From df6ea884f1d6d971f160cad98ede4047478e8f4e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 14 Feb 2023 09:17:00 -0500
Subject: merges, disable sort.py in profile checks temporarely, two more private-etc profiles
---
 .github/workflows/profile-checks.yml | 4 ++--
 README | 3 +++
 etc/profile-a-l/dosbox.profile | 1 +
 etc/profile-a-l/etr.profile | 1 +
 src/include/etc_groups.h | 3 ++-
 5 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 66bba61f5..ad4f86b53 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -34,8 +34,8 @@ jobs:
 github.com:443
 - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
- - name: sort.py
- run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+# - name: sort.py
+# run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
 # Currently broken (see #5610)
 # - name: private-etc-always-required.sh
 # run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
diff --git a/README b/README
index 13331d2f4..2d0ddb513 100644
--- a/README
+++ b/README
@@ -774,6 +774,8 @@ Neo00001 (https://github.com/Neo00001)
 - update telegram profile
 - add spectacle profile
 - add kdiff3 profile
+netcarver (https://github.com/netcarver)
+ - prevent access to LUKS keyfile
 NetSysFire (https://github.com/NetSysFire)
 - update weechat profile
 - update megaglest profile
@@ -996,6 +998,7 @@ slowpeek (https://github.com/slowpeek)
 - allow access to avahi-daemon in apparmor/firejail-default
 - make appimage examples consistent with --appimage option short description
 - blacklist google-drive-ocamlfuse config
+ - blacklist sendgmail config
 smitsohu (https://github.com/smitsohu)
 - read-only kde4 services directory
 - enhanced mediathekview profile
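Review bot: The two commented-out `sort.py` lines in the profile-checks.yml hunk carry no reason and no tracking reference, and they now sit directly above the existing `# Currently broken (see #5610)` comment, which reads as if it applied to them rather than to the `private-etc-always-required.sh` step below it. A CI check that is switched off without a marker tends to stay off, so profile ordering regressions would go unnoticed. I would add a line above `# - name: sort.py` such as `# Temporarily disabled, re-enable after <tracking issue placeholder>` and leave a blank line before `# Currently broken (see #5610)` to keep the two notes apart. The job definition continues outside this hunk.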
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 1edbb7ca0..882709808 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -37,6 +37,7 @@ tracelog
 private-bin dosbox
 private-dev
+private-etc @games
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 7d27f12c9..5b9892af3 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -49,6 +49,7 @@ private-bin etr
 private-cache
 private-dev
 # private-etc alternatives,drirc,machine-id,openal,passwd
+private-etc @games,@x11
 private-tmp
 dbus-user none
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
index d1182a33d..dca767934 100644
--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -75,7 +75,8 @@ static char *etc_group_sound[] = {
 static char *etc_group_tls_ca[] = {
 "ca-certificates",
 "crypto-policies",
- "gcrypt", // GNU crypto library (GPG)
+ "gcrypt", // GNU crypto library - contains hardware config for various encryption schemes
+ // and random number generators. The file is not installed by Debian.
 "pki",
 "ssl",
 NULL
--
cgit v1.2.3-54-g00ecf
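Review bot: The new `private-etc @games` line in dosbox.profile omits `@x11`, while etr.profile in the same commit gets `private-etc @games,@x11`. The hunk does not show what `@games` expands to, so the difference may be deliberate. If it is, a short comment on the line would record that; if it is not, the line should probably read `private-etc @games,@x11`. Since `private-etc` is an allow-list for /etc inside the sandbox, the narrower form is the safer default, provided the program still starts with it.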
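Review bot: The old `# private-etc alternatives,drirc,machine-id,openal,passwd` line in etr.profile is left directly above the new `private-etc @games,@x11`, so the profile now shows two lists with nothing saying which one is authoritative. If the old line is kept as a reference during the move to groups, say so in the comment, e.g. `# previous explicit list, kept for reference: alternatives,drirc,machine-id,openal,passwd`; otherwise remove it. The expansion of `@games` and `@x11` is not visible on this page, so confirm that the entries from the old list, in particular `openal` and `drirc`, are still covered.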