Diffstat (limited to 'etc')
60 files changed, 90 insertions, 5 deletions
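--- a/etc/inc/firefox-common-addons.inc
+++ b/etc/inc/firefox-common-addons.inc
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
 
+ignore include whitelist-runuser-common.inc
+
 noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc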
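Review bot: The added `ignore include whitelist-runuser-common.inc` has no comment saying which component needs it, so anyone who enables this addons include loses the ${RUNUSER} whitelist that the same commit adds to firefox-common.profile without knowing why. A one-line reason above it, for example `# <component> needs sockets under ${RUNUSER} that whitelist-runuser-common.inc does not allow`, with the placeholder replaced by the real dependency, would let a later maintainer narrow the exception instead of keeping it blanket. The rest of the file lies outside the hunk, so whether a narrower `whitelist ${RUNUSER}/...` line would suffice cannot be judged from here.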
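--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 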
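Review bot: `seccomp.block-secondary` is added after `seccomp` in the second hunk with no note on how it was tested, and the same one-line addition recurs in most other profiles of this commit (baobab.profile through youtube-dl.profile). The option restricts system calls to the native architecture, so a profile whose application starts a 32-bit helper on a 64-bit host would lose that helper; the game and media profiles (0ad, megaglest, minetest, mpv, supertuxkart) are where I would check first. Where a profile turns out to need the secondary architecture, drop the line there and leave a marker in the style ghostwriter.profile already uses for tracelog, e.g. `#seccomp.block-secondary -- breaks <helper>`, so the exception is visible rather than rediscovered through a crash.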
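--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -30,6 +30,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 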
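--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 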
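--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -46,6 +46,7 @@ noroot
 nou2f
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 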
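--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 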
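--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -9,16 +9,24 @@ include globals.local
 noblacklist ${HOME}/.dia
 noblacklist ${DOCUMENTS}
 
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include allow-python2.inc
-include allow-python3.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.dia
+#whitelist ${HOME}/.dia
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
+whitelist /usr/share/dia
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -36,6 +44,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
 disable-mnt
 #private-bin dia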
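Review bot: The four lines `#mkdir ${HOME}/.dia` through `#include whitelist-common.inc` in the first hunk are added commented out with no reason given, so a reader cannot tell whether the home-directory whitelist is known to break dia or was simply never tested. As written, home confinement appears to rest on the blacklist includes alone. If the whitelist is deliberately off, put the reason above the block, e.g. `# whitelisting ${HOME} prevents opening diagrams outside ${DOCUMENTS}` (adjust to the real cause); if it works, enable it. The same applies to the pre-existing `#private-bin dia` at the end of the second hunk.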
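--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -27,6 +27,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -38,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 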
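--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 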
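--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -41,6 +41,7 @@ novideo
 protocol inet,inet6
 # allow set_mempolicy, which is required to encode using libx265
 seccomp !set_mempolicy
+seccomp.block-secondary
 shell none
 tracelog
 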
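--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 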
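--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -27,6 +27,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor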
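--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -45,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 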
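--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 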
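--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none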
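--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 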
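--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -49,6 +49,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 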
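--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -26,6 +26,7 @@ whitelist /usr/share/texlive
 whitelist /usr/share/pandoc*
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -41,6 +42,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
+seccomp.block-secondary
 shell none
 #tracelog -- breaks
 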
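--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -45,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 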
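--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 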
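--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 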
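--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 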
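--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -32,6 +32,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 
 disable-mnt
 private-dev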
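--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 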
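--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -9,8 +9,6 @@ include globals.local
 
 noblacklist ${HOME}/.gnupg
 
-whitelist ${HOME}/.gnupg
-whitelist ${DOWNLOADS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,9 +17,15 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -41,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
@@ -52,6 +57,6 @@ private-dev
 private-tmp
 
 # dbus-user none
-# dbus-system none
+dbus-system none
 
 memory-deny-write-execute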
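Review bot: In the last hunk `dbus-system none` is enabled while `# dbus-user none` stays commented out with no reason recorded. Presumably the session bus has to stay open because the keyring serves its clients over it; a marker such as `# dbus-user none -- session bus is required by the keyring service` (confirm the reason) would stop a later hardening pass from enabling it blindly, and a filtered `dbus-user` policy would be tighter than leaving the bus fully open if the required names are known. Separately, the second hunk re-adds `whitelist ${DOWNLOADS}` for a profile that handles secrets and the third keeps `protocol unix,inet,inet6`; neither is justified on the page, and both are worth a comment or removal.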
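--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 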
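--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -54,6 +54,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 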
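--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 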
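--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 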
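--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 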
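--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 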
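--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 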
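--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 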
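--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 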
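--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -55,6 +55,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 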
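--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -43,6 +43,8 @@ shell none
 # comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
 tracelog
 
+#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
+private-cache
 private-dev
 private-tmp
 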
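--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.megaglest
@@ -37,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 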
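--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -62,6 +62,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 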
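--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 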
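--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -47,6 +47,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 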
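--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -67,6 +67,7 @@ noroot
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 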
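--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none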
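--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none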
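--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 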
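--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -7,6 +7,8 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${PICTURES}
+
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -16,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc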
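--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -45,10 +45,12 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 private-bin rhythmbox,rhythmbox-client
+private-cache
 private-dev
 private-tmp
 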
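--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -40,6 +40,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none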
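--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -18,6 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 
 private-bin sqlitebrowser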
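--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none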
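--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 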
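--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 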
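--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -6,6 +6,8 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
 
+ignore whitelist-runuser-common.inc
+
 # writable-run-user and dbus are needed by enigmail
 ignore dbus-user none
 ignore dbus-system none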
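Review bot: The added `ignore whitelist-runuser-common.inc` omits the `include` keyword that this same commit uses in firefox-common-addons.inc (`ignore include whitelist-runuser-common.inc`). As far as I know, `ignore` is matched against the start of a profile line, and the line to suppress reads `include whitelist-runuser-common.inc`, so this form probably matches nothing and the ${RUNUSER} whitelist (presumably inherited via firefox-common.profile, which gains it in this commit) stays in force, contrary to what the enigmail comment below implies is wanted. Change the line to `ignore include whitelist-runuser-common.inc`, and move it under the `# writable-run-user and dbus are needed by enigmail` comment so the reason stays attached to it. The remainder of the profile is outside the hunk.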
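--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 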
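--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -29,6 +29,8 @@ whitelist ${HOME}/.config/vivaldi
 whitelist ${HOME}/.config/vivaldi-snapshot
 whitelist ${HOME}/.local/lib/vivaldi
 
+#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
+
 # breaks vivaldi sync
 ignore dbus-user none
 ignore dbus-system none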
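--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 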
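--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 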
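--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 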
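--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 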
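--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -52,6 +52,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 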
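--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -157,6 +157,7 @@ include globals.local
 #seccomp
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
+#seccomp.block-secondary
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set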