From 096d0de5f8bb253d0c1035796464bc5982f06f81 Mon Sep 17 00:00:00 2001 
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Mon, 16 Nov 2020 11:41:35 +0100 Subject: from my overrides - add seccomp.block-secondary to a lot profiles - add wruc to firefox-common and ignore it in TB and firefox-common-addons - harden dia, gnome-keyring, libreoffice, megaglest, pngquant, ghostwriter, rhythmbox, sqlitebrowser --- etc/inc/firefox-common-addons.inc | 2 ++ etc/profile-a-l/0ad.profile | 2 ++ etc/profile-a-l/baobab.profile | 1 + etc/profile-a-l/bijiben.profile | 1 + etc/profile-a-l/celluloid.profile | 1 + etc/profile-a-l/dconf-editor.profile | 1 + etc/profile-a-l/dia.profile | 13 +++++++++++-- etc/profile-a-l/eo-common.profile | 2 ++ etc/profile-a-l/evince.profile | 1 + etc/profile-a-l/ffmpeg.profile | 1 + etc/profile-a-l/file-roller.profile | 1 + etc/profile-a-l/firefox-common.profile | 1 + etc/profile-a-l/flameshot.profile | 1 + etc/profile-a-l/frogatto.profile | 1 + etc/profile-a-l/gapplication.profile | 1 + etc/profile-a-l/gedit.profile | 1 + etc/profile-a-l/gfeeds.profile | 1 + etc/profile-a-l/ghostwriter.profile | 2 ++ etc/profile-a-l/gitg.profile | 1 + etc/profile-a-l/gnome-calculator.profile | 1 + etc/profile-a-l/gnome-calendar.profile | 1 + etc/profile-a-l/gnome-characters.profile | 1 + etc/profile-a-l/gnome-contacts.profile | 1 + etc/profile-a-l/gnome-hexgl.profile | 1 + etc/profile-a-l/gnome-keyring.profile | 11 ++++++++--- etc/profile-a-l/gnome-latex.profile | 1 + etc/profile-a-l/gnome-maps.profile | 1 + etc/profile-a-l/gnome-passwordsafe.profile | 1 + etc/profile-a-l/gnome-photos.profile | 1 + etc/profile-a-l/gnome-screenshot.profile | 1 + etc/profile-a-l/gnome-sound-recorder.profile | 1 + etc/profile-a-l/gnome-weather.profile | 1 + etc/profile-a-l/gnome_games-common.profile | 1 + etc/profile-a-l/gucharmap.profile | 1 + etc/profile-a-l/keepassxc.profile | 1 + etc/profile-a-l/libreoffice.profile | 2 ++ etc/profile-m-z/megaglest.profile | 2 ++ etc/profile-m-z/meld.profile | 1 + etc/profile-m-z/menulibre.profile | 1 
+ etc/profile-m-z/minetest.profile | 1 + etc/profile-m-z/mpv.profile | 1 + etc/profile-m-z/patch.profile | 1 + etc/profile-m-z/pdftotext.profile | 2 ++ etc/profile-m-z/peek.profile | 1 + etc/profile-m-z/pngquant.profile | 3 +++ etc/profile-m-z/rhythmbox.profile | 2 ++ etc/profile-m-z/shellcheck.profile | 1 + etc/profile-m-z/sqlitebrowser.profile | 2 ++ etc/profile-m-z/strings.profile | 1 + etc/profile-m-z/supertux2.profile | 1 + etc/profile-m-z/supertuxkart.profile | 1 + etc/profile-m-z/thunderbird.profile | 2 ++ etc/profile-m-z/transmission-common.profile | 1 + etc/profile-m-z/vivaldi.profile | 2 ++ etc/profile-m-z/wget.profile | 1 + etc/profile-m-z/whois.profile | 1 + etc/profile-m-z/xournal.profile | 1 + etc/profile-m-z/yelp.profile | 1 + etc/profile-m-z/youtube-dl.profile | 1 + etc/templates/profile.template | 1 + 60 files changed, 90 insertions(+), 5 deletions(-)
diff --git a/etc/inc/firefox-common-addons.inc b/etc/inc/firefox-common-addons.inc
index 198941ac9..03f09fece 100644
--- a/etc/inc/firefox-common-addons.inc
+++ b/etc/inc/firefox-common-addons.inc
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
+ignore include whitelist-runuser-common.inc
+
 noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 6869ea631..c4e820078 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 3937e1966..4401c9dfd 100644
--- a/etc/profile-a-l/baobab.profile
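Review bot: The new `ignore include whitelist-runuser-common.inc` only suppresses lines parsed after it — firejail records an `ignore` and matches it against subsequent profile lines — so it works only if every profile that pulls in this .inc does so before its own `include firefox-common.profile`; that ordering constraint lives in other files and is invisible here. A one-line comment above it would save the next person a debugging session, e.g. `# must be parsed before firefox-common.profile is included (ignore only affects later lines)`. If firejail's ignore turns out to apply regardless of order, the comment should say that instead; either way the dependency deserves stating.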
+++ b/etc/profile-a-l/baobab.profile
@@ -30,6 +30,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index c1c338536..dbde3e4de 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 8bf086ab4..56709a466 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -46,6 +46,7 @@ noroot
 nou2f
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index d6541850d..b41a73916 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 52bf1c7f8..e409eb044 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -9,16 +9,24 @@ include globals.local
 noblacklist ${HOME}/.dia
 noblacklist ${DOCUMENTS}
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include allow-python2.inc
-include allow-python3.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+#mkdir ${HOME}/.dia
+#whitelist ${HOME}/.dia
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
 whitelist /usr/share/dia
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -36,6 +44,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 disable-mnt
 #private-bin dia
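Review bot: The four commented-out lines `#mkdir ${HOME}/.dia` … `#include whitelist-common.inc` in the first dia hunk are added with no reason, so a later maintainer cannot tell whether the home whitelist was tried and broke something or is merely a draft; the same commit annotates a disabled directive in ghostwriter (`#tracelog -- breaks`) and this block should get the same treatment, e.g. `# home whitelist disabled: <what breaks>` on the line above it. Note also that the hunk header (`-9,16 +9,24`) counts `whitelist /usr/share/dia` and the two `include whitelist-*-common.inc` lines as additions although they are shown here without a `+` marker, so the effective change is larger than it reads: with whitelist-usr-share-common.inc in force, anything dia loads from /usr/share outside the whitelisted paths becomes invisible and the first test run should cover plugin and sheet loading.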
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index e8b49a395..e059f3b74 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -27,6 +27,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -38,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 77a48f0ba..c0c16e929 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index fb5c9ee57..c6e9ba095 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -41,6 +41,7 @@ novideo
 protocol inet,inet6
 # allow set_mempolicy, which is required to encode using libx265
 seccomp !set_mempolicy
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 745b8b8e9..2a1eb2001 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 7c343c26d..fe0a27828 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -27,6 +27,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 357354e70..851a7c747 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -45,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 653272499..23d259337 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 74b468020..e339f6abb 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 17b7ad563..30251fbe5 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index d97ab530b..b8d1b9608 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -49,6 +49,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 5bb410278..c15174815 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -26,6 +26,7 @@ whitelist /usr/share/texlive
 whitelist /usr/share/pandoc*
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
@@ -41,6 +42,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
+seccomp.block-secondary
 shell none
 #tracelog -- breaks
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 71b8e9b11..3d80c1ed2 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -45,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index ceb01f2a0..7780dfa65 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index 3e815234c..9927fb869 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index f4f3ae2d7..4d53a67dd 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index 7a38bdc8a..03b89e394 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -32,6 +32,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 disable-mnt
 private-dev
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 5ae7bbe01..bb5ef0eab 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index ecbb74158..a0b9ef04e 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.gnupg
-whitelist ${HOME}/.gnupg
-whitelist ${DOWNLOADS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,9 +17,15 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -41,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
@@ -52,6 +57,6 @@ private-dev
 private-tmp
 # dbus-user none
-# dbus-system none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 11d184bc6..87376da40 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index eb0030dda..23629df95 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -54,6 +54,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index ed430b654..073de47b9 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 2af406af9..65cc23b5f 100644
--- a/etc/profile-a-l/gnome-photos.profile
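Review bot: `whitelist ${RUNUSER}/keyring` and `whitelist ${RUNUSER}/gnupg` in the second gnome-keyring hunk (`@@ -19,9 +17,15 @@`) are only honoured when the path already exists at sandbox start — firejail skips whitelist entries for missing paths — and ${RUNUSER}/keyring is normally created by gnome-keyring-daemon itself, i.e. by the process being sandboxed. On a fresh login the directory would then be created on the sandbox's private /run/user tmpfs and its sockets would be invisible to clients outside, which defeats the daemon; confirm against a clean session. The hunk already pairs `mkdir ${HOME}/.gnupg` with `whitelist ${HOME}/.gnupg`, so do the same here with `mkdir ${RUNUSER}/keyring` (and `mkdir ${RUNUSER}/gnupg`), assuming this firejail's mkdir accepts ${RUNUSER} paths. Separately, `whitelist ${DOWNLOADS}` hands a secrets daemon read/write access to the downloads directory, which nothing in this file justifies; if something needs it, a comment saying what would help, otherwise it should go.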
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index 82fb1b658..2534eed5a 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index a64ec25a9..2e063ebfe 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index a181f1b9e..beed92a7d 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index c46fbc1d9..56ed7a436 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index c0254b5ec..3df42d209 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 06447c3e6..58db056b2 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -55,6 +55,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index f9c92f6f6..031f0e19f 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -43,6 +43,8 @@ shell none
 # comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
 tracelog
+#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
+private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 19f9edf05..37ac9e304 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.megaglest
@@ -37,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 385700648..6ceeb867f 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -62,6 +62,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 3468bc22d..c70090a25 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index a22d2c2e3..5678a781c 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -47,6 +47,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
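Review bot: `#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls` in the libreoffice hunk is added already commented out and without a reason, while the line just above documents its own caveat (`# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile`); a disabled directive with no note reads as either known-broken or unfinished and nobody can tell which. Prefix it with the reason, e.g. `# private-bin disabled: <what breaks, on which distro>`, or leave the line out until it can be enabled.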
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 389b64535..ce3bfe421 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -67,6 +67,7 @@ noroot
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 8663fb453..6cbaa66ad 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index eee42424f..2a7d0cec1 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index 28a7da404..710a533a9 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 83905b108..3513e91cc 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -7,6 +7,8 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
+noblacklist ${PICTURES}
+
 blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
@@ -16,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index f906ec31d..e7f379509 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -45,10 +45,12 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 private-bin rhythmbox,rhythmbox-client
+private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index 6cd70c2ea..c67a88161 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -40,6 +40,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index cdb20b4e0..110434736 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -18,6 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -35,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 private-bin sqlitebrowser
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 426b2dc1c..09ada1e25 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index ceaae8fbf..9cc023765 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 40b996794..ff99c234e 100644
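Review bot: `private-cache` in the rhythmbox hunk mounts a fresh tmpfs over ~/.cache for every run, so whatever rhythmbox keeps there is discarded at exit; if, as I believe, it stores downloaded cover art under ~/.cache/rhythmbox (confirm), that cache is re-fetched over the network on each launch, a behaviour change the commit's "harden" wording does not mention. Either document the trade-off next to the directive, `# private-cache: album-art cache is not persisted across runs`, or verify it is harmless before this ships.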
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index e3eb73730..2e7b69cec 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -6,6 +6,8 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
+ignore whitelist-runuser-common.inc
+
 # writable-run-user and dbus are needed by enigmail
 ignore dbus-user none
 ignore dbus-system none
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 9d2e8e990..d601f0f15 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index 541942453..cd06b7f4c 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -29,6 +29,8 @@ whitelist ${HOME}/.config/vivaldi
 whitelist ${HOME}/.config/vivaldi-snapshot
 whitelist ${HOME}/.local/lib/vivaldi
+#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
+
 # breaks vivaldi sync
 ignore dbus-user none
 ignore dbus-system none
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index cdb8f0b93..8a64d2d73 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 2af1379e0..a9cecb18d 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
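Review bot: `ignore whitelist-runuser-common.inc` in the thunderbird hunk is a no-op: firejail's `ignore` compares the rest of the line against the start of each subsequent profile line, and the line inherited from firefox-common.profile is `include whitelist-runuser-common.inc`, which is exactly why this same commit writes `ignore include whitelist-runuser-common.inc` in firefox-common-addons.inc. As written thunderbird therefore still receives the ${RUNUSER} whitelist, while the comment two lines below says enigmail needs a usable run-user directory (presumably the gpg-agent sockets — confirm), so the exemption the author intended is silently not applied. Change the line to `ignore include whitelist-runuser-common.inc`.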
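Review bot: `#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot` in the vivaldi hunk is added already disabled and with no reason, although the neighbouring `ignore dbus-user none` lines carry `# breaks vivaldi sync`; keep that style, e.g. `# private-bin disabled: <what breaks>` on the line above. If the list is believed to work and only awaits testing, say so instead, otherwise it lingers as dead config nobody dares enable.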
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index b842b5307..0c6969e09 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index fd95ceb04..e198af8b2 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index db3535f78..d9dee6891 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -52,6 +52,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index d57306aee..3d37fc827 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -157,6 +157,7 @@ include globals.local
 #seccomp
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
+#seccomp.block-secondary
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
-- 
cgit v1.2.3-54-g00ecf