5 files changed, 93 insertions, 4 deletions
diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc
new file mode 100644
index 000000000..81a8883f3
--- /dev/null
+++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-proc.local
+blacklist /proc/acpi
+blacklist /proc/asound
+blacklist /proc/bootconfig
+blacklist /proc/buddyinfo
+blacklist /proc/cgroups
+blacklist /proc/cmdline
+blacklist /proc/config.gz
+blacklist /proc/consoles
+#blacklist /proc/cpuinfo
+blacklist /proc/crypto
+blacklist /proc/devices
+blacklist /proc/diskstats
+blacklist /proc/dma
+#blacklist /proc/driver
+blacklist /proc/dynamic_debug
+blacklist /proc/execdomains
+blacklist /proc/fb
+#blacklist /proc/filesystems
+blacklist /proc/fs
+blacklist /proc/i8k
+blacklist /proc/interrupts
+blacklist /proc/iomem
+blacklist /proc/ioports
+blacklist /proc/irq
+blacklist /proc/kallsyms
+blacklist /proc/kcore
+blacklist /proc/keys
+blacklist /proc/key-users
+blacklist /proc/kmsg
+blacklist /proc/kpagecgroup
+blacklist /proc/kpagecount
+blacklist /proc/kpageflags
+blacklist /proc/latency_stats
+#blacklist /proc/loadavg
+blacklist /proc/locks
+blacklist /proc/mdstat
+#blacklist /proc/meminfo
+blacklist /proc/misc
+#blacklist /proc/modules
+#blacklist /proc/mounts
+blacklist /proc/mtrr
+#blacklist /proc/net
+blacklist /proc/partitions
+blacklist /proc/pressure
+blacklist /proc/sched_debug
+blacklist /proc/schedstat
+blacklist /proc/scsi
+#blacklist /proc/self
+blacklist /proc/slabinfo
+blacklist /proc/softirqs
+blacklist /proc/spl
+#blacklist /proc/stat
+blacklist /proc/swaps
+#blacklist /proc/sys
+blacklist /proc/sysrq-trigger
+blacklist /proc/sysvipc
+#blacklist /proc/thread-self
+blacklist /proc/timer_list
+blacklist /proc/tty
+#blacklist /proc/uptime
+#blacklist /proc/version
+blacklist /proc/version_signature
+blacklist /proc/vmallocinfo
+#blacklist /proc/vmstat
+#blacklist /proc/zoneinfo
+blacklist /proc/sys/abi
+blacklist /proc/sys/crypto
+blacklist /proc/sys/debug
+blacklist /proc/sys/dev
+blacklist /proc/sys/fs
+blacklist /proc/sys/net
+blacklist /proc/sys/user
+blacklist /proc/sys/vm
+noblacklist /proc/sys/kernel/osrelease
+noblacklist /proc/sys/kernel/yama
+blacklist /proc/sys/*/*
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
index 8d391b90f..59d762f55 100644
--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
-private-bin jumpnbump-menu,python3*
+private-bin env,jumpnbump-menu,python3*
 # Redirect
 include jumpnbump.profile
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index 4e16df553..96541ae25 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -8,6 +8,9 @@ include globals.local
 noblacklist ${HOME}/.tremulous
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -41,7 +44,7 @@ shell none
 tracelog
 disable-mnt
-private-bin tremded,tremulous,tremulous-wrapper
+private-bin env,sh,tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index b57f9ba1d..2f818b733 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/warsow-2.1
 noblacklist ${HOME}/.local/share/warsow-2.1
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -39,13 +42,13 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 disable-mnt
-private-bin warsow
+private-bin basename,bash,dirname,sed,sh,uname,warsow
 private-cache
 private-dev
 private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 7628313e0..44197b547 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
 #include disable-devel.inc
 #include disable-exec.inc
 #include disable-interpreters.inc
+#include disable-proc.inc
 #include disable-programs.inc
 #include disable-shell.inc
 #include disable-write-mnt.inc

diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc new file mode 100644 index 000000000..81a8883f3 --- /dev/null +++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
		1	# This file is overwritten during software install.
		2	# Persistent customizations should go in a .local file.
		3	include disable-proc.local
		4
		5	blacklist /proc/acpi
		6	blacklist /proc/asound
		7	blacklist /proc/bootconfig
		8	blacklist /proc/buddyinfo
		9	blacklist /proc/cgroups
		10	blacklist /proc/cmdline
		11	blacklist /proc/config.gz
		12	blacklist /proc/consoles
		13	#blacklist /proc/cpuinfo
		14	blacklist /proc/crypto
		15	blacklist /proc/devices
		16	blacklist /proc/diskstats
		17	blacklist /proc/dma
		18	#blacklist /proc/driver
		19	blacklist /proc/dynamic_debug
		20	blacklist /proc/execdomains
		21	blacklist /proc/fb
		22	#blacklist /proc/filesystems
		23	blacklist /proc/fs
		24	blacklist /proc/i8k
		25	blacklist /proc/interrupts
		26	blacklist /proc/iomem
		27	blacklist /proc/ioports
		28	blacklist /proc/irq
		29	blacklist /proc/kallsyms
		30	blacklist /proc/kcore
		31	blacklist /proc/keys
		32	blacklist /proc/key-users
		33	blacklist /proc/kmsg
		34	blacklist /proc/kpagecgroup
		35	blacklist /proc/kpagecount
		36	blacklist /proc/kpageflags
		37	blacklist /proc/latency_stats
		38	#blacklist /proc/loadavg
		39	blacklist /proc/locks
		40	blacklist /proc/mdstat
		41	#blacklist /proc/meminfo
		42	blacklist /proc/misc
		43	#blacklist /proc/modules
		44	#blacklist /proc/mounts
		45	blacklist /proc/mtrr
		46	#blacklist /proc/net
		47	blacklist /proc/partitions
		48	blacklist /proc/pressure
		49	blacklist /proc/sched_debug
		50	blacklist /proc/schedstat
		51	blacklist /proc/scsi
		52	#blacklist /proc/self
		53	blacklist /proc/slabinfo
		54	blacklist /proc/softirqs
		55	blacklist /proc/spl
		56	#blacklist /proc/stat
		57	blacklist /proc/swaps
		58	#blacklist /proc/sys
		59	blacklist /proc/sysrq-trigger
		60	blacklist /proc/sysvipc
		61	#blacklist /proc/thread-self
		62	blacklist /proc/timer_list
		63	blacklist /proc/tty
		64	#blacklist /proc/uptime
		65	#blacklist /proc/version
		66	blacklist /proc/version_signature
		67	blacklist /proc/vmallocinfo
		68	#blacklist /proc/vmstat
		69	#blacklist /proc/zoneinfo
		70
		71	blacklist /proc/sys/abi
		72	blacklist /proc/sys/crypto
		73	blacklist /proc/sys/debug
		74	blacklist /proc/sys/dev
		75	blacklist /proc/sys/fs
		76	blacklist /proc/sys/net
		77	blacklist /proc/sys/user
		78	blacklist /proc/sys/vm
		79
		80	noblacklist /proc/sys/kernel/osrelease
		81	noblacklist /proc/sys/kernel/yama
		82	blacklist /proc/sys//


diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile index 8d391b90f..59d762f55 100644 --- a/etc/profile-a-l/jumpnbump-menu.profile +++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
10	# Allow python (blacklisted by disable-interpreters.inc)	10	# Allow python (blacklisted by disable-interpreters.inc)
11	include allow-python3.inc	11	include allow-python3.inc
12		12
13	private-bin jumpnbump-menu,python3*	13	private-bin env,jumpnbump-menu,python3*
14		14
15	# Redirect	15	# Redirect
16	include jumpnbump.profile	16	include jumpnbump.profile


diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile index 4e16df553..96541ae25 100644 --- a/etc/profile-m-z/tremulous.profile +++ b/etc/profile-m-z/tremulous.profile
@@ -8,6 +8,9 @@ include globals.local
8		8
9	noblacklist ${HOME}/.tremulous	9	noblacklist ${HOME}/.tremulous
10		10
		11	# Allow /bin/sh (blacklisted by disable-shell.inc)
		12	include allow-bin-sh.inc
		13
11	include disable-common.inc	14	include disable-common.inc
12	include disable-devel.inc	15	include disable-devel.inc
13	include disable-exec.inc	16	include disable-exec.inc
@@ -41,7 +44,7 @@ shell none
41	tracelog	44	tracelog
42		45
43	disable-mnt	46	disable-mnt
44	private-bin tremded,tremulous,tremulous-wrapper	47	private-bin env,sh,tremded,tremulous,tremulous-wrapper
45	private-cache	48	private-cache
46	private-dev	49	private-dev
47	private-tmp	50	private-tmp


diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile index b57f9ba1d..2f818b733 100644 --- a/etc/profile-m-z/warsow.profile +++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
11	noblacklist ${HOME}/.cache/warsow-2.1	11	noblacklist ${HOME}/.cache/warsow-2.1
12	noblacklist ${HOME}/.local/share/warsow-2.1	12	noblacklist ${HOME}/.local/share/warsow-2.1
13		13
		14	# Allow /bin/sh (blacklisted by disable-shell.inc)
		15	include allow-bin-sh.inc
		16
14	include disable-common.inc	17	include disable-common.inc
15	include disable-devel.inc	18	include disable-devel.inc
16	include disable-exec.inc	19	include disable-exec.inc
@@ -39,13 +42,13 @@ noroot
39	notv	42	notv
40	nou2f	43	nou2f
41	novideo	44	novideo
42	protocol unix,inet,inet6	45	protocol unix,inet,inet6,netlink
43	seccomp	46	seccomp
44	shell none	47	shell none
45	tracelog	48	tracelog
46		49
47	disable-mnt	50	disable-mnt
48	private-bin warsow	51	private-bin basename,bash,dirname,sed,sh,uname,warsow
49	private-cache	52	private-cache
50	private-dev	53	private-dev
51	private-tmp	54	private-tmp


diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 7628313e0..44197b547 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
116	#include disable-devel.inc	116	#include disable-devel.inc
117	#include disable-exec.inc	117	#include disable-exec.inc
118	#include disable-interpreters.inc	118	#include disable-interpreters.inc
		119	#include disable-proc.inc
119	#include disable-programs.inc	120	#include disable-programs.inc
120	#include disable-shell.inc	121	#include disable-shell.inc
121	#include disable-write-mnt.inc	122	#include disable-write-mnt.inc