Diffstat (limited to 'etc')
-rw-r--r--etc/inc/disable-common.inc16
-rw-r--r--etc/inc/disable-programs.inc1
-rw-r--r--etc/inc/whitelist-common.inc5
-rw-r--r--etc/profile-a-l/ani-cli.profile2
-rw-r--r--etc/profile-a-l/awesome.profile1
-rw-r--r--etc/profile-a-l/cower.profile1
-rw-r--r--etc/profile-a-l/electron-mail.profile1
-rw-r--r--etc/profile-a-l/email-common.profile1
-rw-r--r--etc/profile-a-l/firefox.profile3
-rw-r--r--etc/profile-a-l/geary.profile1
-rw-r--r--etc/profile-a-l/kube.profile1
-rw-r--r--etc/profile-a-l/linuxqq.profile2
-rw-r--r--etc/profile-a-l/lobster.profile2
-rw-r--r--etc/profile-m-z/makepkg.profile1
-rw-r--r--etc/profile-m-z/mov-cli.profile2
-rw-r--r--etc/profile-m-z/openbox.profile2
-rw-r--r--etc/profile-m-z/signal-desktop.profile1
-rw-r--r--etc/profile-m-z/standardnotes-desktop.profile4
-rw-r--r--etc/profile-m-z/steam.profile1
-rw-r--r--etc/profile-m-z/thunderbird.profile1
-rw-r--r--etc/profile-m-z/trojita.profile1
-rw-r--r--etc/profile-m-z/tutanota-desktop.profile1
-rw-r--r--etc/profile-m-z/youtube-viewers-common.profile1
-rw-r--r--etc/profile-m-z/zeal.profile1
-rw-r--r--etc/templates/profile.template2
25 files changed, 26 insertions, 29 deletions
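--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc
 blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
+read-only ${HOME}/.config/awesome/autorun.sh
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
 
 # Session manager
 # see #3358
@@ -123,6 +126,7 @@ read-only ${HOME}/.config/kio_httprc
 read-only ${HOME}/.config/kiorc
 read-only ${HOME}/.config/kioslaverc
 read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.config/lxqt
 read-only ${HOME}/.kde/share/apps/konsole
 read-only ${HOME}/.kde/share/apps/kssl
 read-only ${HOME}/.kde/share/config/*notifyrc
@@ -329,6 +333,7 @@ read-only ${HOME}/.ssh/config.d
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
+read-only ${HOME}/.config/mpv
 read-only ${HOME}/.config/nano
 read-only ${HOME}/.config/nvim
 read-only ${HOME}/.config/pkcs11
@@ -337,6 +342,7 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
+read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
@@ -345,6 +351,7 @@ read-only ${HOME}/.local/share/cool-retro-term
 read-only ${HOME}/.local/share/nvim
 read-only ${HOME}/.local/state/nvim
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
@@ -366,6 +373,10 @@ read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 
+# System package managers and AUR helpers
+blacklist ${HOME}/.config/cower
+read-only ${HOME}/.config/cower/config
+
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.bin
 read-only ${HOME}/.cargo/bin
@@ -391,6 +402,11 @@ read-only ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.local/share/mime
 
+# Configuration files that do not allow arbitrary command execution but that
+# are intended to be modified manually (in a text editor and/or by a program
+# dedicated to managing them)
+read-only ${HOME}/.config/MangoHud
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 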
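Review bot: Making `${HOME}/.mozilla/firefox/profiles.ini` read-only for every sandbox that includes disable-common.inc (the +354 hunk) moves the opt-out burden onto each Firefox-family profile, and only firefox.profile gains a matching `ignore` in this commit; any other Mozilla-based profile that does not redirect through firefox.profile would presumably now get a read-only profiles.ini and lose the ability to create or switch profiles, which is worth confirming before merging. In the +376 block, `read-only ${HOME}/.config/cower/config` sits directly under `blacklist ${HOME}/.config/cower`, so it only has an effect where a profile noblacklists that directory (presumably cower.profile); a one-line comment such as `# the read-only entry only matters once a profile noblacklists the directory` would make that intent explicit. The risk-class headings on the other blocks of this file are useful, and the new cower block is the only one grouped by program type rather than by risk; a short note on which class the cower config belongs to would keep the file consistent.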
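--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -402,7 +402,6 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
-blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/d-feet
 blacklist ${HOME}/.config/darktable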
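--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -10,16 +10,12 @@ whitelist ${HOME}/.asoundrc
 whitelist ${HOME}/.config/ibus
 whitelist ${HOME}/.config/mimeapps.list
 whitelist ${HOME}/.config/pkcs11
-read-only ${HOME}/.config/pkcs11
 whitelist ${HOME}/.config/user-dirs.dirs
-read-only ${HOME}/.config/user-dirs.dirs
 whitelist ${HOME}/.config/user-dirs.locale
-read-only ${HOME}/.config/user-dirs.locale
 whitelist ${HOME}/.drirc
 whitelist ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
 whitelist ${HOME}/.local/share/applications
-read-only ${HOME}/.local/share/applications
 whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
@@ -68,6 +64,7 @@ whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/ksslcablacklist
+whitelist ${HOME}/.config/lxqt
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.config/qt6ct
 whitelist ${HOME}/.config/qtcurve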
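Review bot: The four `read-only` lines dropped from the first hunk are only a safe cleanup if every profile that includes whitelist-common.inc also gets equivalent entries from disable-common.inc; the disable-common.inc hunks on this page show `read-only` for pkcs11, user-dirs.dirs and user-dirs.locale, but no `read-only ${HOME}/.local/share/applications`, so that one should be confirmed to exist there before the line is removed. If it is missing, a sandbox that whitelists `${HOME}/.local/share/applications` regains write access to the host's desktop entries, which is exactly what the removed line was guarding. A short comment above the block, e.g. `# write-protection for these paths is provided by disable-common.inc`, would document where the guarantee now lives.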
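--- a/etc/profile-a-l/ani-cli.profile
+++ b/etc/profile-a-l/ani-cli.profile
@@ -35,7 +35,5 @@ private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohu
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile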
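--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -16,5 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/awesome/autorun.sh
 #restrict-namespaces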
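--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -45,5 +45,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-read-only ${HOME}/.config/cower/config
 restrict-namespaces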
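--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound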
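--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -85,6 +85,5 @@ dbus-user.talk org.gnome.seahorse.*
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
 restrict-namespaces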
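--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,9 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
+# (Ignore entry from disable-common.inc)
+ignore read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${RUNUSER}/*firefox*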
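Review bot: The new comment `# (Ignore entry from disable-common.inc)` says what the `ignore` line does but not why Firefox alone is exempt from the read-only that every other profile now inherits, and that reason is what a maintainer needs before deciding the line can go; suggest `# Firefox itself writes profiles.ini (profile creation/selection), so lift the read-only inherited from disable-common.inc`. Whether `ignore` must precede the later `include disable-common.inc` to take effect is not visible in this hunk; placing it near the top of the file, as done here, is the safe choice either way.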
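--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces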
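--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces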
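--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 # Redirect
 include electron-common.profile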
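--- a/etc/profile-a-l/lobster.profile
+++ b/etc/profile-a-l/lobster.profile
@@ -35,7 +35,5 @@ private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile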
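--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-*
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
 blacklist ${HOME}/.gnupg/random_seed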
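--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -25,7 +25,5 @@ private-bin ffmpeg,fzf,mov-cli
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile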
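--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -16,6 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/openbox/autostart
-read-only ${HOME}/.config/openbox/environment
 #restrict-namespaces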
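--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/Signal
 # These lines are needed to allow Firefox to open links
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.config/Signal
 whitelist ${HOME}/.config/Signal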
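--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -18,6 +18,10 @@ mkdir ${HOME}/Standard Notes Backups
 mkdir ${HOME}/.config/Standard Notes
 whitelist ${HOME}/Standard Notes Backups
 whitelist ${HOME}/.config/Standard Notes
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor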
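--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -181,5 +181,4 @@ private-tmp
 #dbus-user none
 #dbus-system none
 
-read-only ${HOME}/.config/MangoHud
 #restrict-namespaces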
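--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -24,7 +24,6 @@ writable-run-user
 # These lines are needed to allow Firefox to load your profile when clicking a link in an email
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg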
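--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -60,5 +60,4 @@ dbus-user filter
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces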
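--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -28,7 +28,6 @@ whitelist ${HOME}/.config/tutanota-desktop
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound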
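--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -24,7 +24,6 @@ include allow-python3.inc
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 include disable-common.inc
 include disable-devel.inc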
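--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 # This also requires dbus-user filtering (see below).
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.cache/Zeal
 mkdir ${HOME}/.config/Zeal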
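--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -221,6 +221,8 @@ include globals.local
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
 
+# Note: read-only entries should usually go in disable-common.inc (especially
+# entries for configuration files that allow arbitrary command execution).
 ##deterministic-shutdown
 ##env VAR=VALUE
 ##join-or-start NAME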