41 files changed, 18 insertions, 65 deletions

diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
index ae863b73d..ece681c35 100644
--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -48,8 +48,6 @@ disable-mnt
 private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
-# private-etc alternatives
-# private-lib
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/amarok.profile b/etc/amarok.profile
index 6cec3befc..0b974e9ac 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -31,5 +31,5 @@ shell none
 
 # private-bin amarok
 private-dev
-# private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
 private-tmp
diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile
index e353326df..2f08fa169 100644
--- a/etc/arch-audit.profile
+++ b/etc/arch-audit.profile
@@ -7,7 +7,6 @@ include arch-audit.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist /var/lib/pacman
 
 include disable-common.inc
diff --git a/etc/archaudit-report.profile b/etc/archaudit-report.profile
index bfd110bf2..19c37f90e 100644
--- a/etc/archaudit-report.profile
+++ b/etc/archaudit-report.profile
@@ -6,7 +6,6 @@ include archaudit-report.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist /var/lib/pacman
 
 include disable-common.inc
@@ -17,8 +16,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
-
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/asunder.profile b/etc/asunder.profile
index fa2479051..fc10739aa 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -34,7 +34,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-#private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 287e5f52e..62eeb88f3 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -6,12 +6,15 @@ include bitlbee.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -34,5 +37,4 @@ private-cache
 private-dev
 private-tmp
 
-noexec /tmp
 read-write /var/lib/bitlbee
diff --git a/etc/brasero.profile b/etc/brasero.profile
index aa838380a..058253308 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -31,7 +31,6 @@ tracelog
 # private-bin brasero
 private-cache
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute
diff --git a/etc/caja.profile b/etc/caja.profile
index 2a95649af..c5cef7b27 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -39,5 +39,4 @@ tracelog
 # caja needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin caja
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/catfish.profile b/etc/catfish.profile
index f615b5323..c6c2d7e8a 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -15,11 +15,11 @@ noblacklist ${HOME}/.config/catfish
 include allow-python2.inc
 include allow-python3.inc
 
-include disable-common.inc
+# include disable-common.inc
 # include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
+# include disable-programs.inc
 
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc
diff --git a/etc/dig.profile b/etc/dig.profile
index 9bc4ee0ca..6f2c1f755 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.digrc
+#mkfile ${HOME}/.digrc -- see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -45,7 +45,6 @@ private
 private-bin bash,dig,sh
 private-cache
 private-dev
-# private-etc alternatives,resolv.conf
 private-lib
 private-tmp
 
diff --git a/etc/digikam.profile b/etc/digikam.profile
index e9c89a1b9..1b80981f7 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -33,11 +33,8 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
-# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
 
-# private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
-
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 562e8f542..aaf3e3382 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -35,7 +35,6 @@ tracelog
 
 # private-bin engrampa
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 9c1c5b7de..0771bf6a5 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -36,7 +36,6 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
-# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
 shell none
 tracelog
 
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 95accdd36..59d2f3ec8 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -39,7 +39,6 @@ tracelog
 
 # private-bin file-roller
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 # memory-deny-write-execute
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 9596bc610..3931aa64a 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -38,5 +38,4 @@ shell none
 disable-mnt
 # private-bin frozen-bubble
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 551e30659..8232bbae4 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -44,7 +44,6 @@ tracelog
 
 # private-bin gedit
 private-dev
-# private-etc alternatives,fonts
 private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index adfc3ef1c..8810ca161 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -31,4 +31,3 @@ shell none
 
 # private-bin geeqie
 private-dev
-# private-etc alternatives,X11
diff --git a/etc/github-desktop.profile b/etc/github-desktop.profile
index 4a969f9ad..b25b138ad 100644
--- a/etc/github-desktop.profile
+++ b/etc/github-desktop.profile
@@ -42,7 +42,6 @@ disable-mnt
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-# private-etc alternatives
 # private-lib
 private-tmp
 
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 184751132..25cd94f0c 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -36,8 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs gnome-books
+# private-bin gjs,gnome-books
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 
diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile
index 9d4088eed..001274372 100644
--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc -- see #903
 include whitelist-var-common.inc
 
 caps.keep net_raw
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 4e5a3b109..3bbad67bb 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -33,8 +33,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs gnome-photos
+# private-bin gjs,gnome-photos
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index 08256f3a5..0fca08505 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -69,6 +69,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-# private-etc alternatives
 writable-var
 
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 243643aea..cae8e29d7 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -34,5 +34,4 @@ tracelog
 private-bin highlight
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index ade50048e..a36af8abf 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -38,7 +38,6 @@ tracelog
 # private-bin img2txt
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index b81313b6a..d6d08679b 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -40,5 +40,4 @@ tracelog
 # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin nautilus
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index bff42fb19..d80b3d351 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -33,5 +33,4 @@ shell none
 
 # private-bin open-invaders
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/openarena.profile b/etc/openarena.profile
index f36d3270f..c83e78e2c 100644
--- a/etc/openarena.profile
+++ b/etc/openarena.profile
@@ -21,16 +21,12 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 # ipc-namespace
-# machine-id
-# net none
 # netfilter
-# no3d
 # nodbus
 # nodvd
 # nogroups
 nonewprivs
 noroot
-# nosound
 notv
 # nou2f
 novideo
@@ -40,12 +36,8 @@ shell none
 # tracelog
 
 # disable-mnt
-# private
 # private-bin openarena
 private-cache
 private-dev
-# private-etc machine-id,xdg,openal,udev,drirc,passwd,selinux
-# private-lib
+# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
-
-# memory-deny-write-execute
diff --git a/etc/ping.profile b/etc/ping.profile
index 66574bab5..00ac45c5a 100644
--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -30,10 +30,8 @@ nosound
 notv
 nou2f
 novideo
-
 # protocol command is built using seccomp; nonewprivs will kill it
 #protocol unix,inet,inet6,netlink,packet
-
 # killed by no-new-privs
 #seccomp
 
@@ -42,7 +40,7 @@ private
 #private-bin has mammoth problems with execvp: "No such file or directory"
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
-#private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies
+#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
diff --git a/etc/pingus.profile b/etc/pingus.profile
index 6b664248f..782ee200d 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -33,5 +33,4 @@ shell none
 
 # private-bin pingus
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 47626753a..91e6edc65 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -39,7 +39,6 @@ tracelog
 
 private-bin pluma
 private-dev
-# private-etc alternatives,fonts
 private-lib pluma
 private-tmp
 
diff --git a/etc/remmina.profile b/etc/remmina.profile
index a77f2d8aa..e85ceca13 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -31,7 +31,6 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
 shell none
 
 private-cache
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 264566dcd..e6c48561f 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -5,10 +5,13 @@ include shotcut.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/Meltytech
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -26,9 +29,6 @@ protocol unix
 seccomp
 shell none
 
-#private-bin shotcut,melt,qmelt,nice
+#private-bin melt,nice,qmelt,shotcut
 private-cache
 private-dev
-
-#noexec ${HOME}
-noexec /tmp
diff --git a/etc/simplescreenrecorder.profile b/etc/simplescreenrecorder.profile
index ead475e07..a3caedf88 100644
--- a/etc/simplescreenrecorder.profile
+++ b/etc/simplescreenrecorder.profile
@@ -31,7 +31,6 @@ tracelog
 
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index c07b1c145..7febcde46 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -33,5 +33,4 @@ shell none
 
 # private-bin simutrans
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 76b050d18..c10be717b 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -16,7 +16,6 @@ include disable-programs.inc
 include disable-xdg.inc
 
 caps.drop all
-# net none
 netfilter
 # nodbus
 nodvd
@@ -31,6 +30,6 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
-# private-bin skanlite,kbuildsycoca4,kdeinit4
+# private-bin kbuildsycoca4,kdeinit4,skanlite
 # private-dev
 # private-tmp
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index 793e4126c..287a078b3 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -34,5 +34,4 @@ shell none
 disable-mnt
 # private-bin supertux2
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/tor.profile b/etc/tor.profile
index 8d6622241..e896b609a 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -49,4 +49,3 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
 private-tmp
-
diff --git a/etc/tracker.profile b/etc/tracker.profile
index c1779ae3e..6e107d99e 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -33,5 +33,4 @@ tracelog
 
 # private-bin tracker
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/xed.profile b/etc/xed.profile
index 9a7806b19..2ee299b9a 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -42,7 +42,6 @@ tracelog
 
 private-bin xed
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 
 # xed uses python plugins, memory-deny-write-execute breaks python
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index 1cb7f568a..cd9561e74 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -29,5 +29,4 @@ tracelog
 
 # private-bin xfburn
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index b483e9404..b09bf8ab1 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -39,7 +39,6 @@ tracelog
 
 private-bin xviewer
 private-dev
-#private-etc alternatives,fonts
 private-lib
 private-tmp