diff options
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/inc/whitelist-runuser-common.inc | 4 | ||||
-rw-r--r-- | etc/inc/whitelist-usr-share-common.inc | 1 | ||||
-rw-r--r-- | etc/profile-a-l/chromium-common.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/evince.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/firefox-common-addons.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/firefox.profile | 6 | ||||
-rw-r--r-- | etc/profile-a-l/gallery-dl.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/gimp.profile | 5 | ||||
-rw-r--r-- | etc/profile-a-l/librewolf.profile | 7 | ||||
-rw-r--r-- | etc/profile-m-z/nextcloud.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/xournalpp.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/yt-dlp.profile | 3 | ||||
-rw-r--r-- | etc/templates/profile.template | 4 |
14 files changed, 22 insertions, 23 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 444446156..4941630a2 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -77,6 +77,7 @@ blacklist ${HOME}/.config/Element | |||
77 | blacklist ${HOME}/.config/Element (Riot) | 77 | blacklist ${HOME}/.config/Element (Riot) |
78 | blacklist ${HOME}/.config/Enox | 78 | blacklist ${HOME}/.config/Enox |
79 | blacklist ${HOME}/.config/Epic | 79 | blacklist ${HOME}/.config/Epic |
80 | blacklist ${HOME}/.config/Exodus | ||
80 | blacklist ${HOME}/.config/Ferdi | 81 | blacklist ${HOME}/.config/Ferdi |
81 | blacklist ${HOME}/.config/Flavio Tordini | 82 | blacklist ${HOME}/.config/Flavio Tordini |
82 | blacklist ${HOME}/.config/Franz | 83 | blacklist ${HOME}/.config/Franz |
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc index 48309ffe3..a8cab8d07 100644 --- a/etc/inc/whitelist-runuser-common.inc +++ b/etc/inc/whitelist-runuser-common.inc | |||
@@ -10,7 +10,7 @@ whitelist ${RUNUSER}/gdm/Xauthority | |||
10 | whitelist ${RUNUSER}/ICEauthority | 10 | whitelist ${RUNUSER}/ICEauthority |
11 | whitelist ${RUNUSER}/.mutter-Xwaylandauth.* | 11 | whitelist ${RUNUSER}/.mutter-Xwaylandauth.* |
12 | whitelist ${RUNUSER}/pulse/native | 12 | whitelist ${RUNUSER}/pulse/native |
13 | whitelist ${RUNUSER}/wayland-0 | 13 | whitelist ${RUNUSER}/pipewire-? |
14 | whitelist ${RUNUSER}/wayland-1 | 14 | whitelist ${RUNUSER}/wayland-? |
15 | whitelist ${RUNUSER}/xauth_* | 15 | whitelist ${RUNUSER}/xauth_* |
16 | whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] | 16 | whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] |
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc index fe0097934..0049ce804 100644 --- a/etc/inc/whitelist-usr-share-common.inc +++ b/etc/inc/whitelist-usr-share-common.inc | |||
@@ -45,6 +45,7 @@ whitelist /usr/share/myspell | |||
45 | whitelist /usr/share/p11-kit | 45 | whitelist /usr/share/p11-kit |
46 | whitelist /usr/share/perl | 46 | whitelist /usr/share/perl |
47 | whitelist /usr/share/perl5 | 47 | whitelist /usr/share/perl5 |
48 | whitelist /usr/share/pipewire | ||
48 | whitelist /usr/share/pixmaps | 49 | whitelist /usr/share/pixmaps |
49 | whitelist /usr/share/pki | 50 | whitelist /usr/share/pki |
50 | whitelist /usr/share/plasma | 51 | whitelist /usr/share/plasma |
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index b35b6ae80..c42243e02 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -37,10 +37,6 @@ include whitelist-var-common.inc | |||
37 | # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. | 37 | # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. |
38 | #include chromium-common-hardened.inc.profile | 38 | #include chromium-common-hardened.inc.profile |
39 | 39 | ||
40 | # Add the next two lines to your chromium-common.local to allow screen sharing under wayland. | ||
41 | #whitelist ${RUNUSER}/pipewire-0 | ||
42 | #whitelist /usr/share/pipewire/client.conf | ||
43 | |||
44 | apparmor | 40 | apparmor |
45 | caps.keep sys_admin,sys_chroot | 41 | caps.keep sys_admin,sys_chroot |
46 | netfilter | 42 | netfilter |
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index 77fb458ca..19ad5799c 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile | |||
@@ -56,7 +56,7 @@ private-cache | |||
56 | private-dev | 56 | private-dev |
57 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd | 57 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd |
58 | # private-lib might break two-page-view on some systems | 58 | # private-lib might break two-page-view on some systems |
59 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* | 59 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* |
60 | private-tmp | 60 | private-tmp |
61 | 61 | ||
62 | # dbus-user filtering might break two-page-view on some systems | 62 | # dbus-user filtering might break two-page-view on some systems |
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index d282f9a60..b2b7c362a 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile | |||
@@ -2,6 +2,7 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include firefox-common-addons.local | 3 | include firefox-common-addons.local |
4 | 4 | ||
5 | ignore whitelist ${RUNUSER}/*firefox* | ||
5 | ignore include whitelist-runuser-common.inc | 6 | ignore include whitelist-runuser-common.inc |
6 | ignore private-cache | 7 | ignore private-cache |
7 | 8 | ||
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 5a123d081..9138fed90 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -58,10 +58,8 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.* | |||
58 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration | 58 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration |
59 | #dbus-user.talk org.kde.JobViewServer | 59 | #dbus-user.talk org.kde.JobViewServer |
60 | #dbus-user.talk org.kde.kuiserver | 60 | #dbus-user.talk org.kde.kuiserver |
61 | # Add the next three lines to your firefox.local to allow screen sharing under wayland. | 61 | # Add the next line to your firefox.local to allow screen sharing under wayland. |
62 | #whitelist ${RUNUSER}/pipewire-0 | 62 | #dbus-user.talk org.freedesktop.portal.Desktop |
63 | #whitelist /usr/share/pipewire/client.conf | ||
64 | #dbus-user.talk org.freedesktop.portal.* | ||
65 | # Add the next line to your firefox.local if screen sharing sharing still does not work | 63 | # Add the next line to your firefox.local if screen sharing sharing still does not work |
66 | # with the above lines (might depend on the portal implementation). | 64 | # with the above lines (might depend on the portal implementation). |
67 | #ignore noroot | 65 | #ignore noroot |
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile index b2f482835..9c8200dc4 100644 --- a/etc/profile-a-l/gallery-dl.profile +++ b/etc/profile-a-l/gallery-dl.profile | |||
@@ -5,7 +5,8 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include gallery-dl.local | 6 | include gallery-dl.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | # added by included profile |
9 | #include globals.local | ||
9 | 10 | ||
10 | noblacklist ${HOME}/.config/gallery-dl | 11 | noblacklist ${HOME}/.config/gallery-dl |
11 | noblacklist ${HOME}/.gallery-dl.conf | 12 | noblacklist ${HOME}/.gallery-dl.conf |
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index 0786da6df..df9c2ac7a 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile | |||
@@ -13,7 +13,6 @@ include globals.local | |||
13 | #ignore net | 13 | #ignore net |
14 | #protocol unix,inet,inet6 | 14 | #protocol unix,inet,inet6 |
15 | 15 | ||
16 | |||
17 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory | 16 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory |
18 | # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local. | 17 | # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local. |
19 | ignore noexec ${HOME} | 18 | ignore noexec ${HOME} |
@@ -26,6 +25,10 @@ noblacklist ${HOME}/.gimp* | |||
26 | noblacklist ${DOCUMENTS} | 25 | noblacklist ${DOCUMENTS} |
27 | noblacklist ${PICTURES} | 26 | noblacklist ${PICTURES} |
28 | 27 | ||
28 | # See issue #4367, gimp 2.10.22-3: gegl:introspect broken | ||
29 | noblacklist /sbin | ||
30 | noblacklist /usr/sbin | ||
31 | |||
29 | include disable-common.inc | 32 | include disable-common.inc |
30 | include disable-exec.inc | 33 | include disable-exec.inc |
31 | include disable-devel.inc | 34 | include disable-devel.inc |
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index da047357a..ebffbbabf 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile | |||
@@ -36,6 +36,7 @@ include whitelist-usr-share-common.inc | |||
36 | #private-etc librewolf | 36 | #private-etc librewolf |
37 | 37 | ||
38 | dbus-user filter | 38 | dbus-user filter |
39 | dbus-user.own org.mozilla.librewolf.* | ||
39 | # Add the next line to your librewolf.local to enable native notifications. | 40 | # Add the next line to your librewolf.local to enable native notifications. |
40 | #dbus-user.talk org.freedesktop.Notifications | 41 | #dbus-user.talk org.freedesktop.Notifications |
41 | # Add the next line to your librewolf.local to allow inhibiting screensavers. | 42 | # Add the next line to your librewolf.local to allow inhibiting screensavers. |
@@ -44,10 +45,8 @@ dbus-user filter | |||
44 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration | 45 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration |
45 | #dbus-user.talk org.kde.JobViewServer | 46 | #dbus-user.talk org.kde.JobViewServer |
46 | #dbus-user.talk org.kde.kuiserver | 47 | #dbus-user.talk org.kde.kuiserver |
47 | # Add the next three lines to your librewolf.local to allow screensharing under Wayland. | 48 | # Add the next line to your librewolf.local to allow screensharing under Wayland. |
48 | #whitelist ${RUNUSER}/pipewire-0 | 49 | #dbus-user.talk org.freedesktop.portal.Desktop |
49 | #whitelist /usr/share/pipewire/client.conf | ||
50 | #dbus-user.talk org.freedesktop.portal.* | ||
51 | # Also add the next line to your librewolf.local if screensharing does not work with | 50 | # Also add the next line to your librewolf.local if screensharing does not work with |
52 | # the above lines (depends on the portal implementation). | 51 | # the above lines (depends on the portal implementation). |
53 | #ignore noroot | 52 | #ignore noroot |
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index 06e19670a..cb499ba34 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile | |||
@@ -43,7 +43,6 @@ apparmor | |||
43 | caps.drop all | 43 | caps.drop all |
44 | machine-id | 44 | machine-id |
45 | netfilter | 45 | netfilter |
46 | no3d | ||
47 | nodvd | 46 | nodvd |
48 | nogroups | 47 | nogroups |
49 | noinput | 48 | noinput |
@@ -68,4 +67,6 @@ private-tmp | |||
68 | 67 | ||
69 | dbus-user filter | 68 | dbus-user filter |
70 | dbus-user.talk org.freedesktop.secrets | 69 | dbus-user.talk org.freedesktop.secrets |
70 | # Add the next line to your nextcloud.local for tray icon support | ||
71 | #dbus-user.talk org.kde.StatusNotifierWatcher | ||
71 | dbus-system none | 72 | dbus-system none |
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile index 1ef789689..a23ad68df 100644 --- a/etc/profile-m-z/xournalpp.profile +++ b/etc/profile-m-z/xournalpp.profile | |||
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.xournalpp | |||
13 | 13 | ||
14 | include allow-lua.inc | 14 | include allow-lua.inc |
15 | 15 | ||
16 | whitelist /usr/share/pipewire | ||
17 | whitelist /usr/share/texlive | 16 | whitelist /usr/share/texlive |
18 | whitelist /usr/share/xournalpp | 17 | whitelist /usr/share/xournalpp |
19 | whitelist /var/lib/texmf | 18 | whitelist /var/lib/texmf |
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile index ab90c837e..1c3382a08 100644 --- a/etc/profile-m-z/yt-dlp.profile +++ b/etc/profile-m-z/yt-dlp.profile | |||
@@ -5,7 +5,8 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include yt-dlp.local | 6 | include yt-dlp.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | # added by included profile |
9 | #include globals.local | ||
9 | 10 | ||
10 | noblacklist ${HOME}/.cache/yt-dlp | 11 | noblacklist ${HOME}/.cache/yt-dlp |
11 | noblacklist ${HOME}/.config/yt-dlp | 12 | noblacklist ${HOME}/.config/yt-dlp |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 02dcefd35..e580a0c0c 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -102,8 +102,6 @@ include globals.local | |||
102 | #include allow-ssh.inc | 102 | #include allow-ssh.inc |
103 | 103 | ||
104 | ##blacklist PATH | 104 | ##blacklist PATH |
105 | # Disable X11 (CLI only), see also 'x11 none' below | ||
106 | #blacklist /tmp/.X11-unix | ||
107 | # Disable Wayland | 105 | # Disable Wayland |
108 | #blacklist ${RUNUSER}/wayland-* | 106 | #blacklist ${RUNUSER}/wayland-* |
109 | # Disable RUNUSER (cli only; supersedes Disable Wayland) | 107 | # Disable RUNUSER (cli only; supersedes Disable Wayland) |
@@ -174,7 +172,7 @@ include globals.local | |||
174 | ##seccomp-error-action log (only for debugging seccomp issues) | 172 | ##seccomp-error-action log (only for debugging seccomp issues) |
175 | #shell none | 173 | #shell none |
176 | #tracelog | 174 | #tracelog |
177 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set | 175 | # Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set |
178 | ##x11 none | 176 | ##x11 none |
179 | 177 | ||
180 | #disable-mnt | 178 | #disable-mnt |