From 2531759b80fbfcfbe296bd4bab329c61b7757c92 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 24 Feb 2023 20:37:35 -0500 Subject: more private-etc --- etc/profile-a-l/audacity.profile | 2 +- etc/profile-a-l/gimp.profile | 2 +- etc/profile-a-l/iagno.profile | 10 +++++++++- etc/profile-m-z/rhythmbox.profile | 1 + etc/profile-m-z/totem.profile | 2 +- src/include/etc_groups.h | 8 +++++--- test/sysutils/less.exp | 20 +++++++++++--------- test/sysutils/man.exp | 13 ++++++++++--- test/sysutils/sysutils.sh | 8 -------- test/sysutils/xzdec.exp | 29 ----------------------------- 10 files changed, 39 insertions(+), 56 deletions(-) delete mode 100755 test/sysutils/xzdec.exp diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index 392b189f8..c2a482b61 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile @@ -50,7 +50,7 @@ tracelog private-bin audacity private-dev -private-etc @tls-ca,@x11 +private-etc @x11 private-tmp # problems on Fedora 27 diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index 717519112..6f350f8ac 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile @@ -59,7 +59,7 @@ seccomp !mbind tracelog private-dev -private-etc @tls-ca,@x11,python* +private-etc @x11,python* private-tmp dbus-user none diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile index e16f3f1d5..82cba7887 100644 --- a/etc/profile-a-l/iagno.profile +++ b/etc/profile-a-l/iagno.profile @@ -13,6 +13,13 @@ include disable-interpreters.inc include disable-programs.inc include disable-shell.inc +whitelist ${HOME}/.local/share/glib-2.0/schemas +include whitelist-common.inc + +include whitelist-runuser-common.inc +whitelist /usr/share/iagno +whitelist /usr/share/gdm +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor 
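Review bot: Dropping `@tls-ca` from the `private-etc` line hides /etc/ssl and /etc/pki from the jail, so any HTTPS connection Audacity makes from inside it will fail certificate verification instead of succeeding; that is only harmless if the profile also carries `net none` or the program never uses TLS, and neither is visible in this hunk. If the group was removed on purpose, a comment above the line such as `# no @tls-ca: audacity has no networking in this profile` would record the reason and keep it from being re-added on the next bug report. The gimp hunk in this commit makes the identical change and would benefit from the same note.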
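Review bot: `whitelist /usr/share/gdm` is an unexpected path for a board game and nothing in the hunk says what Iagno reads from it; the other added lines (`/usr/share/iagno`, the glib schemas directory) explain themselves, this one does not. If it is needed for gsettings or dconf data that GDM installs there, a comment above it, `# GDM-installed gsettings data, read at startup`, would stop a later cleanup from dropping it and breaking the profile silently. If it was carried over from another profile, it should go, since every whitelisted directory is extra read access inside the jail.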
@@ -28,11 +35,12 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary disable-mnt -private private-bin iagno private-dev +private-etc @x11,gconf private-tmp # dbus-user none diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile index dccd93429..77c032a53 100644 --- a/etc/profile-m-z/rhythmbox.profile +++ b/etc/profile-m-z/rhythmbox.profile @@ -51,6 +51,7 @@ tracelog private-bin rhythmbox,rhythmbox-client private-cache private-dev +private-etc @tls-ca,@x11,python* private-tmp dbus-user filter diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile index e21d37040..a4cb49171 100644 --- a/etc/profile-m-z/totem.profile +++ b/etc/profile-m-z/totem.profile @@ -51,7 +51,7 @@ private-bin totem # totem needs access to ~/.cache/tracker or it exits #private-cache private-dev -# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl +private-etc @tls-ca,@x11,python* private-tmp # makes settings immutable diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h index 0ed5d4e32..9e24256c0 100644 --- a/src/include/etc_groups.h +++ b/src/include/etc_groups.h @@ -28,6 +28,10 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer "alternatives", "fonts", + "gcrypt", // GNU crypto library - it contains configuration for specialized encryption + // and random number generators hardware. + // The directory is not installed in Debian. On Fedora it is an empty directory. + // The defaults in glibc cover the regular PC. "group", "ld.so.cache", "ld.so.conf", @@ -49,7 +53,6 @@ static char *etc_group_games[] = { "openal", // 3D sound "timidity", // MIDI "timidity.cfg", - "vulkan", // next generation OpenGL stack NULL }; 
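Review bot: Removing `private` swaps a throwaway empty home for the real one (narrowed by the whitelist lines added earlier in this file), and the hunk does not say why; together with `# dbus-user none` staying commented out, the game keeps both persistent files and session-bus access. If `private` was dropped because settings did not survive an empty home, a comment here, `# private dropped: game state lives under ~/.local`, would make that trade-off explicit for the next reader. The added `seccomp.block-secondary` and `private-etc @x11,gconf` lines tighten the profile and need no change.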
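Review bot: The new `private-etc @tls-ca,@x11,python*` line drops `asound.conf` and `pulse`, both present on the commented-out line it replaces, and adds no `@sound` group even though the etc_groups.h hunks in this same commit show that an `etc_group_sound` exists. Unless those files are in the always-on base list, a video player will run without any audio configuration; that may pass on a default PulseAudio setup and fail on ALSA-only or customised /etc/pulse systems. Either add `@sound` or leave a comment stating that audio configuration is intentionally excluded, e.g. `# @sound not needed: totem uses the pulse defaults`.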
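Review bot: The new comment on `"gcrypt"` attributes the defaults to glibc, but /etc/gcrypt belongs to libgcrypt, which reads `hwf.deny` (a hardware-feature denylist) and `random.conf` from there and treats the presence of `fips_enabled` as a request to run in FIPS mode; none of that involves glibc. Those files change how the library behaves, so hiding the directory from a sandbox would silently undo a system-wide hardening setting, which makes moving it into the always-on list the right call, but the comment currently argues the opposite. Suggested replacement for the four comment lines: `// libgcrypt config (hwf.deny, random.conf, fips_enabled): these alter how the library behaves system-wide, so the directory must stay visible in every private-etc sandbox; absent on Debian, empty on Fedora.`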
@@ -75,8 +78,6 @@ static char *etc_group_sound[] = { static char *etc_group_tls_ca[] = { "ca-certificates", "crypto-policies", - "gcrypt", // GNU crypto library - contains hardware config for various encryption schemes - // and random number generators. The file is not installed by Debian. "pki", "ssl", NULL @@ -95,6 +96,7 @@ static char *etc_group_x11[] = { "nvidia", // 3D "pango", // text rendering/internationalization "Trolltech.conf", // old QT config file + "vulkan", // next generation OpenGL stack "X11", "xdg", NULL diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp index 9e19af83a..182e259e1 100755 --- a/test/sysutils/less.exp +++ b/test/sysutils/less.exp @@ -7,17 +7,19 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail less sysutils.sh\r" +send -- "rm -f /tmp/tt\r" +after 500 + +send -- "firejail less sysutils.sh > /tmp/t\r" +sleep 1 + +send -- "cat /tmp/t | grep Authors\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} - "(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit} - "Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit} + timeout {puts "TESTING ERROR 0\n";exit} "Firejail Authors" } -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "MALLOC_CHECK" -} - after 100 + +send -- "rm -f /tmp/t\r" +after 500 puts "\nall done\n" diff --git a/test/sysutils/man.exp b/test/sysutils/man.exp index f4fc5aa2c..0386b2e92 100755 --- a/test/sysutils/man.exp +++ b/test/sysutils/man.exp 
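Review bot: Moving `"vulkan"` into `etc_group_x11` changes what `@games` alone provides: a profile that uses `@games` without `@x11` now loses /etc/vulkan, and nothing in the hunk shows that no such profile exists. A grep over etc/ before merging, or a one-line comment at the games group, `// vulkan lives in @x11; games profiles are expected to pull in @x11 too`, would pin that assumption down. Otherwise the regrouping is reasonable, since Vulkan ICD loading is a display-stack concern.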
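Review bot: The first added line runs `rm -f /tmp/tt` while the test then writes and later removes `/tmp/t`, so the pre-clean targets the wrong file and a stale `/tmp/t` from an earlier run can make `grep Authors` pass without firejail having run at all. Beyond the typo, a fixed name in the world-writable /tmp means another local user can pre-create `/tmp/t` or a symlink there and the `>` redirect will follow it; a per-run name avoids both problems: `set tmpf [exec mktemp]`, then `send -- "firejail less sysutils.sh > $tmpf\r"` and `send -- "rm -f $tmpf\r"`. Dropping the `MALLOC_CHECK` expect also means the test no longer verifies that the whole file, not just its header, was displayed; if that is intended, a comment saying so would help.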
@@ -7,12 +7,19 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail man firejail\r" +send -- "rm -f /tmp/t\r" +after 500 + +send -- "firejail man firejail > /tmp/t\r" +sleep 1 + +send -- "cat /tmp/t\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit} - "Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit} "NAME" } after 100 + +send -- "rm -f /tmp/t\r" +after 500 puts "\nall done\n" diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index 34acca07d..231f5afa8 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh @@ -47,14 +47,6 @@ else echo "TESTING SKIP: gzip not found" fi -if command -v xzdec -then - echo "TESTING: xzdec" - ./xzdec.exp -else - echo "TESTING SKIP: xzdec not found" -fi - if command -v xz then echo "TESTING: xz" diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp deleted file mode 100755 index 62cc1c225..000000000 --- a/test/sysutils/xzdec.exp +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2023 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r" -sleep 1 - -send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r" -sleep 1 - -send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r" -sleep 1 - -send -- "diff -s firejail_t1 firejail_t2\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "firejail_t1 and firejail_t2 are identical" -} - -send -- "rm firejail_t*\r" -sleep 1 - - -puts "\nall done\n" -- cgit v1.2.3-54-g00ecf
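Review bot: This hunk uses the same fixed `/tmp/t` scratch file as less.exp: the `>` redirect in the outer shell follows a symlink or overwrites a file another local user planted at that path, and `rm -f` fails silently if the file is not ours, after which `cat /tmp/t` reads whatever is there and may still match `NAME`. A per-run name, `set tmpf [exec mktemp]` with `> $tmpf` and `rm -f $tmpf`, removes both the race and the false pass. The one-second `sleep` before `cat` is also purely timing-based; if firejail starts slowly the file is still empty and the test reports `TESTING ERROR 0` instead of a skip.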