From 17590553045f40e8c7628608c8330b72412fd7f4 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 18 Oct 2023 22:47:07 +0000
Subject: profiles: exchange private-opt with a whitelist (#6021)
* profiles: drop private-opt (existing whitelist)
* profiles: replace private-opt with whitelist
In most profiles. Kept private-opt for enpass (~85MB), mate-dictionary (<20MB), minecraft-launcher (~1.6MB) and ppsspp (~44MB). The only app I couldn't check: xmr-stak.
* docs: note potential issues with private-opt
---
 etc/profile-a-l/bitwarden.profile | 2 +-
 etc/profile-a-l/discord-canary.profile | 3 ++-
 etc/profile-a-l/discord-ptb.profile | 3 ++-
 etc/profile-a-l/discord.profile | 3 ++-
 etc/profile-a-l/electron-mail.profile | 2 +-
 etc/profile-a-l/element-desktop.profile | 2 --
 etc/profile-a-l/gitter.profile | 2 +-
 etc/profile-a-l/google-earth.profile | 2 +-
 etc/profile-a-l/linuxqq.profile | 2 +-
 9 files changed, 11 insertions(+), 10 deletions(-)
 (limited to 'etc/profile-a-l')
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index 56bb871e7..1572ca572 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -17,6 +17,7 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Bitwarden
 whitelist ${HOME}/.config/Bitwarden
+whitelist /opt/Bitwarden
 machine-id
 no3d
@@ -24,7 +25,6 @@ nosound
 ?HAS_APPIMAGE: ignore private-dev
 private-etc @tls-ca
-private-opt Bitwarden
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index 245b07b8d..b67729301 100644
--- a/etc/profile-a-l/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
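Review bot: `+whitelist /opt/Bitwarden` changes the write semantics of the application directory, not only its visibility, and the commit message does not mention it; the same applies to the whitelist lines added in the discord-canary, discord-ptb, discord, electron-mail, gitter, google-earth and linuxqq hunks. As I read firejail(1), a whitelisted path is bind-mounted from the host and modifications to it persist, whereas the removed `private-opt Bitwarden` copied the directory into a temporary /opt that was discarded when the sandbox closed. For a root-owned package install nothing changes in practice, but where the application was unpacked by the user into a writable /opt directory, the sandboxed process can now alter its own files on the host. Where that is not intended, pair the line with `read-only /opt/Bitwarden`, or record the trade-off in a comment above it such as `# whitelist exposes the real install; writes persist (private-opt used a discarded copy)`.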
@@ -9,9 +9,10 @@ noblacklist ${HOME}/.config/discordcanary
 mkdir ${HOME}/.config/discordcanary
 whitelist ${HOME}/.config/discordcanary
+whitelist /opt/DiscordCanary
+whitelist /opt/discord-canary
 private-bin discord-canary,DiscordCanary
-private-opt discord-canary,DiscordCanary
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
index 265bf5615..a657c52b5 100644
--- a/etc/profile-a-l/discord-ptb.profile
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -9,9 +9,10 @@ noblacklist ${HOME}/.config/discordptb
 mkdir ${HOME}/.config/discordptb
 whitelist ${HOME}/.config/discordptb
+whitelist /opt/DiscordPTB
+whitelist /opt/discord
 private-bin discord-ptb,DiscordPTB
-private-opt discord-ptb,DiscordPTB
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
index 02d1c65cd..a4fcae5b8 100644
--- a/etc/profile-a-l/discord.profile
+++ b/etc/profile-a-l/discord.profile
@@ -9,9 +9,10 @@ noblacklist ${HOME}/.config/discord
 mkdir ${HOME}/.config/discord
 whitelist ${HOME}/.config/discord
+whitelist /opt/Discord
+whitelist /opt/discord
 private-bin discord,Discord
-private-opt discord,Discord
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 766fe523b..544756877 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -18,6 +18,7 @@ include disable-shell.inc
 mkdir ${HOME}/.config/electron-mail
 whitelist ${HOME}/.config/electron-mail
+whitelist /opt/ElectronMail
 # The lines below are needed to find the default Firefox profile name, to allow
 # opening links in an existing instance of Firefox (note that it still fails if
@@ -29,7 +30,6 @@ machine-id
 nosound
 private-etc @tls-ca,@x11
-private-opt ElectronMail
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
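Review bot: The second added line in the discord-ptb hunk, `+whitelist /opt/discord`, does not correspond to the directory the removed `private-opt discord-ptb,DiscordPTB` line exposed; it would admit a stable Discord install into the PTB sandbox while leaving a `/opt/discord-ptb` install invisible. The neighbouring `private-bin discord-ptb,DiscordPTB` context line and the lowercase `/opt/discord-canary` path used in the discord-canary hunk suggest `whitelist /opt/discord-ptb` was intended. If PTB really is unpacked to `/opt/discord` on some distribution, a short comment above the line saying so would stop the next reader from treating it as a copy-paste slip.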
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 7b4994a85..1af2884b6 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -15,8 +15,6 @@ mkdir ${HOME}/.config/Element
 whitelist ${HOME}/.config/Element
 whitelist /opt/Element
-private-opt Element
-
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index e3cf87c87..54f2923ba 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -18,6 +18,7 @@ mkdir ${HOME}/.config/Gitter
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/Gitter
+whitelist /opt/Gitter
 include whitelist-var-common.inc
 caps.drop all
@@ -37,7 +38,6 @@ seccomp
 disable-mnt
 private-bin bash,env,gitter
 private-etc @tls-ca
-private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index 4af6ce36b..1087b3d6e 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -18,6 +18,7 @@ mkdir ${HOME}/.config/Google
 mkdir ${HOME}/.googleearth
 whitelist ${HOME}/.config/Google
 whitelist ${HOME}/.googleearth
+whitelist /opt/google
 include whitelist-common.inc
 caps.drop all
@@ -37,6 +38,5 @@ seccomp
 disable-mnt
 private-bin bash,dirname,google-earth,grep,ls,sed,sh
 private-dev
-private-opt google
 restrict-namespaces
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile
index 6ca8b8103..e900c0914 100644
--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -17,6 +17,7 @@ mkdir ${HOME}/.config/QQ
 whitelist ${HOME}/.config/QQ
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${DESKTOP}
+whitelist /opt/QQ
 ignore apparmor
 noprinters
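Review bot: `+whitelist /opt/google` in the google-earth hunk exposes every product installed under /opt/google to this sandbox, not just Google Earth; the removed `private-opt google` had the same breadth, so this is not a regression, but the switch to whitelist is the natural moment to narrow it. If the package installs below `/opt/google/earth` (my recollection of the .deb layout — please confirm on an installed system), `whitelist /opt/google/earth` keeps a co-installed Chrome or any other /opt/google tree out of the Earth sandbox. If the wider path is genuinely needed, a comment above the line stating why would save the next reviewer the same question.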
@@ -24,7 +25,6 @@ noprinters
 # If you don't need/want to save anything to disk you can add `private` to your linuxqq.local.
 #private
 private-etc @tls-ca,@x11,host.conf,os-release
-private-opt QQ
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
--
cgit v1.2.3-70-g09d2