From 096d0de5f8bb253d0c1035796464bc5982f06f81 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Mon, 16 Nov 2020 11:41:35 +0100
Subject: from my overrides

- add seccomp.block-secondary to a lot profiles
- add wruc to firefox-common and ignore it in TB and firefox-common-addons
- harden dia, gnome-keyring, libreoffice, megaglest, pngquant, ghostwriter, rhythmbox, sqlitebrowser
---
 etc/profile-m-z/megaglest.profile | 2 ++
 etc/profile-m-z/meld.profile | 1 +
 etc/profile-m-z/menulibre.profile | 1 +
 etc/profile-m-z/minetest.profile | 1 +
 etc/profile-m-z/mpv.profile | 1 +
 etc/profile-m-z/patch.profile | 1 +
 etc/profile-m-z/pdftotext.profile | 2 ++
 etc/profile-m-z/peek.profile | 1 +
 etc/profile-m-z/pngquant.profile | 3 +++
 etc/profile-m-z/rhythmbox.profile | 2 ++
 etc/profile-m-z/shellcheck.profile | 1 +
 etc/profile-m-z/sqlitebrowser.profile | 2 ++
 etc/profile-m-z/strings.profile | 1 +
 etc/profile-m-z/supertux2.profile | 1 +
 etc/profile-m-z/supertuxkart.profile | 1 +
 etc/profile-m-z/thunderbird.profile | 2 ++
 etc/profile-m-z/transmission-common.profile | 1 +
 etc/profile-m-z/vivaldi.profile | 2 ++
 etc/profile-m-z/wget.profile | 1 +
 etc/profile-m-z/whois.profile | 1 +
 etc/profile-m-z/xournal.profile | 1 +
 etc/profile-m-z/yelp.profile | 1 +
 etc/profile-m-z/youtube-dl.profile | 1 +
 23 files changed, 31 insertions(+)
(limited to 'etc/profile-m-z')

diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 19f9edf05..37ac9e304 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.megaglest
@@ -37,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 385700648..6ceeb867f 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -62,6 +62,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 3468bc22d..c70090a25 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index a22d2c2e3..5678a781c 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -47,6 +47,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 389b64535..ce3bfe421 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -67,6 +67,7 @@ noroot
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 8663fb453..6cbaa66ad 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index eee42424f..2a7d0cec1 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index 28a7da404..710a533a9 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 83905b108..3513e91cc 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -7,6 +7,8 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${PICTURES}
+
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -16,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index f906ec31d..e7f379509 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -45,10 +45,12 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 private-bin rhythmbox,rhythmbox-client
+private-cache
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index 6cd70c2ea..c67a88161 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -40,6 +40,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index cdb20b4e0..110434736 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
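Review bot: The new `noblacklist ${PICTURES}` in the first pngquant hunk carries no comment tying it to the `include disable-xdg.inc` added in the second hunk, although it only makes sense as a counterpart to it (presumably disable-xdg.inc blacklists the XDG user directories, ${PICTURES} among them). The placement is right, since a `noblacklist` must be read before the matching `blacklist` and here it sits above the include, but a later edit that drops the include or reorders the lines would silently change what pngquant can read. A comment such as `# disable-xdg.inc below blacklists ${PICTURES}; keep this line above it` would make the coupling explicit. It is also worth recording in the same comment that images under the other XDG directories (e.g. ${DOWNLOADS}) become unreadable to the sandboxed pngquant once disable-xdg.inc is included, if that is the intended trade-off.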
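Review bot: `private-cache` in the rhythmbox hunk is added with no note on what it discards: it places a tmpfs over ~/.cache, so whatever rhythmbox keeps there (presumably its album-art and metadata cache) is rebuilt every session, and any `${HOME}/.cache/rhythmbox` noblacklist or whitelist elsewhere in this profile, outside this hunk, becomes dead. Please confirm the rest of the profile does not reference that directory, and document the trade-off next to the directive, e.g. `# private-cache: rhythmbox's ~/.cache data is recreated each session`.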
@@ -18,6 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 
 private-bin sqlitebrowser
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 426b2dc1c..09ada1e25 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index ceaae8fbf..9cc023765 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 40b996794..ff99c234e 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index e3eb73730..2e7b69cec 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -6,6 +6,8 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
 
+ignore whitelist-runuser-common.inc
+
 # writable-run-user and dbus are needed by enigmail
 ignore dbus-user none
 ignore dbus-system none
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 9d2e8e990..d601f0f15 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
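Review bot: The new `ignore whitelist-runuser-common.inc` in the thunderbird hunk is placed above, and separated by a blank line from, the `# writable-run-user and dbus are needed by enigmail` comment that presumably also explains it, so the reason for dropping an include inherited from firefox-common.profile is not visible at the line. Either move it directly under that comment alongside the other `ignore` lines, or give it its own, e.g. `# enigmail needs all of ${RUNUSER} (writable-run-user), so drop the narrower whitelist`. As far as I know `ignore` only affects profile lines read after it, so it has to stay above the redirect to firefox-common.profile, which is outside this hunk; near the top of the file, as here, it does.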
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index 541942453..cd06b7f4c 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -29,6 +29,8 @@ whitelist ${HOME}/.config/vivaldi
 whitelist ${HOME}/.config/vivaldi-snapshot
 whitelist ${HOME}/.local/lib/vivaldi
 
+#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
+
 # breaks vivaldi sync
 ignore dbus-user none
 ignore dbus-system none
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index cdb8f0b93..8a64d2d73 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 2af1379e0..a9cecb18d 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index b842b5307..0c6969e09 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index fd95ceb04..e198af8b2 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index db3535f78..d9dee6891 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
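Review bot: The `#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot` line in the vivaldi hunk is a disabled directive with no explanation, unlike the `# breaks vivaldi sync` comment that justifies the `ignore` lines right below it. State what breaks when it is enabled, e.g. `# private-bin: breaks <what breaks> -- TODO confirm`, or drop the line rather than leave an unexplained candidate that someone may re-enable. It is also worth recording that a private-bin list containing bash and rm constrains little by itself, so re-enabling it would gain tidiness rather than meaningful containment.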
@@ -52,6 +52,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
-- 
cgit v1.2.3-70-g09d2