From 0c73dbc88bc917e50962405d32cb6b3b0da182cd Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Mon, 7 Sep 2020 07:55:47 +0000 Subject: New disable include: disable-write-mnt.inc (#3622) * New disable include: disable-write-mnt.inc It is for profiles which have a reasonable mnt access (we can not add disable-mnt), but no edit function (e.g. any kind of viewer). Added to - profile.template - default.profile - eo-common.profile * Update default.profile --- etc/inc/disable-write-mnt.inc | 8 ++++++++ etc/profile-a-l/default.profile | 1 + etc/profile-a-l/eo-common.profile | 1 + etc/templates/profile.template | 1 + 4 files changed, 11 insertions(+) create mode 100644 etc/inc/disable-write-mnt.inc (limited to 'etc')
diff --git a/etc/inc/disable-write-mnt.inc b/etc/inc/disable-write-mnt.inc
new file mode 100644
index 000000000..3990cf760
--- /dev/null
+++ b/etc/inc/disable-write-mnt.inc
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-write-mnt.local
+
+read-only /mnt
+read-only /media
+read-only /run/mount
+read-only /run/media
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 74314cf92..7eb7660dd 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -14,6 +14,7 @@ include disable-common.inc # include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +# include disable-write-mnt.inc # include disable-xdg.inc # include whitelist-common.inc
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 80c704c6b..e8b49a395 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
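Review bot: The new etc/inc/disable-write-mnt.inc has no comment saying what it restricts or where its limits are; the only header text is the generic overwrite warning. The four `read-only` lines block writes but leave everything under /mnt, /media, /run/mount and /run/media readable, so this is not a substitute for the disable-mnt option the commit message mentions. It is also worth confirming whether a filesystem mounted under these paths after the sandbox has started inherits the read-only flag; I have not verified that, and if it does not, the file should say so. I would add above the first `read-only` line: `# Write-protects mount points for profiles that only view files; contents stay readable (use disable-mnt to hide them).`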
@@ -17,6 +17,7 @@ include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-write-mnt.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 02d9fa076..d57306aee 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -110,6 +110,7 @@ include globals.local #include disable-passwdmgr.inc #include disable-programs.inc #include disable-shell.inc +#include disable-write-mnt.inc #include disable-xdg.inc # This section often mirrors noblacklist section above. The idea is -- cgit v1.2.3-70-g09d2
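Review bot: In etc/profile-a-l/eo-common.profile the include is added active, unlike the commented-out lines in default.profile and profile.template, yet nothing next to it tells a user what changed. Any save, rename or delete on removable media from an application using this profile will presumably fail once the four paths are read-only. A comment line above the include would make that discoverable, for example `# write-protects /mnt, /media, /run/mount, /run/media; override in the profile's .local file if needed`.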