-characters | 49 | private-bin gjs,gnome-characters |
51 | private-cache | 50 | private-cache |
@@ -53,8 +52,7 @@ private-dev | |||
53 | private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg | 52 | private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg |
54 | private-tmp | 53 | private-tmp |
55 | 54 | ||
56 | # Uncomment the next lines (or add it to your gnome-characters.local) | 55 | # Add the next lines to your gnome-characters.local if you don't need access to recently used chars. |
57 | # if you don't need recently used chars | ||
58 | # dbus-user none | 56 | # dbus-user none |
59 | # dbus-system none | 57 | # dbus-system none |
60 | 58 | ||
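Review bot: New lines 56-57 keep a space between `#` and the option (`# dbus-user none`, `# dbus-system none`) while the same commit normalizes other commented-out options to the no-space form (git-cola new line 18 `#noblacklist ${HOME}/`, lutris new line 70 `#private-dev`). For a line the comment explicitly tells users to copy, the no-space form reads as the intended option rather than prose, so `#dbus-user none` and `#dbus-system none` would be consistent here. The same applies to links new line 62 (`# private-etc alsa,...`).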
diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile index 1240dc3b7..249ae187d 100644 --- a/etc/profile-a-l/google-earth-pro.profile +++ b/etc/profile-a-l/google-earth-pro.profile | |||
@@ -22,8 +22,7 @@ include google-earth-pro.local | |||
22 | #[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}" | 22 | #[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}" |
23 | # <--- end of snippet ---> | 23 | # <--- end of snippet ---> |
24 | 24 | ||
25 | # If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local | 25 | # If you see errors about missing commands, add 'ignore private-bin' to your google-earth-pro.local. |
26 | #ignore private-bin | ||
27 | private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings | 26 | private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings |
28 | 27 | ||
29 | # Redirect | 28 | # Redirect |
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile index 2f684349d..1633cc3ee 100644 --- a/etc/profile-a-l/hasher-common.profile +++ b/etc/profile-a-l/hasher-common.profile | |||
@@ -6,24 +6,23 @@ include hasher-common.local | |||
6 | 6 | ||
7 | blacklist ${RUNUSER} | 7 | blacklist ${RUNUSER} |
8 | 8 | ||
9 | # WARNING: | 9 | # Comment/uncomment the relevant include file(s) in your hasher-common.local |
10 | # Users can (un)restrict file access for **all** hashers by commenting/uncommenting the needed | 10 | # to (un)restrict file access for **all** hashers. Another option is to do this **per hasher** |
11 | # include file(s) here or by putting those into hasher-common.local. | 11 | # in the relevant <hasher>.local. Beware that things tend to break when overtightening |
12 | # Another option is to do this **per hasher** in the relevant <hasher>.local. | 12 | # profiles. For example, because you only need to hash/check files in ${DOWNLOADS}, |
13 | # Just beware that things tend to break when overtightening profiles. For example, because you only | 13 | # other applications may need access to ${HOME}/.local/share. |
14 | # need to hash/check files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share. | 14 | |
15 | 15 | # Add the next line to your hasher-common.local if you don't need to hash files in disable-common.inc. | |
16 | # Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-common.inc. | ||
17 | #include disable-common.inc | 16 | #include disable-common.inc |
18 | include disable-devel.inc | 17 | include disable-devel.inc |
19 | include disable-exec.inc | 18 | include disable-exec.inc |
20 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
21 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
22 | # Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-programs.inc. | 21 | # Add the next line to your hasher-common.local if you don't need to hash files in disable-programs.inc. |
23 | #include disable-programs.inc | 22 | #include disable-programs.inc |
24 | include disable-shell.inc | 23 | include disable-shell.inc |
25 | include disable-write-mnt.inc | 24 | include disable-write-mnt.inc |
26 | # Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-xdg.inc. | 25 | # Add the next line to your hasher-common.local if you don't need to hash files in disable-xdg.inc. |
27 | #include disable-xdg.inc | 26 | #include disable-xdg.inc |
28 | 27 | ||
29 | apparmor | 28 | apparmor |
@@ -47,10 +46,10 @@ shell none | |||
47 | tracelog | 46 | tracelog |
48 | x11 none | 47 | x11 none |
49 | 48 | ||
50 | # Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp. | 49 | # Add the next line to your hasher-common.local if you don't need to hash files in ~/.cache. |
51 | #private-cache | 50 | #private-cache |
52 | private-dev | 51 | private-dev |
53 | # Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp. | 52 | # Add the next line to your hasher-common.local if you don't need to hash files in /tmp. |
54 | #private-tmp | 53 | #private-tmp |
55 | 54 | ||
56 | dbus-user none | 55 | dbus-user none |
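Review bot: The new opening comment (lines 9-10) says to "Comment/uncomment the relevant include file(s) in your hasher-common.local", but a .local file is written by the user and has nothing to comment out; the working idiom this commit uses elsewhere is to add an `include <file>.inc` line to tighten, or an `ignore include <file>.inc` line to loosen (as the gajim comment in this same commit does). Suggest `# Add 'include <file>.inc' or 'ignore include <file>.inc' lines to your hasher-common.local` / `# to (un)restrict file access for **all** hashers.` and keep the rest of the paragraph as is. The phrase "(un)restrict" should then map cleanly onto those two forms.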
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile index 9ffdb9e9b..d95d53b7a 100644 --- a/etc/profile-a-l/i2prouter.profile +++ b/etc/profile-a-l/i2prouter.profile | |||
@@ -9,16 +9,16 @@ include globals.local | |||
9 | # Notice: default browser will most likely not be able to automatically open, due to sandbox. | 9 | # Notice: default browser will most likely not be able to automatically open, due to sandbox. |
10 | # Auto-opening default browser can be disabled in the I2P router console. | 10 | # Auto-opening default browser can be disabled in the I2P router console. |
11 | # This profile will not currently work with any Arch User Repository I2P packages, | 11 | # This profile will not currently work with any Arch User Repository I2P packages, |
12 | # use the distro-independent official I2P java installer instead | 12 | # use the distro-independent official I2P java installer instead. |
13 | 13 | ||
14 | # Only needed if i2prouter binary is in home directory, official I2P java installer does this | 14 | # Only needed when i2prouter binary resides in home directory (official I2P java installer does so). |
15 | ignore noexec ${HOME} | 15 | ignore noexec ${HOME} |
16 | 16 | ||
17 | noblacklist ${HOME}/.config/i2p | 17 | noblacklist ${HOME}/.config/i2p |
18 | noblacklist ${HOME}/.i2p | 18 | noblacklist ${HOME}/.i2p |
19 | noblacklist ${HOME}/.local/share/i2p | 19 | noblacklist ${HOME}/.local/share/i2p |
20 | noblacklist ${HOME}/i2p | 20 | noblacklist ${HOME}/i2p |
21 | # Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this | 21 | # Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so). |
22 | noblacklist /usr/sbin | 22 | noblacklist /usr/sbin |
23 | 23 | ||
24 | # Allow java (blacklisted by disable-devel.inc) | 24 | # Allow java (blacklisted by disable-devel.inc) |
@@ -40,13 +40,14 @@ whitelist ${HOME}/.config/i2p | |||
40 | whitelist ${HOME}/.i2p | 40 | whitelist ${HOME}/.i2p |
41 | whitelist ${HOME}/.local/share/i2p | 41 | whitelist ${HOME}/.local/share/i2p |
42 | whitelist ${HOME}/i2p | 42 | whitelist ${HOME}/i2p |
43 | # Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this | 43 | # Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so). |
44 | whitelist /usr/sbin/wrapper* | 44 | whitelist /usr/sbin/wrapper* |
45 | 45 | ||
46 | include whitelist-common.inc | 46 | include whitelist-common.inc |
47 | 47 | ||
48 | # May break I2P if wrapper is placed in the home directory; official I2P java installer does this | 48 | # May break I2P if wrapper resides in the home directory (official I2P java installer does so). |
49 | # If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/ | 49 | # When using the Ubuntu official I2P PPA it should be fine to add 'apparmor' to your i2prouter.local, |
50 | # as it places the wrapper in /usr/sbin/ | ||
50 | #apparmor | 51 | #apparmor |
51 | caps.drop all | 52 | caps.drop all |
52 | ipc-namespace | 53 | ipc-namespace |
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index 5786a4687..eb1e219ab 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile | |||
@@ -9,8 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/kdiff3fileitemactionrc | 9 | noblacklist ${HOME}/.config/kdiff3fileitemactionrc |
10 | noblacklist ${HOME}/.config/kdiff3rc | 10 | noblacklist ${HOME}/.config/kdiff3rc |
11 | 11 | ||
12 | # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc. | 12 | # Add the next line to your kdiff3.local if you don't need to compare files in disable-common.inc. |
13 | # by default we deny access only to .ssh and .gnupg | 13 | # By default we deny access only to .ssh and .gnupg. |
14 | #include disable-common.inc | 14 | #include disable-common.inc |
15 | blacklist ${HOME}/.ssh | 15 | blacklist ${HOME}/.ssh |
16 | blacklist ${HOME}/.gnupg | 16 | blacklist ${HOME}/.gnupg |
@@ -19,15 +19,15 @@ include disable-devel.inc | |||
19 | include disable-exec.inc | 19 | include disable-exec.inc |
20 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
21 | include disable-passwdmgr.inc | 21 | include disable-passwdmgr.inc |
22 | # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc. | 22 | # Add the next line to your kdiff3.local if you don't need to compare files in disable-programs.inc. |
23 | #include disable-programs.inc | 23 | #include disable-programs.inc |
24 | include disable-shell.inc | 24 | include disable-shell.inc |
25 | include disable-xdg.inc | 25 | include disable-xdg.inc |
26 | 26 | ||
27 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
28 | # Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share. | 28 | # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. |
29 | #include whitelist-usr-share-common.inc | 29 | #include whitelist-usr-share-common.inc |
30 | # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var. | 30 | # Add the next line to your kdiff3.local if you don't need to compare files in /var. |
31 | #include whitelist-var-common.inc | 31 | #include whitelist-var-common.inc |
32 | 32 | ||
33 | apparmor | 33 | apparmor |
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 3ad779a12..11c279911 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile | |||
@@ -30,11 +30,11 @@ include disable-programs.inc | |||
30 | include disable-shell.inc | 30 | include disable-shell.inc |
31 | include disable-xdg.inc | 31 | include disable-xdg.inc |
32 | 32 | ||
33 | # You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines. | 33 | # You can enable whitelisting for keepassxc by adding the below to your keepassxc.local. |
34 | # If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx | 34 | # If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx. |
35 | #mkdir ${HOME}/Documents/KeePassXC | 35 | #mkdir ${HOME}/Documents/KeePassXC |
36 | #whitelist ${HOME}/Documents/KeePassXC | 36 | #whitelist ${HOME}/Documents/KeePassXC |
37 | # Needed for KeePassXC-Browser | 37 | # Needed for KeePassXC-Browser. |
38 | #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | 38 | #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json |
39 | #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | 39 | #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json |
40 | #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | 40 | #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json |
@@ -89,12 +89,12 @@ dbus-user.talk org.freedesktop.login1.Session | |||
89 | dbus-user.talk org.gnome.ScreenSaver | 89 | dbus-user.talk org.gnome.ScreenSaver |
90 | dbus-user.talk org.gnome.SessionManager | 90 | dbus-user.talk org.gnome.SessionManager |
91 | dbus-user.talk org.gnome.SessionManager.Presence | 91 | dbus-user.talk org.gnome.SessionManager.Presence |
92 | # Uncomment or add to your keepassxc.local to allow Notifications. | 92 | # Add the next line to your keepassxc.local to allow notifications. |
93 | #dbus-user.talk org.freedesktop.Notifications | 93 | #dbus-user.talk org.freedesktop.Notifications |
94 | # Uncomment or add to your keepassxc.local to allow Tray. | 94 | # Add the next line to your keepassxc.local to allow the tray menu. |
95 | #dbus-user.talk org.kde.StatusNotifierWatcher | 95 | #dbus-user.talk org.kde.StatusNotifierWatcher |
96 | #dbus-user.own org.kde.* | 96 | #dbus-user.own org.kde.* |
97 | dbus-system none | 97 | dbus-system none |
98 | 98 | ||
99 | # Mutex is stored in /tmp by default, which is broken by private-tmp | 99 | # Mutex is stored in /tmp by default, which is broken by private-tmp. |
100 | join-or-start keepassxc | 100 | join-or-start keepassxc |
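Review bot: New line 94 says "Add the next line to your keepassxc.local to allow the tray menu", but two commented-out rules follow it (95 `#dbus-user.talk org.kde.StatusNotifierWatcher` and 96 `#dbus-user.own org.kde.*`), and the old "Tray" comment covered both; if the own rule is part of tray support, the comment should read `# Add the next two lines to your keepassxc.local to allow the tray menu.`. It would also help to say why a wildcard is used, since `dbus-user.own org.kde.*` lets the sandboxed process claim any org.kde.* bus name rather than one specific name; a short `# (the wildcard own rule is needed because ...)` lets readers judge the scope they are granting.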
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 5208cb979..8e891a930 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile | |||
@@ -14,14 +14,15 @@ mkdir ${HOME}/.librewolf | |||
14 | whitelist ${HOME}/.cache/librewolf | 14 | whitelist ${HOME}/.cache/librewolf |
15 | whitelist ${HOME}/.librewolf | 15 | whitelist ${HOME}/.librewolf |
16 | 16 | ||
17 | # Uncomment (or add to librewolf.local) the following lines if you want to | 17 | # Add the next lines to your librewolf.local if you want to use the migration wizard. |
18 | # use the migration wizard. | ||
19 | #noblacklist ${HOME}/.mozilla | 18 | #noblacklist ${HOME}/.mozilla |
20 | #whitelist ${HOME}/.mozilla | 19 | #whitelist ${HOME}/.mozilla |
21 | 20 | ||
22 | # librewolf requires a shell to launch on Arch. We can possibly remove sh though. | 21 | # librewolf requires a shell to launch on Arch. We can possibly remove sh though. |
22 | # Add the next line to your librewolf.local to enable private-bin. | ||
23 | #private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which | 23 | #private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which |
24 | # private-etc must first be enabled in firefox-common.profile | 24 | # Add the next line to your librewolf.local to enable private-etc. Note |
25 | # that private-etc must first be enabled in firefox-common.local. | ||
25 | #private-etc librewolf | 26 | #private-etc librewolf |
26 | 27 | ||
27 | # Redirect | 28 | # Redirect |
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile index a122e9bbc..1b10f0934 100644 --- a/etc/profile-a-l/liferea.profile +++ b/etc/profile-a-l/liferea.profile | |||
@@ -55,8 +55,8 @@ private-tmp | |||
55 | dbus-user filter | 55 | dbus-user filter |
56 | dbus-user.own net.sourceforge.liferea | 56 | dbus-user.own net.sourceforge.liferea |
57 | dbus-user.talk ca.desrt.dconf | 57 | dbus-user.talk ca.desrt.dconf |
58 | # Uncomment the below if you use the 'Popup Notifications' plugin or add 'dbus-user.talk org.freedesktop.Notifications' to your liferea.local | 58 | # Add the next line to your liferea.local if you use the 'Popup Notifications' plugin. |
59 | #dbus-user.talk org.freedesktop.Notifications | 59 | #dbus-user.talk org.freedesktop.Notifications |
60 | # Uncomment the below if you use the 'Libsecret Support' plugin or add 'dbus-user.talk org.freedesktop.secrets' to your liferea.local | 60 | # Add the next line to your liferea.local if you use the 'Libsecret Support' plugin. |
61 | #dbus-user.talk org.freedesktop.secrets | 61 | #dbus-user.talk org.freedesktop.secrets |
62 | dbus-system none | 62 | dbus-system none |
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile index ccc77f274..272bc4f3a 100644 --- a/etc/profile-a-l/links.profile +++ b/etc/profile-a-l/links.profile | |||
@@ -17,8 +17,8 @@ include disable-devel.inc | |||
17 | include disable-exec.inc | 17 | include disable-exec.inc |
18 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
19 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
20 | # you may want to noblacklist files/directories blacklisted in | 20 | # Additional noblacklist files/directories (blacklisted in disable-programs.inc) |
21 | # disable-programs.inc and used as associated programs | 21 | # used as associated programs can be added in your links.local. |
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
24 | 24 | ||
@@ -30,19 +30,19 @@ include whitelist-var-common.inc | |||
30 | 30 | ||
31 | caps.drop all | 31 | caps.drop all |
32 | ipc-namespace | 32 | ipc-namespace |
33 | # comment machine-id (or put 'ignore machine-id' in your links.local) if you want | 33 | # Add 'ignore machine-id' to your links.local if you want to restrict access to |
34 | # to allow access only to user-configured associated media player | 34 | # the user-configured associated media player. |
35 | machine-id | 35 | machine-id |
36 | netfilter | 36 | netfilter |
37 | # comment no3d (or put 'ignore no3d' in your links.local) if you want | 37 | # Add 'ignore no3d' to your links.local if you want to restrict access to |
38 | # to allow access only to user-configured associated media player | 38 | # the user-configured associated media player. |
39 | no3d | 39 | no3d |
40 | nodvd | 40 | nodvd |
41 | nogroups | 41 | nogroups |
42 | nonewprivs | 42 | nonewprivs |
43 | noroot | 43 | noroot |
44 | # comment nosound (or put 'ignore nosound' in your links.local) if you want | 44 | # Add 'ignore nosound' to your links.local if you want to restrict access to |
45 | # to allow access only to user-configured associated media player | 45 | # the user-configured associated media player. |
46 | nosound | 46 | nosound |
47 | notv | 47 | notv |
48 | nou2f | 48 | nou2f |
@@ -53,14 +53,12 @@ shell none | |||
53 | tracelog | 53 | tracelog |
54 | 54 | ||
55 | disable-mnt | 55 | disable-mnt |
56 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local | 56 | # Add 'private-bin PROGRAM1,PROGRAM2' to your links.local if you want to use user-configured programs. |
57 | # or append 'PROGRAM1,PROGRAM2' to this private-bin line | ||
58 | private-bin links,sh | 57 | private-bin links,sh |
59 | private-cache | 58 | private-cache |
60 | private-dev | 59 | private-dev |
61 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | 60 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl |
62 | # Uncomment the following line (or put it in your links.local) allow external | 61 | # Add the next line to your links.local to allow external media players. |
63 | # media players | ||
64 | # private-etc alsa,asound.conf,machine-id,openal,pulse | 62 | # private-etc alsa,asound.conf,machine-id,openal,pulse |
65 | private-tmp | 63 | private-tmp |
66 | 64 | ||
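Review bot: The rewritten comments at new lines 33-34, 37-38 and 44-45 invert the original meaning: `ignore machine-id`, `ignore no3d` and `ignore nosound` each remove a restriction from the sandbox, and the old text said to do this in order to let the user-configured associated media player work, whereas the new text says "if you want to restrict access to the user-configured associated media player". Suggest `# Add 'ignore nosound' to your links.local if you want the user-configured` / `# associated media player to have sound access.` and the analogous wording for no3d and machine-id, so the comment describes what the ignore actually does. In the third hunk, new line 62 `# private-etc alsa,...` keeps a space after `#` unlike the other copyable lines this commit normalizes to `#option`.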
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile index 5d05631ec..d750e5fcd 100644 --- a/etc/profile-a-l/lutris.profile +++ b/etc/profile-a-l/lutris.profile | |||
@@ -66,8 +66,8 @@ protocol unix,inet,inet6,netlink | |||
66 | seccomp | 66 | seccomp |
67 | shell none | 67 | shell none |
68 | 68 | ||
69 | # uncomment the following line if you do not need controller support | 69 | # Add the next line to your lutris.local if you do not need controller support. |
70 | # private-dev | 70 | #private-dev |
71 | private-tmp | 71 | private-tmp |
72 | 72 | ||
73 | dbus-user none | 73 | dbus-user none |