From f413040c5e4c052b4bc81706b9f12e5dcf0fa5b3 Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Sun, 2 Jun 2019 17:36:19 +0200 Subject: many profile cleanups (2) --- etc/7z.profile | 21 ++++++++++++++++----- etc/atool.profile | 4 ++-- etc/bibletime.profile | 4 ++-- etc/cpio.profile | 4 ++-- etc/curl.profile | 4 ++-- etc/dnscrypt-proxy.profile | 4 ++-- etc/dnsmasq.profile | 4 ++-- etc/elinks.profile | 4 ++-- etc/exiftool.profile | 4 ++-- etc/franz.profile | 5 +++-- etc/git.profile | 4 ++-- etc/google-play-music-desktop-player.profile | 9 +++++---- etc/gpg-agent.profile | 4 ++-- etc/gpg.profile | 4 ++-- etc/links.profile | 4 ++-- etc/mutt.profile | 4 ++-- etc/natron.profile | 5 ++--- etc/nyx.profile | 7 +++++-- etc/server.profile | 4 ++-- etc/signal-desktop.profile | 5 +++-- etc/skypeforlinux.profile | 7 ++++--- etc/spotify.profile | 4 ++-- etc/ssh-agent.profile | 4 ++-- etc/tar.profile | 17 ++++++++++------- etc/terasology.profile | 5 +++-- etc/unbound.profile | 4 ++-- etc/unrar.profile | 21 ++++++++++++++++----- etc/unzip.profile | 28 ++++++++++++++++++++-------- etc/uudeview.profile | 21 ++++++++++++++++----- etc/viewnior.profile | 4 ++-- etc/w3m.profile | 4 ++-- etc/wget.profile | 4 ++-- etc/xiphos.profile | 6 ++++-- etc/xzdec.profile | 21 ++++++++++++++++----- 34 files changed, 163 insertions(+), 95 deletions(-) diff --git a/etc/7z.profile b/etc/7z.profile index 44ab377b3..ee2b493f8 100644 --- a/etc/7z.profile +++ b/etc/7z.profile 
@@ -4,23 +4,34 @@ quiet # Persistent local customizations include 7z.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local blacklist /tmp/.X11-unix -ignore noroot +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +caps.drop all +ipc-namespace +machine-id net none no3d nodbus nodvd +#nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog private-dev - -include default.profile diff --git a/etc/atool.profile b/etc/atool.profile index 4ea3c02dc..3df32baac 100644 --- a/etc/atool.profile +++ b/etc/atool.profile @@ -7,11 +7,11 @@ include atool.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - # Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc +blacklist /tmp/.X11-unix + include disable-common.inc # include disable-devel.inc include disable-exec.inc diff --git a/etc/bibletime.profile b/etc/bibletime.profile index c41aafd47..4f1b05c88 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile @@ -6,12 +6,12 @@ include bibletime.local # Persistent global definitions include globals.local -blacklist ${HOME}/.bashrc - noblacklist ${HOME}/.bibletime noblacklist ${HOME}/.sword noblacklist ${HOME}/.local/share/bibletime +blacklist ${HOME}/.bashrc + include disable-common.inc include disable-devel.inc include disable-exec.inc diff --git a/etc/cpio.profile b/etc/cpio.profile index b6f7e7f9f..0bb45f5cd 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -7,11 +7,11 @@ include cpio.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist /sbin noblacklist /usr/sbin +blacklist /tmp/.X11-unix + include disable-common.inc # include disable-devel.inc include disable-exec.inc 
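Review bot: `#noroot` and `#nogroups` are left commented out with no reason, replacing the previous `ignore noroot`, so a reader cannot tell whether the gap is deliberate (7z restoring uid/gid ownership when run as root is the usual reason) or a leftover. Add a why-comment above them, e.g. `# noroot/nogroups break restoring file ownership when extracting as root`, or enable them if that case is not meant to be supported. If I read `ignore` semantics correctly, the old `ignore noroot` also suppressed a `noroot` coming from globals.local, whereas now `include globals.local` runs before `#noroot` and such a line would take effect; worth stating in the commit if that change is intended.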
diff --git a/etc/curl.profile b/etc/curl.profile index 2703c6fe8..b8b91d278 100644 --- a/etc/curl.profile +++ b/etc/curl.profile @@ -7,10 +7,10 @@ include curl.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.curlrc +blacklist /tmp/.X11-unix + include disable-common.inc include disable-exec.inc include disable-passwdmgr.inc diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 0dc0cc793..ffced747b 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile @@ -6,11 +6,11 @@ include dnscrypt-proxy.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist /sbin noblacklist /usr/sbin +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-interpreters.inc diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index bb41b71d1..daf4795c3 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile @@ -6,11 +6,11 @@ include dnsmasq.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist /sbin noblacklist /usr/sbin +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-interpreters.inc diff --git a/etc/elinks.profile b/etc/elinks.profile index 842a0db04..980fa7617 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile @@ -6,10 +6,10 @@ include elinks.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.elinks +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-interpreters.inc diff --git a/etc/exiftool.profile b/etc/exiftool.profile index b33d73233..52e090b89 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile 
@@ -6,11 +6,11 @@ include exiftool.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - # Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-exec.inc diff --git a/etc/franz.profile b/etc/franz.profile index d6445ff8e..e917e5517 100644 --- a/etc/franz.profile +++ b/etc/franz.profile @@ -5,6 +5,8 @@ include franz.local # Persistent global definitions include globals.local +ignore noexec /tmp + noblacklist ${HOME}/.cache/Franz noblacklist ${HOME}/.config/Franz noblacklist ${HOME}/.pki @@ -12,6 +14,7 @@ noblacklist ${HOME}/.local/share/pki include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-programs.inc @@ -41,5 +44,3 @@ shell none disable-mnt private-dev private-tmp - -noexec ${HOME} diff --git a/etc/git.profile b/etc/git.profile index 0eb69faed..f7c812e65 100644 --- a/etc/git.profile +++ b/etc/git.profile @@ -7,8 +7,6 @@ include git.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.config/git noblacklist ${HOME}/.config/nano noblacklist ${HOME}/.emacs @@ -22,6 +20,8 @@ noblacklist ${HOME}/.ssh noblacklist ${HOME}/.vim noblacklist ${HOME}/.viminfo +blacklist /tmp/.X11-unix + include disable-common.inc include disable-exec.inc include disable-passwdmgr.inc diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index 4932c9e42..daa385234 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile 
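Review bot: `ignore noexec /tmp` is added to franz.profile without a comment saying what breaks, while the skypeforlinux and google-play-music-desktop-player hunks in the same commit document theirs. Since `include disable-exec.inc` is now what supplies `noexec ${HOME}` (and, as I understand it, `noexec /tmp`), this one line is the only weakening of it and should carry its reason: `# noexec /tmp breaks Franz (<what fails>)`, or be dropped if Franz runs with /tmp non-executable. The `private-tmp` further down the file limits the exception to the sandbox's private /tmp, which is worth noting next to it.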
@@ -5,14 +5,19 @@ include google-play-music-desktop-player.local # Persistent global definitions include globals.local +# noexec /tmp breaks mpris support +ignore noexec /tmp + noblacklist ${HOME}/.config/Google Play Music Desktop Player include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.config/Google Play Music Desktop Player # whitelist ${HOME}/.config/pulse # whitelist ${HOME}/.pulse whitelist ${HOME}/.config/Google Play Music Desktop Player @@ -35,7 +40,3 @@ shell none disable-mnt private-dev private-tmp - -noexec ${HOME} -# noexec /tmp breaks mpris support -#noexec /tmp diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 7181837d5..61b485df5 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile @@ -6,10 +6,10 @@ include gpg-agent.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.gnupg +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-interpreters.inc diff --git a/etc/gpg.profile b/etc/gpg.profile index 51662b59c..99ad1b888 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile @@ -6,10 +6,10 @@ include gpg.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.gnupg +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-interpreters.inc diff --git a/etc/links.profile b/etc/links.profile index 99b445fe0..bd0b0cc92 100644 --- a/etc/links.profile +++ b/etc/links.profile @@ -6,10 +6,10 @@ include links.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.links +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-exec.inc diff --git a/etc/mutt.profile b/etc/mutt.profile index cc3a323e0..419e17e95 100644 
--- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -6,8 +6,6 @@ include mutt.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist /var/mail noblacklist /var/spool/mail noblacklist ${HOME}/.Mail @@ -34,6 +32,8 @@ noblacklist ${HOME}/mail noblacklist ${HOME}/postponed noblacklist ${HOME}/sent +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-interpreters.inc diff --git a/etc/natron.profile b/etc/natron.profile index 329f79f9b..7ad217b72 100644 --- a/etc/natron.profile +++ b/etc/natron.profile @@ -8,7 +8,6 @@ include globals.local noblacklist ${HOME}/.Natron noblacklist ${HOME}/.cache/INRIA/Natron noblacklist ${HOME}/.config/INRIA -noblacklist /opt/natron # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc @@ -29,9 +28,9 @@ nogroups nonewprivs noroot notv -protocol unix,inet,inet6 +nou2f +protocol unix seccomp shell none private-bin natron,Natron,NatronRenderer - diff --git a/etc/nyx.profile b/etc/nyx.profile index f50014a4d..1ea33ac4d 100644 --- a/etc/nyx.profile +++ b/etc/nyx.profile @@ -11,8 +11,6 @@ include allow-python2.inc include allow-python3.inc noblacklist ${HOME}/.nyx -mkdir ${HOME}/.nyx -whitelist ${HOME}/.nyx include disable-common.inc include disable-devel.inc @@ -22,6 +20,11 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.nyx +whitelist ${HOME}/.nyx +include whitelist-common.inc +include whitelist-var-common.inc + caps.drop all netfilter no3d diff --git a/etc/server.profile b/etc/server.profile index 686268a18..6e077ff84 100644 --- a/etc/server.profile +++ b/etc/server.profile 
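Review bot: Adding `include whitelist-common.inc` and `include whitelist-var-common.inc` turns nyx.profile into a whitelist in which `${HOME}/.nyx` is the only home entry, but nyx also has to reach Tor's control socket or authentication cookie (commonly under /run/tor or /var/lib/tor, depending on distribution), and whether whitelist-var-common.inc exposes that path is not visible in this hunk. Please verify against a running Tor and, if needed, add an explicit `whitelist /var/lib/tor` (or the cookie path) next to `whitelist ${HOME}/.nyx` with a comment such as `# Tor control cookie`. The profile's `netfilter`/network settings continue outside the hunk.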
@@ -9,12 +9,12 @@ include globals.local # it allows /sbin and /usr/sbin directories - this is where servers are installed # depending on your usage, you can enable some of the commands below: -blacklist /tmp/.X11-unix - noblacklist /sbin noblacklist /usr/sbin # noblacklist /var/opt +blacklist /tmp/.X11-unix + include disable-common.inc # include disable-devel.inc # include disable-exec.inc diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile index 008cd218e..04696a918 100644 --- a/etc/signal-desktop.profile +++ b/etc/signal-desktop.profile @@ -5,10 +5,13 @@ include signal-desktop.local # Persistent global definitions include globals.local +ignore noexec /tmp + noblacklist ${HOME}/.config/Signal include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-programs.inc include disable-passwdmgr.inc @@ -34,5 +37,3 @@ shell none disable-mnt private-dev private-tmp - -noexec ${HOME} diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index ad200be37..eae7dada0 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile @@ -5,10 +5,14 @@ include skypeforlinux.local # Persistent global definitions include globals.local +# breaks Skype +ignore noexec /tmp + noblacklist ${HOME}/.config/skypeforlinux include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -28,6 +32,3 @@ disable-mnt private-cache # private-dev - needs /dev/disk private-tmp - -noexec ${HOME} -# noexec /tmp - breaks Skype diff --git a/etc/spotify.profile b/etc/spotify.profile index 00c2aabe2..2d5c4a48f 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile 
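Review bot: In signal-desktop.profile the new `ignore noexec /tmp` has no accompanying comment, unlike the skypeforlinux hunk in this commit (`# breaks Skype`). Because it removes one of the protections `include disable-exec.inc` is being added for, the exception should state what fails without it, e.g. `# noexec /tmp breaks Signal (<component>)`, or be removed if Signal works without it; the `private-tmp` at the end of the profile means the exception applies only to the private /tmp, which is worth saying too.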
@@ -5,12 +5,12 @@ include spotify.local # Persistent global definitions include globals.local -blacklist ${HOME}/.bashrc - noblacklist ${HOME}/.cache/spotify noblacklist ${HOME}/.config/spotify noblacklist ${HOME}/.local/share/spotify +blacklist ${HOME}/.bashrc + include disable-common.inc include disable-devel.inc include disable-exec.inc diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 8aafca8aa..9af747b62 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile @@ -6,12 +6,12 @@ include ssh-agent.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist /etc/ssh noblacklist /tmp/ssh-* noblacklist ${HOME}/.ssh +blacklist /tmp/.X11-unix + include disable-common.inc include disable-passwdmgr.inc include disable-programs.inc diff --git a/etc/tar.profile b/etc/tar.profile index 14fc00d21..b6a874217 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -5,17 +5,19 @@ quiet # Persistent local customizations include tar.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local blacklist /tmp/.X11-unix +include disable-common.inc +include disable-devel.inc include disable-exec.inc include disable-interpreters.inc - -ignore noroot +include disable-passwdmgr.inc +include disable-programs.inc apparmor +caps.drop all hostname tar ipc-namespace machine-id @@ -24,10 +26,14 @@ no3d nodbus nodvd nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog @@ -39,8 +45,5 @@ private-etc alternatives,passwd,group,localtime private-lib libfakeroot memory-deny-write-execute - # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) writable-var - -include default.profile diff --git a/etc/terasology.profile b/etc/terasology.profile index b01b4fdb3..2a7212395 100644 --- a/etc/terasology.profile +++ b/etc/terasology.profile 
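Review bot: tar.profile now gets `caps.drop all` while the profile still signals that root invocations are in scope (the `writable-var` comment about `dpkg --unpack`, and `#noroot` left disabled): when run as root, tar restores ownership and setuid/setgid bits by default (`--same-owner`, `--same-permissions`), which needs CAP_CHOWN and CAP_FOWNER, and CAP_DAC_OVERRIDE when writing into directories root does not own, all of which `caps.drop all` removes. Either confirm root extraction and the dpkg case still work under the new profile, or replace the line with `caps.keep chown,dac_override,fowner,fsetid` and comment why. `#noroot` itself also deserves a one-line reason, e.g. `# noroot breaks preserving ownership when extracting as root`, so the exception is auditable.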
@@ -5,6 +5,8 @@ include terasology.local # Persistent global definitions include globals.local +ignore noexec /tmp + noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/terasology @@ -13,6 +15,7 @@ include allow-java.inc include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -43,5 +46,3 @@ disable-mnt private-dev private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies private-tmp - -noexec ${HOME} diff --git a/etc/unbound.profile b/etc/unbound.profile index 6e4b5ed1c..8e7a4a8a8 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile @@ -6,11 +6,11 @@ include unbound.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist /sbin noblacklist /usr/sbin +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-interpreters.inc diff --git a/etc/unrar.profile b/etc/unrar.profile index 7fe37f061..5b55f30d2 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -5,21 +5,34 @@ quiet # Persistent local customizations include unrar.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local blacklist /tmp/.X11-unix +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +caps.drop all hostname unrar -ignore noroot +ipc-namespace +machine-id net none no3d nodbus nodvd +#nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog 
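Review bot: terasology.profile adds `ignore noexec /tmp` with no explanation, so it is not clear whether the Java runtime actually needs an executable /tmp here or the line was copied from the other Electron-style profiles in this commit. Add the reason inline, e.g. `# noexec /tmp breaks Terasology (<what fails>)`, or drop the exception if the game starts without it; with `private-tmp` set later in the profile the impact is confined to the private /tmp, which is worth stating as well.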
@@ -27,5 +40,3 @@ private-bin unrar private-dev private-etc alternatives,passwd,group,localtime private-tmp - -include default.profile diff --git a/etc/unzip.profile b/etc/unzip.profile index be6b6c321..deda8fe64 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -5,29 +5,41 @@ quiet # Persistent local customizations include unzip.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local + +# GNOME Shell integration (chrome-gnome-shell) +noblacklist ${HOME}/.local/share/gnome-shell blacklist /tmp/.X11-unix +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +caps.drop all +ipc-namespace +machine-id hostname unzip -ignore noroot net none no3d nodbus nodvd +#nogroups +nonewprivs +noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog private-bin unzip +private-cache private-dev private-etc alternatives,passwd,group,localtime - -# GNOME Shell integration (chrome-gnome-shell) -noblacklist ${HOME}/.local/share/gnome-shell - -include default.profile diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 859656fa5..9b7c4f5ba 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile @@ -5,18 +5,31 @@ quiet # Persistent local customizations include uudeview.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +caps.drop all +ipc-namespace +machine-id hostname uudeview -ignore noroot net none nodbus nodvd +#nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog 
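Review bot: unzip.profile keeps `noroot` enabled while every other archive profile converted in this commit (7z, tar, unrar, uudeview, xzdec) leaves it as `#noroot`; if those are disabled so root can restore ownership, unzip has the same case (`unzip -X` restores uid/gid), and if unzip does not need it the others should document why they differ. Whichever is intended, a one-line comment on the `noroot`/`#noroot` line in each profile would make the divergence auditable; `#nogroups` is likewise commented here without a reason.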
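Review bot: uudeview.profile is the only archive-style profile in this commit without `blacklist /tmp/.X11-unix`, and with `protocol unix` now explicitly permitting unix sockets the X11 socket stays reachable from a sandbox that decodes untrusted input; the second hunk lists only private-bin/private-cache/private-dev/private-etc, and no `private-tmp` is visible in the parts of the profile shown. Add `blacklist /tmp/.X11-unix` above `include disable-common.inc` as the sibling profiles do, or `private-tmp` if uudeview does not need to write to the host /tmp. The rest of the profile lies outside the hunk, so confirm neither is already present.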
@@ -24,5 +37,3 @@ private-bin uudeview private-cache private-dev private-etc alternatives,ld.so.preload - -include default.profile diff --git a/etc/viewnior.profile b/etc/viewnior.profile index f9fb1cefe..943719e75 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile @@ -6,12 +6,12 @@ include viewnior.local # Persistent global definitions include globals.local -blacklist ${HOME}/.bashrc - noblacklist ${HOME}/.Steam noblacklist ${HOME}/.config/viewnior noblacklist ${HOME}/.steam +blacklist ${HOME}/.bashrc + include disable-common.inc include disable-devel.inc include disable-exec.inc diff --git a/etc/w3m.profile b/etc/w3m.profile index 143ac4f63..d577932e3 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile @@ -6,10 +6,10 @@ include w3m.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.w3m +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-interpreters.inc diff --git a/etc/wget.profile b/etc/wget.profile index a7ef32e2c..ff10b2316 100644 --- a/etc/wget.profile +++ b/etc/wget.profile @@ -7,11 +7,11 @@ include wget.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.wget-hsts noblacklist ${HOME}/.wgetrc +blacklist /tmp/.X11-unix + include disable-common.inc include disable-exec.inc include disable-passwdmgr.inc diff --git a/etc/xiphos.profile b/etc/xiphos.profile index 33056395e..043e513bd 100644 --- a/etc/xiphos.profile +++ b/etc/xiphos.profile @@ -6,11 +6,11 @@ include xiphos.local # Persistent global definitions include globals.local -blacklist ${HOME}/.bashrc - noblacklist ${HOME}/.sword noblacklist ${HOME}/.xiphos +blacklist ${HOME}/.bashrc + include disable-common.inc include disable-devel.inc include disable-exec.inc 
@@ -18,6 +18,8 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.sword +mkdir ${HOME}/.xiphos whitelist ${HOME}/.sword whitelist ${HOME}/.xiphos include whitelist-common.inc diff --git a/etc/xzdec.profile b/etc/xzdec.profile index a1f265c1e..3adaa557c 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -5,23 +5,34 @@ quiet # Persistent local customizations include xzdec.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local blacklist /tmp/.X11-unix -ignore noroot +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +caps.drop all +ipc-namespace +machine-id net none no3d nodbus nodvd +#nogroups +nonewprivs +#noroot nosound notv nou2f novideo +protocol unix +seccomp shell none tracelog private-dev - -include default.profile -- cgit v1.2.3-54-g00ecf