From 13cb318d40b2758aefb9dd360924313a54d8efbd Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Thu, 23 Mar 2023 02:02:19 -0300
Subject: mpv: move read-only entries to disable-common.inc

Note: mpv itself does not modify anything in ~/.config/mpv as far as I know, in which case it does not need a read-write entry.

Relates to #5706 #5707 #5710.
---
 etc/profile-m-z/mov-cli.profile | 2 --
 1 file changed, 2 deletions(-)
(limited to 'etc/profile-m-z')

diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile
index 8ad94b949..74d630e24 100644
--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -25,7 +25,5 @@ private-bin ffmpeg,fzf,mov-cli
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile
-- 
cgit v1.2.3-70-g09d2

From 35885d72566977c1a9686f9324b07ae2cdd1f702 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Thu, 23 Mar 2023 02:49:53 -0300
Subject: firefox: move read-only entries to disable-common.inc

Instead of duplicating them on every profile that tries to allow opening links in Firefox. And make that path read-write on firefox.profile.
---
 etc/inc/disable-common.inc | 1 +
 etc/profile-a-l/electron-mail.profile | 1 -
 etc/profile-a-l/email-common.profile | 1 -
 etc/profile-a-l/firefox.profile | 3 +++
 etc/profile-a-l/geary.profile | 1 -
 etc/profile-a-l/kube.profile | 1 -
 etc/profile-a-l/linuxqq.profile | 2 --
 etc/profile-m-z/signal-desktop.profile | 1 -
 etc/profile-m-z/thunderbird.profile | 1 -
 etc/profile-m-z/trojita.profile | 1 -
 etc/profile-m-z/tutanota-desktop.profile | 1 -
 etc/profile-m-z/youtube-viewers-common.profile | 1 -
 etc/profile-m-z/zeal.profile | 1 -
 13 files changed, 4 insertions(+), 12 deletions(-)
(limited to 'etc/profile-m-z')

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 1b55a5dff..baa68c0c2 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -346,6 +346,7 @@ read-only ${HOME}/.local/share/cool-retro-term
 read-only ${HOME}/.local/share/nvim
 read-only ${HOME}/.local/state/nvim
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 9f4fabd68..766fe523b 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 0a44a62a3..7d5c859e9 100644
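Review bot: The new `read-only ${HOME}/.mozilla/firefox/profiles.ini` line in disable-common.inc carries no hint that it is deliberately reverted elsewhere, while every per-profile copy of it is removed in this commit, so a later reader of this list cannot tell that an `ignore` in firefox.profile depends on it. Suggest `# Firefox profile registry; firefox.profile makes it read-write again via ignore`. Any other profile for a browser that uses ~/.mozilla/firefox but redirects somewhere other than firefox.profile would now inherit a read-only profiles.ini without the override; whether such a profile exists is not visible here and is worth checking. As with the other entries in this list, read-only only takes effect on a file that already exists at sandbox start.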
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -85,6 +85,5 @@ dbus-user.talk org.gnome.seahorse.*
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
 restrict-namespaces
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 0e1d30958..42d59157c 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,9 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
+# (Ignore entry from disable-common.inc)
+ignore read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${RUNUSER}/*firefox*
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index a19a20ba7..ba0837780 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 5183a9327..5cf30ed40 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile
index 9157d910b..6ca8b8103 100644
--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
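Review bot: The new `ignore read-only ${HOME}/.mozilla/firefox/profiles.ini` in firefox.profile is order-dependent: as far as I recall firejail's ignore only suppresses profile lines processed after it, so it must stay above `include disable-common.inc`, and the comment should say so rather than only naming the source file, e.g. `# (Ignore entry from disable-common.inc; must precede the include below)`. The `include globals.local` shown as hunk context suggests the .local includes are already processed above this point and so are not affected, but the rest of firefox.profile is outside the hunk. If ignore matches by prefix rather than exact text, any future disable-common.inc line starting with this path would be dropped as well, which is worth a word in the comment if that is the case.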
@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index a26b41524..3e1899ef3 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/Signal
 # These lines are needed to allow Firefox to open links
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.config/Signal
 whitelist ${HOME}/.config/Signal
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 1ac80bc9a..5df207e25 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -24,7 +24,6 @@ writable-run-user
 # These lines are needed to allow Firefox to load your profile when clicking a link in an email
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 378c8a1b7..ba68ccb53 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -60,5 +60,4 @@ dbus-user filter
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index 4793e9dbb..55e4a4392 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -28,7 +28,6 @@ whitelist ${HOME}/.config/tutanota-desktop
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 9ef90eb92..d2b73ec4c 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -24,7 +24,6 @@ include allow-python3.inc
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index caf9eab63..09a1d37a3 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 # This also requires dbus-user filtering (see below).
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.cache/Zeal
 mkdir ${HOME}/.config/Zeal
-- 
cgit v1.2.3-70-g09d2

From 7e1a5834b1e062fd7e259b22e6bcb07290e89d66 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Thu, 23 Mar 2023 02:44:12 -0300
Subject: profiles: move read-only config entries to dc

Command used to search for entries:
$ git grep '^read-only ${HOME}/' -- 'etc/profile*'

Note for gpg: ~/.gnupg/gpg.conf is apparently only managed by gpgconf(1) rather than through gpg(1) itself, in which case it does not need to be made read-write in gpg.profile.
---
 etc/inc/disable-common.inc | 10 ++++++++++
 etc/profile-a-l/awesome.profile | 1 -
 etc/profile-a-l/cower.profile | 1 -
 etc/profile-m-z/makepkg.profile | 1 -
 etc/profile-m-z/openbox.profile | 2 --
 etc/profile-m-z/steam.profile | 1 -
 6 files changed, 10 insertions(+), 6 deletions(-)
(limited to 'etc/profile-m-z')

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 18e94bb80..cf712a07e 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc
 blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
+read-only ${HOME}/.config/awesome/autorun.sh
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
 
 # Session manager
 # see #3358
@@ -338,6 +341,7 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
+read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
@@ -370,6 +374,7 @@ read-only ${HOME}/dotfiles
 
 # System package managers and AUR helpers
 blacklist ${HOME}/.config/cower
+read-only ${HOME}/.config/cower/config
 
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.bin
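Review bot: The three new `read-only` lines for `${HOME}/.config/awesome/autorun.sh` and the two openbox files at @@ -69 protect only a file that already exists when the sandbox starts; as far as I recall firejail's read-only silently skips a missing path, so on a system where no autostart script exists yet a sandboxed process could still create one, which is exactly what these entries are meant to prevent. This is not a regression, since the per-profile lines they replace in awesome.profile and openbox.profile had the same limit, but moving them into the global list is a good moment to note it: `# these only take effect if the file exists; protect the directory instead if creation matters`. Whether a blacklist or read-only on the parent directory is acceptable for these window managers is outside the hunk.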
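Review bot: `read-only ${HOME}/.config/cower/config` at @@ -370 sits directly under `blacklist ${HOME}/.config/cower`, so in any profile that keeps the blacklist it has no effect and reads as redundant; it only matters for a profile that first lifts the blacklist, presumably cower.profile, which drops its own copy of the line in this commit. A one-line comment would stop the next reader from cleaning it up, e.g. `# kept read-only in profiles that noblacklist the directory above`. The same consideration applies to `${HOME}/.gnupg/gpg.conf` at @@ -338 if ~/.gnupg is blacklisted elsewhere in this file, which is not visible here.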
@@ -396,6 +401,11 @@ read-only ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.local/share/mime
 
+# Configuration files that do not allow arbitrary command execution but that
+# are intended to be modified manually (in a text editor and/or by a program
+# dedicated to managing them)
+read-only ${HOME}/.config/MangoHud
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
index d8c073c8d..910dd8a91 100644
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -16,5 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/awesome/autorun.sh
 #restrict-namespaces
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index e896f3537..9b05b4416 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -45,5 +45,4 @@ private-dev
 private-tmp
 memory-deny-write-execute
 
-read-only ${HOME}/.config/cower/config
 restrict-namespaces
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index e9d245a6d..266d00395 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-*
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
 blacklist ${HOME}/.gnupg/random_seed
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index 2da867dec..9b566a42b 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -16,6 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/openbox/autostart
-read-only ${HOME}/.config/openbox/environment
 #restrict-namespaces
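Review bot: The new section header at @@ -396 describes a general category ("configuration files that do not allow arbitrary command execution but that are intended to be modified manually") yet only the MangoHud directory is filed under it, while `${HOME}/.config/cower/config`, added by the same commit, arguably fits the same description and went into the package-manager section instead; either narrow the header to what sits under it or point to the other section so the two do not drift apart. Since these entries can no longer be edited out per application the way the removed steam.profile line could, the header is also the right place to say how a profile opts out, e.g. appending `# (profiles that must write one of these use: ignore read-only <path>)`, which is the pattern firefox.profile uses. Note that this entry covers the whole `MangoHud` directory rather than one file, which is broader than the other entries in the section; if MangoHud or its configuration tooling writes there, that would now be blocked in every profile that includes this file, which cannot be confirmed from the hunk.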
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index a5b4d5d87..63d629a32 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -181,5 +181,4 @@ private-tmp
 #dbus-user none
 #dbus-system none
 
-read-only ${HOME}/.config/MangoHud
 #restrict-namespaces
-- 
cgit v1.2.3-70-g09d2