5 files changed, 57 insertions, 1 deletions
diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc
new file mode 100644
index 000000000..ebe9f98dc
--- /dev/null
+++ b/etc/inc/landlock-common.inc
@@ -0,0 +1,39 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include landlock-common.local
+landlock.read /          # whole system read
+landlock.read /proc
+landlock.special /       # sockets etc.
+# write access
+landlock.write ${HOME}
+landlock.write ${RUNUSER}
+landlock.write /dev
+landlock.write /proc
+landlock.write /run/shm
+landlock.write /tmp
+# exec access
+## misc
+landlock.execute /opt
+landlock.execute /run/firejail # appimage and various firejail features
+## bin
+landlock.execute /bin
+landlock.execute /sbin
+landlock.execute /usr/bin
+landlock.execute /usr/sbin
+landlock.execute /usr/games
+landlock.execute /usr/local/bin
+landlock.execute /usr/local/sbin
+landlock.execute /usr/local/games
+## lib
+landlock.execute /lib
+landlock.execute /lib32
+landlock.execute /libx32
+landlock.execute /lib64
+landlock.execute /usr/lib
+landlock.execute /usr/lib32
+landlock.execute /usr/libx32
+landlock.execute /usr/lib64
+landlock.execute /usr/local/lib
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index c071da4b7..b0ae2d49f 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -22,6 +22,8 @@ include disable-programs.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
+include landlock-common.inc
 #apparmor
 caps.drop all
 #ipc-namespace
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index 4f2c89b27..15adbcb36 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -25,6 +25,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.minecraft
 whitelist ${HOME}/.minecraft
+# Needs keyring access in order to save logins
+whitelist ${RUNUSER}/keyring
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -54,7 +56,10 @@ private-etc @tls-ca,@x11,host.conf,java*,mime.types,services,timezone
 private-opt minecraft-launcher
 private-tmp
-dbus-user none
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.*
+dbus-user.talk org.gnome.seahorse.*
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile
index 82e7a4137..dbcc07809 100644
--- a/etc/profile-m-z/obs.profile
+++ b/etc/profile-m-z/obs.profile
@@ -10,6 +10,9 @@ noblacklist ${MUSIC}
 noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 6299d42cd..8882c9012 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -137,6 +137,13 @@ include globals.local
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
+# Landlock commands
+##landlock.read PATH
+##landlock.write PATH
+##landlock.special PATH
+##landlock.execute PATH
+#include landlock-common.inc
 ##allusers
 #apparmor
 #caps.drop all

diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc new file mode 100644 index 000000000..ebe9f98dc --- /dev/null +++ b/etc/inc/landlock-common.inc
@@ -0,0 +1,39 @@
		1	# This file is overwritten during software install.
		2	# Persistent customizations should go in a .local file.
		3	include landlock-common.local
		4
		5	landlock.read / # whole system read
		6	landlock.read /proc
		7	landlock.special / # sockets etc.
		8
		9	# write access
		10	landlock.write ${HOME}
		11	landlock.write ${RUNUSER}
		12	landlock.write /dev
		13	landlock.write /proc
		14	landlock.write /run/shm
		15	landlock.write /tmp
		16
		17	# exec access
		18	## misc
		19	landlock.execute /opt
		20	landlock.execute /run/firejail # appimage and various firejail features
		21	## bin
		22	landlock.execute /bin
		23	landlock.execute /sbin
		24	landlock.execute /usr/bin
		25	landlock.execute /usr/sbin
		26	landlock.execute /usr/games
		27	landlock.execute /usr/local/bin
		28	landlock.execute /usr/local/sbin
		29	landlock.execute /usr/local/games
		30	## lib
		31	landlock.execute /lib
		32	landlock.execute /lib32
		33	landlock.execute /libx32
		34	landlock.execute /lib64
		35	landlock.execute /usr/lib
		36	landlock.execute /usr/lib32
		37	landlock.execute /usr/libx32
		38	landlock.execute /usr/lib64
		39	landlock.execute /usr/local/lib


diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index c071da4b7..b0ae2d49f 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile
@@ -22,6 +22,8 @@ include disable-programs.inc
22	#include whitelist-usr-share-common.inc	22	#include whitelist-usr-share-common.inc
23	#include whitelist-var-common.inc	23	#include whitelist-var-common.inc
24		24
		25	include landlock-common.inc
		26
25	#apparmor	27	#apparmor
26	caps.drop all	28	caps.drop all
27	#ipc-namespace	29	#ipc-namespace


diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile index 4f2c89b27..15adbcb36 100644 --- a/etc/profile-m-z/minecraft-launcher.profile +++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -25,6 +25,8 @@ include disable-xdg.inc
25		25
26	mkdir ${HOME}/.minecraft	26	mkdir ${HOME}/.minecraft
27	whitelist ${HOME}/.minecraft	27	whitelist ${HOME}/.minecraft
		28	# Needs keyring access in order to save logins
		29	whitelist ${RUNUSER}/keyring
28	include whitelist-common.inc	30	include whitelist-common.inc
29	include whitelist-runuser-common.inc	31	include whitelist-runuser-common.inc
30	include whitelist-usr-share-common.inc	32	include whitelist-usr-share-common.inc
@@ -54,7 +56,10 @@ private-etc @tls-ca,@x11,host.conf,java*,mime.types,services,timezone
54	private-opt minecraft-launcher	56	private-opt minecraft-launcher
55	private-tmp	57	private-tmp
56		58
57	dbus-user none	59	dbus-user filter
		60	dbus-user.talk org.freedesktop.secrets
		61	dbus-user.talk org.gnome.keyring.*
		62	dbus-user.talk org.gnome.seahorse.*
58	dbus-system none	63	dbus-system none
59		64
60	restrict-namespaces	65	restrict-namespaces


diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile index 82e7a4137..dbcc07809 100644 --- a/etc/profile-m-z/obs.profile +++ b/etc/profile-m-z/obs.profile
@@ -10,6 +10,9 @@ noblacklist ${MUSIC}
10	noblacklist ${PICTURES}	10	noblacklist ${PICTURES}
11	noblacklist ${VIDEOS}	11	noblacklist ${VIDEOS}
12		12
		13	# Allow lua (blacklisted by disable-interpreters.inc)
		14	include allow-lua.inc
		15
13	# Allow python (blacklisted by disable-interpreters.inc)	16	# Allow python (blacklisted by disable-interpreters.inc)
14	include allow-python2.inc	17	include allow-python2.inc
15	include allow-python3.inc	18	include allow-python3.inc


diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 6299d42cd..8882c9012 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template
@@ -137,6 +137,13 @@ include globals.local
137	#include whitelist-usr-share-common.inc	137	#include whitelist-usr-share-common.inc
138	#include whitelist-var-common.inc	138	#include whitelist-var-common.inc
139		139
		140	# Landlock commands
		141	##landlock.read PATH
		142	##landlock.write PATH
		143	##landlock.special PATH
		144	##landlock.execute PATH
		145	#include landlock-common.inc
		146
140	##allusers	147	##allusers
141	#apparmor	148	#apparmor
142	#caps.drop all	149	#caps.drop all