Diffstat (limited to 'etc')
63 files changed, 218 insertions, 248 deletions
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile index 74b0b6ef6..0ab6465ca 100644 --- a/etc/profile-a-l/archiver-common.profile +++ b/etc/profile-a-l/archiver-common.profile | |||
@@ -6,24 +6,19 @@ include archiver-common.local | |||
6 | 6 | ||
7 | blacklist ${RUNUSER} | 7 | blacklist ${RUNUSER} |
8 | 8 | ||
9 | # WARNING: Users can (un)restrict file access for **all** archivers by | 9 | # Comment/uncomment the relevant include file(s) in your archiver-common.local |
10 | # commenting/uncommenting the needed include file(s) here or by putting those | 10 | # to (un)restrict file access for **all** archivers. Another option is to do this **per archiver** |
11 | # into archiver-common.local. | 11 | # in the relevant <archiver>.local. Beware that things tend to break when overtightening |
12 | # | 12 | # profiles. For example, because you only need to (un)compress files in ${DOWNLOADS}, |
13 | # Another option is to do this **per archiver** in the relevant | 13 | # other applications may need access to ${HOME}/.local/share. |
14 | # <archiver>.local. Just beware that things tend to break when overtightening | 14 | |
15 | # profiles. For example, because you only need to (un)compress files in | 15 | # Add the next line to your archiver-common.local if you don't need to compress files in disable-common.inc. |
16 | # ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share. | ||
17 | |||
18 | # Uncomment the next line (or put it into your archiver-common.local) if you | ||
19 | # don't need to compress files in disable-common.inc. | ||
20 | #include disable-common.inc | 16 | #include disable-common.inc |
21 | include disable-devel.inc | 17 | include disable-devel.inc |
22 | include disable-exec.inc | 18 | include disable-exec.inc |
23 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
24 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
25 | # Uncomment the next line (or put it into your archiver-common.local) if you | 21 | # Add the next line to your archiver-common.local if you don't need to compress files in disable-programs.inc. |
26 | # don't need to compress files in disable-programs.inc. | ||
27 | #include disable-programs.inc | 22 | #include disable-programs.inc |
28 | include disable-shell.inc | 23 | include disable-shell.inc |
29 | 24 | ||
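Review bot: The rewritten header at new lines 9-10 tells users to "Comment/uncomment the relevant include file(s) in your archiver-common.local", but the .local is a user drop-in that presumably starts empty, so there is nothing in it to comment out; the only workable instructions are to add one of the profile's commented lines (`include disable-common.inc`, `include disable-programs.inc`) to the .local, or to drop an include the profile already applies with `ignore include disable-devel.inc`, the idiom this same commit documents in gajim.profile. The old `WARNING:` prefix, which flagged that such a change loosens restrictions for **all** archivers at once, was dropped in the rewrite as well. Suggested opening: `# WARNING: to (un)restrict file access for **all** archivers, add the relevant 'include <file>' or 'ignore include <file>' line to your archiver-common.local.`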
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile index d2dcaace1..bef708bdc 100644 --- a/etc/profile-a-l/aria2c.profile +++ b/etc/profile-a-l/aria2c.profile | |||
@@ -40,9 +40,9 @@ seccomp | |||
40 | shell none | 40 | shell none |
41 | 41 | ||
42 | # disable-mnt | 42 | # disable-mnt |
43 | # Add your custom event hook commands to 'private-bin' in your aria2c.local | 43 | # Add your custom event hook commands to 'private-bin' in your aria2c.local. |
44 | private-bin aria2c,gzip | 44 | private-bin aria2c,gzip |
45 | # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) | 45 | # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). |
46 | #private-cache | 46 | #private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl | 48 | private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl |
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 178e2dc9f..5c93f8be9 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile | |||
@@ -12,37 +12,25 @@ noblacklist ${HOME}/.config/bcompare | |||
12 | # KDE's Gwenview to view images via right click -> Open With -> Associated Application | 12 | # KDE's Gwenview to view images via right click -> Open With -> Associated Application |
13 | noblacklist ${HOME}/.config/gwenviewrc | 13 | noblacklist ${HOME}/.config/gwenviewrc |
14 | 14 | ||
15 | # Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc | 15 | # Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc. |
16 | #include disable-common.inc | 16 | #include disable-common.inc |
17 | include disable-devel.inc | 17 | include disable-devel.inc |
18 | include disable-exec.inc | 18 | include disable-exec.inc |
19 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
20 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
21 | # Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc | 21 | # Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc. |
22 | #include disable-programs.inc | 22 | #include disable-programs.inc |
23 | # Uncommenting this breaks launch | 23 | #include disable-shell.inc - breaks launch |
24 | # include disable-shell.inc | ||
25 | include disable-write-mnt.inc | 24 | include disable-write-mnt.inc |
26 | # Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS} | ||
27 | # include disable-xdg.inc | ||
28 | |||
29 | # include whitelist-common.inc | ||
30 | # include whitelist-runuser-common.inc | ||
31 | # include whitelist-usr-share-common.inc | ||
32 | # include whitelist-var-common.inc | ||
33 | 25 | ||
34 | apparmor | 26 | apparmor |
35 | caps.drop all | 27 | caps.drop all |
36 | # Uncommenting might break Pulse Audio | ||
37 | #machine-id | ||
38 | net none | 28 | net none |
39 | no3d | 29 | no3d |
40 | nodvd | 30 | nodvd |
41 | nogroups | 31 | nogroups |
42 | nonewprivs | 32 | nonewprivs |
43 | noroot | 33 | noroot |
44 | # Allow applications launched on sound files to play them | ||
45 | #nosound | ||
46 | notv | 34 | notv |
47 | nou2f | 35 | nou2f |
48 | novideo | 36 | novideo |
@@ -53,9 +41,6 @@ tracelog | |||
53 | 41 | ||
54 | private-cache | 42 | private-cache |
55 | private-dev | 43 | private-dev |
56 | # see /usr/share/doc/firejail/profile.template for more common private-etc paths. | ||
57 | # private-etc alternatives,fonts,machine-id | ||
58 | # Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1" | ||
59 | private-tmp | 44 | private-tmp |
60 | 45 | ||
61 | dbus-user none | 46 | dbus-user none |
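Review bot: The why-comment for `private-tmp` (old lines 58-59: required because of `include disable-exec.inc`, otherwise the "Transport endpoint is not connected ... fs_remount_simple" error) is deleted with nothing replacing it, so the next maintainer has no hint that removing `private-tmp` breaks this profile; a one-liner such as `# private-tmp is required by 'include disable-exec.inc' (fs_remount_simple error without it).` would keep the rationale. Separately, new line 23 `#include disable-shell.inc - breaks launch` puts the explanation on the directive line itself; if anyone later strips the leading `#`, the suffix would presumably be read as part of the include argument, so keeping the reason on its own comment line above the directive, as the rest of this file does, is safer.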
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 3667c350d..e9bef8df7 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -30,12 +30,10 @@ include whitelist-runuser-common.inc | |||
30 | include whitelist-usr-share-common.inc | 30 | include whitelist-usr-share-common.inc |
31 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
32 | 32 | ||
33 | # Uncomment the next line (or add it to your chromium-common.local) | 33 | # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. |
34 | # if your kernel allows unprivileged userns clone. | ||
35 | #include chromium-common-hardened.inc.profile | 34 | #include chromium-common-hardened.inc.profile |
36 | 35 | ||
37 | # Uncomment or put in your chromium-common.local to allow screen sharing under | 36 | # Add the next line to your chromium-common.local to allow screen sharing under wayland. |
38 | # wayland. | ||
39 | #whitelist ${RUNUSER}/pipewire-0 | 37 | #whitelist ${RUNUSER}/pipewire-0 |
40 | 38 | ||
41 | apparmor | 39 | apparmor |
@@ -50,12 +48,10 @@ shell none | |||
50 | disable-mnt | 48 | disable-mnt |
51 | private-cache | 49 | private-cache |
52 | ?BROWSER_DISABLE_U2F: private-dev | 50 | ?BROWSER_DISABLE_U2F: private-dev |
53 | # problems with multiple browser sessions | 51 | #private-tmp - issues when using multiple browser sessions |
54 | #private-tmp | ||
55 | 52 | ||
56 | # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector | 53 | #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. |
57 | # dbus-user none | ||
58 | dbus-system none | 54 | dbus-system none |
59 | 55 | ||
60 | # the file dialog needs to work without d-bus | 56 | # The file dialog needs to work without d-bus. |
61 | ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 | 57 | ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 |
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index b4a8303a2..691657fa0 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile | |||
@@ -11,7 +11,7 @@ noblacklist ${HOME}/.claws-mail | |||
11 | mkdir ${HOME}/.claws-mail | 11 | mkdir ${HOME}/.claws-mail |
12 | whitelist ${HOME}/.claws-mail | 12 | whitelist ${HOME}/.claws-mail |
13 | 13 | ||
14 | # If you use python-based plugins you need to uncomment the below (or put them in your claws-mail.local) | 14 | # Add the below lines to your claws-mail.local if you use python-based plugins. |
15 | # Allow python (blacklisted by disable-interpreters.inc) | 15 | # Allow python (blacklisted by disable-interpreters.inc) |
16 | #include allow-python2.inc | 16 | #include allow-python2.inc |
17 | #include allow-python3.inc | 17 | #include allow-python3.inc |
@@ -23,7 +23,7 @@ whitelist /usr/share/doc/claws-mail | |||
23 | dbus-user filter | 23 | dbus-user filter |
24 | dbus-user.talk ca.desrt.dconf | 24 | dbus-user.talk ca.desrt.dconf |
25 | dbus-user.talk org.gnome.keyring.SystemPrompter | 25 | dbus-user.talk org.gnome.keyring.SystemPrompter |
26 | # if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local) | 26 | # Add the next line to your claws-mail.local if you use the notification plugin. |
27 | # dbus-user.talk org.freedesktop.Notifications | 27 | # dbus-user.talk org.freedesktop.Notifications |
28 | 28 | ||
29 | # Redirect | 29 | # Redirect |
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile index dace5e83e..130d23522 100644 --- a/etc/profile-a-l/clipgrab.profile +++ b/etc/profile-a-l/clipgrab.profile | |||
@@ -42,6 +42,6 @@ private-cache | |||
42 | private-dev | 42 | private-dev |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
45 | # Breaks tray icon, uncomment or add to clipgrab.local if you don't need it | 45 | # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it. |
46 | # dbus-user none | 46 | # dbus-user none |
47 | # dbus-system none | 47 | # dbus-system none |
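Review bot: The rewritten comment at new line 45 reads awkwardly, naming `'dbus-user none'` twice and changing "tray icon" to "tray menu" without saying why, and it still leaves the following `# dbus-system none` line unexplained, so a reader cannot tell whether that one is also tied to the tray or was simply never tested. Suggest `# Add 'dbus-user none' to your clipgrab.local if you don't need the tray icon/menu.` and a separate line for `dbus-system none` stating what, if anything, it is known to break.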
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile index f8b194044..9366edfa1 100644 --- a/etc/profile-a-l/curl.profile +++ b/etc/profile-a-l/curl.profile | |||
@@ -9,9 +9,9 @@ include globals.local | |||
9 | 9 | ||
10 | # curl 7.74.0 introduces experimental support for HSTS cache | 10 | # curl 7.74.0 introduces experimental support for HSTS cache |
11 | # https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/ | 11 | # https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/ |
12 | # technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts | 12 | # Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts. |
13 | # if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local | 13 | # If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local |
14 | # and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact | 14 | # and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact. |
15 | noblacklist ${HOME}/.curl-hsts | 15 | noblacklist ${HOME}/.curl-hsts |
16 | noblacklist ${HOME}/.curlrc | 16 | noblacklist ${HOME}/.curlrc |
17 | 17 | ||
@@ -22,7 +22,7 @@ include disable-common.inc | |||
22 | include disable-exec.inc | 22 | include disable-exec.inc |
23 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
24 | include disable-programs.inc | 24 | include disable-programs.inc |
25 | # depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local | 25 | # Depending on workflow you can add 'include disable-xdg.inc' to your curl.local. |
26 | #include disable-xdg.inc | 26 | #include disable-xdg.inc |
27 | 27 | ||
28 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
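Review bot: "If your setup diverts" at new line 13 should read "differs" (or "diverges"); the sentence was rewritten and capitalised but the wrong verb was kept. Suggested line: `# If your setup differs, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local`.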
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile index 80d97a31f..b99b31df8 100644 --- a/etc/profile-a-l/dig.profile +++ b/etc/profile-a-l/dig.profile | |||
@@ -21,7 +21,7 @@ include disable-passwdmgr.inc | |||
21 | include disable-programs.inc | 21 | include disable-programs.inc |
22 | include disable-xdg.inc | 22 | include disable-xdg.inc |
23 | 23 | ||
24 | #mkfile ${HOME}/.digrc -- see #903 | 24 | #mkfile ${HOME}/.digrc - see #903 |
25 | whitelist ${HOME}/.digrc | 25 | whitelist ${HOME}/.digrc |
26 | include whitelist-common.inc | 26 | include whitelist-common.inc |
27 | include whitelist-usr-share-common.inc | 27 | include whitelist-usr-share-common.inc |
@@ -49,7 +49,7 @@ tracelog | |||
49 | disable-mnt | 49 | disable-mnt |
50 | private-bin bash,dig,sh | 50 | private-bin bash,dig,sh |
51 | private-dev | 51 | private-dev |
52 | # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038) | 52 | # Add the next line to your dig.local on non Debian/Ubuntu OS (see issue #3038). |
53 | #private-lib | 53 | #private-lib |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile index fc920a065..49feec32e 100644 --- a/etc/profile-a-l/dolphin-emu.profile +++ b/etc/profile-a-l/dolphin-emu.profile | |||
@@ -6,7 +6,7 @@ include dolphin-emu.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Note: you must whitelist your games folder in a dolphin-emu.local | 9 | # Note: you must whitelist your games folder in your dolphin-emu.local. |
10 | 10 | ||
11 | noblacklist ${HOME}/.cache/dolphin-emu | 11 | noblacklist ${HOME}/.cache/dolphin-emu |
12 | noblacklist ${HOME}/.config/dolphin-emu | 12 | noblacklist ${HOME}/.config/dolphin-emu |
@@ -36,10 +36,10 @@ include whitelist-var-common.inc | |||
36 | apparmor | 36 | apparmor |
37 | caps.drop all | 37 | caps.drop all |
38 | ipc-namespace | 38 | ipc-namespace |
39 | # uncomment the following line if you do not need NetPlay support | 39 | # Add the next line to your dolphin-emu.local if you do not need NetPlay support. |
40 | # net none | 40 | # net none |
41 | netfilter | 41 | netfilter |
42 | # uncomment the following line if you do not need disc support | 42 | # Add the next line to your dolphin-emu.local if you do not need disc support. |
43 | #nodvd | 43 | #nodvd |
44 | nogroups | 44 | nogroups |
45 | nonewprivs | 45 | nonewprivs |
@@ -54,7 +54,7 @@ tracelog | |||
54 | 54 | ||
55 | private-bin bash,dolphin-emu,dolphin-emu-x11,sh | 55 | private-bin bash,dolphin-emu,dolphin-emu-x11,sh |
56 | private-cache | 56 | private-cache |
57 | # uncomment the following line if you do not need controller support | 57 | # Add the next line to your dolphin-emu.local if you do not need controller support. |
58 | #private-dev | 58 | #private-dev |
59 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg | 59 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg |
60 | private-opt none | 60 | private-opt none |
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile index 79b449ab1..8785a192c 100644 --- a/etc/profile-a-l/electron.profile +++ b/etc/profile-a-l/electron.profile | |||
@@ -18,8 +18,7 @@ include whitelist-runuser-common.inc | |||
18 | include whitelist-usr-share-common.inc | 18 | include whitelist-usr-share-common.inc |
19 | include whitelist-var-common.inc | 19 | include whitelist-var-common.inc |
20 | 20 | ||
21 | # Uncomment the next line (or add it to your chromium-common.local) | 21 | # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. |
22 | # if your kernel allows unprivileged userns clone. | ||
23 | #include chromium-common-hardened.inc.profile | 22 | #include chromium-common-hardened.inc.profile |
24 | 23 | ||
25 | apparmor | 24 | apparmor |
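Review bot: The rewritten comment at new line 21 still directs users to chromium-common.local although this is electron.profile; unless electron.profile includes chromium-common.local (not visible in this hunk), a line added there has no effect on Electron apps and the comment should name electron.local: `# Add the next line to your electron.local if your kernel allows unprivileged userns clone.` The old text carried the same target, so this is inherited rather than introduced, but the rewrite was the natural place to correct it.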
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile index 226237b5b..55bf743ef 100644 --- a/etc/profile-a-l/emacs.profile +++ b/etc/profile-a-l/emacs.profile | |||
@@ -8,8 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.emacs | 9 | noblacklist ${HOME}/.emacs |
10 | noblacklist ${HOME}/.emacs.d | 10 | noblacklist ${HOME}/.emacs.d |
11 | # if you need gpg uncomment the following line | 11 | # Add the next line to your emacs.local if you need gpg support. |
12 | # or put it into your emacs.local | ||
13 | #noblacklist ${HOME}/.gnupg | 12 | #noblacklist ${HOME}/.gnupg |
14 | 13 | ||
15 | # Allows files commonly used by IDEs | 14 | # Allows files commonly used by IDEs |
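Review bot: The new comment at line 11 says only "if you need gpg support" and gives no warning about what `noblacklist ${HOME}/.gnupg` exposes; that directory is the GnuPG home and presumably holds private keys, so the whole sandboxed Emacs session, including any untrusted file or elisp it loads, would get access to them. A caveat in the style of the evince profile's bookmarks warning in this same commit is appropriate: `# WARNING: this exposes your whole GnuPG keyring (including private keys) to the sandbox.`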
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index 25d5196fc..eeccb81be 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile | |||
@@ -6,8 +6,8 @@ include evince.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Uncomment this line and the bottom ones to use bookmarks | 9 | # WARNING: using bookmarks possibly exposes information, including file history from other programs. |
10 | # NOTE: This possibly exposes information, including file history from other programs. | 10 | # Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below). |
11 | #noblacklist ${HOME}/.local/share/gvfs-metadata | 11 | #noblacklist ${HOME}/.local/share/gvfs-metadata |
12 | 12 | ||
13 | noblacklist ${HOME}/.config/evince | 13 | noblacklist ${HOME}/.config/evince |
@@ -57,9 +57,9 @@ private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd | |||
57 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* | 57 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | # might break two-page-view on some systems | 60 | # dbus-user filtering might break two-page-view on some systems |
61 | dbus-user filter | 61 | dbus-user filter |
62 | # Also uncomment these two lines if you want to use bookmarks | 62 | # Add the next two lines to your evince.local if you need bookmarks support. |
63 | #dbus-user.talk org.gtk.vfs.Daemon | 63 | #dbus-user.talk org.gtk.vfs.Daemon |
64 | #dbus-user.talk org.gtk.vfs.Metadata | 64 | #dbus-user.talk org.gtk.vfs.Metadata |
65 | dbus-system none | 65 | dbus-system none |
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile index 30135d4bc..b6741d701 100644 --- a/etc/profile-a-l/exiftool.profile +++ b/etc/profile-a-l/exiftool.profile | |||
@@ -42,8 +42,9 @@ shell none | |||
42 | tracelog | 42 | tracelog |
43 | x11 none | 43 | x11 none |
44 | 44 | ||
45 | # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below. | 45 | # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool |
46 | # Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening. | 46 | # to /usr/bin/exiftool and add the below to your exiftool.local. |
47 | # Non-Arch Linux users can safely add the below to their exiftool.local for extra hardening. | ||
47 | #private-bin exiftool,perl | 48 | #private-bin exiftool,perl |
48 | private-cache | 49 | private-cache |
49 | private-dev | 50 | private-dev |
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index 4d6a0c33a..68ce0da61 100644 --- a/etc/profile-a-l/feh.profile +++ b/etc/profile-a-l/feh.profile | |||
@@ -15,10 +15,8 @@ include disable-passwdmgr.inc | |||
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | include disable-shell.inc | 16 | include disable-shell.inc |
17 | 17 | ||
18 | # This profile disables network access | 18 | # Add the next line to your feh.local to enable network access. |
19 | # In order to enable network access, | 19 | #include feh-network.inc.profile |
20 | # uncomment the following or put it in your feh.local: | ||
21 | # include feh-network.inc.profile | ||
22 | 20 | ||
23 | caps.drop all | 21 | caps.drop all |
24 | net none | 22 | net none |
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index a955722c8..b0ead7590 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile | |||
@@ -9,7 +9,7 @@ include firefox-common.local | |||
9 | # noexec ${HOME} breaks DRM binaries. | 9 | # noexec ${HOME} breaks DRM binaries. |
10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | 10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
11 | 11 | ||
12 | # Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins. | 12 | # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins. |
13 | #include firefox-common-addons.profile | 13 | #include firefox-common-addons.profile |
14 | 14 | ||
15 | noblacklist ${HOME}/.pki | 15 | noblacklist ${HOME}/.pki |
@@ -32,7 +32,7 @@ include whitelist-var-common.inc | |||
32 | 32 | ||
33 | apparmor | 33 | apparmor |
34 | caps.drop all | 34 | caps.drop all |
35 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required. | 35 | # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required. |
36 | #machine-id | 36 | #machine-id |
37 | netfilter | 37 | netfilter |
38 | nodvd | 38 | nodvd |
@@ -52,10 +52,11 @@ shell none | |||
52 | disable-mnt | 52 | disable-mnt |
53 | ?BROWSER_DISABLE_U2F: private-dev | 53 | ?BROWSER_DISABLE_U2F: private-dev |
54 | # private-etc below works fine on most distributions. There are some problems on CentOS. | 54 | # private-etc below works fine on most distributions. There are some problems on CentOS. |
55 | # Add it to your firefox-common.local if you want to enable it. | ||
55 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 56 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
56 | private-tmp | 57 | private-tmp |
57 | 58 | ||
58 | # breaks various desktop integration features | 59 | # 'dbus-user none' breaks various desktop integration features like global menus, native notifications, |
59 | # among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma | 60 | # Gnome connector, KDE connect and power management on KDE Plasma. |
60 | dbus-user none | 61 | dbus-user none |
61 | dbus-system none | 62 | dbus-system none |
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 68dd350ca..cefba93d4 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -14,8 +14,8 @@ mkdir ${HOME}/.mozilla | |||
14 | whitelist ${HOME}/.cache/mozilla/firefox | 14 | whitelist ${HOME}/.cache/mozilla/firefox |
15 | whitelist ${HOME}/.mozilla | 15 | whitelist ${HOME}/.mozilla |
16 | 16 | ||
17 | # Uncomment or put in your firefox.local one of the following whitelist to enable KeePassXC Plugin | 17 | # Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support. |
18 | # NOTE: start KeePassXC before Firefox and keep it open to allow communication between them | 18 | # NOTE: start KeePassXC before Firefox and keep it open to allow communication between them. |
19 | #whitelist ${RUNUSER}/kpxc_server | 19 | #whitelist ${RUNUSER}/kpxc_server |
20 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer | 20 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer |
21 | 21 | ||
@@ -27,31 +27,30 @@ whitelist /usr/share/mozilla | |||
27 | whitelist /usr/share/webext | 27 | whitelist /usr/share/webext |
28 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
29 | 29 | ||
30 | # firefox requires a shell to launch on Arch. | 30 | # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. |
31 | #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which | 31 | #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which |
32 | # Fedora use shell scripts to launch firefox, at least this is required | 32 | # Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin. |
33 | #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname | 33 | #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname |
34 | # private-etc must first be enabled in firefox-common.profile | 34 | # Add the next line to your firefox.local to enable private-etc support - note that this must be enabled in your firefox-common.local too. |
35 | #private-etc firefox | 35 | #private-etc firefox |
36 | 36 | ||
37 | dbus-user filter | 37 | dbus-user filter |
38 | dbus-user.own org.mozilla.Firefox.* | 38 | dbus-user.own org.mozilla.Firefox.* |
39 | dbus-user.own org.mozilla.firefox.* | 39 | dbus-user.own org.mozilla.firefox.* |
40 | dbus-user.own org.mpris.MediaPlayer2.firefox.* | 40 | dbus-user.own org.mpris.MediaPlayer2.firefox.* |
41 | # Uncomment or put in your firefox.local to enable native notifications. | 41 | # Add the next line to your firefox.local to enable native notifications. |
42 | #dbus-user.talk org.freedesktop.Notifications | 42 | #dbus-user.talk org.freedesktop.Notifications |
43 | # Uncomment or put in your firefox.local to allow to inhibit screensavers | 43 | # Add the next line to your firefox.local to allow inhibiting screensavers. |
44 | #dbus-user.talk org.freedesktop.ScreenSaver | 44 | #dbus-user.talk org.freedesktop.ScreenSaver |
45 | # Uncomment or put in your firefox.local for plasma browser integration | 45 | # Add the next lines to your firefox.local for plasma browser integration. |
46 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration | 46 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration |
47 | #dbus-user.talk org.kde.JobViewServer | 47 | #dbus-user.talk org.kde.JobViewServer |
48 | #dbus-user.talk org.kde.kuiserver | 48 | #dbus-user.talk org.kde.kuiserver |
49 | # Uncomment or put in your firefox.local to allow screen sharing under wayland. | 49 | # Add the next two lines to your firefox.local to allow screen sharing under wayland. |
50 | #whitelist ${RUNUSER}/pipewire-0 | 50 | #whitelist ${RUNUSER}/pipewire-0 |
51 | #dbus-user.talk org.freedesktop.portal.* | 51 | #dbus-user.talk org.freedesktop.portal.* |
52 | # Also uncomment or put in your firefox.local if screen sharing sharing still | 52 | # Add the next line to your firefox.local if screen sharing sharing still does not work |
53 | # does not work with the above lines (might depend on the portal | 53 | # with the above lines (might depend on the portal implementation). |
54 | # implementation) | ||
55 | #ignore noroot | 54 | #ignore noroot |
56 | ignore dbus-user none | 55 | ignore dbus-user none |
57 | 56 | ||
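Review bot: "screen sharing sharing" at new line 52 duplicates the word; the line was rewritten and the typo carried over, so it should read `# Add the next line to your firefox.local if screen sharing still does not work`. That comment recommends `#ignore noroot` without noting that `noroot` sits among the profile's hardening options and disabling it presumably relaxes the sandbox; a short caveat such as `# (this weakens the sandbox - use only as a last resort)` would let users weigh the trade-off before adding it.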
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index 125ddf79c..e2da1747e 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile | |||
@@ -21,7 +21,7 @@ include disable-exec.inc | |||
21 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
22 | include disable-passwdmgr.inc | 22 | include disable-passwdmgr.inc |
23 | include disable-programs.inc | 23 | include disable-programs.inc |
24 | # Comment the following line if you need to whitelist folders other than ~/Downloads | 24 | # Add 'ignore include disable-xdg.inc' to your gajim.local if you need to whitelist folders other than ~/Downloads. |
25 | include disable-xdg.inc | 25 | include disable-xdg.inc |
26 | 26 | ||
27 | mkdir ${HOME}/.gnupg | 27 | mkdir ${HOME}/.gnupg |
@@ -73,7 +73,7 @@ dbus-user.talk org.kde.kwalletd5 | |||
73 | dbus-user.talk org.mpris.MediaPlayer2.* | 73 | dbus-user.talk org.mpris.MediaPlayer2.* |
74 | dbus-system filter | 74 | dbus-system filter |
75 | dbus-system.talk org.freedesktop.login1 | 75 | dbus-system.talk org.freedesktop.login1 |
76 | # Uncomment for location plugin support | 76 | # Add the next line to your gajim.local to enable location plugin support. |
77 | #dbus-system.talk org.freedesktop.GeoClue2 | 77 | #dbus-system.talk org.freedesktop.GeoClue2 |
78 | 78 | ||
79 | join-or-start gajim | 79 | join-or-start gajim |
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index e339f6abb..5e1b024fe 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile | |||
@@ -51,8 +51,8 @@ private-dev | |||
51 | private-etc none | 51 | private-etc none |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | # Uncomment (or add to your gapplcation.local) the next line to filter D-Bus names. | 54 | # Add the next line to your gapplication.local to filter D-Bus names. |
55 | # You might need to add additional dbus-user.talk rules. see 'gapplication list-apps'. | 55 | # You might need to add additional dbus-user.talk rules (see 'gapplication list-apps'). |
56 | #dbus-user filter | 56 | #dbus-user filter |
57 | dbus-user.talk org.gnome.Boxes | 57 | dbus-user.talk org.gnome.Boxes |
58 | dbus-user.talk org.gnome.Builder | 58 | dbus-user.talk org.gnome.Builder |
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile index 30251fbe5..d61bea6c4 100644 --- a/etc/profile-a-l/gedit.profile +++ b/etc/profile-a-l/gedit.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | 43 | ||
44 | # private-bin gedit | 44 | # private-bin gedit |
45 | private-dev | 45 | private-dev |
46 | # private-lib breaks python plugins, uncomment or add to your gedit.local if you don't use them. | 46 | # private-lib breaks python plugins - add the next line to your gedit.local if you don't use them. |
47 | #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.* | 47 | #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.* |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index bc5ef966c..e26fadca2 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile | |||
@@ -6,7 +6,7 @@ include gimp.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Uncomment or add to gimp.local in order to support scanning via xsane (see #3640). | 9 | # Add the next lines to your gimp.local in order to support scanning via xsane (see #3640). |
10 | # TODO: Replace 'ignore seccomp' with a less permissive option. | 10 | # TODO: Replace 'ignore seccomp' with a less permissive option. |
11 | #ignore seccomp | 11 | #ignore seccomp |
12 | #ignore dbus-system | 12 | #ignore dbus-system |
@@ -15,8 +15,7 @@ include globals.local | |||
15 | 15 | ||
16 | 16 | ||
17 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory | 17 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory |
18 | # if you are not using external plugins, you can comment 'ignore noexec' statement below | 18 | # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local. |
19 | # or put 'noexec ${HOME}' in your gimp.local | ||
20 | ignore noexec ${HOME} | 19 | ignore noexec ${HOME} |
21 | 20 | ||
22 | noblacklist ${HOME}/.cache/babl | 21 | noblacklist ${HOME}/.cache/babl |
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index 312655b9b..7894e4d8d 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile | |||
@@ -14,8 +14,8 @@ noblacklist ${HOME}/.gnupg | |||
14 | noblacklist ${HOME}/.subversion | 14 | noblacklist ${HOME}/.subversion |
15 | noblacklist ${HOME}/.config/git | 15 | noblacklist ${HOME}/.config/git |
16 | noblacklist ${HOME}/.config/git-cola | 16 | noblacklist ${HOME}/.config/git-cola |
17 | # Put your editor,diff viewer config path below and uncomment to load settings | 17 | # Add your editor/diff viewer config paths and the next line to your git-cola.local to load settings. |
18 | # noblacklist ${HOME}/ | 18 | #noblacklist ${HOME}/ |
19 | 19 | ||
20 | # Allow python (blacklisted by disable-interpreters.inc) | 20 | # Allow python (blacklisted by disable-interpreters.inc) |
21 | include allow-python2.inc | 21 | include allow-python2.inc |
@@ -34,7 +34,7 @@ include disable-xdg.inc | |||
34 | 34 | ||
35 | whitelist ${RUNUSER}/gnupg | 35 | whitelist ${RUNUSER}/gnupg |
36 | whitelist ${RUNUSER}/keyring | 36 | whitelist ${RUNUSER}/keyring |
37 | # Whitelist your editor, diff viewer, gnupg path below in /usr/share/ | 37 | # Add additional whitelist paths below /usr/share to your git-cola.local to support your editor/diff viewer. |
38 | whitelist /usr/share/git | 38 | whitelist /usr/share/git |
39 | whitelist /usr/share/git-cola | 39 | whitelist /usr/share/git-cola |
40 | whitelist /usr/share/git-core | 40 | whitelist /usr/share/git-core |
@@ -65,8 +65,8 @@ seccomp | |||
65 | shell none | 65 | shell none |
66 | tracelog | 66 | tracelog |
67 | 67 | ||
68 | # Add your own diff viewer,editor,pinentry program | 68 | # Add your own diff viewer,editor,pinentry program to private-bin in your git-cola.local. |
69 | # pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | 69 | #private-bin pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg |
70 | private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed | 70 | private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed |
71 | private-cache | 71 | private-cache |
72 | private-dev | 72 | private-dev |
@@ -74,13 +74,14 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitc | |||
74 | private-tmp | 74 | private-tmp |
75 | writable-run-user | 75 | writable-run-user |
76 | 76 | ||
77 | # Breaks meld as diff viewer | 77 | # dbus-user filtering breaks meld as diff viewer |
78 | # dbus-user filter | 78 | # Add the next line to your git-cola.local if you don't use meld. |
79 | # Uncomment if you need keyring access | 79 | #dbus-user filter |
80 | # dbus-user.talk org.freedesktop.secrets | 80 | # Add the next line to your git-cola.local if you need keyring access |
81 | #dbus-user.talk org.freedesktop.secrets | ||
81 | dbus-system none | 82 | dbus-system none |
82 | 83 | ||
83 | read-only ${HOME}/.git-credentials | 84 | read-only ${HOME}/.git-credentials |
84 | 85 | ||
85 | # Comment if you need to allow hosts | 86 | # Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts. |
86 | read-only ${HOME}/.ssh | 87 | read-only ${HOME}/.ssh |
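Review bot: The commented-out `private-bin` at line 69 of the new side still carries the `" for gpg` tail from the old comment, so a user who copies it into git-cola.local as the line above instructs ends up with `pinentry-kwallet" for gpg` as the last program in the list. Move the explanation into the comment and drop the quote: `# Add your own diff viewer, editor and (for gpg) pinentry program to private-bin in your git-cola.local, e.g.` followed by `#private-bin pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet`. The new hint at line 86, `ignore read-only ${HOME}/.ssh`, makes the whole key directory writable just so ssh can update known_hosts; if firejail honours a later `read-write ${HOME}/.ssh/known_hosts` against the earlier read-only, that narrower line would be the safer thing to document, worth confirming against the profile man page before changing the hint.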
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile index 93b90eb9e..7b6820a81 100644 --- a/etc/profile-a-l/gitg.profile +++ b/etc/profile-a-l/gitg.profile | |||
@@ -59,6 +59,6 @@ private-tmp | |||
59 | dbus-user filter | 59 | dbus-user filter |
60 | dbus-user.own org.gnome.gitg | 60 | dbus-user.own org.gnome.gitg |
61 | dbus-user.talk ca.desrt.dconf | 61 | dbus-user.talk ca.desrt.dconf |
62 | # Uncomment (or put in your gitg.local) if you need keyring access. | 62 | # Add the next line to your gitg.local if you need keyring access. |
63 | #dbus-user.talk org.freedesktop.secrets | 63 | #dbus-user.talk org.freedesktop.secrets |
64 | dbus-system none | 64 | dbus-system none |
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile index 4d53a67dd..048fad65c 100644 --- a/etc/profile-a-l/gnome-characters.profile +++ b/etc/profile-a-l/gnome-characters.profile | |||
@@ -44,8 +44,7 @@ shell none | |||
44 | tracelog | 44 | tracelog |
45 | 45 | ||
46 | disable-mnt | 46 | disable-mnt |
47 | # Uncomment the next line (or add it to your gnome-characters.local) | 47 | # Add the next line to your gnome-characters.local if you don't need access to recently used chars. |
48 | # if you don't need recently used chars | ||
49 | #private | 48 | #private |
50 | private-bin gjs,gnome-characters | 49 | private-bin gjs,gnome-characters |
51 | private-cache | 50 | private-cache |
@@ -53,8 +52,7 @@ private-dev | |||
53 | private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg | 52 | private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg |
54 | private-tmp | 53 | private-tmp |
55 | 54 | ||
56 | # Uncomment the next lines (or add it to your gnome-characters.local) | 55 | # Add the next lines to your gnome-characters.local if you don't need access to recently used chars. |
57 | # if you don't need recently used chars | ||
58 | # dbus-user none | 56 | # dbus-user none |
59 | # dbus-system none | 57 | # dbus-system none |
60 | 58 | ||
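Review bot: The two commented directives at lines 56-57 of the new side keep the `# dbus-user none` / `# dbus-system none` form with a space after `#`, while this same commit normalises other commented-out directives to the `#directive` form (git-cola's `#dbus-user filter`, lutris's `#private-dev`) so they can be pasted into a .local verbatim. Suggest `#dbus-user none` and `#dbus-system none` here for the same reason. The `#private` hint at line 48 and the D-Bus hint at line 55 now give the identical reason ("if you don't need access to recently used chars"); if both must be added together to drop recents, the comment should say so once, otherwise a reader cannot tell which of the two actually controls that feature.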
diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile index 1240dc3b7..249ae187d 100644 --- a/etc/profile-a-l/google-earth-pro.profile +++ b/etc/profile-a-l/google-earth-pro.profile | |||
@@ -22,8 +22,7 @@ include google-earth-pro.local | |||
22 | #[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}" | 22 | #[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}" |
23 | # <--- end of snippet ---> | 23 | # <--- end of snippet ---> |
24 | 24 | ||
25 | # If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local | 25 | # If you see errors about missing commands, add 'ignore private-bin' to your google-earth-pro.local. |
26 | #ignore private-bin | ||
27 | private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings | 26 | private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings |
28 | 27 | ||
29 | # Redirect | 28 | # Redirect |
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile index 2f684349d..1633cc3ee 100644 --- a/etc/profile-a-l/hasher-common.profile +++ b/etc/profile-a-l/hasher-common.profile | |||
@@ -6,24 +6,23 @@ include hasher-common.local | |||
6 | 6 | ||
7 | blacklist ${RUNUSER} | 7 | blacklist ${RUNUSER} |
8 | 8 | ||
9 | # WARNING: | 9 | # Comment/uncomment the relevant include file(s) in your hasher-common.local |
10 | # Users can (un)restrict file access for **all** hashers by commenting/uncommenting the needed | 10 | # to (un)restrict file access for **all** hashers. Another option is to do this **per hasher** |
11 | # include file(s) here or by putting those into hasher-common.local. | 11 | # in the relevant <hasher>.local. Beware that things tend to break when overtightening |
12 | # Another option is to do this **per hasher** in the relevant <hasher>.local. | 12 | # profiles. For example, because you only need to hash/check files in ${DOWNLOADS}, |
13 | # Just beware that things tend to break when overtightening profiles. For example, because you only | 13 | # other applications may need access to ${HOME}/.local/share. |
14 | # need to hash/check files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share. | 14 | |
15 | 15 | # Add the next line to your hasher-common.local if you don't need to hash files in disable-common.inc. | |
16 | # Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-common.inc. | ||
17 | #include disable-common.inc | 16 | #include disable-common.inc |
18 | include disable-devel.inc | 17 | include disable-devel.inc |
19 | include disable-exec.inc | 18 | include disable-exec.inc |
20 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
21 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
22 | # Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-programs.inc. | 21 | # Add the next line to your hasher-common.local if you don't need to hash files in disable-programs.inc. |
23 | #include disable-programs.inc | 22 | #include disable-programs.inc |
24 | include disable-shell.inc | 23 | include disable-shell.inc |
25 | include disable-write-mnt.inc | 24 | include disable-write-mnt.inc |
26 | # Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-xdg.inc. | 25 | # Add the next line to your hasher-common.local if you don't need to hash files in disable-xdg.inc. |
27 | #include disable-xdg.inc | 26 | #include disable-xdg.inc |
28 | 27 | ||
29 | apparmor | 28 | apparmor |
@@ -47,10 +46,10 @@ shell none | |||
47 | tracelog | 46 | tracelog |
48 | x11 none | 47 | x11 none |
49 | 48 | ||
50 | # Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp. | 49 | # Add the next line to your hasher-common.local if you don't need to hash files in ~/.cache. |
51 | #private-cache | 50 | #private-cache |
52 | private-dev | 51 | private-dev |
53 | # Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp. | 52 | # Add the next line to your hasher-common.local if you don't need to hash files in /tmp. |
54 | #private-tmp | 53 | #private-tmp |
55 | 54 | ||
56 | dbus-user none | 55 | dbus-user none |
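Review bot: The reworded header at lines 9-11 of the new side tells users to "Comment/uncomment the relevant include file(s) in your hasher-common.local", but a .local file cannot comment out an include that lives in hasher-common.profile; the mechanism this tree uses elsewhere is `include <file>.inc` to tighten and `ignore include <file>.inc` to relax (the gajim.profile hint for disable-xdg.inc in this same commit shows the latter form). Suggest: `# To restrict file access for **all** hashers, add the relevant 'include disable-*.inc' line(s) to your hasher-common.local; to relax it, add 'ignore include <file>.inc' there instead.` The rest of the paragraph (per-hasher .local, overtightening warning) can stay as written.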
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile index 9ffdb9e9b..d95d53b7a 100644 --- a/etc/profile-a-l/i2prouter.profile +++ b/etc/profile-a-l/i2prouter.profile | |||
@@ -9,16 +9,16 @@ include globals.local | |||
9 | # Notice: default browser will most likely not be able to automatically open, due to sandbox. | 9 | # Notice: default browser will most likely not be able to automatically open, due to sandbox. |
10 | # Auto-opening default browser can be disabled in the I2P router console. | 10 | # Auto-opening default browser can be disabled in the I2P router console. |
11 | # This profile will not currently work with any Arch User Repository I2P packages, | 11 | # This profile will not currently work with any Arch User Repository I2P packages, |
12 | # use the distro-independent official I2P java installer instead | 12 | # use the distro-independent official I2P java installer instead. |
13 | 13 | ||
14 | # Only needed if i2prouter binary is in home directory, official I2P java installer does this | 14 | # Only needed when i2prouter binary resides in home directory (official I2P java installer does so). |
15 | ignore noexec ${HOME} | 15 | ignore noexec ${HOME} |
16 | 16 | ||
17 | noblacklist ${HOME}/.config/i2p | 17 | noblacklist ${HOME}/.config/i2p |
18 | noblacklist ${HOME}/.i2p | 18 | noblacklist ${HOME}/.i2p |
19 | noblacklist ${HOME}/.local/share/i2p | 19 | noblacklist ${HOME}/.local/share/i2p |
20 | noblacklist ${HOME}/i2p | 20 | noblacklist ${HOME}/i2p |
21 | # Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this | 21 | # Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so). |
22 | noblacklist /usr/sbin | 22 | noblacklist /usr/sbin |
23 | 23 | ||
24 | # Allow java (blacklisted by disable-devel.inc) | 24 | # Allow java (blacklisted by disable-devel.inc) |
@@ -40,13 +40,14 @@ whitelist ${HOME}/.config/i2p | |||
40 | whitelist ${HOME}/.i2p | 40 | whitelist ${HOME}/.i2p |
41 | whitelist ${HOME}/.local/share/i2p | 41 | whitelist ${HOME}/.local/share/i2p |
42 | whitelist ${HOME}/i2p | 42 | whitelist ${HOME}/i2p |
43 | # Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this | 43 | # Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so). |
44 | whitelist /usr/sbin/wrapper* | 44 | whitelist /usr/sbin/wrapper* |
45 | 45 | ||
46 | include whitelist-common.inc | 46 | include whitelist-common.inc |
47 | 47 | ||
48 | # May break I2P if wrapper is placed in the home directory; official I2P java installer does this | 48 | # May break I2P if wrapper resides in the home directory (official I2P java installer does so). |
49 | # If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/ | 49 | # When using the Ubuntu official I2P PPA it should be fine to add 'apparmor' to your i2prouter.local, |
50 | # as it places the wrapper in /usr/sbin/ | ||
50 | #apparmor | 51 | #apparmor |
51 | caps.drop all | 52 | caps.drop all |
52 | ipc-namespace | 53 | ipc-namespace |
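Review bot: `ignore noexec ${HOME}` at line 15 of the new side stays unconditional even though the rewritten comment says it is "only needed" for the home-directory install, so users of the Ubuntu PPA (whose wrapper lives in /usr/sbin per lines 21 and 43) keep an executable home directory with no hint on how to get the restriction back. gimp.profile in this same commit documents the opt-in line for the identical directive; suggest mirroring it: `# Only needed when the i2prouter binary resides in the home directory (official I2P java installer does so); if yours is installed system-wide, add 'noexec ${HOME}' to your i2prouter.local.`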
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index 5786a4687..eb1e219ab 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile | |||
@@ -9,8 +9,8 @@ include globals.local | |||
9 | noblacklist ${HOME}/.config/kdiff3fileitemactionrc | 9 | noblacklist ${HOME}/.config/kdiff3fileitemactionrc |
10 | noblacklist ${HOME}/.config/kdiff3rc | 10 | noblacklist ${HOME}/.config/kdiff3rc |
11 | 11 | ||
12 | # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc. | 12 | # Add the next line to your kdiff3.local if you don't need to compare files in disable-common.inc. |
13 | # by default we deny access only to .ssh and .gnupg | 13 | # By default we deny access only to .ssh and .gnupg. |
14 | #include disable-common.inc | 14 | #include disable-common.inc |
15 | blacklist ${HOME}/.ssh | 15 | blacklist ${HOME}/.ssh |
16 | blacklist ${HOME}/.gnupg | 16 | blacklist ${HOME}/.gnupg |
@@ -19,15 +19,15 @@ include disable-devel.inc | |||
19 | include disable-exec.inc | 19 | include disable-exec.inc |
20 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
21 | include disable-passwdmgr.inc | 21 | include disable-passwdmgr.inc |
22 | # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc. | 22 | # Add the next line to your kdiff3.local if you don't need to compare files in disable-programs.inc. |
23 | #include disable-programs.inc | 23 | #include disable-programs.inc |
24 | include disable-shell.inc | 24 | include disable-shell.inc |
25 | include disable-xdg.inc | 25 | include disable-xdg.inc |
26 | 26 | ||
27 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
28 | # Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share. | 28 | # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. |
29 | #include whitelist-usr-share-common.inc | 29 | #include whitelist-usr-share-common.inc |
30 | # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var. | 30 | # Add the next line to your kdiff3.local if you don't need to compare files in /var. |
31 | #include whitelist-var-common.inc | 31 | #include whitelist-var-common.inc |
32 | 32 | ||
33 | apparmor | 33 | apparmor |
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 3ad779a12..11c279911 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile | |||
@@ -30,11 +30,11 @@ include disable-programs.inc | |||
30 | include disable-shell.inc | 30 | include disable-shell.inc |
31 | include disable-xdg.inc | 31 | include disable-xdg.inc |
32 | 32 | ||
33 | # You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines. | 33 | # You can enable whitelisting for keepassxc by adding the below to your keepassxc.local. |
34 | # If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx | 34 | # If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx. |
35 | #mkdir ${HOME}/Documents/KeePassXC | 35 | #mkdir ${HOME}/Documents/KeePassXC |
36 | #whitelist ${HOME}/Documents/KeePassXC | 36 | #whitelist ${HOME}/Documents/KeePassXC |
37 | # Needed for KeePassXC-Browser | 37 | # Needed for KeePassXC-Browser. |
38 | #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | 38 | #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json |
39 | #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | 39 | #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json |
40 | #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | 40 | #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json |
@@ -89,12 +89,12 @@ dbus-user.talk org.freedesktop.login1.Session | |||
89 | dbus-user.talk org.gnome.ScreenSaver | 89 | dbus-user.talk org.gnome.ScreenSaver |
90 | dbus-user.talk org.gnome.SessionManager | 90 | dbus-user.talk org.gnome.SessionManager |
91 | dbus-user.talk org.gnome.SessionManager.Presence | 91 | dbus-user.talk org.gnome.SessionManager.Presence |
92 | # Uncomment or add to your keepassxc.local to allow Notifications. | 92 | # Add the next line to your keepassxc.local to allow notifications. |
93 | #dbus-user.talk org.freedesktop.Notifications | 93 | #dbus-user.talk org.freedesktop.Notifications |
94 | # Uncomment or add to your keepassxc.local to allow Tray. | 94 | # Add the next line to your keepassxc.local to allow the tray menu. |
95 | #dbus-user.talk org.kde.StatusNotifierWatcher | 95 | #dbus-user.talk org.kde.StatusNotifierWatcher |
96 | #dbus-user.own org.kde.* | 96 | #dbus-user.own org.kde.* |
97 | dbus-system none | 97 | dbus-system none |
98 | 98 | ||
99 | # Mutex is stored in /tmp by default, which is broken by private-tmp | 99 | # Mutex is stored in /tmp by default, which is broken by private-tmp. |
100 | join-or-start keepassxc | 100 | join-or-start keepassxc |
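Review bot: The tray hint at lines 94-96 of the new side tells users to add `dbus-user.own org.kde.*`, which lets the sandboxed KeePassXC claim any org.kde.* name on the session bus, considerably wider than a tray icon needs. StatusNotifierItem implementations register names of the form org.kde.StatusNotifierItem-<pid>-<n>, so `#dbus-user.own org.kde.StatusNotifierItem-*` should be enough; worth confirming with `firejail --dbus-user.log` before narrowing the hint. The comment could also say what the two lines are for, e.g. `# Add the next lines to your keepassxc.local to allow the tray menu (talk to the StatusNotifierWatcher and own the item name).`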
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 5208cb979..8e891a930 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile | |||
@@ -14,14 +14,15 @@ mkdir ${HOME}/.librewolf | |||
14 | whitelist ${HOME}/.cache/librewolf | 14 | whitelist ${HOME}/.cache/librewolf |
15 | whitelist ${HOME}/.librewolf | 15 | whitelist ${HOME}/.librewolf |
16 | 16 | ||
17 | # Uncomment (or add to librewolf.local) the following lines if you want to | 17 | # Add the next lines to your librewolf.local if you want to use the migration wizard. |
18 | # use the migration wizard. | ||
19 | #noblacklist ${HOME}/.mozilla | 18 | #noblacklist ${HOME}/.mozilla |
20 | #whitelist ${HOME}/.mozilla | 19 | #whitelist ${HOME}/.mozilla |
21 | 20 | ||
22 | # librewolf requires a shell to launch on Arch. We can possibly remove sh though. | 21 | # librewolf requires a shell to launch on Arch. We can possibly remove sh though. |
22 | # Add the next line to your librewolf.local to enable private-bin. | ||
23 | #private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which | 23 | #private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which |
24 | # private-etc must first be enabled in firefox-common.profile | 24 | # Add the next line to your librewolf.local to enable private-etc. Note |
25 | # that private-etc must first be enabled in firefox-common.local. | ||
25 | #private-etc librewolf | 26 | #private-etc librewolf |
26 | 27 | ||
27 | # Redirect | 28 | # Redirect |
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile index a122e9bbc..1b10f0934 100644 --- a/etc/profile-a-l/liferea.profile +++ b/etc/profile-a-l/liferea.profile | |||
@@ -55,8 +55,8 @@ private-tmp | |||
55 | dbus-user filter | 55 | dbus-user filter |
56 | dbus-user.own net.sourceforge.liferea | 56 | dbus-user.own net.sourceforge.liferea |
57 | dbus-user.talk ca.desrt.dconf | 57 | dbus-user.talk ca.desrt.dconf |
58 | # Uncomment the below if you use the 'Popup Notifications' plugin or add 'dbus-user.talk org.freedesktop.Notifications' to your liferea.local | 58 | # Add the next line to your liferea.local if you use the 'Popup Notifications' plugin. |
59 | #dbus-user.talk org.freedesktop.Notifications | 59 | #dbus-user.talk org.freedesktop.Notifications |
60 | # Uncomment the below if you use the 'Libsecret Support' plugin or add 'dbus-user.talk org.freedesktop.secrets' to your liferea.local | 60 | # Add the next line to your liferea.local if you use the 'Libsecret Support' plugin. |
61 | #dbus-user.talk org.freedesktop.secrets | 61 | #dbus-user.talk org.freedesktop.secrets |
62 | dbus-system none | 62 | dbus-system none |
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile index ccc77f274..272bc4f3a 100644 --- a/etc/profile-a-l/links.profile +++ b/etc/profile-a-l/links.profile | |||
@@ -17,8 +17,8 @@ include disable-devel.inc | |||
17 | include disable-exec.inc | 17 | include disable-exec.inc |
18 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
19 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
20 | # you may want to noblacklist files/directories blacklisted in | 20 | # Additional noblacklist files/directories (blacklisted in disable-programs.inc) |
21 | # disable-programs.inc and used as associated programs | 21 | # used as associated programs can be added in your links.local. |
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
24 | 24 | ||
@@ -30,19 +30,19 @@ include whitelist-var-common.inc | |||
30 | 30 | ||
31 | caps.drop all | 31 | caps.drop all |
32 | ipc-namespace | 32 | ipc-namespace |
33 | # comment machine-id (or put 'ignore machine-id' in your links.local) if you want | 33 | # Add 'ignore machine-id' to your links.local if you want to restrict access to |
34 | # to allow access only to user-configured associated media player | 34 | # the user-configured associated media player. |
35 | machine-id | 35 | machine-id |
36 | netfilter | 36 | netfilter |
37 | # comment no3d (or put 'ignore no3d' in your links.local) if you want | 37 | # Add 'ignore no3d' to your links.local if you want to restrict access to |
38 | # to allow access only to user-configured associated media player | 38 | # the user-configured associated media player. |
39 | no3d | 39 | no3d |
40 | nodvd | 40 | nodvd |
41 | nogroups | 41 | nogroups |
42 | nonewprivs | 42 | nonewprivs |
43 | noroot | 43 | noroot |
44 | # comment nosound (or put 'ignore nosound' in your links.local) if you want | 44 | # Add 'ignore nosound' to your links.local if you want to restrict access to |
45 | # to allow access only to user-configured associated media player | 45 | # the user-configured associated media player. |
46 | nosound | 46 | nosound |
47 | notv | 47 | notv |
48 | nou2f | 48 | nou2f |
@@ -53,14 +53,12 @@ shell none | |||
53 | tracelog | 53 | tracelog |
54 | 54 | ||
55 | disable-mnt | 55 | disable-mnt |
56 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local | 56 | # Add 'private-bin PROGRAM1,PROGRAM2' to your links.local if you want to use user-configured programs. |
57 | # or append 'PROGRAM1,PROGRAM2' to this private-bin line | ||
58 | private-bin links,sh | 57 | private-bin links,sh |
59 | private-cache | 58 | private-cache |
60 | private-dev | 59 | private-dev |
61 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | 60 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl |
62 | # Uncomment the following line (or put it in your links.local) allow external | 61 | # Add the next line to your links.local to allow external media players. |
63 | # media players | ||
64 | # private-etc alsa,asound.conf,machine-id,openal,pulse | 62 | # private-etc alsa,asound.conf,machine-id,openal,pulse |
65 | private-tmp | 63 | private-tmp |
66 | 64 | ||
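Review bot: The rewritten comments at lines 33-34, 37-38 and 44-45 of the new side say to add `ignore machine-id` / `ignore no3d` / `ignore nosound` "if you want to restrict access to the user-configured associated media player", but each `ignore` removes a restriction, so the hint now states the opposite of what the line does (the old text said "allow access"). Suggest `# Add 'ignore machine-id' to your links.local if a user-configured external media player needs it (e.g. for sound).` and the analogous wording for no3d and nosound. The private-etc hint at line 62 is presumably meant to be merged with the active private-etc on line 60 rather than added as a second directive; if firejail does not merge repeated private-etc lists, the comment should say "append ... to the private-etc line in your links.local".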
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile index 5d05631ec..d750e5fcd 100644 --- a/etc/profile-a-l/lutris.profile +++ b/etc/profile-a-l/lutris.profile | |||
@@ -66,8 +66,8 @@ protocol unix,inet,inet6,netlink | |||
66 | seccomp | 66 | seccomp |
67 | shell none | 67 | shell none |
68 | 68 | ||
69 | # uncomment the following line if you do not need controller support | 69 | # Add the next line to your lutris.local if you do not need controller support. |
70 | # private-dev | 70 | #private-dev |
71 | private-tmp | 71 | private-tmp |
72 | 72 | ||
73 | dbus-user none | 73 | dbus-user none |
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile index b2687ba3c..e678b7204 100644 --- a/etc/profile-m-z/PCSX2.profile +++ b/etc/profile-m-z/PCSX2.profile | |||
@@ -6,7 +6,7 @@ include PCSX2.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Note: you must whitelist your games folder in a PCSX2.local | 9 | # Note: you must whitelist your games folder in your PCSX2.local. |
10 | 10 | ||
11 | noblacklist ${HOME}/.config/PCSX2 | 11 | noblacklist ${HOME}/.config/PCSX2 |
12 | 12 | ||
@@ -32,7 +32,7 @@ caps.drop all | |||
32 | ipc-namespace | 32 | ipc-namespace |
33 | net none | 33 | net none |
34 | netfilter | 34 | netfilter |
35 | # Uncomment the following line if not loading games from disc | 35 | # Add the next line to your PCSX2.local if you're not loading games from disc. |
36 | #nodvd | 36 | #nodvd |
37 | nogroups | 37 | nogroups |
38 | nonewprivs | 38 | nonewprivs |
@@ -47,7 +47,7 @@ shell none | |||
47 | 47 | ||
48 | private-bin PCSX2 | 48 | private-bin PCSX2 |
49 | private-cache | 49 | private-cache |
50 | # uncomment the following line if you do not need controller support | 50 | # Add the next line to your PCSX2.local if you do not need controller support. |
51 | #private-dev | 51 | #private-dev |
52 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 52 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg |
53 | private-opt none | 53 | private-opt none |
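Review bot: The `private-etc` list at line 52 of the new side still mounts network and TLS material (ca-certificates, crypto-policies, pki, resolv.conf, ssl, plus host.conf, hosts, hostname, protocols, rpc, services) although line 33 sets `net none`, so the emulator cannot use any of it and the entries only widen what is exposed under /etc. Suggest dropping at least ca-certificates, crypto-policies, pki, ssl and resolv.conf from that line; hosts, hostname and nsswitch.conf may still be read by libc for local lookups, so check those with `firejail --trace` before removing them. This section only rewords comments, so the trimming is a follow-up rather than part of this commit.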
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile index 70e5c72cf..84039aca3 100644 --- a/etc/profile-m-z/marker.profile +++ b/etc/profile-m-z/marker.profile | |||
@@ -6,7 +6,7 @@ include marker.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Uncomment (or add to your marker.local) if you need internet access. | 9 | # Add the next lines to your marker.local if you need internet access. |
10 | #ignore net none | 10 | #ignore net none |
11 | #protocol unix,inet,inet6 | 11 | #protocol unix,inet,inet6 |
12 | #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf | 12 | #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf |
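--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -7,11 +7,11 @@ include meld.local
 include globals.local
 
 # If you want to use meld as git mergetool (and maybe some other VCS integrations) you need
-# to bypass firejail, you can do this by removing the symlink or calling it by its absolute path
+# to bypass firejail. You can do this by removing the symlink or by calling it by its absolute path.
 # Removing the symlink:
-# sudo rm /usr/local/bin/meld
+# $ sudo rm /usr/local/bin/meld
 # Calling it by its absolute path (example for git mergetool):
-# git config --global mergetool.meld.cmd /usr/bin/meld
+# $ git config --global mergetool.meld.cmd /usr/bin/meld
 
 noblacklist ${HOME}/.config/meld
 noblacklist ${HOME}/.config/git
@@ -21,30 +21,31 @@ noblacklist ${HOME}/.local/share/meld
 noblacklist ${HOME}/.subversion
 
 # Allow python (blacklisted by disable-interpreters.inc)
-# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
+# Python 2 is EOL (see #3164). Add the next line to your meld.local if you understand the risks
+# but want to keep Python 2 support for older meld versions.
 #include allow-python2.inc
 include allow-python3.inc
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
+# Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
+# Add the next line to your meld.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
 
 include whitelist-runuser-common.inc
 
-# Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
+# Add the next lines to your meld.local if you don't need to compare files in /usr/share.
 #whitelist /usr/share/meld
 #include whitelist-usr-share-common.inc
 
-# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in /var.
+# Add the next line to your meld.local if you don't need to compare files in /var.
 #include whitelist-var-common.inc
 
 apparmor
@@ -70,9 +71,9 @@ tracelog
 private-bin bzr,cvs,git,hg,meld,python*,svn
 private-cache
 private-dev
-# Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.
+# Add the next line to your meld.local if you don't need to compare files in /etc.
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
-# Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551)
+# Add 'ignore private-tmp' to your meld.local if you want to use it as difftool (#3551).
 private-tmp
 
 read-only ${HOME}/.ssh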
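--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -38,8 +38,7 @@ noblacklist ${HOME}/sent
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
-# Uncomment or put them in mutt.local for oauth.py,S/MIME
-
+# Add the next lines to your mutt.local for oauth.py,S/MIME support.
 #include allow-perl.inc
 #include allow-python2.inc
 #include allow-python3.inc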
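Review bot: The rewritten comment on new line 41, `# Add the next lines to your mutt.local for oauth.py,S/MIME support.`, runs the two features together without a space after the comma; `# Add the next lines to your mutt.local for oauth.py and S/MIME support.` reads cleanly. The commented block of includes it refers to continues past the end of the hunk.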
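--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -9,7 +9,7 @@ include globals.local
 noblacklist ${HOME}/Nextcloud
 noblacklist ${HOME}/.config/Nextcloud
 noblacklist ${HOME}/.local/share/Nextcloud
-# Uncomment or put in your nextcloud.local to allow sync with more directories.
+# Add the next lines to your nextcloud.local to allow sync in more directories.
 #noblacklist ${DOCUMENTS}
 #noblacklist ${MUSIC}
 #noblacklist ${PICTURES}
@@ -30,7 +30,7 @@ mkdir ${HOME}/.local/share/Nextcloud
 whitelist ${HOME}/Nextcloud
 whitelist ${HOME}/.config/Nextcloud
 whitelist ${HOME}/.local/share/Nextcloud
-# Uncomment or put in your nextcloud.local to allow sync with more directories.
+# Add the next lines to your nextcloud.local to allow sync in more directories.
 #whitelist ${DOCUMENTS}
 #whitelist ${MUSIC}
 #whitelist ${PICTURES}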
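--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -51,9 +51,11 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
+
+# Add the next lines to your nheko.local to enable notification support.
+#ignore dbus-user none
+#dbus-user filter
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user none
-# Comment the above line and uncomment below lines for notification popups
-# dbus-user filter
-# dbus-user.talk org.freedesktop.Notifications
-# dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none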
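Review bot: The new side adds an empty line at new line 54 directly after the existing blank line 53, so the file now has two consecutive blank lines in front of `# Add the next lines to your nheko.local to enable notification support.`. Every other profile in this commit, including the matching spectral hunk, separates blocks with a single blank line; dropping the added empty line keeps nheko consistent with them.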
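--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
@@ -15,7 +15,7 @@ noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
 
 # If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
-# and uncomment the lines below.
+# and add the next lines to your npm.local.
 #mkdir ${HOME}/.node-gyp
 #mkdir ${HOME}/.npm
 #mkfile ${HOME}/.npmrc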
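Review bot: The rewritten comment on new line 18 now tells users to add the lines to npm.local, yet the unchanged line 17 still says to "change ${HOME}/Projects below", which points at the shipped profile rather than at the user's copy. Editing the installed profile is exactly what the move to `.local` files avoids, so the two lines should agree; one wording is `# If you want whitelisting, add the next lines to your npm.local, replacing ${HOME}/Projects` / `# with your npm projects directory.`. The commented whitelist block this refers to continues past the end of the hunk.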
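--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -26,7 +26,7 @@ apparmor
 caps.drop all
 ipc-namespace
 # net none - breaks update functionality and AppArmor on Ubuntu systems
-# uncomment (or put 'net none' in your ocenaudio.local) when needed
+# Add 'net none' to your ocenaudio.local when you want that functionality.
 #net none
 netfilter
 no3d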
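Review bot: The new comment `# Add 'net none' to your ocenaudio.local when you want that functionality.` is ambiguous, because the line above it says `net none` *breaks* update functionality and AppArmor on Ubuntu, so "that functionality" reads as if adding `net none` turns updates on. Say what the directive actually buys and costs, e.g. `# Add 'net none' to your ocenaudio.local if you do not need network access` / `# (note: it breaks update functionality and AppArmor on Ubuntu systems).`, so a user tightening the sandbox knows the trade-off before copying the line.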
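--- a/etc/profile-m-z/openmw.profile
+++ b/etc/profile-m-z/openmw.profile
@@ -22,8 +22,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/openmw
 mkdir ${HOME}/.local/share/openmw
 whitelist ${HOME}/.config/openmw
-# Copy Morrowind data files into the following directory or load it from /mnt
-# or whitelist it in a openmw.local
+# Copy Morrowind data files into ${HOME}/.local/share/openmw or load them from /mnt.
+# Alternatively you can whitelist custom paths in your openmw.local.
 whitelist ${HOME}/.local/share/openmw
 whitelist /usr/share/openmw
 include whitelist-common.inc
@@ -36,7 +36,7 @@ caps.drop all
 ipc-namespace
 net none
 netfilter
-# Uncomment the following line if installing from disc
+# Add 'ignore nodvd' to your openmw.local when installing from disc.
 nodvd
 nogroups
 nonewprivs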
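--- a/etc/profile-m-z/pcsxr.profile
+++ b/etc/profile-m-z/pcsxr.profile
@@ -6,7 +6,7 @@ include pcsxr.local
 # Persistent global definitions
 include globals.local
 
-# Note: you must whitelist your games folder in a pcsxr.local
+# Note: you must whitelist your games folder in your pcsxr.local
 
 noblacklist ${HOME}/.pcsxr
 
@@ -32,7 +32,7 @@ caps.drop all
 ipc-namespace
 net none
 netfilter
-# Uncomment the following line if not loading games from disc
+# Add the next line to your pcsxr.local when not loading games from disc.
 #nodvd
 nogroups
 nonewprivs
@@ -47,7 +47,7 @@ tracelog
 
 private-bin pcsxr
 private-cache
-# uncomment the following line if you do not need controller support
+# Add the next line to your pcsxr.local if you do not need controller support.
 #private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-opt none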
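--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -6,7 +6,7 @@ include ppsspp.local
 # Persistent global definitions
 include globals.local
 
-# Note: you must whitelist your games folder in a ppsspp.local
+# Note: you must whitelist your games folder in your ppsspp.local.
 
 noblacklist ${HOME}/.config/ppsspp
 
@@ -42,7 +42,7 @@ seccomp
 shell none
 
 private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL
-# uncomment the following line if you do not need controller support
+# Add the next line to your ppsspp.local if you do not need controller support.
 #private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-opt ppsspp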
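--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -6,8 +6,8 @@ include psi.local
 # Persistent global definitions
 include globals.local
 
-# Uncomment for GPG
-# noblacklist ${HOME}/.gnupg
+# Add the next line to your psi.local to enable GPG support.
+#noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.cache/psi
 noblacklist ${HOME}/.cache/Psi
 noblacklist ${HOME}/.config/psi
@@ -23,28 +23,28 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-# Uncomment for GPG
-# mkdir ${HOME}/.gnupg
+# Add the next line to your psi.local to enable GPG support.
+#mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.cache/psi
 mkdir ${HOME}/.cache/Psi
 mkdir ${HOME}/.config/psi
 mkdir ${HOME}/.local/share/psi
 mkdir ${HOME}/.local/share/Psi
-# Uncomment for GPG
-# whitelist ${HOME}/.gnupg
+# Add the next line to your psi.local to enable GPG support.
+#whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.cache/psi
 whitelist ${HOME}/.cache/Psi
 whitelist ${HOME}/.config/psi
 whitelist ${HOME}/.local/share/psi
 whitelist ${HOME}/.local/share/Psi
 whitelist ${DOWNLOADS}
-# Uncomment for GPG
-# whitelist /usr/share/gnupg
-# whitelist /usr/share/gnupg2
+# Add the next lines to your psi.local to enable GPG support.
+#whitelist /usr/share/gnupg
+#whitelist /usr/share/gnupg2
 whitelist /usr/share/psi
-# Uncomment for GPG
-# whitelist ${RUNUSER}/gnupg
-# whitelist ${RUNUSER}/keyring
+# Add the next lines to your psi.local to enable GPG support.
+#whitelist ${RUNUSER}/gnupg
+#whitelist ${RUNUSER}/keyring
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -63,11 +63,11 @@ nou2f
 protocol unix,inet,inet6,netlink
 seccomp !chroot
 shell none
-# breaks on Arch
-# tracelog
+#tracelog - breaks on Arch
 
 disable-mnt
-# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for GPG
+# Add the next line to your psi.local to enable GPG support.
+#private-bin gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet
 private-bin getopt,psi
 private-cache
 private-dev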
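--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -7,9 +7,8 @@ include rsync.local
 # Persistent global definitions
 include globals.local
 
-# Warning: This profile is writte to use rsync as an client for downloading,
-# it is not writen to use rsync as an daemon (rsync --daemon) or to create backups.
-
+# WARNING: this profile is designed to use rsync as a client for downloading,
+# not as a daemon (rsync --daemon) nor to create backups.
 # Usage: firejail --profile=rsync-download_only rsync
 
 blacklist /tmp/.X11-unix
@@ -24,7 +23,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-# Uncomment or add to rsync.local to enable extra hardening
+# Add the next line to your rsync-download_only.local to enable extra hardening.
 #whitelist ${DOWNLOADS}
 include whitelist-var-common.inc
 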
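Review bot: The new comment on line 26 directs users to rsync-download_only.local, but the hunk header context (`@@ -7,9 +7,8 @@ include rsync.local`) shows the profile reading rsync.local, which is also the file the old comment named. Unless an `include rsync-download_only.local` line exists above the visible hunks, a user following the new text would put `whitelist ${DOWNLOADS}` into a file the profile never reads and get no hardening while believing it is in place. Either keep `rsync.local` in the comment or add the matching include at the top of the profile; the include block itself is outside the hunk.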
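--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -16,10 +16,9 @@ noblacklist ${HOME}/.local/share/rtv
 include allow-python2.inc
 include allow-python3.inc
 
-# You can configure rtv to open different type of links
-# in external applications. Configuration here:
-# https://github.com/michael-lazar/rtv#viewing-media-links
-# Uncomment or put in rtv.local for external application support
+# You can configure rtv to open different type of links in external applications.
+# Configuration: https://github.com/michael-lazar/rtv#viewing-media-links.
+# Add the next line to your rtv.local to enable external application support.
 #include rtv-addons.profile
 include disable-common.inc
 include disable-devel.inc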
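--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 # whitelisting in ${HOME} breaks file encryption feature of nautilus.
-# once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile
+# Once #2882 is fixed this can be activated here and nowhitelisted in seahorse-tool.profile.
 #mkdir ${HOME}/.gnupg
 #mkdir ${HOME}/.ssh
 #whitelist ${HOME}/.gnupg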
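--- a/etc/profile-m-z/servo.profile
+++ b/etc/profile-m-z/servo.profile
@@ -17,7 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-# Add a whitelist for the directory where servo is installed and uncomment the lines below.
+# Add the next lines to your servo.local to turn this into a whitelisting profile.
+# You will need to add a whitelist for the directory where servo is installed.
 #whitelist ${DOWNLOADS}
 #include whitelist-common.inc
 include whitelist-runuser-common.inc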
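--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -6,7 +6,7 @@ include spectacle.local
 # Persistent global definitions
 include globals.local
 
-# Uncomment the following lines to use sharing services.
+# Add the next lines to your spectacle.local to use sharing services.
 #netfilter
 #ignore net none
 #private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl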
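--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -50,8 +50,9 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,
 private-tmp
 
 dbus-user none
-# Comment the above line and uncomment below lines for notification popups
-# dbus-user filter
-# dbus-user.talk org.freedesktop.Notifications
-# dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next lines to your spectral.local to enable notification support.
+#ignore dbus-user none
+#dbus-user filter
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none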
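--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -50,7 +50,7 @@ tracelog
 disable-mnt
 private-bin supertuxkart
 private-cache
-# uncomment the following line if you do not need controller support
+# Add the next line to your supertuxkart.local if you do not need controller support.
 #private-dev
 private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
 private-tmp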
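--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -19,7 +19,7 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.keyring.SystemPrompter
-# Uncomment below for notifications (or put them in your sylpheed.local)
+# Add the next line to your sylpheed.local to enable notifications.
 # dbus-user.talk org.freedesktop.Notifications
 
 # Redirect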
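Review bot: The opt-in directive on line 23 keeps the old `# dbus-user.talk org.freedesktop.Notifications` form with a space after `#`, while the same kind of commented-out directive is normalized to `#dbus-user.talk ...` in the psi, nheko and spectral hunks of this commit. Since the new comment above it tells users to copy the line into sylpheed.local, use the uniform `#dbus-user.talk org.freedesktop.Notifications` here as well so the line reads as a directive rather than prose.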
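--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -37,7 +37,7 @@ include whitelist-var-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 
-# Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local.
+# Add 'apparmor' to your torbrowser-launcher.local to enable AppArmor support.
 # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
 # to be uncommented too for this to work as expected.
 #apparmor
@@ -53,8 +53,7 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 shell none
-# tracelog may cause issues, see github issue #1930
-#tracelog
+#tracelog - may cause issues, see #1930
 
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity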
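--- a/etc/profile-m-z/vmware-view.profile
+++ b/etc/profile-m-z/vmware-view.profile
@@ -37,9 +37,8 @@ nonewprivs
 noroot
 notv
 nou2f
-# Comment novideo (or add 'ignore novideo' to your vmware-view.local) if you need your webcam
+# Add 'ignore novideo' to your vmware-view.local if you need your webcam.
 novideo
-# protocol produces a lot error messages but nothing seems to be broken
 protocol unix,inet,inet6
 seccomp !iopl
 seccomp.block-secondary
@@ -50,8 +49,7 @@ disable-mnt
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gai.conf,gconf,glvnd,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,proxychains.conf,pulse,resolv.conf,rpc,services,ssl,terminfo,vmware,vmware-tools,vmware-vix,X11,xdg
-# Logs are "stored" in /tmp, comment (or add 'ignore private-tmp' to your vmware-view.local)
-# if you need them without joining the sandbox.
+# Logs are kept in /tmp. Add 'ignore private-tmp' to your vmware-view.local if you need them without joining the sandbox.
 private-tmp
 
 dbus-user none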
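--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -21,7 +21,7 @@ mkdir ${HOME}/.cache/vmware
 mkdir ${HOME}/.vmware
 whitelist ${HOME}/.cache/vmware
 whitelist ${HOME}/.vmware
-# Uncomment the following if you need to use "shared VM"
+# Add the next lines to your vmware.local if you need to use "shared VM".
 #whitelist /var/lib/vmware
 #writable-var
 include whitelist-common.inc
@@ -37,6 +37,7 @@ shell none
 tracelog
 
 #disable-mnt
+# Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
 private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none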
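--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -7,7 +7,7 @@ include w3m.local
 # Persistent global definitions
 include globals.local
 
-# Uncomment or add to your w3m.local if you want to use w3m-img on a vconsole
+# Add the next lines to your w3m.local if you want to use w3m-img on a vconsole.
 #ignore nogroups
 #ignore private-dev
 #ignore private-etc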
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile index c6c940fa3..18f1ca79a 100644 --- a/etc/profile-m-z/waterfox.profile +++ b/etc/profile-m-z/waterfox.profile | |||
@@ -13,14 +13,15 @@ mkdir ${HOME}/.waterfox | |||
13 | whitelist ${HOME}/.cache/waterfox | 13 | whitelist ${HOME}/.cache/waterfox |
14 | whitelist ${HOME}/.waterfox | 14 | whitelist ${HOME}/.waterfox |
15 | 15 | ||
16 | # Uncomment (or add to watefox.local) the following lines if you want to | 16 | # Add the next lines to your watefox.local if you want to use the migration wizard. |
17 | # use the migration wizard. | ||
18 | #noblacklist ${HOME}/.mozilla | 17 | #noblacklist ${HOME}/.mozilla |
19 | #whitelist ${HOME}/.mozilla | 18 | #whitelist ${HOME}/.mozilla |
20 | 19 | ||
21 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. | 20 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. |
21 | # Add the next line to your waterfox.local to enable private-bin. | ||
22 | #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which | 22 | #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which |
23 | # private-etc must first be enabled in firefox-common.profile | 23 | # Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be |
24 | # enabled in your firefox-common.local. | ||
24 | #private-etc waterfox | 25 | #private-etc waterfox |
25 | 26 | ||
26 | # Redirect | 27 | # Redirect |
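Review bot: The rewritten comment at new line 16 still directs users to `watefox.local`, a file name missing the "r", so anyone following it creates a .local file that firejail never reads and the noblacklist/whitelist for ${HOME}/.mozilla silently has no effect. The old text carried the same typo, but since the commit rewrites the whole line it should read `# Add the next lines to your waterfox.local if you want to use the migration wizard.`; the new comment at line 21 of this same section already spells the file correctly.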
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile index f67d28618..8a7042f59 100644 --- a/etc/profile-m-z/wget.profile +++ b/etc/profile-m-z/wget.profile | |||
@@ -21,7 +21,7 @@ include disable-interpreters.inc | |||
21 | include disable-passwdmgr.inc | 21 | include disable-passwdmgr.inc |
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-shell.inc | 23 | include disable-shell.inc |
24 | # depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local | 24 | # Depending on workflow you can add the next line to your wget.local. |
25 | #include disable-xdg.inc | 25 | #include disable-xdg.inc |
26 | 26 | ||
27 | include whitelist-usr-share-common.inc | 27 | include whitelist-usr-share-common.inc |
@@ -50,7 +50,7 @@ tracelog | |||
50 | private-bin wget | 50 | private-bin wget |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | # depending on workflow you can uncomment the below or put this private-etc in your wget.local | 53 | # Depending on workflow you can add the next line to your wget.local. |
54 | #private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc | 54 | #private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc |
55 | #private-tmp | 55 | #private-tmp |
56 | 56 | ||
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile index 6ac74b9da..67427209f 100644 --- a/etc/profile-m-z/wine.profile +++ b/etc/profile-m-z/wine.profile | |||
@@ -24,8 +24,7 @@ include disable-programs.inc | |||
24 | # include whitelist-usr-share-common.inc | 24 | # include whitelist-usr-share-common.inc |
25 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
26 | 26 | ||
27 | # some applications don't need allow-debuggers, comment the next line | 27 | # Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this. |
28 | # if it is not necessary (or put 'ignore allow-debuggers' in your wine.local) | ||
29 | allow-debuggers | 28 | allow-debuggers |
30 | caps.drop all | 29 | caps.drop all |
31 | # net none | 30 | # net none |
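Review bot: The new comment at line 27 runs well past 100 columns, while the rest of this commit wraps its reworded comments (yarn.profile, yelp.profile) at roughly that width. Splitting it keeps the profile readable in a terminal: `# Some applications don't need allow-debuggers.` followed by `# Add 'ignore allow-debuggers' to your wine.local if you want to override this.`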
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile index 6e4a313e3..2b97d5b0a 100644 --- a/etc/profile-m-z/wps.profile +++ b/etc/profile-m-z/wps.profile | |||
@@ -23,7 +23,7 @@ include whitelist-var-common.inc | |||
23 | apparmor | 23 | apparmor |
24 | caps.drop all | 24 | caps.drop all |
25 | machine-id | 25 | machine-id |
26 | # Uncomment the next line (or add to wps.local) if you don't use network features. | 26 | # Add the next line to your wps.local if you don't use network features. |
27 | #net none | 27 | #net none |
28 | netfilter | 28 | netfilter |
29 | no3d | 29 | no3d |
@@ -36,7 +36,7 @@ notv | |||
36 | nou2f | 36 | nou2f |
37 | novideo | 37 | novideo |
38 | protocol unix,inet,inet6 | 38 | protocol unix,inet,inet6 |
39 | # seccomp cause some minor issues, if you can live with them enable it. | 39 | # seccomp causes some minor issues. Add the next line to your wps.local if you can live with those. |
40 | #seccomp | 40 | #seccomp |
41 | shell none | 41 | shell none |
42 | tracelog | 42 | tracelog |
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile index f20225050..360bd8442 100644 --- a/etc/profile-m-z/yarn.profile +++ b/etc/profile-m-z/yarn.profile | |||
@@ -13,7 +13,8 @@ noblacklist ${HOME}/.yarn-config | |||
13 | noblacklist ${HOME}/.yarncache | 13 | noblacklist ${HOME}/.yarncache |
14 | noblacklist ${HOME}/.yarnrc | 14 | noblacklist ${HOME}/.yarnrc |
15 | 15 | ||
16 | # If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below. | 16 | # If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and |
17 | # add the next lines to you yarn.local. | ||
17 | #mkdir ${HOME}/.yarn | 18 | #mkdir ${HOME}/.yarn |
18 | #mkdir ${HOME}/.yarn-config | 19 | #mkdir ${HOME}/.yarn-config |
19 | #mkdir ${HOME}/.yarncache | 20 | #mkdir ${HOME}/.yarncache |
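Review bot: The new line 17 reads `# add the next lines to you yarn.local.` — "you" should be "your", the wording used in every other profile touched by this commit. Suggested: `# add the next lines to your yarn.local.`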
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index 479582b2a..a08a30b52 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile | |||
@@ -33,14 +33,14 @@ include whitelist-var-common.inc | |||
33 | 33 | ||
34 | apparmor | 34 | apparmor |
35 | caps.drop all | 35 | caps.drop all |
36 | # machine-id breaks sound - uncomment here or put it in your yelp.local if you don't need it | 36 | # machine-id breaks sound - add the next line to your yelp.local if you don't need sound support. |
37 | #machine-id | 37 | #machine-id |
38 | net none | 38 | net none |
39 | nodvd | 39 | nodvd |
40 | nogroups | 40 | nogroups |
41 | nonewprivs | 41 | nonewprivs |
42 | noroot | 42 | noroot |
43 | # nosound - uncomment here or put it in your yelp.local if you don't need it | 43 | # nosound - add the next line to your yelp.local if you don't need sound support. |
44 | #nosound | 44 | #nosound |
45 | notv | 45 | notv |
46 | nou2f | 46 | nou2f |
@@ -66,11 +66,11 @@ dbus-system none | |||
66 | # read-only ${HOME} breaks some features: | 66 | # read-only ${HOME} breaks some features: |
67 | # 1. yelp --editor-mode | 67 | # 1. yelp --editor-mode |
68 | # 2. saving the window geometry | 68 | # 2. saving the window geometry |
69 | # comment the line below or put 'ignore read-only ${HOME}' into your yelp.local if you need these features | 69 | # add 'ignore read-only ${HOME}' to your yelp.local if you need these features. |
70 | read-only ${HOME} | 70 | read-only ${HOME} |
71 | read-write ${HOME}/.cache | 71 | read-write ${HOME}/.cache |
72 | # 3. printing to PDF in ${DOCUMENTS} | 72 | # 3. printing to PDF in ${DOCUMENTS} |
73 | # additionally uncomment the lines below or put 'noblacklist ${DOCUMENTS}' and | 73 | # additionally add 'noblacklist ${DOCUMENTS}' and 'whitelist ${DOCUMENTS}' to |
74 | # 'whitelist ${DOCUMENTS}' into your yelp.local if you need printing to PDF support | 74 | # your yelp.local if you need PDF printing support. |
75 | #noblacklist ${DOCUMENTS} | 75 | #noblacklist ${DOCUMENTS} |
76 | #whitelist ${DOCUMENTS} | 76 | #whitelist ${DOCUMENTS} |
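Review bot: The rewritten comment at new line 69 starts lowercase (`# add 'ignore read-only ${HOME}' ...`) while the reworded lines 36 and 43 in the same file start with a capital, a small consistency slip in the commit's own rewording. `# Add 'ignore read-only ${HOME}' to your yelp.local if you need these features.` reads cleaner, and the same applies to line 73 (`# Additionally, add 'noblacklist ${DOCUMENTS}' and 'whitelist ${DOCUMENTS}' to`).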
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile index e8cd64c93..ac615d861 100644 --- a/etc/profile-m-z/zoom.profile +++ b/etc/profile-m-z/zoom.profile | |||
@@ -6,14 +6,14 @@ include zoom.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disabled until someone reported positive feedback | 9 | # Disabled until someone reports positive feedback. |
10 | ignore apparmor | 10 | ignore apparmor |
11 | ignore novideo | 11 | ignore novideo |
12 | ignore dbus-user none | 12 | ignore dbus-user none |
13 | ignore dbus-system none | 13 | ignore dbus-system none |
14 | 14 | ||
15 | # nogroups breaks webcam access on non-systemd systems (see #3711). | 15 | # nogroups breaks webcam access on non-systemd systems (see #3711). |
16 | # If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local | 16 | # If you use such a system, add 'ignore nogroups' to your zoom.local. |
17 | #ignore nogroups | 17 | #ignore nogroups |
18 | 18 | ||
19 | noblacklist ${HOME}/.config/zoomus.conf | 19 | noblacklist ${HOME}/.config/zoomus.conf |