From a9c1a56bc21c6f583292f0f543673730c5737c1b Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Fri, 30 Apr 2021 10:34:38 +0200
Subject: Harden some game profiles

---
 etc/profile-a-l/etr.profile | 1 +
 etc/profile-m-z/mrrescue.profile | 6 ++++++
 etc/profile-m-z/neverball.profile | 16 ++++++++++++++--
 etc/profile-m-z/pingus.profile | 4 ++++
 etc/profile-m-z/supertux2.profile | 3 +++
 5 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index f55d23778..6d31f3042 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index f02a4f357..5b2164bae 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -8,18 +8,23 @@ include globals.local
 
 noblacklist ${HOME}/.local/share/love
 
+include allow-bin-sh.inc
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/love
 whitelist ${HOME}/.local/share/love
 whitelist /usr/share/mrrescue
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +40,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
index 84c634549..5c7c2b3da 100644
--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
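Review bot: `protocol unix,netlink` stays in place as context in this hunk while the only change is the added `seccomp.block-secondary`, yet the same commit narrows neverball to `protocol unix` and `net none`; the mrrescue hunk at -35,6 and the pingus hunk at -36,6 are in the same position. If etr, mrrescue and pingus have no more need of netlink or the network than neverball, dropping netlink (`protocol unix`) and, where no sockets are needed at all, adding `net none` would be the larger hardening gain in these profiles. Whether any of the three games opens a socket cannot be read off the profile lines shown, so check each game before changing them.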
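Review bot: `include allow-bin-sh.inc` and `include allow-lua.inc` re-admit a shell and an interpreter that the `disable-shell.inc` and `disable-interpreters.inc` includes further down would otherwise blacklist, and nothing in the hunk records why the game needs them, so a later reader cannot tell whether the exceptions are still required. Add a comment above the pair, e.g. `# LÖVE launcher needs /bin/sh and the engine needs lua (verify against the packaged launcher)` — the `${HOME}/.local/share/love` paths support the LÖVE reading, but the exact dependency is inferred, not shown. The same comment is due for the `include allow-bin-sh.inc` added to pingus at -8,12. Placing the allow-*.inc lines ahead of the disable-*.inc includes is right, since the noblacklist entries they carry must precede the blacklists they exempt.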
@@ -14,13 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.neverball
 whitelist ${HOME}/.neverball
+whitelist /usr/share/neverball
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
@@ -28,12 +34,18 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,netlink
+protocol unix
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
 disable-mnt
 private-bin neverball
+private-cache
 private-dev
+private-etc alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,fonts,machine-id
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index ebfd236aa..e3b20e59f 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -8,12 +8,15 @@ include globals.local
 
 noblacklist ${HOME}/.pingus
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
@@ -36,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 9cc023765..d31f25c0d 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/supertux2
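Review bot: The `private-etc alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,fonts,machine-id` line is the change in this hunk most likely to fail at runtime rather than at review: anything the game reads from /etc beyond those entries is simply absent inside the sandbox, and the list carries no graphics- or audio-related entry of the kind OpenGL and sound profiles usually need (drirc, alsa, asound.conf, pulse), so confirm the game renders and plays sound under the new profile before merging. If something is missing, extend the list rather than dropping `private-etc`. Together with the `-netfilter`/`+net none` change in the hunk at -14,13 and the `-protocol unix,netlink`/`+protocol unix` change here, the profile now removes network access outright, which is a functional change the subject line "Harden some game profiles" does not mention; a sentence in the commit message saying neverball has no online features would make the intent reviewable.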
@@ -42,6 +43,8 @@ tracelog
 
 disable-mnt
 # private-bin supertux2
+private-cache
+private-etc machine-id
 private-dev
 private-tmp
 
--
cgit v1.2.3-70-g09d2
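Review bot: `private-etc machine-id` gives supertux2 a far narrower /etc than the list this commit gives neverball (`alternatives,ld.so.cache,...,locale,fonts,machine-id`), and with `private-etc` a missing entry shows up as a missing file at runtime, not as a profile-load error; if both games need fonts, locale data or the ld.so configuration, one of the two lists is wrong. Either align the two lists or add a comment stating why supertux2 needs only machine-id, e.g. `# private-etc: machine-id only; fonts and locale data are not read from /etc (verify)`. The `# private-bin supertux2` context line above the additions suggests private-bin was previously found to break the game, which is a reason to test the new `private-etc` and `private-cache` lines the same way.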