From df4b26977de4ce05d269caa8c3914f6f2f7ba8b8 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Fri, 11 Mar 2022 15:39:17 +0100
Subject: harden songrec as suggested by @rusty-snake in addition blacklist/noblacklist/whitelist songrec application files
---
 etc/profile-m-z/songrec.profile | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
(limited to 'etc/profile-m-z')
diff --git a/etc/profile-m-z/songrec.profile b/etc/profile-m-z/songrec.profile
index d121f7845..f63a47c18 100644
--- a/etc/profile-m-z/songrec.profile
+++ b/etc/profile-m-z/songrec.profile
@@ -6,23 +6,34 @@ include songrec.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.local/share/SongRec
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
+nowhitelist ${PICTURES}
+
+mkdir ${HOME}/.local/share/SongRec
+whitelist ${HOME}/.local/share/SongRec
 include whitelist-common.inc
 include whitelist-player-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
 no3d
 nogroups
+noinput
 nonewprivs
 noroot
 notv
@@ -34,7 +45,8 @@ seccomp.block-secondary
 shell none
 disable-mnt
-private-bin songrec,ffmpeg
+private-bin ffmpeg,songrec
+private-cache
 private-dev
 private-tmp
-- 
cgit v1.2.3-70-g09d2
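Review bot: The first hunk drops `include disable-passwdmgr.inc` from the disable-*.inc block, which the commit message does not mention, in a change that otherwise tightens the profile. If another include (presumably disable-common.inc) now blacklists the password-manager paths, the removal is harmless, but that cannot be confirmed from this hunk. If not, the line should stay so that SongRec keeps no access to password stores under the home directory. The new `nowhitelist ${PICTURES}` would also benefit from a one-line comment above it, for example `# SongRec reads audio/video only; keep ${PICTURES} out of the player whitelist`. The profile's header and the lines between the two hunks are outside this view.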