From deb6c12454191b7aeff3d259612a00427d1aa6a1 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Thu, 9 Jul 2020 10:49:17 +0000
Subject: hardening some profiles (#3505)

* hardening some profiles
- harden and fix flameshot
- wruc: frogatto, ghostwriter
- harden gnome-latex
- add whitelist opt-in note to keepassxc
- add comment to minetest
- harden openarena, tremulous, xonotic
- add profile for xonotic-sdl-wrapper
* followup
---
 etc/profile-m-z/xonotic.profile | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'etc/profile-m-z/xonotic.profile')

diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 949988c3b..aa8cc7d0e 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -14,12 +14,17 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.xonotic
 whitelist ${HOME}/.xonotic
+whitelist /usr/share/xonotic
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
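Review bot: `whitelist /usr/share/xonotic` hard-codes a single install location, and because `include whitelist-usr-share-common.inc` is added in the same hunk everything else under /usr/share becomes invisible, so on a distribution that ships the game data elsewhere (Debian's xonotic-data package puts it under /usr/share/games/xonotic, if I remember correctly) the engine would start inside a sandbox with no pk3 files — unless whitelist-usr-share-common.inc already covers /usr/share/games, which I cannot see from here. Firejail ignores whitelist entries whose path does not exist, so adding `whitelist /usr/share/games/xonotic` next to the existing line costs nothing on systems that use the /usr/share/xonotic layout. Either way the assumption deserves a comment above the whitelist, e.g. `# game data is expected in /usr/share/xonotic; Debian-style layouts use /usr/share/games/xonotic`.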
@@ -32,12 +37,17 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
-private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
+private-cache
+private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
 dbus-user none
 dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.xonotic
-- 
cgit v1.2.3-54-g00ecf
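Review bot: `private-cache` replaces ~/.cache with an empty tmpfs on every launch, so whatever the GPU driver keeps there (Mesa's shader cache lives under ~/.cache/mesa_shader_cache, as far as I recall) is rebuilt at each start-up; that is a reasonable privacy trade-off for a game, but the hunk leaves it undocumented and the next maintainer may "fix" the slow start by removing it. A one-line comment above the option would settle it, e.g. `# private-cache: driver shader caches under ~/.cache are discarded each run; accepted cost for not exposing ~/.cache`. The `read-only ${HOME}` / `read-write ${HOME}/.xonotic` pair at the end is largely belt-and-braces: after the whitelist in the first hunk ${HOME} is a tmpfs holding only .xonotic, so, as far as I can tell, the read-only mainly stops new files from being created in that throwaway tmpfs, which is also worth stating in a comment so it is not mistaken for the control that actually hides the real home directory.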