From 4fa0bb7cd6f228ade683a400f582a00ee180a5a3 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 7 May 2024 19:10:43 +0000
Subject: profiles: hexchat: allow lua/downloads and harden (#6331)
* profiles: hexchat: hardenings * profiles: hexchat: allow lua/downloads and harden Allow more paths and add some extra options to harden the profile. We allow Perl but keep it out of private-bin. Do the same for Lua and clarify in the private-bin comment how to enable these interpreters. Consulted resources: - https://github.com/hexchat/hexchat/ - https://hexchat.readthedocs.io/
---
 etc/profile-a-l/hexchat.profile | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
 (limited to 'etc')
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index def7bf25f..ba5a5fbac 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -11,6 +11,9 @@ noblacklist ${HOME}/.config/hexchat
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
@@ -18,17 +21,24 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/hexchat
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/hexchat
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
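Review bot: `include whitelist-usr-share-common.inc` in the second hunk exposes only the curated set of /usr/share directories listed in that include, so any HexChat data living outside that set (a /usr/share/hexchat directory for plugins, themes or bundled scripts, if the installed package ships one) becomes invisible once this line is in place. If such a directory exists on the target distributions, add `whitelist /usr/share/hexchat` next to `whitelist ${HOME}/.config/hexchat`; checking the package file list is cheap and avoids a breakage that only shows up when a plugin fails to load. The first hunk (`include allow-lua.inc`) raises no concern on its own.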
@@ -45,14 +55,20 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 
 disable-mnt
-# debug note: private-bin requires perl, python, etc on some systems
+# If you need Lua and/or Perl support, add the relevant binaries from
+# allow-lua.inc/allow-perl.inc to private-bin in your hexchat.local.
 private-bin hexchat,python*,sh
 private-dev
 #private-lib # python problems
 private-tmp
 
+dbus-user filter
+dbus-user.own org.hexchat.service
+dbus-system none
+
 #memory-deny-write-execute # breaks python
 restrict-namespaces
--
cgit v1.2.3-54-g00ecf
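Review bot: The new `dbus-user filter` block only owns `org.hexchat.service`, so every other session-bus destination is now denied; HexChat builds with libnotify support deliver desktop notifications over `org.freedesktop.Notifications`, and those are likely to stop working under this policy without any visible error. If notifications are expected to keep working out of the box, add `dbus-user.talk org.freedesktop.Notifications` after the `dbus-user.own` line; otherwise a short comment such as `# Add dbus-user.talk org.freedesktop.Notifications to hexchat.local for desktop notifications` would tell users where to look, in the same style as the new Lua/Perl note in this hunk. `dbus-system none` and `seccomp.block-secondary` look fine as they stand.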