From 105dce9bba1136484251daf645e578d64366bbed Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Wed, 8 Jan 2020 14:46:03 +0100
Subject: misc profile fixups and hardening

---
 etc/celluloid.profile | 2 +-
 etc/curl.profile | 1 +
 etc/gimp.profile | 1 +
 etc/midori.profile | 7 +++++++
 etc/pdftotext.profile | 2 ++
 etc/shotcut.profile | 1 +
 6 files changed, 13 insertions(+), 1 deletion(-)
(limited to 'etc')

diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index ab68c7f13..5a3bf0008 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -29,7 +29,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus -- uses dconf
+# nodbus -- uses dconf, MPRIS
 nogroups
 nonewprivs
 noroot
diff --git a/etc/curl.profile b/etc/curl.profile
index 2624e5545..679f5a152 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -33,6 +33,7 @@ novideo
 protocol inet,inet6
 seccomp
 shell none
+tracelog
 # private-bin curl
 private-cache
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 5c0631eb2..94035bc02 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -21,6 +21,7 @@ noblacklist ${PICTURES}
 include disable-common.inc
 include disable-exec.inc
+include disable-devel.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
diff --git a/etc/midori.profile b/etc/midori.profile
index ffae4919f..e11e2acaa 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -9,6 +9,7 @@ include globals.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
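Review bot: In the gimp.profile hunk, `include disable-devel.inc` is inserted after `include disable-exec.inc`, which breaks the alphabetical ordering that the other include blocks in this same patch keep (the midori block runs common, devel, exec, interpreters, …); move it one line up so it reads `include disable-common.inc`, `include disable-devel.inc`, `include disable-exec.inc`. The include itself is a reasonable hardening step for an image editor, since disable-devel.inc removes compilers and debuggers from the sandbox view, and nothing in the visible profile depends on them. The rest of the include list continues past the end of the hunk.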
@@ -16,11 +17,17 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.cache/gnome-mplayer
+noblacklist ${HOME}/.config/gnome-mplayer
+noblacklist ${HOME}/.lastpass
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+#include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/midori
 mkdir ${HOME}/.config/midori
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index e9572d914..f8448f514 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -22,6 +22,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
+ipc-namespace
 machine-id
 net none
 no3d
@@ -41,6 +42,7 @@ tracelog
 x11 none
 private-bin pdftotext
+private-cache
 private-dev
 private-etc alternatives
 private-tmp
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 5b3c5439d..072cc2c0d 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -29,6 +29,7 @@ nou2f
 protocol unix
 seccomp
 shell none
+tracelog
 #private-bin melt,nice,qmelt,shotcut
 private-cache
-- cgit v1.2.3-70-g09d2
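Review bot: Commenting out `include disable-passwdmgr.inc` in the second midori.profile hunk loosens the profile under a commit titled "hardening", and the profile records no reason for it; the adjacent `noblacklist ${HOME}/.lastpass` suggests it is meant to let a LastPass browser extension reach its data, but that is an inference a later maintainer should not have to make. Add a one-line justification next to the disabled include, e.g. `# disable-passwdmgr.inc is disabled so the LastPass extension can reach ${HOME}/.lastpass`, and consider whether a narrower noblacklist alone would suffice instead of dropping the whole password-manager blacklist. The two gnome-mplayer noblacklist lines are likewise unexplained and deserve a similar comment. The newly added `include disable-xdg.inc` is consistent with the `${HOME}/.cache/midori` noblacklist introduced in the first hunk, so no issue there.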