From d452e45a9196aa2f4d34706fcfb7907707a19ff9 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Wed, 8 Sep 2021 23:21:07 +0200
Subject: Add profiles for build-systems (/package-managers) Profiles: bunler, cargo (refactor), cmake (untested), make, meson, pip All redirect to build-systems-common.profile Other fixes: - blacklist ${HOME}/.bundle - blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo - blacklist /usr/lib64/ruby
---
 etc/profile-a-l/cargo.profile | 61 +++++--------------------------------------
 1 file changed, 7 insertions(+), 54 deletions(-)
(limited to 'etc/profile-a-l/cargo.profile')
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index ff46cd429..af188e7f9 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,19 @@ include cargo.local
 # Persistent global definitions
 include globals.local
 
-ignore noexec ${HOME}
-ignore noexec /tmp
-
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+ignore read-only ${HOME}/.cargo/bin
 
 noblacklist ${HOME}/.cargo/credentials
 noblacklist ${HOME}/.cargo/credentials.toml
 
-# Allows files commonly used by IDEs
-include allow-common-devel.inc
-
-# Allow ssh (blacklisted by disable-common.inc)
-#include allow-ssh.inc
-
-include disable-common.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-#mkdir ${HOME}/.cargo
-#whitelist ${HOME}/YOUR_CARGO_PROJECTS
-#whitelist ${HOME}/.cargo
-#whitelist ${HOME}/.rustup
-#include whitelist-common.inc
-whitelist /usr/share/pkgconfig
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
+mkdir ${HOME}/.cargo
+whitelist ${HOME}/.cargo
+whitelist ${HOME}/.rustup
 
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-shell none
-tracelog
-
-disable-mnt
 #private-bin cargo,rustc
-private-cache
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
-private-tmp
-
-dbus-user none
-dbus-system none
 
 memory-deny-write-execute
-read-write ${HOME}/.cargo/bin
+
+# Redirect
+include build-systems-common.profile
-- 
cgit v1.2.3-70-g09d2
From 2712dd7274a59727b3118982044c7c9426099232 Mon Sep 17 00:00:00 2001
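Review bot: The new cargo.profile drops `caps.drop all`, `seccomp`, `seccomp.block-secondary`, `nonewprivs`, `noroot`, `disable-mnt`, `private-dev`, `private-tmp`, `dbus-user none` and `dbus-system none` and relies on the trailing `include build-systems-common.profile` to reinstate them, but this patch never shows that file's hardening section, so the net effect on the sandbox cannot be verified from the diff alone. Each dropped option should be checked against build-systems-common.profile before merging, since one missing there silently weakens every profile that redirects to it. The two `noblacklist ${HOME}/.cargo/credentials` lines are kept while `whitelist ${HOME}/.cargo` is added, so the credentials file stays reachable from inside the sandbox; a comment such as `# keep cargo credentials reachable inside the sandbox` above them would make that choice explicit for the next reader.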
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Sat, 11 Sep 2021 14:38:18 +0200
Subject: build-systems-common: Make whitelist opt-in
---
 etc/profile-a-l/build-systems-common.profile | 5 +++--
 etc/profile-a-l/bundle.profile | 5 +++--
 etc/profile-a-l/cargo.profile | 5 ++---
 etc/profile-m-z/pip.profile | 2 +-
 4 files changed, 9 insertions(+), 8 deletions(-)
(limited to 'etc/profile-a-l/cargo.profile')
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
index 159593eb7..1b199d612 100644
--- a/etc/profile-a-l/build-systems-common.profile
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -28,9 +28,10 @@ include disable-shell.inc
 include disable-X11.inc
 include disable-xdg.inc
 
-whitelist ${HOME}/Projects
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
 whitelist /usr/share/pkgconfig
-include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile
index 269bfd130..a3a3e3cde 100644
--- a/etc/profile-a-l/bundle.profile
+++ b/etc/profile-a-l/bundle.profile
@@ -12,8 +12,9 @@ noblacklist ${HOME}/.bundle
 # Allow ruby (blacklisted by disable-interpreters.inc)
 include allow-ruby.inc
 
-mkdir ${HOME}/.bundle
-whitelist ${HOME}/.bundle
+#whitelist ${HOME}/.bundle
+#whitelist ${HOME}/.gem
+#whitelist ${HOME}/.local/share/gem
 whitelist /usr/share/gems
 whitelist /usr/share/ruby
 whitelist /usr/share/rubygems
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index af188e7f9..4c8afd895 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
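Review bot: With `include whitelist-common.inc` commented out in the build-systems-common.profile hunk, `${HOME}` is no longer whitelisted, so by default the build tool sees the whole home directory (minus whatever the disable-*.inc includes blacklist) instead of only `${HOME}/Projects`; the bundle.profile hunk below and the cargo.profile and pip.profile hunks in this commit make the same opt-in change. That is a legitimate usability trade-off, but the two commented lines give no hint of what a user has to do to get the earlier confinement back. A comment above them, e.g. `# Uncomment (and add your own whitelist lines) to limit ${HOME} to your project directories`, would document the opt-in without changing behaviour.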
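Review bot: In the bundle.profile hunk `mkdir ${HOME}/.bundle` is deleted outright while its partner `whitelist ${HOME}/.bundle` is only commented out, and the cargo.profile hunk in this commit does the same with `mkdir ${HOME}/.cargo`; the first commit's old cargo.profile kept `#mkdir ${HOME}/.cargo` next to `#whitelist ${HOME}/.cargo`, which suggests the pairing was intentional. A user who later uncomments the whitelist will not see that the mkdir belongs with it. Keeping `#mkdir ${HOME}/.bundle` and `#mkdir ${HOME}/.cargo` commented beside the corresponding `#whitelist` lines preserves that hint.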
@@ -12,9 +12,8 @@ ignore read-only ${HOME}/.cargo/bin
 noblacklist ${HOME}/.cargo/credentials
 noblacklist ${HOME}/.cargo/credentials.toml
 
-mkdir ${HOME}/.cargo
-whitelist ${HOME}/.cargo
-whitelist ${HOME}/.rustup
+#whitelist ${HOME}/.cargo
+#whitelist ${HOME}/.rustup
 
 #private-bin cargo,rustc
 private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
index 54d95e335..1f551b718 100644
--- a/etc/profile-m-z/pip.profile
+++ b/etc/profile-m-z/pip.profile
@@ -12,7 +12,7 @@ ignore read-only ${HOME}/.local/lib
 # Allow python3 (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
-whitelist ${HOME}/.local/lib/python*
+#whitelist ${HOME}/.local/lib/python*
 
 private-bin pip,pip[0-9].[0-9],pip[0-9].[0-9],python3*
 
-- 
cgit v1.2.3-70-g09d2
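Review bot: The retained `private-bin pip,pip[0-9].[0-9],pip[0-9].[0-9],python3*` line at the end of the pip.profile hunk lists the `pip[0-9].[0-9]` pattern twice, which looks like a copy error rather than intent; presumably one occurrence was meant to be a different pattern (perhaps `pip[0-9]`). It is context rather than new code, but since this commit already touches the line's neighbourhood it is a cheap tidy-up, and a duplicated pattern in a `private-bin` list is easy to mistake for a deliberate allow entry when auditing the profile.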