Diffstat (limited to 'etc')
-rw-r--r-- | etc/chromium-common.profile | 2 | ||||
-rw-r--r-- | etc/disable-common.inc | 10 | ||||
-rw-r--r-- | etc/disable-devel.inc | 49 | ||||
-rw-r--r-- | etc/disable-interpreters.inc | 2 | ||||
-rw-r--r-- | etc/disable-passwdmgr.inc | 2 | ||||
-rw-r--r-- | etc/disable-programs.inc | 8 | ||||
-rw-r--r-- | etc/firefox-common.profile | 2 | ||||
-rw-r--r-- | etc/firejail.config | 3 | ||||
-rw-r--r-- | etc/whitelist-common.inc | 10 |
9 files changed, 46 insertions, 42 deletions
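--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -27,7 +27,7 @@ nodbus
 nodvd
 nogroups
 notv
-nou2f
+?BROWSER_DISABLE_U2F: nou2f
 shell none
 
 disable-mnt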
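Review bot: `?BROWSER_DISABLE_U2F: nou2f` at line 30 makes the U2F block depend on a firejail.config key, but nothing in the profile tells a reader which setting controls it or what the default is; the same applies to line 40 of etc/firefox-common.profile. A one-line comment above it would save a trip to the config file: `# U2F devices are blocked unless browser-disable-u2f is set to no in firejail.config`. That `no` is the value which lifts the block is inferred from the `# browser-disable-u2f yes` default this commit adds to etc/firejail.config, so confirm it against the option parser before wording the comment.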
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index d220f381b..74b653385 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -3,9 +3,9 @@ | |||
3 | include disable-common.local | 3 | include disable-common.local |
4 | 4 | ||
5 | # The following block breaks trash functionality in file managers | 5 | # The following block breaks trash functionality in file managers |
6 | #read-only ${HOME}/.local | 6 | #read-only ${HOME}/.local |
7 | #read-write ${HOME}/.local/share | 7 | #read-write ${HOME}/.local/share |
8 | blacklist ${HOME}/.local/share/Trash | 8 | blacklist ${HOME}/.local/share/Trash |
9 | 9 | ||
10 | # History files in $HOME and clipboard managers | 10 | # History files in $HOME and clipboard managers |
11 | blacklist-nolog ${HOME}/.*_history | 11 | blacklist-nolog ${HOME}/.*_history |
@@ -122,7 +122,7 @@ read-only ${HOME}/.local/share/kssl | |||
122 | blacklist /run/user/*/kdeinit5__* | 122 | blacklist /run/user/*/kdeinit5__* |
123 | # blacklist /run/user/*/ksocket-*/kdeinit4__* | 123 | # blacklist /run/user/*/ksocket-*/kdeinit4__* |
124 | # blacklist /tmp/ksocket-*/kdeinit4__* | 124 | # blacklist /tmp/ksocket-*/kdeinit4__* |
125 | # - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4 | 125 | # causes issues when kdeinit4 gets killed; enable on KDE Plasma 4 |
126 | 126 | ||
127 | # gnome | 127 | # gnome |
128 | # contains extensions, last used times of applications, and notifications | 128 | # contains extensions, last used times of applications, and notifications |
@@ -133,7 +133,7 @@ blacklist ${HOME}/.config/systemd | |||
133 | blacklist ${HOME}/.local/share/systemd | 133 | blacklist ${HOME}/.local/share/systemd |
134 | blacklist /var/lib/systemd | 134 | blacklist /var/lib/systemd |
135 | # blacklist /var/run/systemd | 135 | # blacklist /var/run/systemd |
136 | # - creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf | 136 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf |
137 | 137 | ||
138 | # VirtualBox | 138 | # VirtualBox |
139 | blacklist ${HOME}/.VirtualBox | 139 | blacklist ${HOME}/.VirtualBox |
@@ -173,7 +173,7 @@ blacklist /var/lib/mysqld/mysql.sock | |||
173 | blacklist /var/lib/pacman | 173 | blacklist /var/lib/pacman |
174 | blacklist /var/lib/upower | 174 | blacklist /var/lib/upower |
175 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for | 175 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for |
176 | # every sandbox, unless --writeble-var-log switch is activated | 176 | # every sandbox, unless --writeble-var-log switch is activated |
177 | blacklist /var/mail | 177 | blacklist /var/mail |
178 | blacklist /var/opt | 178 | blacklist /var/opt |
179 | blacklist /var/run/acpid.socket | 179 | blacklist /var/run/acpid.socket |
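Review bot: Lines 175-176 on the new side still read `a virtual /var/log directory (mostly empty) is build up by default for every sandbox, unless --writeble-var-log switch is activated`; the switch is spelled `--writable-var-log`, and `build up` should be `built up`. The hunks at lines 3-11 and 173-179 show no visible text change, so they presumably carry whitespace-only edits; if those lines are being touched anyway, fixing the comment in the same pass is cheap. The only wording changes visible in this file are `# - causes` → `# causes` at line 125 and `# - creates` → `# creates` at line 136.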
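--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -4,8 +4,14 @@ include disable-devel.local
 
 # development tools
 
+# clang/llvm
+blacklist ${PATH}/clang*
+blacklist ${PATH}/lldb*
+blacklist ${PATH}/llvm*
+# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
+# blacklist /usr/lib/llvm*
+
 # GCC
-#blacklist /usr/lib/gcc - seems to create problems on Gentoo
 blacklist ${PATH}/as
 blacklist ${PATH}/cc
 blacklist ${PATH}/c++*
@@ -21,40 +27,35 @@ blacklist ${PATH}/*-g++*
 blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
 blacklist /usr/include
+# seems to create problems on Gentoo
+#blacklist /usr/lib/gcc
 
-# clang/llvm
-blacklist ${PATH}/clang*
-blacklist ${PATH}/lldb*
-blacklist ${PATH}/llvm*
-# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
-# blacklist /usr/lib/llvm*
-
-# tcc - Tiny C Compiler
-blacklist ${PATH}/tcc
-blacklist ${PATH}/x86_64-tcc
-blacklist /usr/lib/tcc
-
-# Valgrind
-blacklist ${PATH}/valgrind*
-blacklist /usr/lib/valgrind
+#Go
+blacklist ${PATH}/gccgo
+blacklist ${PATH}/go
+blacklist ${PATH}/gofmt
 
 # Java
 blacklist ${PATH}/java
 blacklist ${PATH}/javac
-blacklist /usr/lib/java
 blacklist /etc/java
+blacklist /usr/lib/java
 blacklist /usr/share/java
 
-#Go
-blacklist ${PATH}/gccgo
-blacklist ${PATH}/go
-blacklist ${PATH}/gofmt
+#OpenSSL
+blacklist ${PATH}/openssl
+blacklist ${PATH}/openssl-1.0
 
 #Rust
 blacklist ${PATH}/rust-gdb
 blacklist ${PATH}/rust-lldb
 blacklist ${PATH}/rustc
 
-#OpenSSL
-blacklist ${PATH}/openssl
-blacklist ${PATH}/openssl-1.0
+# tcc - Tiny C Compiler
+blacklist ${PATH}/tcc
+blacklist ${PATH}/x86_64-tcc
+blacklist /usr/lib/tcc
+
+# Valgrind
+blacklist ${PATH}/valgrind*
+blacklist /usr/lib/valgrind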
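Review bot: The moved section headers `#Go` (line 33), `#OpenSSL` (line 45) and `#Rust` (line 49) have no space after `#`, while the neighbouring `# GCC`, `# Java`, `# tcc - Tiny C Compiler` and `# Valgrind` do. Since the commit is already rewriting these lines to sort the sections, normalising them to `# Go`, `# OpenSSL` and `# Rust` in the same pass would leave the file consistent. The `#blacklist /usr/lib/gcc` line at 31 is a commented-out rule, not a header, so its missing space is fine as is.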
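--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -4,8 +4,8 @@ include disable-interpreters.local
 
 # Lua
 blacklist ${PATH}/lua*
-blacklist /usr/lib/lua
 blacklist /usr/include/lua*
+blacklist /usr/lib/lua
 blacklist /usr/share/lua
 
 # Node.js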
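--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -8,6 +8,7 @@ blacklist ${HOME}/.config/keepass
 blacklist ${HOME}/.config/keepassx
 blacklist ${HOME}/.config/keepassxc
 blacklist ${HOME}/.config/Sinew Software Systems
+blacklist ${HOME}/.fpm
 blacklist ${HOME}/.keepass
 blacklist ${HOME}/.keepassx
 blacklist ${HOME}/.keepassxc
@@ -15,4 +16,3 @@ blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.local/share/KeePass
 blacklist ${HOME}/.local/share/keepass
 blacklist ${HOME}/.password-store
-blacklist ${HOME}/.fpm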
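--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -2,10 +2,12 @@
 # Persistent customizations should go in a .local file.
 include disable-programs.local
 
+blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/snap
+blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.AndroidStudio*
@@ -35,9 +37,9 @@ blacklist ${HOME}/.anydesk
 blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.aria2
 blacklist ${HOME}/.arm
+blacklist ${HOME}/.asunder_album_artist
 blacklist ${HOME}/.asunder_album_genre
 blacklist ${HOME}/.asunder_album_title
-blacklist ${HOME}/.asunder_album_artist
 blacklist ${HOME}/.atom
 blacklist ${HOME}/.attic
 blacklist ${HOME}/.audacity-data
@@ -315,9 +317,9 @@ blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/konqsidebartng
 blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/ktorrent
+blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
 blacklist ${HOME}/.kde/share/config/baloorc
 blacklist ${HOME}/.kde/share/config/digikam
@@ -540,8 +542,6 @@ blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
-blacklist ${HOME}/Arduino
-blacklist ${HOME}/wallet.dat
 blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
 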
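Review bot: `blacklist ${HOME}/.kde/share/apps/khtml` at new line 320 is still out of order in a commit whose purpose is sorting this list — it belongs before `konqsidebartng` at line 317. The hunk header's context line shows an identical `khtml` entry immediately above the hunk, which suggests line 320 is a duplicate rather than merely misplaced, though the earlier entry itself is outside this hunk. Check whether an earlier `.kde/share/apps/khtml` entry exists; if so, drop line 320 instead of moving it.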
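--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -37,7 +37,7 @@ nogroups
 nonewprivs
 noroot
 notv
-nou2f
+?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none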
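--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -5,6 +5,9 @@
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 
+# Disable U2F in browsers, default enabled.
+# browser-disable-u2f yes
+
 # Number of ARP probes sent when assigning an IP address for --net option,
 # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
 # timeout is implemented for each probe. Increase this number to 4 if your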
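Review bot: The comment `# Disable U2F in browsers, default enabled.` at line 8 is ambiguous about what is enabled by default — U2F itself or the disabling of it — so a user deciding whether to flip the option cannot tell from the text which way is the restrictive one. Since the browser profiles in this commit gate `nou2f` on this key, the intended reading appears to be that blocking is on by default; `# Block U2F devices (nou2f) in browser profiles, default enabled. Set to no to let a sandboxed browser use hardware security keys.` says that directly. It would also help to state that the setting only affects profiles that use the `?BROWSER_DISABLE_U2F:` condition, so readers know an unconditional `nou2f` elsewhere is unaffected.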
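--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -20,6 +20,10 @@ whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
 
+# dconf
+mkdir ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
+
 # fonts
 whitelist ${HOME}/.cache/fontconfig
 whitelist ${HOME}/.config/fontconfig
@@ -48,11 +52,8 @@ whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
 whitelist ${HOME}/.local/share/themes
 whitelist ${HOME}/.themes
 
-# dconf
-mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
-
 # qt/kde
+whitelist ${HOME}/.cache/kioexec/krun
 whitelist ${HOME}/.config/Kvantum
 whitelist ${HOME}/.config/Trolltech.conf
 whitelist ${HOME}/.config/kdeglobals
@@ -73,4 +74,3 @@ whitelist ${HOME}/.kde4/share/config/ksslcablacklist
 whitelist ${HOME}/.kde4/share/config/oxygenrc
 whitelist ${HOME}/.kde4/share/icons
 whitelist ${HOME}/.local/share/qt5ct
-whitelist ${HOME}/.cache/kioexec/krun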