From 34f18791cf58afce78a03b91620f4e2a3f18a12a Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sat, 19 Dec 2020 23:49:56 +0000
Subject: archivers: limiting file system access (#3834)
* limit file system access with comments in archiver-common.inc
* note wording
* Warn against overtightening file system access
Be more explicit about things breaking when archiver profiles are too tight. Thanks for the suggestion by @rusty-snake in #3834.
---
 etc/inc/archiver-common.inc | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'etc/inc/archiver-common.inc')
diff --git a/etc/inc/archiver-common.inc b/etc/inc/archiver-common.inc
index 2c5e4d8bf..9812e3ebb 100644
--- a/etc/inc/archiver-common.inc
+++ b/etc/inc/archiver-common.inc
@@ -6,12 +6,21 @@ include archiver-common.local
 blacklist ${RUNUSER}
-include disable-common.inc
+# WARNING:
+# Users can (un)restrict file access for **all** archivers by commenting/uncommenting the needed
+# include file(s) here or by putting those into archiver-common.local.
+# Another option is to do this **per archiver** in the relevant .local.
+# Just beware that things tend to break when overtightening profiles. For example, because you only
+# need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc.
+#include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc.
+#include disable-programs.inc
 include disable-shell.inc
 apparmor
--
cgit v1.2.3-54-g00ecf
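Review bot: With both `include disable-common.inc` and `include disable-programs.inc` commented out, every profile that includes archiver-common.inc now runs without those blacklists by default, so the shipped default is the loose one and users have to opt back in to the tighter sandbox, which is the opposite of what the subject line suggests. In Firejail's stock profiles disable-common.inc is, as far as I know, where paths such as SSH/GnuPG key directories and shell history files are blacklisted, and archivers routinely parse untrusted files; consider keeping at least that include active, or stating plainly in the WARNING block that the default is now permissive. The two "Uncomment" comments also read as if the files to compress live inside the .inc file; suggested wording: `# Uncomment the next line (or put it into your archiver-common.local) if you don't need to (un)compress files in locations blacklisted by disable-common.inc.`, and likewise for disable-programs.inc.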