Diffstat (limited to 'etc')
34 files changed, 163 insertions, 95 deletions
diff --git a/etc/7z.profile b/etc/7z.profile index 44ab377b3..ee2b493f8 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -4,23 +4,34 @@ quiet | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include 7z.local | 5 | include 7z.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | 8 | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | ignore noroot | 11 | include disable-common.inc |
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | caps.drop all | ||
19 | ipc-namespace | ||
20 | machine-id | ||
13 | net none | 21 | net none |
14 | no3d | 22 | no3d |
15 | nodbus | 23 | nodbus |
16 | nodvd | 24 | nodvd |
25 | #nogroups | ||
26 | nonewprivs | ||
27 | #noroot | ||
17 | nosound | 28 | nosound |
18 | notv | 29 | notv |
19 | nou2f | 30 | nou2f |
20 | novideo | 31 | novideo |
32 | protocol unix | ||
33 | seccomp | ||
21 | shell none | 34 | shell none |
22 | tracelog | 35 | tracelog |
23 | 36 | ||
24 | private-dev | 37 | private-dev |
25 | |||
26 | include default.profile | ||
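Review bot: `#noroot` (new line 27) and `#nogroups` (new line 25) are left commented out with no reason given, so the only information the old `ignore noroot` (old line 12) carried — that 7z is deliberately allowed to run as real root — is now lost; I would annotate them, e.g. `#noroot - 7z is expected to be run as root (TODO: state the actual use case)`. Now that the profile no longer pulls in default.profile, the explicit list is the whole sandbox: as far as this hunk shows the new file ends at `private-dev` (new line 37), so unlike the unrar/unzip profiles in this commit there is no `private-tmp`, `private-etc` or `hostname`; if 7z works with a private /tmp, adding `private-tmp` would keep the archiver profiles consistent and deny the tool the host's /tmp contents.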
diff --git a/etc/atool.profile b/etc/atool.profile index 4ea3c02dc..3df32baac 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -7,11 +7,11 @@ include atool.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | # Allow perl (blacklisted by disable-interpreters.inc) | 10 | # Allow perl (blacklisted by disable-interpreters.inc) |
13 | include allow-perl.inc | 11 | include allow-perl.inc |
14 | 12 | ||
13 | blacklist /tmp/.X11-unix | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | # include disable-devel.inc | 16 | # include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
diff --git a/etc/bibletime.profile b/etc/bibletime.profile index c41aafd47..4f1b05c88 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile | |||
@@ -6,12 +6,12 @@ include bibletime.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${HOME}/.bashrc | ||
10 | |||
11 | noblacklist ${HOME}/.bibletime | 9 | noblacklist ${HOME}/.bibletime |
12 | noblacklist ${HOME}/.sword | 10 | noblacklist ${HOME}/.sword |
13 | noblacklist ${HOME}/.local/share/bibletime | 11 | noblacklist ${HOME}/.local/share/bibletime |
14 | 12 | ||
13 | blacklist ${HOME}/.bashrc | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
diff --git a/etc/cpio.profile b/etc/cpio.profile index b6f7e7f9f..0bb45f5cd 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
@@ -7,11 +7,11 @@ include cpio.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist /sbin | 10 | noblacklist /sbin |
13 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
14 | 12 | ||
13 | blacklist /tmp/.X11-unix | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | # include disable-devel.inc | 16 | # include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
diff --git a/etc/curl.profile b/etc/curl.profile index 2703c6fe8..b8b91d278 100644 --- a/etc/curl.profile +++ b/etc/curl.profile | |||
@@ -7,10 +7,10 @@ include curl.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist ${HOME}/.curlrc | 10 | noblacklist ${HOME}/.curlrc |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-exec.inc | 15 | include disable-exec.inc |
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 0dc0cc793..ffced747b 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
@@ -6,11 +6,11 @@ include dnscrypt-proxy.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /sbin | 9 | noblacklist /sbin |
12 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index bb41b71d1..daf4795c3 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile | |||
@@ -6,11 +6,11 @@ include dnsmasq.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /sbin | 9 | noblacklist /sbin |
12 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
diff --git a/etc/elinks.profile b/etc/elinks.profile index 842a0db04..980fa7617 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile | |||
@@ -6,10 +6,10 @@ include elinks.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.elinks | 9 | noblacklist ${HOME}/.elinks |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index b33d73233..52e090b89 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -6,11 +6,11 @@ include exiftool.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | # Allow perl (blacklisted by disable-interpreters.inc) | 9 | # Allow perl (blacklisted by disable-interpreters.inc) |
12 | include allow-perl.inc | 10 | include allow-perl.inc |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
diff --git a/etc/franz.profile b/etc/franz.profile index d6445ff8e..e917e5517 100644 --- a/etc/franz.profile +++ b/etc/franz.profile | |||
@@ -5,6 +5,8 @@ include franz.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | ignore noexec /tmp | ||
9 | |||
8 | noblacklist ${HOME}/.cache/Franz | 10 | noblacklist ${HOME}/.cache/Franz |
9 | noblacklist ${HOME}/.config/Franz | 11 | noblacklist ${HOME}/.config/Franz |
10 | noblacklist ${HOME}/.pki | 12 | noblacklist ${HOME}/.pki |
@@ -12,6 +14,7 @@ noblacklist ${HOME}/.local/share/pki | |||
12 | 14 | ||
13 | include disable-common.inc | 15 | include disable-common.inc |
14 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
16 | include disable-programs.inc | 19 | include disable-programs.inc |
17 | 20 | ||
@@ -41,5 +44,3 @@ shell none | |||
41 | disable-mnt | 44 | disable-mnt |
42 | private-dev | 45 | private-dev |
43 | private-tmp | 46 | private-tmp |
44 | |||
45 | noexec ${HOME} | ||
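Review bot: `ignore noexec /tmp` (new line 8) is added with no comment explaining why /tmp must stay executable, whereas the google-play-music and skypeforlinux profiles in this same commit document their reason. Because `private-tmp` is kept (new line 46) the relaxation only reaches the sandbox's private /tmp, but it still lets the Electron app — or anything that compromises it — drop and run binaries there, so the justification belongs on the line: `# Electron needs an executable /tmp - TODO confirm which feature breaks without it`. As far as I know `ignore` only applies to directives parsed after it, so the line must stay above `include disable-exec.inc` as it does here; a short comment saying so would stop a future reorder from silently re-enabling `noexec /tmp`.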
diff --git a/etc/git.profile b/etc/git.profile index 0eb69faed..f7c812e65 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -7,8 +7,6 @@ include git.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist ${HOME}/.config/git | 10 | noblacklist ${HOME}/.config/git |
13 | noblacklist ${HOME}/.config/nano | 11 | noblacklist ${HOME}/.config/nano |
14 | noblacklist ${HOME}/.emacs | 12 | noblacklist ${HOME}/.emacs |
@@ -22,6 +20,8 @@ noblacklist ${HOME}/.ssh | |||
22 | noblacklist ${HOME}/.vim | 20 | noblacklist ${HOME}/.vim |
23 | noblacklist ${HOME}/.viminfo | 21 | noblacklist ${HOME}/.viminfo |
24 | 22 | ||
23 | blacklist /tmp/.X11-unix | ||
24 | |||
25 | include disable-common.inc | 25 | include disable-common.inc |
26 | include disable-exec.inc | 26 | include disable-exec.inc |
27 | include disable-passwdmgr.inc | 27 | include disable-passwdmgr.inc |
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index 4932c9e42..daa385234 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile | |||
@@ -5,14 +5,19 @@ include google-play-music-desktop-player.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # noexec /tmp breaks mpris support | ||
9 | ignore noexec /tmp | ||
10 | |||
8 | noblacklist ${HOME}/.config/Google Play Music Desktop Player | 11 | noblacklist ${HOME}/.config/Google Play Music Desktop Player |
9 | 12 | ||
10 | include disable-common.inc | 13 | include disable-common.inc |
11 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 18 | include disable-programs.inc |
15 | 19 | ||
20 | mkdir ${HOME}/.config/Google Play Music Desktop Player | ||
16 | # whitelist ${HOME}/.config/pulse | 21 | # whitelist ${HOME}/.config/pulse |
17 | # whitelist ${HOME}/.pulse | 22 | # whitelist ${HOME}/.pulse |
18 | whitelist ${HOME}/.config/Google Play Music Desktop Player | 23 | whitelist ${HOME}/.config/Google Play Music Desktop Player |
@@ -35,7 +40,3 @@ shell none | |||
35 | disable-mnt | 40 | disable-mnt |
36 | private-dev | 41 | private-dev |
37 | private-tmp | 42 | private-tmp |
38 | |||
39 | noexec ${HOME} | ||
40 | # noexec /tmp breaks mpris support | ||
41 | #noexec /tmp | ||
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 7181837d5..61b485df5 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile | |||
@@ -6,10 +6,10 @@ include gpg-agent.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.gnupg | 9 | noblacklist ${HOME}/.gnupg |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
diff --git a/etc/gpg.profile b/etc/gpg.profile index 51662b59c..99ad1b888 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile | |||
@@ -6,10 +6,10 @@ include gpg.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.gnupg | 9 | noblacklist ${HOME}/.gnupg |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
diff --git a/etc/links.profile b/etc/links.profile index 99b445fe0..bd0b0cc92 100644 --- a/etc/links.profile +++ b/etc/links.profile | |||
@@ -6,10 +6,10 @@ include links.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.links | 9 | noblacklist ${HOME}/.links |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | 15 | include disable-exec.inc |
diff --git a/etc/mutt.profile b/etc/mutt.profile index cc3a323e0..419e17e95 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -6,8 +6,6 @@ include mutt.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /var/mail | 9 | noblacklist /var/mail |
12 | noblacklist /var/spool/mail | 10 | noblacklist /var/spool/mail |
13 | noblacklist ${HOME}/.Mail | 11 | noblacklist ${HOME}/.Mail |
@@ -34,6 +32,8 @@ noblacklist ${HOME}/mail | |||
34 | noblacklist ${HOME}/postponed | 32 | noblacklist ${HOME}/postponed |
35 | noblacklist ${HOME}/sent | 33 | noblacklist ${HOME}/sent |
36 | 34 | ||
35 | blacklist /tmp/.X11-unix | ||
36 | |||
37 | include disable-common.inc | 37 | include disable-common.inc |
38 | include disable-devel.inc | 38 | include disable-devel.inc |
39 | include disable-interpreters.inc | 39 | include disable-interpreters.inc |
diff --git a/etc/natron.profile b/etc/natron.profile index 329f79f9b..7ad217b72 100644 --- a/etc/natron.profile +++ b/etc/natron.profile | |||
@@ -8,7 +8,6 @@ include globals.local | |||
8 | noblacklist ${HOME}/.Natron | 8 | noblacklist ${HOME}/.Natron |
9 | noblacklist ${HOME}/.cache/INRIA/Natron | 9 | noblacklist ${HOME}/.cache/INRIA/Natron |
10 | noblacklist ${HOME}/.config/INRIA | 10 | noblacklist ${HOME}/.config/INRIA |
11 | noblacklist /opt/natron | ||
12 | 11 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | include allow-python2.inc | 13 | include allow-python2.inc |
@@ -29,9 +28,9 @@ nogroups | |||
29 | nonewprivs | 28 | nonewprivs |
30 | noroot | 29 | noroot |
31 | notv | 30 | notv |
32 | protocol unix,inet,inet6 | 31 | nou2f |
32 | protocol unix | ||
33 | seccomp | 33 | seccomp |
34 | shell none | 34 | shell none |
35 | 35 | ||
36 | private-bin natron,Natron,NatronRenderer | 36 | private-bin natron,Natron,NatronRenderer |
37 | |||
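Review bot: `protocol unix` (new line 32) drops inet and inet6 from the allowed socket families, so any TCP/UDP socket() call from Natron will now be rejected by the seccomp filter; if the tool is meant to be offline, the hunk should also carry `net none` so the intent is explicit and the network namespace is removed rather than only the socket families — `net none` is not visible in this hunk, so it may already exist elsewhere in the file. If Natron still needs network access (plugin or update fetches, for example) this change will break it silently. The removal of `noblacklist /opt/natron` in the first hunk (old line 11) is also unexplained; if one of the disable-*.inc files blacklists /opt, users with Natron installed there lose access, so a comment on why the line is no longer needed would help.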
diff --git a/etc/nyx.profile b/etc/nyx.profile index f50014a4d..1ea33ac4d 100644 --- a/etc/nyx.profile +++ b/etc/nyx.profile | |||
@@ -11,8 +11,6 @@ include allow-python2.inc | |||
11 | include allow-python3.inc | 11 | include allow-python3.inc |
12 | 12 | ||
13 | noblacklist ${HOME}/.nyx | 13 | noblacklist ${HOME}/.nyx |
14 | mkdir ${HOME}/.nyx | ||
15 | whitelist ${HOME}/.nyx | ||
16 | 14 | ||
17 | include disable-common.inc | 15 | include disable-common.inc |
18 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -22,6 +20,11 @@ include disable-passwdmgr.inc | |||
22 | include disable-programs.inc | 20 | include disable-programs.inc |
23 | include disable-xdg.inc | 21 | include disable-xdg.inc |
24 | 22 | ||
23 | mkdir ${HOME}/.nyx | ||
24 | whitelist ${HOME}/.nyx | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
25 | caps.drop all | 28 | caps.drop all |
26 | netfilter | 29 | netfilter |
27 | no3d | 30 | no3d |
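Review bot: `include whitelist-var-common.inc` (new line 26) turns /var into a whitelist, and nyx needs to reach Tor's control port and, with cookie authentication, read the auth cookie, which on common installs lives under /var (/var/run/tor or /var/lib/tor); whether whitelist-var-common.inc exposes those paths is not visible here and should be confirmed before merging. If it does not, the include should be paired with something like `whitelist /var/run/tor` and `whitelist /var/lib/tor` plus a comment naming the control-socket/cookie requirement, otherwise nyx will fail to authenticate only on cookie-auth setups. Moving `mkdir`/`whitelist ${HOME}/.nyx` below the disable-*.inc includes and adding `whitelist-common.inc` is consistent with the other whitelisted profiles.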
diff --git a/etc/server.profile b/etc/server.profile index 686268a18..6e077ff84 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -9,12 +9,12 @@ include globals.local | |||
9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed | 9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed |
10 | # depending on your usage, you can enable some of the commands below: | 10 | # depending on your usage, you can enable some of the commands below: |
11 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | noblacklist /sbin | 12 | noblacklist /sbin |
15 | noblacklist /usr/sbin | 13 | noblacklist /usr/sbin |
16 | # noblacklist /var/opt | 14 | # noblacklist /var/opt |
17 | 15 | ||
16 | blacklist /tmp/.X11-unix | ||
17 | |||
18 | include disable-common.inc | 18 | include disable-common.inc |
19 | # include disable-devel.inc | 19 | # include disable-devel.inc |
20 | # include disable-exec.inc | 20 | # include disable-exec.inc |
diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile index 008cd218e..04696a918 100644 --- a/etc/signal-desktop.profile +++ b/etc/signal-desktop.profile | |||
@@ -5,10 +5,13 @@ include signal-desktop.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | ignore noexec /tmp | ||
9 | |||
8 | noblacklist ${HOME}/.config/Signal | 10 | noblacklist ${HOME}/.config/Signal |
9 | 11 | ||
10 | include disable-common.inc | 12 | include disable-common.inc |
11 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
13 | include disable-programs.inc | 16 | include disable-programs.inc |
14 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
@@ -34,5 +37,3 @@ shell none | |||
34 | disable-mnt | 37 | disable-mnt |
35 | private-dev | 38 | private-dev |
36 | private-tmp | 39 | private-tmp |
37 | |||
38 | noexec ${HOME} | ||
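Review bot: `ignore noexec /tmp` (new line 8) weakens the profile relative to the previous `noexec ${HOME}`-only setup but carries no comment on what breaks without it, unlike the google-play-music and skypeforlinux profiles in this commit. Since `private-tmp` stays (new line 39) the exposure is limited to the sandbox's own /tmp, yet that is exactly where a compromised renderer would stage a payload, so I would add `# Electron needs exec on /tmp - TODO confirm` next to the line and keep it above `include disable-exec.inc`, where `ignore` takes effect on the later directive.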
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index ad200be37..eae7dada0 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile | |||
@@ -5,10 +5,14 @@ include skypeforlinux.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # breaks Skype | ||
9 | ignore noexec /tmp | ||
10 | |||
8 | noblacklist ${HOME}/.config/skypeforlinux | 11 | noblacklist ${HOME}/.config/skypeforlinux |
9 | 12 | ||
10 | include disable-common.inc | 13 | include disable-common.inc |
11 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -28,6 +32,3 @@ disable-mnt | |||
28 | private-cache | 32 | private-cache |
29 | # private-dev - needs /dev/disk | 33 | # private-dev - needs /dev/disk |
30 | private-tmp | 34 | private-tmp |
31 | |||
32 | noexec ${HOME} | ||
33 | # noexec /tmp - breaks Skype | ||
diff --git a/etc/spotify.profile b/etc/spotify.profile index 00c2aabe2..2d5c4a48f 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -5,12 +5,12 @@ include spotify.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | blacklist ${HOME}/.bashrc | ||
9 | |||
10 | noblacklist ${HOME}/.cache/spotify | 8 | noblacklist ${HOME}/.cache/spotify |
11 | noblacklist ${HOME}/.config/spotify | 9 | noblacklist ${HOME}/.config/spotify |
12 | noblacklist ${HOME}/.local/share/spotify | 10 | noblacklist ${HOME}/.local/share/spotify |
13 | 11 | ||
12 | blacklist ${HOME}/.bashrc | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 8aafca8aa..9af747b62 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile | |||
@@ -6,12 +6,12 @@ include ssh-agent.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /etc/ssh | 9 | noblacklist /etc/ssh |
12 | noblacklist /tmp/ssh-* | 10 | noblacklist /tmp/ssh-* |
13 | noblacklist ${HOME}/.ssh | 11 | noblacklist ${HOME}/.ssh |
14 | 12 | ||
13 | blacklist /tmp/.X11-unix | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
diff --git a/etc/tar.profile b/etc/tar.profile index 14fc00d21..b6a874217 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -5,17 +5,19 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include tar.local | 6 | include tar.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
12 | 11 | ||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
13 | include disable-exec.inc | 14 | include disable-exec.inc |
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | 16 | include disable-passwdmgr.inc | |
16 | ignore noroot | 17 | include disable-programs.inc |
17 | 18 | ||
18 | apparmor | 19 | apparmor |
20 | caps.drop all | ||
19 | hostname tar | 21 | hostname tar |
20 | ipc-namespace | 22 | ipc-namespace |
21 | machine-id | 23 | machine-id |
@@ -24,10 +26,14 @@ no3d | |||
24 | nodbus | 26 | nodbus |
25 | nodvd | 27 | nodvd |
26 | nogroups | 28 | nogroups |
29 | nonewprivs | ||
30 | #noroot | ||
27 | nosound | 31 | nosound |
28 | notv | 32 | notv |
29 | nou2f | 33 | nou2f |
30 | novideo | 34 | novideo |
35 | protocol unix | ||
36 | seccomp | ||
31 | shell none | 37 | shell none |
32 | tracelog | 38 | tracelog |
33 | 39 | ||
@@ -39,8 +45,5 @@ private-etc alternatives,passwd,group,localtime | |||
39 | private-lib libfakeroot | 45 | private-lib libfakeroot |
40 | 46 | ||
41 | memory-deny-write-execute | 47 | memory-deny-write-execute |
42 | |||
43 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) | 48 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) |
44 | writable-var | 49 | writable-var |
45 | |||
46 | include default.profile | ||
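Review bot: `#noroot` (new line 30) is commented out without a reason, while the `writable-var` comment further down (new line 48) already points at dpkg --unpack, which is presumably why tar has to keep running as real root; I would attach that reason to the line, e.g. `#noroot - tar is run as root by dpkg --unpack (see writable-var)`, so the omission is not "fixed" later. The rest of the hardening added here (`caps.drop all`, `nonewprivs`, `seccomp`, `protocol unix` next to the existing `memory-deny-write-execute` and `apparmor`) matches the other archiver profiles in this commit. The `ignore noroot` removal means the profile no longer depends on default.profile, which is good, but it also means any restriction that default.profile used to supply and is not listed here is gone — worth a one-time diff against default.profile.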
diff --git a/etc/terasology.profile b/etc/terasology.profile index b01b4fdb3..2a7212395 100644 --- a/etc/terasology.profile +++ b/etc/terasology.profile | |||
@@ -5,6 +5,8 @@ include terasology.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | ignore noexec /tmp | ||
9 | |||
8 | noblacklist ${HOME}/.java | 10 | noblacklist ${HOME}/.java |
9 | noblacklist ${HOME}/.local/share/terasology | 11 | noblacklist ${HOME}/.local/share/terasology |
10 | 12 | ||
@@ -13,6 +15,7 @@ include allow-java.inc | |||
13 | 15 | ||
14 | include disable-common.inc | 16 | include disable-common.inc |
15 | include disable-devel.inc | 17 | include disable-devel.inc |
18 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
17 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 21 | include disable-programs.inc |
@@ -43,5 +46,3 @@ disable-mnt | |||
43 | private-dev | 46 | private-dev |
44 | private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies | 47 | private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies |
45 | private-tmp | 48 | private-tmp |
46 | |||
47 | noexec ${HOME} | ||
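Review bot: `ignore noexec /tmp` (new line 8) is added without a comment explaining why a Java game needs an executable /tmp; if this is for a runtime that extracts native libraries into /tmp (LWJGL-style loaders do this — TODO confirm for Terasology), say so on the line, e.g. `# native libraries are extracted to /tmp and dlopen()ed`. Keeping `private-tmp` (new line 48) limits the exposure to the sandbox's private /tmp, but it is still a writable+executable directory inside a profile that otherwise enforces `disable-exec.inc`, which a reader should understand was deliberate.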
diff --git a/etc/unbound.profile b/etc/unbound.profile index 6e4b5ed1c..8e7a4a8a8 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -6,11 +6,11 @@ include unbound.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist /sbin | 9 | noblacklist /sbin |
12 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
13 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
diff --git a/etc/unrar.profile b/etc/unrar.profile index 7fe37f061..5b55f30d2 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -5,21 +5,34 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include unrar.local | 6 | include unrar.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
12 | 11 | ||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | caps.drop all | ||
13 | hostname unrar | 20 | hostname unrar |
14 | ignore noroot | 21 | ipc-namespace |
22 | machine-id | ||
15 | net none | 23 | net none |
16 | no3d | 24 | no3d |
17 | nodbus | 25 | nodbus |
18 | nodvd | 26 | nodvd |
27 | #nogroups | ||
28 | nonewprivs | ||
29 | #noroot | ||
19 | nosound | 30 | nosound |
20 | notv | 31 | notv |
21 | nou2f | 32 | nou2f |
22 | novideo | 33 | novideo |
34 | protocol unix | ||
35 | seccomp | ||
23 | shell none | 36 | shell none |
24 | tracelog | 37 | tracelog |
25 | 38 | ||
@@ -27,5 +40,3 @@ private-bin unrar | |||
27 | private-dev | 40 | private-dev |
28 | private-etc alternatives,passwd,group,localtime | 41 | private-etc alternatives,passwd,group,localtime |
29 | private-tmp | 42 | private-tmp |
30 | |||
31 | include default.profile | ||
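Review bot: `#nogroups` (new line 27) and `#noroot` (new line 29) are left commented out with no explanation, and the old `ignore noroot` (old line 14) that at least documented the opt-out is gone; a reason comment on each would preserve that, e.g. `#noroot - unrar is expected to run as root (TODO: state the use case)`. Otherwise the explicit `caps.drop all`, `nonewprivs`, `protocol unix`, `seccomp` and `ipc-namespace` lines reproduce the hardening the profile previously inherited from default.profile, and `private-tmp`/`private-etc` below are kept.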
diff --git a/etc/unzip.profile b/etc/unzip.profile index be6b6c321..deda8fe64 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -5,29 +5,41 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include unzip.local | 6 | include unzip.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | 9 | |
10 | # GNOME Shell integration (chrome-gnome-shell) | ||
11 | noblacklist ${HOME}/.local/share/gnome-shell | ||
10 | 12 | ||
11 | blacklist /tmp/.X11-unix | 13 | blacklist /tmp/.X11-unix |
12 | 14 | ||
15 | include disable-common.inc | ||
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | |||
22 | caps.drop all | ||
23 | ipc-namespace | ||
24 | machine-id | ||
13 | hostname unzip | 25 | hostname unzip |
14 | ignore noroot | ||
15 | net none | 26 | net none |
16 | no3d | 27 | no3d |
17 | nodbus | 28 | nodbus |
18 | nodvd | 29 | nodvd |
30 | #nogroups | ||
31 | nonewprivs | ||
32 | noroot | ||
19 | nosound | 33 | nosound |
20 | notv | 34 | notv |
21 | nou2f | 35 | nou2f |
22 | novideo | 36 | novideo |
37 | protocol unix | ||
38 | seccomp | ||
23 | shell none | 39 | shell none |
24 | tracelog | 40 | tracelog |
25 | 41 | ||
26 | private-bin unzip | 42 | private-bin unzip |
43 | private-cache | ||
27 | private-dev | 44 | private-dev |
28 | private-etc alternatives,passwd,group,localtime | 45 | private-etc alternatives,passwd,group,localtime |
29 | |||
30 | # GNOME Shell integration (chrome-gnome-shell) | ||
31 | noblacklist ${HOME}/.local/share/gnome-shell | ||
32 | |||
33 | include default.profile | ||
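Review bot: `noroot` (new line 32) is now enabled, but the removed `ignore noroot` (old line 14) shows the previous profile deliberately opted out of it, and every other archiver profile in this commit (7z, tar, unrar, uudeview) keeps `#noroot` commented out. If unzip is ever invoked as root by packaging or install tooling, the user namespace created by `noroot` changes what that root can do inside the sandbox, so this looks like an unintended divergence rather than a decision; either make it `#noroot` like the siblings or add a comment stating why unzip is the exception. Moving the GNOME Shell `noblacklist` above the disable-*.inc includes is correct, since `noblacklist` has to precede the blacklist it exempts.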
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 859656fa5..9b7c4f5ba 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -5,18 +5,31 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include uudeview.local | 6 | include uudeview.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | |||
17 | caps.drop all | ||
18 | ipc-namespace | ||
19 | machine-id | ||
11 | hostname uudeview | 20 | hostname uudeview |
12 | ignore noroot | ||
13 | net none | 21 | net none |
14 | nodbus | 22 | nodbus |
15 | nodvd | 23 | nodvd |
24 | #nogroups | ||
25 | nonewprivs | ||
26 | #noroot | ||
16 | nosound | 27 | nosound |
17 | notv | 28 | notv |
18 | nou2f | 29 | nou2f |
19 | novideo | 30 | novideo |
31 | protocol unix | ||
32 | seccomp | ||
20 | shell none | 33 | shell none |
21 | tracelog | 34 | tracelog |
22 | 35 | ||
@@ -24,5 +37,3 @@ private-bin uudeview | |||
24 | private-cache | 37 | private-cache |
25 | private-dev | 38 | private-dev |
26 | private-etc alternatives,ld.so.preload | 39 | private-etc alternatives,ld.so.preload |
27 | |||
28 | include default.profile | ||
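Review bot: the new restriction list omits `no3d` and `blacklist /tmp/.X11-unix`, both of which the sibling archiver profiles in this commit (7z, tar, unrar, unzip) set; a uuencode decoder has no reason to touch the GPU or the X socket, so unless there is a known breakage these two lines should be added for consistency. As in the other converted profiles, `#nogroups` (new line 24) and `#noroot` (new line 26) are commented out without a reason, and the old `ignore noroot` (old line 12) that documented the opt-out is gone — a short comment on each would keep that intent visible.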
diff --git a/etc/viewnior.profile b/etc/viewnior.profile index f9fb1cefe..943719e75 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile | |||
@@ -6,12 +6,12 @@ include viewnior.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${HOME}/.bashrc | ||
10 | |||
11 | noblacklist ${HOME}/.Steam | 9 | noblacklist ${HOME}/.Steam |
12 | noblacklist ${HOME}/.config/viewnior | 10 | noblacklist ${HOME}/.config/viewnior |
13 | noblacklist ${HOME}/.steam | 11 | noblacklist ${HOME}/.steam |
14 | 12 | ||
13 | blacklist ${HOME}/.bashrc | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
diff --git a/etc/w3m.profile b/etc/w3m.profile index 143ac4f63..d577932e3 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile | |||
@@ -6,10 +6,10 @@ include w3m.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | ||
10 | |||
11 | noblacklist ${HOME}/.w3m | 9 | noblacklist ${HOME}/.w3m |
12 | 10 | ||
11 | blacklist /tmp/.X11-unix | ||
12 | |||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
diff --git a/etc/wget.profile b/etc/wget.profile index a7ef32e2c..ff10b2316 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -7,11 +7,11 @@ include wget.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist ${HOME}/.wget-hsts | 10 | noblacklist ${HOME}/.wget-hsts |
13 | noblacklist ${HOME}/.wgetrc | 11 | noblacklist ${HOME}/.wgetrc |
14 | 12 | ||
13 | blacklist /tmp/.X11-unix | ||
14 | |||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
17 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
diff --git a/etc/xiphos.profile b/etc/xiphos.profile index 33056395e..043e513bd 100644 --- a/etc/xiphos.profile +++ b/etc/xiphos.profile | |||
@@ -6,11 +6,11 @@ include xiphos.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${HOME}/.bashrc | ||
10 | |||
11 | noblacklist ${HOME}/.sword | 9 | noblacklist ${HOME}/.sword |
12 | noblacklist ${HOME}/.xiphos | 10 | noblacklist ${HOME}/.xiphos |
13 | 11 | ||
12 | blacklist ${HOME}/.bashrc | ||
13 | |||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
@@ -18,6 +18,8 @@ include disable-interpreters.inc | |||
18 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | 20 | ||
21 | mkdir ${HOME}/.sword | ||
22 | mkdir ${HOME}/.xiphos | ||
21 | whitelist ${HOME}/.sword | 23 | whitelist ${HOME}/.sword |
22 | whitelist ${HOME}/.xiphos | 24 | whitelist ${HOME}/.xiphos |
23 | include whitelist-common.inc | 25 | include whitelist-common.inc |
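Review bot: The new `mkdir ${HOME}/.sword` and `mkdir ${HOME}/.xiphos` lines (new lines 21–22 of the second hunk) carry no comment saying why they precede the `whitelist` entries; presumably they guarantee the directories exist so the whitelist can be applied on a fresh account, but that intent is not visible from the diff itself. A one-line comment above them, `# create the config directories so the whitelist entries below have something to mount`, would make the ordering self-explanatory to the next editor.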
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index a1f265c1e..3adaa557c 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -5,23 +5,34 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include xzdec.local | 6 | include xzdec.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | ||
10 | 9 | ||
11 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
12 | 11 | ||
13 | ignore noroot | 12 | include disable-common.inc |
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | caps.drop all | ||
20 | ipc-namespace | ||
21 | machine-id | ||
14 | net none | 22 | net none |
15 | no3d | 23 | no3d |
16 | nodbus | 24 | nodbus |
17 | nodvd | 25 | nodvd |
26 | #nogroups | ||
27 | nonewprivs | ||
28 | #noroot | ||
18 | nosound | 29 | nosound |
19 | notv | 30 | notv |
20 | nou2f | 31 | nou2f |
21 | novideo | 32 | novideo |
33 | protocol unix | ||
34 | seccomp | ||
22 | shell none | 35 | shell none |
23 | tracelog | 36 | tracelog |
24 | 37 | ||
25 | private-dev | 38 | private-dev |
26 | |||
27 | include default.profile | ||
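Review bot: Replacing `include default.profile` (old line 27) with an explicit directive list means any directive that default.profile supplied and that is not repeated here is silently dropped, and default.profile is not part of this diff, so the old and new effective profiles should be compared before this is merged; the uudeview section above makes the same rewrite and deserves the same check. Separately, `#nogroups` and `#noroot` (new lines 26 and 28) are left commented out with no rationale, whereas the old file's `ignore noroot` (old line 13) at least recorded that the override was deliberate. A short comment such as `# noroot/nogroups intentionally off: <reason>` next to those lines would preserve that intent.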