From f3912910c1a92883671fce6b75a72ec7de865716 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Thu, 30 Sep 2021 08:18:19 +0200
Subject: Profile fixes and hardening

* cheese
- fix: dbus-user.own org.gnome.Cheese
- fix: whitelist /usr/share/gstreamer-1.0
- fix: include allow-python3.inc
- hardening: include disable-shell.inc
- hardening: include whitelist-run-common.inc and whitelist /run/udev/data
- hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
- hardening: noinput
- hardening: nosound
- hardening: seccomp.block-secondary
- hardening: private-dev
* geekbench (closes #4576)
- fix: noblacklist /sbin and noblacklist /usr/sbin
- fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5
- fix: comment/remove private-bin, private-lib, private-opt
* inkscape
- add quiet for cli usage
* musixmatch (#4518)
- allow chroot
* pandoc
- fix: include allow-bin-sh.inc
- fix: drop private-bin
- hardening: include whitelist-runuser-common.inc
- hardening: seccomp.block-secondary
---
 etc/profile-a-l/cheese.profile | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'etc/profile-a-l/cheese.profile')

diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index 53d221631..978d727f4 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -9,17 +9,24 @@ include globals.local
 noblacklist ${VIDEOS}
 noblacklist ${PICTURES}
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /run/udev/data
+whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
 whitelist /usr/share/gnome-video-effects
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -30,21 +37,26 @@ machine-id
 net none
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
+nosound
 notv
 nou2f
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
 private-bin cheese
 private-cache
+private-dev
 private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload
 private-tmp
 
 dbus-user filter
+dbus-user.own org.gnome.Cheese
 dbus-user.talk ca.desrt.dconf
 dbus-system none
-- 
cgit v1.2.3-70-g09d2
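Review bot: The three new whitelist lines (`/run/udev/data`, `/usr/libexec/gstreamer-1.0/gst-plugin-scanner`, `/usr/share/gstreamer-1.0`) and the new `include allow-python3.inc` carry no comment saying which component needs them, so a later maintainer cannot tell whether the udev device database or the python3 interpreter paths re-opened by allow-python3.inc can be dropped again. The allow-python3.inc line is correctly placed before disable-interpreters.inc (noblacklist must precede the blacklist), but it widens what the sandbox can execute for the whole profile, not just for one plugin, which is worth recording next to it. I would add a short why-comment above each grant, e.g. `# needed by the gstreamer plugin scanner / camera enumeration — TODO(review): confirm which component requires each path` above the whitelist lines and `# TODO(review): name the gstreamer/python component that needs this` above the allow-python3.inc include.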
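Review bot: `nosound` is added alongside `private-dev` with no note on whether audio capture is still expected to work; if cheese's video recording mode records audio through gstreamer, removing sound devices will silently break that rather than fail loudly, so it is worth confirming this is intended before the hardening lands. The same applies to `noinput`, which removes /dev/input while the camera device presumably stays available under `private-dev`; a comment such as `# nosound/noinput: cheese only needs the camera device — TODO(review): confirm audio recording is not required` would make the trade-off explicit. Both additions are sound hardening if that assumption holds.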