From 7e1a5834b1e062fd7e259b22e6bcb07290e89d66 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Thu, 23 Mar 2023 02:44:12 -0300
Subject: profiles: move read-only config entries to dc
Command used to search for entries:
$ git grep '^read-only ${HOME}/' -- 'etc/profile*'
Note for gpg: ~/.gnupg/gpg.conf is apparently only managed by gpgconf(1) rather than through gpg(1) itself, in which case it does not need to be made read-write in gpg.profile.
---
 etc/inc/disable-common.inc | 10 ++++++++++
 etc/profile-a-l/awesome.profile | 1 -
 etc/profile-a-l/cower.profile | 1 -
 etc/profile-m-z/makepkg.profile | 1 -
 etc/profile-m-z/openbox.profile | 2 --
 etc/profile-m-z/steam.profile | 1 -
 6 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 18e94bb80..cf712a07e 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc
 blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
+read-only ${HOME}/.config/awesome/autorun.sh
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
 # Session manager
 # see #3358
@@ -338,6 +341,7 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
+read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
@@ -370,6 +374,7 @@ read-only ${HOME}/dotfiles
 # System package managers and AUR helpers
 blacklist ${HOME}/.config/cower
+read-only ${HOME}/.config/cower/config
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.bin
@@ -396,6 +401,11 @@ read-only ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.local/share/mime
+# Configuration files that do not allow arbitrary command execution but that
+# are intended to be modified manually (in a text editor and/or by a program
+# dedicated to managing them)
+read-only ${HOME}/.config/MangoHud
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
index d8c073c8d..910dd8a91 100644
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -16,5 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
-read-only ${HOME}/.config/awesome/autorun.sh
 #restrict-namespaces
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index e896f3537..9b05b4416 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -45,5 +45,4 @@ private-dev
 private-tmp
 memory-deny-write-execute
-read-only ${HOME}/.config/cower/config
 restrict-namespaces
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index e9d245a6d..266d00395 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-*
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
 blacklist ${HOME}/.gnupg/random_seed
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index 2da867dec..9b566a42b 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -16,6 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
-read-only ${HOME}/.config/openbox/autostart
-read-only ${HOME}/.config/openbox/environment
 #restrict-namespaces
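Review bot: The new section header placed above `read-only ${HOME}/.config/MangoHud` claims these are configuration files that do not allow arbitrary command execution, but if I recall correctly MangoHud's config format accepts an `exec=` key whose value is run through a shell to fill an overlay column, so that entry does not fit the category the comment introduces. The write-protection itself is unchanged and correct; the concern is that the heading will steer a future maintainer into treating `~/.config/MangoHud` as a low-risk path when relaxing rules in steam.profile or elsewhere. I would either move the line up among the other command-capable configs in this file or qualify the comment, e.g. `# NOTE: MangoHud's config supports exec=, which runs a shell command, so keep it read-only`. Please confirm against the MangoHud version that steam.profile targets before relying on the categorisation.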
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index a5b4d5d87..63d629a32 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -181,5 +181,4 @@ private-tmp
 #dbus-user none
 #dbus-system none
-read-only ${HOME}/.config/MangoHud
 #restrict-namespaces
--
cgit v1.2.3-70-g09d2