Diffstat (limited to 'etc')
115 files changed, 127 insertions, 175 deletions
diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile index ae863b73d..ece681c35 100644 --- a/etc/QMediathekView.profile +++ b/etc/QMediathekView.profile | |||
@@ -48,8 +48,6 @@ disable-mnt | |||
48 | private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer | 48 | private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | # private-etc alternatives | ||
52 | # private-lib | ||
53 | private-tmp | 51 | private-tmp |
54 | 52 | ||
55 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 53 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile index 230a88472..5ef75022b 100644 --- a/etc/Xephyr.profile +++ b/etc/Xephyr.profile | |||
@@ -34,8 +34,8 @@ shell none | |||
34 | disable-mnt | 34 | disable-mnt |
35 | # using a private home directory | 35 | # using a private home directory |
36 | private | 36 | private |
37 | # private-bin Xephyr,sh,xkbcomp | 37 | # private-bin sh,Xephyr,xkbcomp |
38 | # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls | 38 | # private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp |
39 | private-dev | 39 | private-dev |
40 | # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | 40 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf |
41 | #private-tmp | 41 | #private-tmp |
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile index 259077d86..3ecda698e 100644 --- a/etc/Xvfb.profile +++ b/etc/Xvfb.profile | |||
@@ -37,8 +37,8 @@ shell none | |||
37 | disable-mnt | 37 | disable-mnt |
38 | # using a private home directory | 38 | # using a private home directory |
39 | private | 39 | private |
40 | # private-bin Xvfb,sh,xkbcomp | 40 | # private-bin sh,xkbcomp,Xvfb |
41 | # private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls | 41 | # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb |
42 | private-dev | 42 | private-dev |
43 | private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf | 43 | private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/allow-java.inc b/etc/allow-java.inc index c6ab3b2eb..5204d2dea 100644 --- a/etc/allow-java.inc +++ b/etc/allow-java.inc | |||
@@ -1,3 +1,5 @@ | |||
1 | noblacklist ${HOME}/.java | ||
2 | |||
1 | noblacklist ${PATH}/java | 3 | noblacklist ${PATH}/java |
2 | noblacklist /usr/lib/java | 4 | noblacklist /usr/lib/java |
3 | noblacklist /etc/java | 5 | noblacklist /etc/java |
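Review bot: The new `noblacklist ${HOME}/.java` at the top of allow-java.inc relaxes the home blacklist for every profile that includes this file, not only for arduino.profile and freecol.profile, which drop their own copy of the line later in this commit. That is fine if every consumer of the include really needs ~/.java, but it silently widens what those other sandboxes can read and write, so a comment on the line recording the intent would help, e.g. `# ~/.java is needed by <which Java programs / why> -- see #<issue>`. Whether arduino.profile and freecol.profile still include allow-java.inc is not visible in their hunks, so the removal there rests on that assumption and is worth confirming.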
diff --git a/etc/amarok.profile b/etc/amarok.profile index 6cec3befc..0b974e9ac 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile | |||
@@ -31,5 +31,5 @@ shell none | |||
31 | 31 | ||
32 | # private-bin amarok | 32 | # private-bin amarok |
33 | private-dev | 33 | private-dev |
34 | # private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 34 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl |
35 | private-tmp | 35 | private-tmp |
diff --git a/etc/aosp.profile b/etc/aosp.profile index bdfefa923..701bf4733 100644 --- a/etc/aosp.profile +++ b/etc/aosp.profile | |||
@@ -5,7 +5,6 @@ include aosp.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | |||
9 | noblacklist ${HOME}/.android | 8 | noblacklist ${HOME}/.android |
10 | noblacklist ${HOME}/.bash_history | 9 | noblacklist ${HOME}/.bash_history |
11 | noblacklist ${HOME}/.config/git | 10 | noblacklist ${HOME}/.config/git |
diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile index e353326df..2f08fa169 100644 --- a/etc/arch-audit.profile +++ b/etc/arch-audit.profile | |||
@@ -7,7 +7,6 @@ include arch-audit.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | |||
11 | noblacklist /var/lib/pacman | 10 | noblacklist /var/lib/pacman |
12 | 11 | ||
13 | include disable-common.inc | 12 | include disable-common.inc |
diff --git a/etc/archaudit-report.profile b/etc/archaudit-report.profile index bfd110bf2..19c37f90e 100644 --- a/etc/archaudit-report.profile +++ b/etc/archaudit-report.profile | |||
@@ -6,7 +6,6 @@ include archaudit-report.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist /var/lib/pacman | 9 | noblacklist /var/lib/pacman |
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
@@ -17,8 +16,6 @@ include disable-passwdmgr.inc | |||
17 | include disable-programs.inc | 16 | include disable-programs.inc |
18 | include disable-xdg.inc | 17 | include disable-xdg.inc |
19 | 18 | ||
20 | include whitelist-common.inc | ||
21 | |||
22 | caps.drop all | 19 | caps.drop all |
23 | ipc-namespace | 20 | ipc-namespace |
24 | netfilter | 21 | netfilter |
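Review bot: The second hunk removes `include whitelist-common.inc` (old line 20) without explanation, while gnome-nettool.profile in the same commit disables the identical line as `#include whitelist-common.inc -- see #903`. If the motivation is the same issue, the commented form with the reference is preferable to silent removal, because the dropped include is presumably what confined ${HOME} to a whitelist and its absence changes how much of the home directory the archaudit-report sandbox can see. Suggested line in place of the deletion: `#include whitelist-common.inc -- see #903`.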
diff --git a/etc/ardour5.profile b/etc/ardour5.profile index 211a32e22..5ebeafa76 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile | |||
@@ -34,9 +34,9 @@ protocol unix | |||
34 | seccomp | 34 | seccomp |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | #private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm | 37 | #private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh |
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | #private-etc alternatives,pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf | 40 | #private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11 |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
diff --git a/etc/arduino.profile b/etc/arduino.profile index 26bd3d0a7..fd1ca9a09 100644 --- a/etc/arduino.profile +++ b/etc/arduino.profile | |||
@@ -7,7 +7,6 @@ include arduino.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.arduino15 | 9 | noblacklist ${HOME}/.arduino15 |
10 | noblacklist ${HOME}/.java | ||
11 | noblacklist ${HOME}/Arduino | 10 | noblacklist ${HOME}/Arduino |
12 | noblacklist ${DOCUMENTS} | 11 | noblacklist ${DOCUMENTS} |
13 | 12 | ||
diff --git a/etc/aria2c.profile b/etc/aria2c.profile index b952ac8a6..3b9dfc365 100644 --- a/etc/aria2c.profile +++ b/etc/aria2c.profile | |||
@@ -38,7 +38,7 @@ private-bin aria2c,gzip | |||
38 | # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) | 38 | # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) |
39 | #private-cache | 39 | #private-cache |
40 | private-dev | 40 | private-dev |
41 | private-etc alternatives,ca-certificates,resolv.conf,ssl | 41 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl |
42 | private-lib libreadline.so.* | 42 | private-lib libreadline.so.* |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
diff --git a/etc/ark.profile b/etc/ark.profile index ee0899b1d..7f74a4d49 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
@@ -35,7 +35,7 @@ seccomp | |||
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo | 37 | private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo |
38 | #private-etc alternatives,smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg | 38 | #private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg |
39 | 39 | ||
40 | private-dev | 40 | private-dev |
41 | private-tmp | 41 | private-tmp |
diff --git a/etc/assogiate.profile b/etc/assogiate.profile index 02a4798f4..074d82955 100644 --- a/etc/assogiate.profile +++ b/etc/assogiate.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin assogiate,gtk-update-icon-cache,update-mime-database | 43 | private-bin assogiate,gtk-update-icon-cache,update-mime-database |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.* | 46 | private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.* |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | memory-deny-write-execute | 49 | memory-deny-write-execute |
diff --git a/etc/asunder.profile b/etc/asunder.profile index fa2479051..fc10739aa 100644 --- a/etc/asunder.profile +++ b/etc/asunder.profile | |||
@@ -34,7 +34,6 @@ protocol unix,inet,inet6 | |||
34 | seccomp | 34 | seccomp |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | ||
38 | private-dev | 37 | private-dev |
39 | private-tmp | 38 | private-tmp |
40 | 39 | ||
diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile index 8aae5d668..ac1e21ba7 100644 --- a/etc/bitcoin-qt.profile +++ b/etc/bitcoin-qt.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin bitcoin-qt | 43 | private-bin bitcoin-qt |
44 | private-dev | 44 | private-dev |
45 | # Causes problem with loading of libGL.so | 45 | # Causes problem with loading of libGL.so |
46 | #private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies | 46 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | memory-deny-write-execute | 49 | memory-deny-write-execute |
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 287e5f52e..62eeb88f3 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
@@ -6,12 +6,15 @@ include bitlbee.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | ignore noexec ${HOME} | ||
10 | |||
9 | noblacklist /sbin | 11 | noblacklist /sbin |
10 | noblacklist /usr/sbin | 12 | noblacklist /usr/sbin |
11 | # noblacklist /var/log | 13 | # noblacklist /var/log |
12 | 14 | ||
13 | include disable-common.inc | 15 | include disable-common.inc |
14 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 20 | include disable-programs.inc |
@@ -34,5 +37,4 @@ private-cache | |||
34 | private-dev | 37 | private-dev |
35 | private-tmp | 38 | private-tmp |
36 | 39 | ||
37 | noexec /tmp | ||
38 | read-write /var/lib/bitlbee | 40 | read-write /var/lib/bitlbee |
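Review bot: `ignore noexec ${HOME}` on new line 9 cancels the home-directory noexec that the newly added `include disable-exec.inc` (new line 17) presumably applies, and the hunk gives no reason for it. As this is the one spot where the resulting profile is deliberately weaker than disable-exec.inc, it deserves a comment on the line, e.g. `# bitlbee has to execute from ${HOME}: <reason> -- see #<issue>`. The second hunk drops the explicit `noexec /tmp`, which is only equivalent if disable-exec.inc covers /tmp; that file is not visible here, so worth confirming.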
diff --git a/etc/bless.profile b/etc/bless.profile index d4ac80db1..35235962e 100644 --- a/etc/bless.profile +++ b/etc/bless.profile | |||
@@ -33,7 +33,7 @@ protocol unix | |||
33 | seccomp | 33 | seccomp |
34 | shell none | 34 | shell none |
35 | 35 | ||
36 | # private-bin bless,sh,bash,mono | 36 | # private-bin bash,bless,mono,sh |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,fonts,mono | 39 | private-etc alternatives,fonts,mono |
diff --git a/etc/brasero.profile b/etc/brasero.profile index aa838380a..058253308 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile | |||
@@ -31,7 +31,6 @@ tracelog | |||
31 | # private-bin brasero | 31 | # private-bin brasero |
32 | private-cache | 32 | private-cache |
33 | # private-dev | 33 | # private-dev |
34 | # private-etc alternatives,fonts | ||
35 | # private-tmp | 34 | # private-tmp |
36 | 35 | ||
37 | memory-deny-write-execute | 36 | memory-deny-write-execute |
diff --git a/etc/caja.profile b/etc/caja.profile index 2a95649af..c5cef7b27 100644 --- a/etc/caja.profile +++ b/etc/caja.profile | |||
@@ -39,5 +39,4 @@ tracelog | |||
39 | # caja needs to be able to start arbitrary applications so we cannot blacklist their files | 39 | # caja needs to be able to start arbitrary applications so we cannot blacklist their files |
40 | # private-bin caja | 40 | # private-bin caja |
41 | # private-dev | 41 | # private-dev |
42 | # private-etc alternatives,fonts | ||
43 | # private-tmp | 42 | # private-tmp |
diff --git a/etc/cantata.profile b/etc/cantata.profile index 19abbfea2..c44d56b90 100644 --- a/etc/cantata.profile +++ b/etc/cantata.profile | |||
@@ -34,6 +34,6 @@ protocol unix,inet,inet6,netlink | |||
34 | seccomp | 34 | seccomp |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | # private-etc samba,gcrypt,drirc,fonts,mpd.conf,kde5rc,passwd,xdg,hosts,ssl | 37 | # private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg |
38 | private-bin cantata,mpd,perl | 38 | private-bin cantata,mpd,perl |
39 | private-dev | 39 | private-dev |
diff --git a/etc/catfish.profile b/etc/catfish.profile index f615b5323..c6c2d7e8a 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile | |||
@@ -15,11 +15,11 @@ noblacklist ${HOME}/.config/catfish | |||
15 | include allow-python2.inc | 15 | include allow-python2.inc |
16 | include allow-python3.inc | 16 | include allow-python3.inc |
17 | 17 | ||
18 | include disable-common.inc | 18 | # include disable-common.inc |
19 | # include disable-devel.inc | 19 | # include disable-devel.inc |
20 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
21 | include disable-passwdmgr.inc | 21 | include disable-passwdmgr.inc |
22 | include disable-programs.inc | 22 | # include disable-programs.inc |
23 | 23 | ||
24 | whitelist /var/lib/mlocate | 24 | whitelist /var/lib/mlocate |
25 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
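Review bot: Commenting out `include disable-common.inc` and `include disable-programs.inc` (new lines 18 and 22) removes most of the file blacklist from the catfish sandbox, and nothing in the hunk says why. For a file-search tool the intent is presumably to let it search the whole home, but that makes this the largest relaxation in the commit and the one most likely to be reverted by mistake; elsewhere in this commit disabled lines carry a reference (`#mkfile ${HOME}/.digrc -- see #903`), so the same style fits here: `# include disable-common.inc -- catfish needs to search the whole home, see #<issue>`. If only a handful of paths are actually needed, a targeted `noblacklist` list would keep the rest of the blacklist in force.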
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index 63983d93b..ba6f9d88c 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile | |||
@@ -27,10 +27,9 @@ include whitelist-common.inc | |||
27 | include whitelist-var-common.inc | 27 | include whitelist-var-common.inc |
28 | 28 | ||
29 | apparmor | 29 | apparmor |
30 | caps.keep sys_chroot,sys_admin | 30 | caps.keep sys_admin,sys_chroot |
31 | netfilter | 31 | netfilter |
32 | # Breaks Gnome connector - disable if you use that | 32 | # nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector |
33 | nodbus | ||
34 | nodvd | 33 | nodvd |
35 | nogroups | 34 | nogroups |
36 | notv | 35 | notv |
@@ -42,4 +41,4 @@ private-dev | |||
42 | # private-tmp - problems with multiple browser sessions | 41 | # private-tmp - problems with multiple browser sessions |
43 | 42 | ||
44 | # the file dialog needs to work without d-bus | 43 | # the file dialog needs to work without d-bus |
45 | env NO_CHROME_KDE_FILE_DIALOG=1 | 44 | ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 |
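Review bot: Dropping `nodbus` from the shared chromium base (old line 33) gives every Chromium-family sandbox access to the D-Bus session bus by default, and the rewritten comment on new line 32 only describes what nodbus breaks, not what its absence costs. The comment should say both and tell users how to restore it, e.g. `# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector; add nodbus to your chromium-common.local or globals.local if you do not need these`. The `?HAS_NODBUS:` guard on new line 44 is consistent with that, since the env override now only applies when a local file re-enables nodbus. firefox-common.profile in the same commit keeps nodbus, so the two browser bases diverge; a word on why would help.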
diff --git a/etc/curl.profile b/etc/curl.profile index b8b91d278..76beee46a 100644 --- a/etc/curl.profile +++ b/etc/curl.profile | |||
@@ -34,5 +34,5 @@ shell none | |||
34 | # private-bin curl | 34 | # private-bin curl |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
37 | # private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 37 | # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl |
38 | private-tmp | 38 | private-tmp |
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index fcb448b30..d1fff0004 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile | |||
@@ -13,7 +13,7 @@ mkdir ${HOME}/.cache/8pecxstudios | |||
13 | whitelist ${HOME}/.8pecxstudios | 13 | whitelist ${HOME}/.8pecxstudios |
14 | whitelist ${HOME}/.cache/8pecxstudios | 14 | whitelist ${HOME}/.cache/8pecxstudios |
15 | 15 | ||
16 | # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env | 16 | # private-bin cyberfox,dbus-launch,dbus-send,env,sh,which |
17 | # private-etc must first be enabled in firefox-common.profile | 17 | # private-etc must first be enabled in firefox-common.profile |
18 | #private-etc cyberfox | 18 | #private-etc cyberfox |
19 | 19 | ||
diff --git a/etc/dig.profile b/etc/dig.profile index 9bc4ee0ca..6f2c1f755 100644 --- a/etc/dig.profile +++ b/etc/dig.profile | |||
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc | |||
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | mkfile ${HOME}/.digrc | 20 | #mkfile ${HOME}/.digrc -- see #903 |
21 | whitelist ${HOME}/.digrc | 21 | whitelist ${HOME}/.digrc |
22 | include whitelist-common.inc | 22 | include whitelist-common.inc |
23 | include whitelist-var-common.inc | 23 | include whitelist-var-common.inc |
@@ -45,7 +45,6 @@ private | |||
45 | private-bin bash,dig,sh | 45 | private-bin bash,dig,sh |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | # private-etc alternatives,resolv.conf | ||
49 | private-lib | 48 | private-lib |
50 | private-tmp | 49 | private-tmp |
51 | 50 | ||
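Review bot: With `mkfile ${HOME}/.digrc` commented out (new line 20), the `whitelist ${HOME}/.digrc` kept on line 21 only takes effect on hosts where the file already exists; if it does not, the entry is presumably skipped and dig runs without a .digrc, which is likely the intent behind #903 but is not obvious from the two lines side by side. A short comment on line 21 such as `# only whitelisted if it already exists, nothing creates it any more (see #903)` would stop someone from re-adding the mkfile later.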
diff --git a/etc/digikam.profile b/etc/digikam.profile index e9c89a1b9..1b80981f7 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile | |||
@@ -33,11 +33,8 @@ noroot | |||
33 | notv | 33 | notv |
34 | protocol unix,inet,inet6,netlink | 34 | protocol unix,inet,inet6,netlink |
35 | seccomp | 35 | seccomp |
36 | # seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group | ||
37 | shell none | 36 | shell none |
38 | 37 | ||
39 | # private-bin program | ||
40 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device | 38 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device |
41 | # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies | 39 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
42 | private-tmp | 40 | private-tmp |
43 | |||
diff --git a/etc/dino.profile b/etc/dino.profile index 2db395e02..f7b220936 100644 --- a/etc/dino.profile +++ b/etc/dino.profile | |||
@@ -37,6 +37,6 @@ shell none | |||
37 | disable-mnt | 37 | disable-mnt |
38 | private-bin dino | 38 | private-bin dino |
39 | private-dev | 39 | private-dev |
40 | # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection | 40 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index ffced747b..ae248f2e8 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
@@ -26,7 +26,7 @@ nosound | |||
26 | notv | 26 | notv |
27 | nou2f | 27 | nou2f |
28 | novideo | 28 | novideo |
29 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 29 | seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice |
30 | 30 | ||
31 | disable-mnt | 31 | disable-mnt |
32 | private | 32 | private |
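Review bot: The sorted `seccomp.drop` list on new line 29 still contains `perf_event_open` twice, so the reorder carried over a duplicate that the same cleanup removed elsewhere in this commit (ardour5.profile's private-etc lost its doubled `alternatives`). The duplicate is harmless to the filter but misleading in a list that is now meant to be canonical; drop the second `perf_event_open`.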
diff --git a/etc/elinks.profile b/etc/elinks.profile index 980fa7617..94f4179c7 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile | |||
@@ -36,5 +36,5 @@ tracelog | |||
36 | # private-bin elinks | 36 | # private-bin elinks |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies | 39 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
40 | private-tmp | 40 | private-tmp |
diff --git a/etc/engrampa.profile b/etc/engrampa.profile index 562e8f542..aaf3e3382 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile | |||
@@ -35,7 +35,6 @@ tracelog | |||
35 | 35 | ||
36 | # private-bin engrampa | 36 | # private-bin engrampa |
37 | private-dev | 37 | private-dev |
38 | # private-etc alternatives,fonts | ||
39 | # private-tmp | 38 | # private-tmp |
40 | 39 | ||
41 | memory-deny-write-execute | 40 | memory-deny-write-execute |
diff --git a/etc/evince.profile b/etc/evince.profile index 1a429d673..c1fbc7a4f 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -43,7 +43,7 @@ private-bin evince,evince-previewer,evince-thumbnailer | |||
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,fonts,group,machine-id,passwd | 45 | private-etc alternatives,fonts,group,machine-id,passwd |
46 | private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*,gconv | 46 | private-lib evince,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803) | 49 | # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803) |
diff --git a/etc/feh-network.inc b/etc/feh-network.inc index f3876475e..e94e7205c 100644 --- a/etc/feh-network.inc +++ b/etc/feh-network.inc | |||
@@ -1,4 +1,4 @@ | |||
1 | ignore net none | 1 | ignore net none |
2 | netfilter | 2 | netfilter |
3 | protocol unix,inet,inet6 | 3 | protocol unix,inet,inet6 |
4 | private-etc resolv.conf,ca-certificates,ssl,pki,hosts,crypto-policies | 4 | private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl |
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile index 46d0bd08e..d64fe830f 100644 --- a/etc/fetchmail.profile +++ b/etc/fetchmail.profile | |||
@@ -30,5 +30,5 @@ protocol unix,inet,inet6 | |||
30 | seccomp | 30 | seccomp |
31 | shell none | 31 | shell none |
32 | 32 | ||
33 | #private-bin fetchmail,procmail,bash,chmod | 33 | #private-bin bash,chmod,fetchmail,procmail |
34 | private-dev | 34 | private-dev |
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile index 9c1c5b7de..0771bf6a5 100644 --- a/etc/ffmpeg.profile +++ b/etc/ffmpeg.profile | |||
@@ -36,7 +36,6 @@ nou2f | |||
36 | novideo | 36 | novideo |
37 | protocol inet,inet6 | 37 | protocol inet,inet6 |
38 | seccomp | 38 | seccomp |
39 | # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom | ||
40 | shell none | 39 | shell none |
41 | tracelog | 40 | tracelog |
42 | 41 | ||
diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 95accdd36..59d2f3ec8 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile | |||
@@ -39,7 +39,6 @@ tracelog | |||
39 | 39 | ||
40 | # private-bin file-roller | 40 | # private-bin file-roller |
41 | private-dev | 41 | private-dev |
42 | # private-etc alternatives,fonts | ||
43 | # private-tmp | 42 | # private-tmp |
44 | 43 | ||
45 | # memory-deny-write-execute | 44 | # memory-deny-write-execute |
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index bccbb3412..961b338e7 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
@@ -34,11 +34,8 @@ caps.drop all | |||
34 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required. | 34 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required. |
35 | #machine-id | 35 | #machine-id |
36 | netfilter | 36 | netfilter |
37 | # Breaks Gnome connector and KDE Connect. | 37 | # nodbus breaks various desktop integration features |
38 | # Also seems to break Ubuntu titlebar menu. | 38 | # among other things global menus, Gnome connector, KDE connect and power management on KDE Plasma |
39 | # Also breaks enigmail apparently? | ||
40 | # During a stream on Plasma it prevents the mechanism to temporarily bypass the power management, i.e. to keep the screen on. | ||
41 | # Therefore disable if you use that. | ||
42 | nodbus | 39 | nodbus |
43 | nodvd | 40 | nodvd |
44 | nogroups | 41 | nogroups |
@@ -57,5 +54,5 @@ shell none | |||
57 | disable-mnt | 54 | disable-mnt |
58 | private-dev | 55 | private-dev |
59 | # private-etc below works fine on most distributions. There are some problems on CentOS. | 56 | # private-etc below works fine on most distributions. There are some problems on CentOS. |
60 | #private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache | 57 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
61 | private-tmp | 58 | private-tmp |
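Review bot: The rewritten nodbus comment (new lines 37-38) loses the old instruction that users who rely on those features should disable it, and silently drops enigmail from the list of affected features without saying it is no longer affected. A pointer on how to override is worth a line, e.g. `# to re-enable D-Bus put 'ignore nodbus' in your firefox-common.local`, which mirrors the `ignore` and .local idioms used elsewhere in this commit. chromium-common.profile removes nodbus outright in the same commit while this file keeps it; the two comments should at least agree on the reasoning.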
diff --git a/etc/firefox.profile b/etc/firefox.profile index 830bbc6a7..84c647cb9 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/mozilla/firefox | |||
15 | whitelist ${HOME}/.mozilla | 15 | whitelist ${HOME}/.mozilla |
16 | 16 | ||
17 | # firefox requires a shell to launch on Arch. | 17 | # firefox requires a shell to launch on Arch. |
18 | #private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash | 18 | #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which |
19 | # private-etc must first be enabled in firefox-common.profile | 19 | # private-etc must first be enabled in firefox-common.profile |
20 | #private-etc firefox | 20 | #private-etc firefox |
21 | 21 | ||
diff --git a/etc/freecol.profile b/etc/freecol.profile index 2d2853c9c..baeb4c528 100644 --- a/etc/freecol.profile +++ b/etc/freecol.profile | |||
@@ -7,7 +7,6 @@ include freecol.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.freecol | 9 | noblacklist ${HOME}/.freecol |
10 | noblacklist ${HOME}/.java | ||
11 | noblacklist ${HOME}/.cache/freecol | 10 | noblacklist ${HOME}/.cache/freecol |
12 | noblacklist ${HOME}/.config/freecol | 11 | noblacklist ${HOME}/.config/freecol |
13 | noblacklist ${HOME}/.local/share/freecol | 12 | noblacklist ${HOME}/.local/share/freecol |
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index 9596bc610..3931aa64a 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile | |||
@@ -38,5 +38,4 @@ shell none | |||
38 | disable-mnt | 38 | disable-mnt |
39 | # private-bin frozen-bubble | 39 | # private-bin frozen-bubble |
40 | private-dev | 40 | private-dev |
41 | # private-etc alternatives | ||
42 | private-tmp | 41 | private-tmp |
diff --git a/etc/gedit.profile b/etc/gedit.profile index ca2cf6e92..8232bbae4 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile | |||
@@ -44,7 +44,6 @@ tracelog | |||
44 | 44 | ||
45 | # private-bin gedit | 45 | # private-bin gedit |
46 | private-dev | 46 | private-dev |
47 | # private-etc alternatives,fonts | 47 | private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.* |
48 | private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell | ||
49 | private-tmp | 48 | private-tmp |
50 | 49 | ||
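Review bot: The reordered `private-lib` on new line 47 is not a pure sort: the old list's `/usr/bin/gedit` entry is gone, and the remaining `gedit` entry names a library directory, not the executable. If firejail resolves executable paths in private-lib by inspecting their linked libraries, dropping it may change which libraries land in the private /lib, so this needs a run of gedit (including spell checking, given libgspell) rather than being treated as cosmetic. If the removal is deliberate because the main binary's dependencies are collected automatically, say so on the line or in the commit.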
diff --git a/etc/geeqie.profile b/etc/geeqie.profile index adfc3ef1c..8810ca161 100644 --- a/etc/geeqie.profile +++ b/etc/geeqie.profile | |||
@@ -31,4 +31,3 @@ shell none | |||
31 | 31 | ||
32 | # private-bin geeqie | 32 | # private-bin geeqie |
33 | private-dev | 33 | private-dev |
34 | # private-etc alternatives,X11 | ||
diff --git a/etc/github-desktop.profile b/etc/github-desktop.profile index 4a969f9ad..b25b138ad 100644 --- a/etc/github-desktop.profile +++ b/etc/github-desktop.profile | |||
@@ -42,7 +42,6 @@ disable-mnt | |||
42 | private-cache | 42 | private-cache |
43 | ?HAS_APPIMAGE: ignore private-dev | 43 | ?HAS_APPIMAGE: ignore private-dev |
44 | private-dev | 44 | private-dev |
45 | # private-etc alternatives | ||
46 | # private-lib | 45 | # private-lib |
47 | private-tmp | 46 | private-tmp |
48 | 47 | ||
diff --git a/etc/gjs.profile b/etc/gjs.profile index f119e5b34..17b0aa5cf 100644 --- a/etc/gjs.profile +++ b/etc/gjs.profile | |||
@@ -32,7 +32,7 @@ seccomp | |||
32 | shell none | 32 | shell none |
33 | tracelog | 33 | tracelog |
34 | 34 | ||
35 | # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather | 35 | # private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather |
36 | private-dev | 36 | private-dev |
37 | # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies | 37 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
38 | private-tmp | 38 | private-tmp |
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index 184751132..25cd94f0c 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile | |||
@@ -36,8 +36,7 @@ seccomp | |||
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | # private-bin gjs gnome-books | 39 | # private-bin gjs,gnome-books |
40 | private-dev | 40 | private-dev |
41 | # private-etc alternatives,fonts | ||
42 | private-tmp | 41 | private-tmp |
43 | 42 | ||
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile index 97de9c2be..be8e809ce 100644 --- a/etc/gnome-maps.profile +++ b/etc/gnome-maps.profile | |||
@@ -10,6 +10,7 @@ include globals.local | |||
10 | 10 | ||
11 | noblacklist ${HOME}/.cache/champlain | 11 | noblacklist ${HOME}/.cache/champlain |
12 | noblacklist ${HOME}/.local/share/flatpak | 12 | noblacklist ${HOME}/.local/share/flatpak |
13 | noblacklist ${HOME}/.local/share/maps-places.json | ||
13 | 14 | ||
14 | include disable-common.inc | 15 | include disable-common.inc |
15 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -19,6 +20,13 @@ include disable-passwdmgr.inc | |||
19 | include disable-programs.inc | 20 | include disable-programs.inc |
20 | include disable-xdg.inc | 21 | include disable-xdg.inc |
21 | 22 | ||
23 | mkdir ${HOME}/.cache/champlain | ||
24 | mkfile ${HOME}/.local/share/maps-places.json | ||
25 | whitelist ${HOME}/.cache/champlain | ||
26 | whitelist ${HOME}/.local/share/maps-places.json | ||
27 | whitelist ${DOWNLOADS} | ||
28 | whitelist ${PICTURES} | ||
29 | include whitelist-common.inc | ||
22 | include whitelist-var-common.inc | 30 | include whitelist-var-common.inc |
23 | 31 | ||
24 | apparmor | 32 | apparmor |
@@ -39,8 +47,9 @@ shell none | |||
39 | tracelog | 47 | tracelog |
40 | 48 | ||
41 | disable-mnt | 49 | disable-mnt |
42 | # private-bin gjs gnome-maps | 50 | private-bin gjs,gnome-maps |
51 | # private-cache -- gnome-maps cache all maps/satelite-images | ||
43 | private-dev | 52 | private-dev |
44 | # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies | 53 | private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg |
45 | private-tmp | 54 | private-tmp |
46 | 55 | ||
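Review bot: The new `whitelist ${DOWNLOADS}` and `whitelist ${PICTURES}` on new lines 27–28 carry no justification, so whoever tightens this profile later cannot tell whether gnome-maps actually needs those directories (presumably for exporting map images) or whether they can go; a one-line reason such as `# ${DOWNLOADS}/${PICTURES}: export of map images - TODO confirm` would settle it. The comment on new line 51 misspells satellite and uses a double dash unlike the other comments in this file; `# private-cache - gnome-maps caches all map tiles/satellite images` reads cleaner. The hand-assembled `private-etc` list on new line 53 is the kind of entry that only shows a missing file as runtime breakage, so noting the distribution it was tested on in a comment would help the next person who hits a failure.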
diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile index 3f28b7efe..001274372 100644 --- a/etc/gnome-nettool.profile +++ b/etc/gnome-nettool.profile | |||
@@ -14,7 +14,7 @@ include disable-passwdmgr.inc | |||
14 | include disable-programs.inc | 14 | include disable-programs.inc |
15 | include disable-xdg.inc | 15 | include disable-xdg.inc |
16 | 16 | ||
17 | include whitelist-common.inc | 17 | #include whitelist-common.inc -- see #903 |
18 | include whitelist-var-common.inc | 18 | include whitelist-var-common.inc |
19 | 19 | ||
20 | caps.keep net_raw | 20 | caps.keep net_raw |
@@ -39,6 +39,6 @@ disable-mnt | |||
39 | private | 39 | private |
40 | private-cache | 40 | private-cache |
41 | private-dev | 41 | private-dev |
42 | private-lib libgtk-3.so.*,libgtop*,libbind9.so.*,libcrypto.so.*,libdns.so.*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.* | 42 | private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.* |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
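Review bot: The disabled `include whitelist-common.inc` on new line 17 points at #903 but does not say what breaks, so the next reader has to look the issue up before daring to re-enable it; `# include whitelist-common.inc - breaks <what> (see #903)` with the actual symptom would be more useful. Note also that `private` on line 39 already replaces the home directory with an empty one, so the whitelist include was presumably a no-op for this profile anyway; if that is the real reason it is safe to drop, stating it inline prevents someone from re-adding it as a "hardening" later.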
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index 4e5a3b109..3bbad67bb 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile | |||
@@ -33,8 +33,7 @@ seccomp | |||
33 | shell none | 33 | shell none |
34 | tracelog | 34 | tracelog |
35 | 35 | ||
36 | # private-bin gjs gnome-photos | 36 | # private-bin gjs,gnome-photos |
37 | private-dev | 37 | private-dev |
38 | # private-etc alternatives,fonts | ||
39 | private-tmp | 38 | private-tmp |
40 | 39 | ||
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile index 08256f3a5..0fca08505 100644 --- a/etc/gnome-schedule.profile +++ b/etc/gnome-schedule.profile | |||
@@ -69,6 +69,5 @@ tracelog | |||
69 | disable-mnt | 69 | disable-mnt |
70 | private-cache | 70 | private-cache |
71 | private-dev | 71 | private-dev |
72 | # private-etc alternatives | ||
73 | writable-var | 72 | writable-var |
74 | 73 | ||
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile index ef7255130..a43db7e2f 100644 --- a/etc/gnome-weather.profile +++ b/etc/gnome-weather.profile | |||
@@ -37,8 +37,8 @@ shell none | |||
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | disable-mnt | 39 | disable-mnt |
40 | # private-bin gjs gnome-weather | 40 | # private-bin gjs,gnome-weather |
41 | private-dev | 41 | private-dev |
42 | # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies | 42 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
diff --git a/etc/goobox.profile b/etc/goobox.profile index be332665e..c932ad528 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile | |||
@@ -31,5 +31,5 @@ tracelog | |||
31 | 31 | ||
32 | # private-bin goobox | 32 | # private-bin goobox |
33 | private-dev | 33 | private-dev |
34 | # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 34 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl |
35 | # private-tmp | 35 | # private-tmp |
diff --git a/etc/highlight.profile b/etc/highlight.profile index 243643aea..cae8e29d7 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile | |||
@@ -34,5 +34,4 @@ tracelog | |||
34 | private-bin highlight | 34 | private-bin highlight |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
37 | # private-etc alternatives | ||
38 | private-tmp | 37 | private-tmp |
diff --git a/etc/img2txt.profile b/etc/img2txt.profile index ade50048e..a36af8abf 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile | |||
@@ -38,7 +38,6 @@ tracelog | |||
38 | # private-bin img2txt | 38 | # private-bin img2txt |
39 | private-cache | 39 | private-cache |
40 | private-dev | 40 | private-dev |
41 | # private-etc alternatives | ||
42 | private-tmp | 41 | private-tmp |
43 | 42 | ||
44 | memory-deny-write-execute | 43 | memory-deny-write-execute |
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 74fadb4a9..5b7275718 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile | |||
@@ -6,7 +6,6 @@ include jd-gui.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/jd-gui.cfg | 8 | noblacklist ${HOME}/.config/jd-gui.cfg |
9 | noblacklist ${HOME}/.java | ||
10 | 9 | ||
11 | # Allow java (blacklisted by disable-devel.inc) | 10 | # Allow java (blacklisted by disable-devel.inc) |
12 | include allow-java.inc | 11 | include allow-java.inc |
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index 710c86e9a..361109127 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile | |||
@@ -35,4 +35,4 @@ shell none | |||
35 | 35 | ||
36 | private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine | 36 | private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine |
37 | private-dev | 37 | private-dev |
38 | # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11 | 38 | # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg |
diff --git a/etc/kmail.profile b/etc/kmail.profile index 009b2c063..0b602c79a 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -53,9 +53,8 @@ protocol unix,inet,inet6,netlink | |||
53 | # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls | 53 | # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls |
54 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 54 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
55 | # tracelog | 55 | # tracelog |
56 | # writable-run-user is needed for signing and encrypting emails | ||
57 | writable-run-user | ||
58 | 56 | ||
59 | private-dev | 57 | private-dev |
60 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments | 58 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments |
61 | 59 | # writable-run-user is needed for signing and encrypting emails | |
60 | writable-run-user | ||
diff --git a/etc/kopete.profile b/etc/kopete.profile index 5e931ddac..e0bdce059 100644 --- a/etc/kopete.profile +++ b/etc/kopete.profile | |||
@@ -31,8 +31,8 @@ notv | |||
31 | nou2f | 31 | nou2f |
32 | protocol unix,inet,inet6,netlink | 32 | protocol unix,inet,inet6,netlink |
33 | seccomp | 33 | seccomp |
34 | writable-var | ||
35 | 34 | ||
36 | private-dev | 35 | private-dev |
37 | private-tmp | 36 | private-tmp |
37 | writable-var | ||
38 | 38 | ||
diff --git a/etc/less.profile b/etc/less.profile index bc85e5ad5..897d38b9d 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -34,7 +34,6 @@ protocol unix | |||
34 | seccomp | 34 | seccomp |
35 | shell none | 35 | shell none |
36 | tracelog | 36 | tracelog |
37 | writable-var-log | ||
38 | 37 | ||
39 | # The user can have a custom coloring script configured in ${HOME}/.lessfilter. | 38 | # The user can have a custom coloring script configured in ${HOME}/.lessfilter. |
40 | # Enable private-bin and private-lib if you are not using any filter. | 39 | # Enable private-bin and private-lib if you are not using any filter. |
@@ -42,5 +41,6 @@ writable-var-log | |||
42 | # private-lib | 41 | # private-lib |
43 | private-cache | 42 | private-cache |
44 | private-dev | 43 | private-dev |
44 | writable-var-log | ||
45 | 45 | ||
46 | memory-deny-write-execute | 46 | memory-deny-write-execute |
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 05dfd4ca6..b8a6201b2 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -6,7 +6,6 @@ include libreoffice.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist /usr/local/sbin | 9 | noblacklist /usr/local/sbin |
11 | noblacklist ${HOME}/.config/libreoffice | 10 | noblacklist ${HOME}/.config/libreoffice |
12 | 11 | ||
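Review bot: Dropping `noblacklist ${HOME}/.java` (old line 9) is only safe if libreoffice.profile un-blacklists the Java paths from disable-devel.inc some other way; unlike jd-gui.profile and pdfsam.profile in this same commit, this hunk shows no `include allow-java.inc`, and the rest of the file is outside the hunk. Please confirm the include is present further down, or add `# Allow java (blacklisted by disable-devel.inc)` followed by `include allow-java.inc` as the other profiles do, otherwise the features of LibreOffice that rely on a JRE would lose access to `${HOME}/.java`.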
diff --git a/etc/lynx.profile b/etc/lynx.profile index 2f043c9b9..063285316 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile | |||
@@ -34,5 +34,5 @@ tracelog | |||
34 | # private-bin lynx | 34 | # private-bin lynx |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
37 | # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies | 37 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
38 | private-tmp | 38 | private-tmp |
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile index 4ebb5429a..95cd673c6 100644 --- a/etc/mediathekview.profile +++ b/etc/mediathekview.profile | |||
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.config/smplayer | |||
11 | noblacklist ${HOME}/.config/totem | 11 | noblacklist ${HOME}/.config/totem |
12 | noblacklist ${HOME}/.config/vlc | 12 | noblacklist ${HOME}/.config/vlc |
13 | noblacklist ${HOME}/.config/xplayer | 13 | noblacklist ${HOME}/.config/xplayer |
14 | noblacklist ${HOME}/.java | ||
15 | noblacklist ${HOME}/.local/share/totem | 14 | noblacklist ${HOME}/.local/share/totem |
16 | noblacklist ${HOME}/.local/share/xplayer | 15 | noblacklist ${HOME}/.local/share/xplayer |
17 | noblacklist ${HOME}/.mediathek3 | 16 | noblacklist ${HOME}/.mediathek3 |
diff --git a/etc/minetest.profile b/etc/minetest.profile index b3e692446..0439a1ccc 100644 --- a/etc/minetest.profile +++ b/etc/minetest.profile | |||
@@ -6,6 +6,7 @@ include minetest.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.cache/minetest | ||
9 | noblacklist ${HOME}/.minetest | 10 | noblacklist ${HOME}/.minetest |
10 | 11 | ||
11 | include disable-common.inc | 12 | include disable-common.inc |
@@ -16,7 +17,9 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 17 | include disable-programs.inc |
17 | include disable-xdg.inc | 18 | include disable-xdg.inc |
18 | 19 | ||
20 | mkdir ${HOME}/.cache/minetest | ||
19 | mkdir ${HOME}/.minetest | 21 | mkdir ${HOME}/.minetest |
22 | whitelist ${HOME}/.cache/minetest | ||
20 | whitelist ${HOME}/.minetest | 23 | whitelist ${HOME}/.minetest |
21 | include whitelist-common.inc | 24 | include whitelist-common.inc |
22 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
@@ -42,5 +45,5 @@ private-bin minetest | |||
42 | private-cache | 45 | private-cache |
43 | private-dev | 46 | private-dev |
44 | # private-etc needs to be updated, see #1702 | 47 | # private-etc needs to be updated, see #1702 |
45 | #private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id | 48 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl |
46 | private-tmp | 49 | private-tmp |
diff --git a/etc/mpd.profile b/etc/mpd.profile index 0a98de7c4..0b5ebf705 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile | |||
@@ -34,7 +34,7 @@ protocol unix,inet,inet6 | |||
34 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | 34 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | #private-bin mpd,bash | 37 | #private-bin bash,mpd |
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-tmp | 40 | private-tmp |
diff --git a/etc/multimc5.profile b/etc/multimc5.profile index 98edf273e..475307418 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile | |||
@@ -5,7 +5,6 @@ include multimc5.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.java | ||
9 | noblacklist ${HOME}/.local/share/multimc | 8 | noblacklist ${HOME}/.local/share/multimc |
10 | noblacklist ${HOME}/.local/share/multimc5 | 9 | noblacklist ${HOME}/.local/share/multimc5 |
11 | noblacklist ${HOME}/.multimc5 | 10 | noblacklist ${HOME}/.multimc5 |
@@ -43,7 +42,7 @@ shell none | |||
43 | 42 | ||
44 | disable-mnt | 43 | disable-mnt |
45 | # private-bin works, but causes weirdness | 44 | # private-bin works, but causes weirdness |
46 | # private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname | 45 | # private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper |
47 | private-dev | 46 | private-dev |
48 | private-tmp | 47 | private-tmp |
49 | 48 | ||
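Review bot: Removing `noblacklist ${HOME}/.java` (old line 8) from a Java launcher profile is only safe if `${HOME}/.java` is un-blacklisted elsewhere in the file; the hunk shows no `include allow-java.inc`, and the commented `private-bin` list on new line 45 still expects `java`, so the launcher clearly depends on a JRE. Please confirm the include exists outside the hunk, or add `include allow-java.inc` with the same `# Allow java (blacklisted by disable-devel.inc)` comment that jd-gui.profile uses in this commit.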
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 1d5953ff7..673c9fd0b 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile | |||
@@ -36,7 +36,7 @@ seccomp | |||
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | # private-bin mupdf,sh,tempfile,rm | 39 | # private-bin mupdf,rm,sh,tempfile |
40 | private-dev | 40 | private-dev |
41 | private-etc alternatives,fonts | 41 | private-etc alternatives,fonts |
42 | private-tmp | 42 | private-tmp |
diff --git a/etc/mutt.profile b/etc/mutt.profile index 419e17e95..c424dbb85 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -54,6 +54,6 @@ novideo | |||
54 | protocol unix,inet,inet6 | 54 | protocol unix,inet,inet6 |
55 | seccomp | 55 | seccomp |
56 | shell none | 56 | shell none |
57 | writable-run-user | ||
58 | 57 | ||
59 | private-dev | 58 | private-dev |
59 | writable-run-user | ||
diff --git a/etc/nautilus.profile b/etc/nautilus.profile index b81313b6a..d6d08679b 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile | |||
@@ -40,5 +40,4 @@ tracelog | |||
40 | # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files | 40 | # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files |
41 | # private-bin nautilus | 41 | # private-bin nautilus |
42 | # private-dev | 42 | # private-dev |
43 | # private-etc alternatives,fonts | ||
44 | # private-tmp | 43 | # private-tmp |
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index bff42fb19..d80b3d351 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile | |||
@@ -33,5 +33,4 @@ shell none | |||
33 | 33 | ||
34 | # private-bin open-invaders | 34 | # private-bin open-invaders |
35 | private-dev | 35 | private-dev |
36 | # private-etc alternatives | ||
37 | private-tmp | 36 | private-tmp |
diff --git a/etc/openarena.profile b/etc/openarena.profile index f36d3270f..c83e78e2c 100644 --- a/etc/openarena.profile +++ b/etc/openarena.profile | |||
@@ -21,16 +21,12 @@ include whitelist-var-common.inc | |||
21 | apparmor | 21 | apparmor |
22 | caps.drop all | 22 | caps.drop all |
23 | # ipc-namespace | 23 | # ipc-namespace |
24 | # machine-id | ||
25 | # net none | ||
26 | # netfilter | 24 | # netfilter |
27 | # no3d | ||
28 | # nodbus | 25 | # nodbus |
29 | # nodvd | 26 | # nodvd |
30 | # nogroups | 27 | # nogroups |
31 | nonewprivs | 28 | nonewprivs |
32 | noroot | 29 | noroot |
33 | # nosound | ||
34 | notv | 30 | notv |
35 | # nou2f | 31 | # nou2f |
36 | novideo | 32 | novideo |
@@ -40,12 +36,8 @@ shell none | |||
40 | # tracelog | 36 | # tracelog |
41 | 37 | ||
42 | # disable-mnt | 38 | # disable-mnt |
43 | # private | ||
44 | # private-bin openarena | 39 | # private-bin openarena |
45 | private-cache | 40 | private-cache |
46 | private-dev | 41 | private-dev |
47 | # private-etc machine-id,xdg,openal,udev,drirc,passwd,selinux | 42 | # private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg |
48 | # private-lib | ||
49 | private-tmp | 43 | private-tmp |
50 | |||
51 | # memory-deny-write-execute | ||
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index adff2af3e..48f424190 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile | |||
@@ -6,7 +6,6 @@ include pdfsam.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist ${DOCUMENTS} | 9 | noblacklist ${DOCUMENTS} |
11 | 10 | ||
12 | # Allow java (blacklisted by disable-devel.inc) | 11 | # Allow java (blacklisted by disable-devel.inc) |
diff --git a/etc/peek.profile b/etc/peek.profile index fd836560e..8cbff0c64 100644 --- a/etc/peek.profile +++ b/etc/peek.profile | |||
@@ -34,7 +34,7 @@ seccomp | |||
34 | shell none | 34 | shell none |
35 | 35 | ||
36 | # private-bin breaks gif mode, mp4 and webm mode work fine however | 36 | # private-bin breaks gif mode, mp4 and webm mode work fine however |
37 | # private-bin peek,convert,ffmpeg | 37 | # private-bin convert,ffmpeg,peek |
38 | private-dev | 38 | private-dev |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
diff --git a/etc/ping.profile b/etc/ping.profile index 66574bab5..00ac45c5a 100644 --- a/etc/ping.profile +++ b/etc/ping.profile | |||
@@ -30,10 +30,8 @@ nosound | |||
30 | notv | 30 | notv |
31 | nou2f | 31 | nou2f |
32 | novideo | 32 | novideo |
33 | |||
34 | # protocol command is built using seccomp; nonewprivs will kill it | 33 | # protocol command is built using seccomp; nonewprivs will kill it |
35 | #protocol unix,inet,inet6,netlink,packet | 34 | #protocol unix,inet,inet6,netlink,packet |
36 | |||
37 | # killed by no-new-privs | 35 | # killed by no-new-privs |
38 | #seccomp | 36 | #seccomp |
39 | 37 | ||
@@ -42,7 +40,7 @@ private | |||
42 | #private-bin has mammoth problems with execvp: "No such file or directory" | 40 | #private-bin has mammoth problems with execvp: "No such file or directory" |
43 | private-dev | 41 | private-dev |
44 | # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem! | 42 | # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem! |
45 | #private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies | 43 | #private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl |
46 | private-tmp | 44 | private-tmp |
47 | 45 | ||
48 | # memory-deny-write-execute is built using seccomp; nonewprivs will kill it | 46 | # memory-deny-write-execute is built using seccomp; nonewprivs will kill it |
diff --git a/etc/pingus.profile b/etc/pingus.profile index 6b664248f..782ee200d 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile | |||
@@ -33,5 +33,4 @@ shell none | |||
33 | 33 | ||
34 | # private-bin pingus | 34 | # private-bin pingus |
35 | private-dev | 35 | private-dev |
36 | # private-etc alternatives | ||
37 | private-tmp | 36 | private-tmp |
diff --git a/etc/pluma.profile b/etc/pluma.profile index 47626753a..91e6edc65 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile | |||
@@ -39,7 +39,6 @@ tracelog | |||
39 | 39 | ||
40 | private-bin pluma | 40 | private-bin pluma |
41 | private-dev | 41 | private-dev |
42 | # private-etc alternatives,fonts | ||
43 | private-lib pluma | 42 | private-lib pluma |
44 | private-tmp | 43 | private-tmp |
45 | 44 | ||
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile index 0531aee4a..e35d70c46 100644 --- a/etc/pycharm-community.profile +++ b/etc/pycharm-community.profile | |||
@@ -8,7 +8,6 @@ include globals.local | |||
8 | noblacklist ${HOME}/.PyCharmCE* | 8 | noblacklist ${HOME}/.PyCharmCE* |
9 | noblacklist ${HOME}/.python-history | 9 | noblacklist ${HOME}/.python-history |
10 | noblacklist ${HOME}/.pythonrc.py | 10 | noblacklist ${HOME}/.pythonrc.py |
11 | noblacklist ${HOME}/.java | ||
12 | 11 | ||
13 | # Allow java (blacklisted by disable-devel.inc) | 12 | # Allow java (blacklisted by disable-devel.inc) |
14 | include allow-java.inc | 13 | include allow-java.inc |
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index d5198ef61..fe9caec77 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -53,8 +53,7 @@ shell none | |||
53 | 53 | ||
54 | private-bin python*,qbittorrent | 54 | private-bin python*,qbittorrent |
55 | private-dev | 55 | private-dev |
56 | # private-etc alternatives,X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 56 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg |
57 | # private-lib - problems on Arch | ||
58 | private-tmp | 57 | private-tmp |
59 | 58 | ||
60 | # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo | 59 | # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo |
diff --git a/etc/qgis.profile b/etc/qgis.profile index 15ef4c22a..80a10efce 100644 --- a/etc/qgis.profile +++ b/etc/qgis.profile | |||
@@ -45,7 +45,7 @@ notv | |||
45 | nou2f | 45 | nou2f |
46 | novideo | 46 | novideo |
47 | # blacklisting of mbind system calls breaks old version | 47 | # blacklisting of mbind system calls breaks old version |
48 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore | 48 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice |
49 | protocol unix,inet,inet6,netlink | 49 | protocol unix,inet,inet6,netlink |
50 | shell none | 50 | shell none |
51 | tracelog | 51 | tracelog |
diff --git a/etc/quiterss.profile b/etc/quiterss.profile index e2a3c9c23..ca1abcdc9 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile | |||
@@ -50,5 +50,5 @@ tracelog | |||
50 | disable-mnt | 50 | disable-mnt |
51 | private-bin quiterss | 51 | private-bin quiterss |
52 | private-dev | 52 | private-dev |
53 | # private-etc alternatives,X11,ssl,pki,ca-certificates,crypto-policies | 53 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11 |
54 | 54 | ||
diff --git a/etc/remmina.profile b/etc/remmina.profile index a77f2d8aa..e85ceca13 100644 --- a/etc/remmina.profile +++ b/etc/remmina.profile | |||
@@ -31,7 +31,6 @@ nou2f | |||
31 | novideo | 31 | novideo |
32 | protocol unix,inet,inet6 | 32 | protocol unix,inet,inet6 |
33 | seccomp | 33 | seccomp |
34 | # seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev | ||
35 | shell none | 34 | shell none |
36 | 35 | ||
37 | private-cache | 36 | private-cache |
diff --git a/etc/rhythmbox-client.profile b/etc/rhythmbox-client.profile new file mode 100644 index 000000000..29e65d716 --- /dev/null +++ b/etc/rhythmbox-client.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for rhythmbox-client | ||
2 | # Description: controls a running instance of rhythmbox | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include rhythmbox-client.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include rhythmbox.profile | ||
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 1c9f0e4d1..9bcbdb561 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -26,7 +26,6 @@ include whitelist-var-common.inc | |||
26 | # apparmor - makes settings immutable | 26 | # apparmor - makes settings immutable |
27 | caps.drop all | 27 | caps.drop all |
28 | netfilter | 28 | netfilter |
29 | # no3d | ||
30 | # nodbus - makes settings immutable | 29 | # nodbus - makes settings immutable |
31 | nogroups | 30 | nogroups |
32 | nonewprivs | 31 | nonewprivs |
@@ -39,7 +38,6 @@ seccomp | |||
39 | shell none | 38 | shell none |
40 | tracelog | 39 | tracelog |
41 | 40 | ||
42 | private-bin rhythmbox | 41 | private-bin rhythmbox,rhythmbox-client |
43 | private-dev | 42 | private-dev |
44 | private-tmp | 43 | private-tmp |
45 | |||
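Review bot: Adding `rhythmbox-client` to `private-bin` (new line 41) is required because the new rhythmbox-client.profile redirects into this file, but nothing in the profile records that dependency, so a later cleanup could drop the entry again and break the client silently. A comment above new line 41 such as `# rhythmbox-client is listed because rhythmbox-client.profile redirects here` would document it. Presumably the client reaches the running player over the session bus, which is also why `nodbus` on line 29 must stay disabled; if so, extending that line's comment to `# nodbus - makes settings immutable and breaks rhythmbox-client` captures both reasons.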
diff --git a/etc/ricochet.profile b/etc/ricochet.profile index fc770d62d..1b8fbbc97 100644 --- a/etc/ricochet.profile +++ b/etc/ricochet.profile | |||
@@ -37,5 +37,5 @@ shell none | |||
37 | disable-mnt | 37 | disable-mnt |
38 | private-bin ricochet,tor | 38 | private-bin ricochet,tor |
39 | private-dev | 39 | private-dev |
40 | #private-etc alternatives,fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies | 40 | #private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11 |
41 | 41 | ||
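Review bot: The sorted `#private-etc` list on new line 40 now shows `alternatives` twice (`alternatives,alternatives,ca-certificates,...`); the duplicate existed before the sort as well, but since the line was touched anyway the second entry should go: `#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11`. The duplicate is harmless while the line stays commented, but it would be copied verbatim the day someone enables it.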
diff --git a/etc/scribus.profile b/etc/scribus.profile index c50e0861c..e20cd1b5a 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile | |||
@@ -56,7 +56,7 @@ seccomp | |||
56 | shell none | 56 | shell none |
57 | tracelog | 57 | tracelog |
58 | 58 | ||
59 | # private-bin scribus,gs,gimp* | 59 | # private-bin gimp*,gs,scribus |
60 | private-dev | 60 | private-dev |
61 | private-tmp | 61 | private-tmp |
62 | 62 | ||
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index be63f9382..a7c95c073 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -50,6 +50,5 @@ tracelog | |||
50 | disable-mnt | 50 | disable-mnt |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,hostname,host.conf,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 | 53 | private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 |
54 | |||
55 | writable-run-user | 54 | writable-run-user |
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index ca74efe68..807effbeb 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
@@ -52,4 +52,4 @@ seccomp | |||
52 | tracelog | 52 | tracelog |
53 | 53 | ||
54 | disable-mnt | 54 | disable-mnt |
55 | # private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies | 55 | # private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl |
diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 264566dcd..e6c48561f 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile | |||
@@ -5,10 +5,13 @@ include shotcut.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | ignore noexec ${HOME} | ||
9 | |||
8 | noblacklist ${HOME}/.config/Meltytech | 10 | noblacklist ${HOME}/.config/Meltytech |
9 | 11 | ||
10 | include disable-common.inc | 12 | include disable-common.inc |
11 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 17 | include disable-programs.inc |
@@ -26,9 +29,6 @@ protocol unix | |||
26 | seccomp | 29 | seccomp |
27 | shell none | 30 | shell none |
28 | 31 | ||
29 | #private-bin shotcut,melt,qmelt,nice | 32 | #private-bin melt,nice,qmelt,shotcut |
30 | private-cache | 33 | private-cache |
31 | private-dev | 34 | private-dev |
32 | |||
33 | #noexec ${HOME} | ||
34 | noexec /tmp | ||
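Review bot: `ignore noexec ${HOME}` on new line 8 silently cancels part of the newly added `include disable-exec.inc` (new line 14) without saying why, whereas the old profile at least made its choice visible with the explicit `noexec /tmp` and the commented `#noexec ${HOME}`; a comment stating what shotcut needs to execute from the home directory would keep the exemption from being treated as cargo cult, e.g. `# shotcut must execute <what> from ${HOME}` with the real reason (and issue reference, if any) filled in. Please also confirm that disable-exec.inc really carries `noexec /tmp`, since the explicit `noexec /tmp` on old line 34 is gone and the include's contents are not visible here; if it does not, the commit quietly makes /tmp executable again.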
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index 4ad841880..64441483d 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile | |||
@@ -33,5 +33,5 @@ tracelog | |||
33 | 33 | ||
34 | # private-bin simple-scan | 34 | # private-bin simple-scan |
35 | # private-dev | 35 | # private-dev |
36 | # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies | 36 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
37 | # private-tmp | 37 | # private-tmp |
diff --git a/etc/simplescreenrecorder.profile b/etc/simplescreenrecorder.profile index ead475e07..a3caedf88 100644 --- a/etc/simplescreenrecorder.profile +++ b/etc/simplescreenrecorder.profile | |||
@@ -31,7 +31,6 @@ tracelog | |||
31 | 31 | ||
32 | private-cache | 32 | private-cache |
33 | private-dev | 33 | private-dev |
34 | # private-etc alternatives | ||
35 | private-tmp | 34 | private-tmp |
36 | 35 | ||
37 | memory-deny-write-execute | 36 | memory-deny-write-execute |
diff --git a/etc/simutrans.profile b/etc/simutrans.profile index c07b1c145..7febcde46 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile | |||
@@ -33,5 +33,4 @@ shell none | |||
33 | 33 | ||
34 | # private-bin simutrans | 34 | # private-bin simutrans |
35 | private-dev | 35 | private-dev |
36 | # private-etc alternatives | ||
37 | private-tmp | 36 | private-tmp |
diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 76b050d18..c10be717b 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile | |||
@@ -16,7 +16,6 @@ include disable-programs.inc | |||
16 | include disable-xdg.inc | 16 | include disable-xdg.inc |
17 | 17 | ||
18 | caps.drop all | 18 | caps.drop all |
19 | # net none | ||
20 | netfilter | 19 | netfilter |
21 | # nodbus | 20 | # nodbus |
22 | nodvd | 21 | nodvd |
@@ -31,6 +30,6 @@ protocol unix,inet,inet6,netlink | |||
31 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 30 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
32 | shell none | 31 | shell none |
33 | 32 | ||
34 | # private-bin skanlite,kbuildsycoca4,kdeinit4 | 33 | # private-bin kbuildsycoca4,kdeinit4,skanlite |
35 | # private-dev | 34 | # private-dev |
36 | # private-tmp | 35 | # private-tmp |
diff --git a/etc/skype.profile b/etc/skype.profile index 55057c546..5fab8bdc7 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
@@ -28,7 +28,7 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | disable-mnt | 30 | disable-mnt |
31 | #private-bin skype,bash | 31 | #private-bin bash,skype |
32 | private-cache | 32 | private-cache |
33 | private-dev | 33 | private-dev |
34 | private-tmp | 34 | private-tmp |
diff --git a/etc/ssh.profile b/etc/ssh.profile index 17d286b18..ce0e54a0d 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
@@ -37,6 +37,6 @@ tracelog | |||
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | # private-tmp # Breaks when exiting | 39 | # private-tmp # Breaks when exiting |
40 | writable-run-user | ||
40 | 41 | ||
41 | memory-deny-write-execute | 42 | memory-deny-write-execute |
42 | writable-run-user | ||
diff --git a/etc/steam.profile b/etc/steam.profile index df7bfba85..b6b340980 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -6,7 +6,6 @@ include steam.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist ${HOME}/.killingfloor | 9 | noblacklist ${HOME}/.killingfloor |
11 | noblacklist ${HOME}/.local/share/3909/PapersPlease | 10 | noblacklist ${HOME}/.local/share/3909/PapersPlease |
12 | noblacklist ${HOME}/.local/share/aspyr-media | 11 | noblacklist ${HOME}/.local/share/aspyr-media |
@@ -60,7 +59,7 @@ shell none | |||
60 | #tracelog | 59 | #tracelog |
61 | 60 | ||
62 | # private-bin is disabled while in testing, but has been tested working with multiple games | 61 | # private-bin is disabled while in testing, but has been tested working with multiple games |
63 | #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity | 62 | #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity |
64 | # extra programs are available which might be needed for select games | 63 | # extra programs are available which might be needed for select games |
65 | #private-bin java,java-config,mono | 64 | #private-bin java,java-config,mono |
66 | # picture viewers are needed for viewing screenshots | 65 | # picture viewers are needed for viewing screenshots |
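Review bot: Dropping `noblacklist ${HOME}/.java` at old line 9 is only safe if no included file still blacklists `${HOME}/.java`; if disable-devel.inc or disable-programs.inc still lists it, the Java preference store becomes invisible to the sandboxed program. The same removal appears in this commit in terasology.profile, tuxguitar.profile, webstorm.profile and zaproxy.profile, and the Java-based ones are the most likely to notice. If the matching blacklist entry was removed elsewhere in the same commit, a short mention of that in the commit message would make the relationship clear.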
diff --git a/etc/supertux2.profile b/etc/supertux2.profile index 793e4126c..287a078b3 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile | |||
@@ -34,5 +34,4 @@ shell none | |||
34 | disable-mnt | 34 | disable-mnt |
35 | # private-bin supertux2 | 35 | # private-bin supertux2 |
36 | private-dev | 36 | private-dev |
37 | # private-etc alternatives | ||
38 | private-tmp | 37 | private-tmp |
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 33086a99d..30b0ad762 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
@@ -31,7 +31,7 @@ protocol unix | |||
31 | seccomp | 31 | seccomp |
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | #private-bin synfigstudio,synfig,ffmpeg | 34 | #private-bin ffmpeg,synfig,synfigstudio |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
37 | private-tmp | 37 | private-tmp |
diff --git a/etc/tar.profile b/etc/tar.profile index 71f7414bc..7e1fa8b92 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -43,7 +43,7 @@ private-cache | |||
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,group,localtime,passwd | 44 | private-etc alternatives,group,localtime,passwd |
45 | private-lib libfakeroot | 45 | private-lib libfakeroot |
46 | |||
47 | memory-deny-write-execute | ||
48 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) | 46 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) |
49 | writable-var | 47 | writable-var |
48 | |||
49 | memory-deny-write-execute | ||
diff --git a/etc/tcpdump.profile b/etc/tcpdump.profile index 7713ac6c0..3c46dfdcb 100644 --- a/etc/tcpdump.profile +++ b/etc/tcpdump.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist /sbin | 9 | noblacklist /sbin |
10 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
11 | |||
11 | include disable-common.inc | 12 | include disable-common.inc |
12 | include disable-devel.inc | 13 | include disable-devel.inc |
13 | include disable-exec.inc | 14 | include disable-exec.inc |
@@ -15,6 +16,7 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
17 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | |||
18 | include whitelist-common.inc | 20 | include whitelist-common.inc |
19 | 21 | ||
20 | caps.keep net_raw | 22 | caps.keep net_raw |
@@ -30,7 +32,6 @@ nosound | |||
30 | notv | 32 | notv |
31 | nou2f | 33 | nou2f |
32 | novideo | 34 | novideo |
33 | |||
34 | protocol unix,inet,inet6,netlink,packet | 35 | protocol unix,inet,inet6,netlink,packet |
35 | seccomp | 36 | seccomp |
36 | 37 | ||
@@ -38,7 +39,6 @@ disable-mnt | |||
38 | #private | 39 | #private |
39 | #private-bin tcpdump | 40 | #private-bin tcpdump |
40 | private-dev | 41 | private-dev |
41 | #private-etc | ||
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | memory-deny-write-execute | 44 | memory-deny-write-execute |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 9ca711719..0ccb3fae0 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -30,8 +30,8 @@ | |||
30 | # MKDIRS | 30 | # MKDIRS |
31 | # WHITELISTS | 31 | # WHITELISTS |
32 | # WHITELIST INCLUDES | 32 | # WHITELIST INCLUDES |
33 | # OPTIONS (no*) | 33 | # OPTIONS (caps*, net*, no*, protocol, seccomp, shell none, tracelog) |
34 | # PRIVATE OPTIONS (disable-mnt, private-*) | 34 | # PRIVATE OPTIONS (disable-mnt, private-*, writable-*) |
35 | # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start) | 35 | # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start) |
36 | # REDIRECT INCLUDES | 36 | # REDIRECT INCLUDES |
37 | # | 37 | # |
@@ -98,7 +98,7 @@ | |||
98 | # in PROFILE.local but still be protected by BLACKLISTS section | 98 | # in PROFILE.local but still be protected by BLACKLISTS section |
99 | # (further explanation at https://github.com/netblue30/firejail/issues/1569) | 99 | # (further explanation at https://github.com/netblue30/firejail/issues/1569) |
100 | #mkdir PATH | 100 | #mkdir PATH |
101 | #mkfile PATH | 101 | ##mkfile PATH |
102 | #whitelist PATH | 102 | #whitelist PATH |
103 | #include whitelist-common.inc | 103 | #include whitelist-common.inc |
104 | #include whitelist-var-common.inc | 104 | #include whitelist-var-common.inc |
@@ -136,7 +136,7 @@ | |||
136 | # private-etc templates (see also #1734, #2093) | 136 | # private-etc templates (see also #1734, #2093) |
137 | # Common: ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,alternatives,mime.types,xdg | 137 | # Common: ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,alternatives,mime.types,xdg |
138 | # Extra: magic,magic.mgc,passwd,group | 138 | # Extra: magic,magic.mgc,passwd,group |
139 | # Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv,conf,hosts,host.conf,hostname,protocols,services,rpc | 139 | # Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc |
140 | # Extra: proxychains.conf,gai.conf | 140 | # Extra: proxychains.conf,gai.conf |
141 | # Sound: alsa,asound.conf,pulse,machine-id | 141 | # Sound: alsa,asound.conf,pulse,machine-id |
142 | # GUI: fonts,pango,X11 | 142 | # GUI: fonts,pango,X11 |
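Review bot: `##mkfile PATH` at new line 101 now carries a double `#` while the neighbouring `#mkdir PATH` and `#whitelist PATH` keep a single one. If the extra `#` is meant to mark a rarely used option, the template should state that convention near the top; otherwise it looks like a typo and should go back to `#mkfile PATH`.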
diff --git a/etc/terasology.profile b/etc/terasology.profile index 7b273c23d..9a8426435 100644 --- a/etc/terasology.profile +++ b/etc/terasology.profile | |||
@@ -7,7 +7,6 @@ include globals.local | |||
7 | 7 | ||
8 | ignore noexec /tmp | 8 | ignore noexec /tmp |
9 | 9 | ||
10 | noblacklist ${HOME}/.java | ||
11 | noblacklist ${HOME}/.local/share/terasology | 10 | noblacklist ${HOME}/.local/share/terasology |
12 | 11 | ||
13 | # Allow java (blacklisted by disable-devel.inc) | 12 | # Allow java (blacklisted by disable-devel.inc) |
diff --git a/etc/tor.profile b/etc/tor.profile index 4aebe0a1e..13d071635 100644 --- a/etc/tor.profile +++ b/etc/tor.profile | |||
@@ -25,7 +25,7 @@ include disable-passwdmgr.inc | |||
25 | include disable-programs.inc | 25 | include disable-programs.inc |
26 | include disable-xdg.inc | 26 | include disable-xdg.inc |
27 | 27 | ||
28 | caps.keep setuid,setgid,net_bind_service,dac_read_search | 28 | caps.keep dac_read_search,net_bind_service,setgid,setuid |
29 | ipc-namespace | 29 | ipc-namespace |
30 | machine-id | 30 | machine-id |
31 | netfilter | 31 | netfilter |
@@ -40,7 +40,6 @@ novideo | |||
40 | protocol unix,inet,inet6 | 40 | protocol unix,inet,inet6 |
41 | seccomp | 41 | seccomp |
42 | shell none | 42 | shell none |
43 | writable-var | ||
44 | 43 | ||
45 | disable-mnt | 44 | disable-mnt |
46 | private | 45 | private |
@@ -49,4 +48,4 @@ private-cache | |||
49 | private-dev | 48 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor | 49 | private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor |
51 | private-tmp | 50 | private-tmp |
52 | 51 | writable-var | |
diff --git a/etc/totem.profile b/etc/totem.profile index 9e6684824..5b74709e3 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
@@ -40,6 +40,6 @@ private-bin totem | |||
40 | # totem needs access to ~/.cache/tracker or it exits | 40 | # totem needs access to ~/.cache/tracker or it exits |
41 | #private-cache | 41 | #private-cache |
42 | private-dev | 42 | private-dev |
43 | # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 43 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
diff --git a/etc/tracker.profile b/etc/tracker.profile index c1779ae3e..6e107d99e 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile | |||
@@ -33,5 +33,4 @@ tracelog | |||
33 | 33 | ||
34 | # private-bin tracker | 34 | # private-bin tracker |
35 | # private-dev | 35 | # private-dev |
36 | # private-etc alternatives,fonts | ||
37 | # private-tmp | 36 | # private-tmp |
diff --git a/etc/tshark.profile b/etc/tshark.profile index 52ee228a3..ea85f4e8a 100644 --- a/etc/tshark.profile +++ b/etc/tshark.profile | |||
@@ -13,6 +13,7 @@ include disable-interpreters.inc | |||
13 | include disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 14 | include disable-programs.inc |
15 | include disable-xdg.inc | 15 | include disable-xdg.inc |
16 | |||
16 | include whitelist-common.inc | 17 | include whitelist-common.inc |
17 | 18 | ||
18 | #caps.keep net_raw | 19 | #caps.keep net_raw |
@@ -29,7 +30,6 @@ nosound | |||
29 | notv | 30 | notv |
30 | nou2f | 31 | nou2f |
31 | novideo | 32 | novideo |
32 | |||
33 | #protocol unix,inet,inet6,netlink,packet | 33 | #protocol unix,inet,inet6,netlink,packet |
34 | #seccomp | 34 | #seccomp |
35 | 35 | ||
@@ -38,7 +38,4 @@ disable-mnt | |||
38 | private-cache | 38 | private-cache |
39 | #private-bin tshark | 39 | #private-bin tshark |
40 | private-dev | 40 | private-dev |
41 | #private-etc | ||
42 | private-tmp | 41 | private-tmp |
43 | |||
44 | # memory-deny-write-execute | ||
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile index 3111a1e22..ae868a022 100644 --- a/etc/tuxguitar.profile +++ b/etc/tuxguitar.profile | |||
@@ -6,7 +6,6 @@ include tuxguitar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist ${HOME}/.tuxguitar* | 9 | noblacklist ${HOME}/.tuxguitar* |
11 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
12 | noblacklist ${MUSIC} | 11 | noblacklist ${MUSIC} |
diff --git a/etc/unbound.profile b/etc/unbound.profile index 8e7a4a8a8..e152ee7ea 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -29,12 +29,12 @@ nosound | |||
29 | notv | 29 | notv |
30 | nou2f | 30 | nou2f |
31 | novideo | 31 | novideo |
32 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 32 | seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice |
33 | writable-var | ||
34 | 33 | ||
35 | disable-mnt | 34 | disable-mnt |
36 | private | 35 | private |
37 | private-dev | 36 | private-dev |
37 | writable-var | ||
38 | 38 | ||
39 | # mdwe can break modules/plugins | 39 | # mdwe can break modules/plugins |
40 | memory-deny-write-execute | 40 | memory-deny-write-execute |
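Review bot: The sorted `seccomp.drop` list at new line 32 contains `perf_event_open` twice, now adjacent (`perf_event_open,perf_event_open`); the old line had the same duplicate at two separate positions, so sorting merely exposed it. Remove the second occurrence so the list stays a clean set of syscalls. The rest of the reordering is behaviour-preserving as far as the visible lines show.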
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile index 36d1319d1..b62d3111d 100644 --- a/etc/unknown-horizons.profile +++ b/etc/unknown-horizons.profile | |||
@@ -23,11 +23,11 @@ nonewprivs | |||
23 | noroot | 23 | noroot |
24 | notv | 24 | notv |
25 | nou2f | 25 | nou2f |
26 | protocol unix,netlink,inet,inet6 | 26 | protocol unix,inet,inet6,netlink |
27 | seccomp | 27 | seccomp |
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | # private-bin unknown-horizons | 30 | # private-bin unknown-horizons |
31 | private-dev | 31 | private-dev |
32 | # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies | 32 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
33 | private-tmp | 33 | private-tmp |
diff --git a/etc/waterfox.profile b/etc/waterfox.profile index 3dc21958d..b8ee67ae0 100644 --- a/etc/waterfox.profile +++ b/etc/waterfox.profile | |||
@@ -20,7 +20,7 @@ whitelist ${HOME}/.mozilla | |||
20 | whitelist ${HOME}/.waterfox | 20 | whitelist ${HOME}/.waterfox |
21 | 21 | ||
22 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. | 22 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. |
23 | #private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash | 23 | #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,which |
24 | # private-etc must first be enabled in firefox-common.profile | 24 | # private-etc must first be enabled in firefox-common.profile |
25 | #private-etc waterfox | 25 | #private-etc waterfox |
26 | 26 | ||
diff --git a/etc/webstorm.profile b/etc/webstorm.profile index b97ea8d2f..e820bae00 100644 --- a/etc/webstorm.profile +++ b/etc/webstorm.profile | |||
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.config/git | |||
11 | noblacklist ${HOME}/.gitconfig | 11 | noblacklist ${HOME}/.gitconfig |
12 | noblacklist ${HOME}/.git-credentials | 12 | noblacklist ${HOME}/.git-credentials |
13 | noblacklist ${HOME}/.gradle | 13 | noblacklist ${HOME}/.gradle |
14 | noblacklist ${HOME}/.java | ||
15 | noblacklist ${HOME}/.local/share/JetBrains | 14 | noblacklist ${HOME}/.local/share/JetBrains |
16 | noblacklist ${HOME}/.ssh | 15 | noblacklist ${HOME}/.ssh |
17 | noblacklist ${HOME}/.tooling | 16 | noblacklist ${HOME}/.tooling |
diff --git a/etc/wget.profile b/etc/wget.profile index ff10b2316..2d5c0c4d6 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -36,6 +36,6 @@ shell none | |||
36 | 36 | ||
37 | # private-bin wget | 37 | # private-bin wget |
38 | private-dev | 38 | private-dev |
39 | # private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 39 | # private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl |
40 | # private-tmp | 40 | # private-tmp |
41 | 41 | ||
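Review bot: The reordered private-etc list at new line 39 misspells `crypto-policies` as `crypto-policie`. The option is commented out today, but anyone enabling it would get a private /etc without the crypto-policies directory, which would likely break TLS setup on distributions that rely on it. The line should read `# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl`.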
diff --git a/etc/wireshark.profile b/etc/wireshark.profile index b44eae128..58ff93750 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile | |||
@@ -43,6 +43,6 @@ tracelog | |||
43 | 43 | ||
44 | # private-bin wireshark | 44 | # private-bin wireshark |
45 | private-dev | 45 | private-dev |
46 | # private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies | 46 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
diff --git a/etc/xed.profile b/etc/xed.profile index 9a7806b19..2ee299b9a 100644 --- a/etc/xed.profile +++ b/etc/xed.profile | |||
@@ -42,7 +42,6 @@ tracelog | |||
42 | 42 | ||
43 | private-bin xed | 43 | private-bin xed |
44 | private-dev | 44 | private-dev |
45 | # private-etc alternatives,fonts | ||
46 | private-tmp | 45 | private-tmp |
47 | 46 | ||
48 | # xed uses python plugins, memory-deny-write-execute breaks python | 47 | # xed uses python plugins, memory-deny-write-execute breaks python |
diff --git a/etc/xfburn.profile b/etc/xfburn.profile index 1cb7f568a..cd9561e74 100644 --- a/etc/xfburn.profile +++ b/etc/xfburn.profile | |||
@@ -29,5 +29,4 @@ tracelog | |||
29 | 29 | ||
30 | # private-bin xfburn | 30 | # private-bin xfburn |
31 | # private-dev | 31 | # private-dev |
32 | # private-etc alternatives,fonts | ||
33 | # private-tmp | 32 | # private-tmp |
diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 5f4e3bf4c..325ce7627 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile | |||
@@ -39,6 +39,6 @@ tracelog | |||
39 | 39 | ||
40 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer | 40 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer |
41 | private-dev | 41 | private-dev |
42 | # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 42 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
diff --git a/etc/xpra.profile b/etc/xpra.profile index dc8d7a665..6f66b9300 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile | |||
@@ -47,7 +47,7 @@ disable-mnt | |||
47 | # private home directory doesn't work on some distros, so we go for a regular home | 47 | # private home directory doesn't work on some distros, so we go for a regular home |
48 | # private | 48 | # private |
49 | # older Xpra versions also use Xvfb | 49 | # older Xpra versions also use Xvfb |
50 | # private-bin xpra,python*,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls | 50 | # private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb |
51 | private-dev | 51 | private-dev |
52 | # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 | 52 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra |
53 | private-tmp | 53 | private-tmp |
diff --git a/etc/xviewer.profile b/etc/xviewer.profile index b483e9404..b09bf8ab1 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile | |||
@@ -39,7 +39,6 @@ tracelog | |||
39 | 39 | ||
40 | private-bin xviewer | 40 | private-bin xviewer |
41 | private-dev | 41 | private-dev |
42 | #private-etc alternatives,fonts | ||
43 | private-lib | 42 | private-lib |
44 | private-tmp | 43 | private-tmp |
45 | 44 | ||
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile index 0598ea18d..6228ff3bd 100644 --- a/etc/zaproxy.profile +++ b/etc/zaproxy.profile | |||
@@ -6,7 +6,6 @@ include zaproxy.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist ${HOME}/.ZAP | 9 | noblacklist ${HOME}/.ZAP |
11 | 10 | ||
12 | # Allow java (blacklisted by disable-devel.inc) | 11 | # Allow java (blacklisted by disable-devel.inc) |