From 1a03225b4407f1cf88410573c8fc67031de511c1 Mon Sep 17 00:00:00 2001
From: Tad
Date: Mon, 5 Nov 2018 18:32:22 -0500
Subject: Add new config option to disable U2F in browsers, enabled by default
---
 etc/chromium-common.profile | 2 +-
 etc/firefox-common.profile | 2 +-
 etc/firejail.config | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)
(limited to 'etc')
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index e7062c5b8..13ed13058 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -27,7 +27,7 @@ nodbus
 nodvd
 nogroups
 notv
-nou2f
+?BROWSER_DISABLE_U2F: nou2f
 shell none
 disable-mnt
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 31b071fe1..722a398cb 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -37,7 +37,7 @@ nogroups
 nonewprivs
 noroot
 notv
-nou2f
+?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
diff --git a/etc/firejail.config b/etc/firejail.config
index d7106e76c..00f2c1b5d 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -5,6 +5,9 @@
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
+# Disable U2F in browsers, default enabled.
+# browser-disable-u2f yes
+
 # Number of ARP probes sent when assigning an IP address for --net option,
 # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
 # timeout is implemented for each probe. Increase this number to 4 if your
--
cgit v1.2.3-70-g09d2
From 507c30a70340eed773020f7eadcd577786ad6309 Mon Sep 17 00:00:00 2001
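Review bot: The new config comment `# Disable U2F in browsers, default enabled.` in the etc/firejail.config hunk is ambiguous about what is enabled by default — the option or U2F itself — while the two profile hunks in this commit (etc/chromium-common.profile, etc/firefox-common.profile) show the intent: with the option on, `nou2f` stays in effect and U2F devices remain blocked. Suggest wording it as `# Disable U2F in browsers (keeps nou2f in the browser profiles), default enabled.` so an administrator who needs a security key knows to set `browser-disable-u2f no`. The parsing that maps `browser-disable-u2f` onto the `?BROWSER_DISABLE_U2F:` condition used in the profiles is not in this diff (limited to etc), so whether an older firejail binary accepts that conditional line cannot be confirmed from here and is worth stating in the commit message.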
From: glitsj16
Date: Thu, 8 Nov 2018 01:18:28 +0000
Subject: Update whitelist-common.inc
---
 etc/whitelist-common.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'etc')
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 38ec5d85d..9c1b7b92c 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -20,6 +20,10 @@ whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
+# dconf
+mkdir ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
+
 # fonts
 whitelist ${HOME}/.cache/fontconfig
 whitelist ${HOME}/.config/fontconfig
@@ -48,11 +52,8 @@ whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
 whitelist ${HOME}/.local/share/themes
 whitelist ${HOME}/.themes
-# dconf
-mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
-
 # qt/kde
+whitelist ${HOME}/.cache/kioexec/krun
 whitelist ${HOME}/.config/Kvantum
 whitelist ${HOME}/.config/Trolltech.conf
 whitelist ${HOME}/.config/kdeglobals
@@ -73,4 +74,3 @@ whitelist ${HOME}/.kde4/share/config/ksslcablacklist
 whitelist ${HOME}/.kde4/share/config/oxygenrc
 whitelist ${HOME}/.kde4/share/icons
 whitelist ${HOME}/.local/share/qt5ct
-whitelist ${HOME}/.cache/kioexec/krun
--
cgit v1.2.3-70-g09d2
From aebd0f94cc2ae6cfb4b0a321ac8bea2ffa7e53d9 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 8 Nov 2018 01:30:57 +0000
Subject: Update disable-common.inc
---
 etc/disable-common.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'etc')
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index d220f381b..74b653385 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -3,9 +3,9 @@ include disable-common.local
 # The following block breaks trash functionality in file managers
-#read-only ${HOME}/.local
+#read-only ${HOME}/.local
 #read-write ${HOME}/.local/share
-blacklist ${HOME}/.local/share/Trash
+blacklist ${HOME}/.local/share/Trash
 # History files in $HOME and clipboard managers
 blacklist-nolog ${HOME}/.*_history
@@ -122,7 +122,7 @@ read-only ${HOME}/.local/share/kssl
 blacklist /run/user/*/kdeinit5__*
 # blacklist /run/user/*/ksocket-*/kdeinit4__*
 # blacklist /tmp/ksocket-*/kdeinit4__*
-# - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
+# causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
 # gnome
 # contains extensions, last used times of applications, and notifications
@@ -133,7 +133,7 @@ blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist /var/lib/systemd
 # blacklist /var/run/systemd
-# - creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
+# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 # VirtualBox
 blacklist ${HOME}/.VirtualBox
@@ -173,7 +173,7 @@ blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
 # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
-# every sandbox, unless --writeble-var-log switch is activated
+# every sandbox, unless --writeble-var-log switch is activated
 blacklist /var/mail
 blacklist /var/opt
 blacklist /var/run/acpid.socket
--
cgit v1.2.3-70-g09d2
From 654ba2487ff183f48699eb23b3c015a7601e27c9 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 8 Nov 2018 01:48:18 +0000
Subject: Update disable-passwdmgr.inc
---
 etc/disable-passwdmgr.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'etc')
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index 72e1a66ee..316378cb8 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -8,6 +8,7 @@ blacklist ${HOME}/.config/keepass
 blacklist ${HOME}/.config/keepassx
 blacklist ${HOME}/.config/keepassxc
 blacklist ${HOME}/.config/Sinew Software Systems
+blacklist ${HOME}/.fpm
 blacklist ${HOME}/.keepass
 blacklist ${HOME}/.keepassx
 blacklist ${HOME}/.keepassxc
@@ -15,4 +16,3 @@ blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.local/share/KeePass
 blacklist ${HOME}/.local/share/keepass
 blacklist ${HOME}/.password-store
-blacklist ${HOME}/.fpm
--
cgit v1.2.3-70-g09d2
From d166ab46930841a76fabcc3e294e185887484bde Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 8 Nov 2018 01:49:54 +0000
Subject: Update disable-devel.inc
---
 etc/disable-devel.inc | 49 +++++++++++++++++++++++++------------------------
 1 file changed, 25 insertions(+), 24 deletions(-)
(limited to 'etc')
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 5c41692da..43ccb358b 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -4,8 +4,14 @@ include disable-devel.local
 # development tools
+# clang/llvm
+blacklist ${PATH}/clang*
+blacklist ${PATH}/lldb*
+blacklist ${PATH}/llvm*
+# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
+# blacklist /usr/lib/llvm*
+
 # GCC
-#blacklist /usr/lib/gcc - seems to create problems on Gentoo
 blacklist ${PATH}/as
 blacklist ${PATH}/cc
 blacklist ${PATH}/c++*
@@ -21,40 +27,35 @@ blacklist ${PATH}/*-g++*
 blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
 blacklist /usr/include
+# seems to create problems on Gentoo
+#blacklist /usr/lib/gcc
-# clang/llvm
-blacklist ${PATH}/clang*
-blacklist ${PATH}/lldb*
-blacklist ${PATH}/llvm*
-# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
-# blacklist /usr/lib/llvm*
-
-# tcc - Tiny C Compiler
-blacklist ${PATH}/tcc
-blacklist ${PATH}/x86_64-tcc
-blacklist /usr/lib/tcc
-
-# Valgrind
-blacklist ${PATH}/valgrind*
-blacklist /usr/lib/valgrind
+#Go
+blacklist ${PATH}/gccgo
+blacklist ${PATH}/go
+blacklist ${PATH}/gofmt
 # Java
 blacklist ${PATH}/java
 blacklist ${PATH}/javac
-blacklist /usr/lib/java
 blacklist /etc/java
+blacklist /usr/lib/java
 blacklist /usr/share/java
-#Go
-blacklist ${PATH}/gccgo
-blacklist ${PATH}/go
-blacklist ${PATH}/gofmt
+#OpenSSL
+blacklist ${PATH}/openssl
+blacklist ${PATH}/openssl-1.0
 #Rust
 blacklist ${PATH}/rust-gdb
 blacklist ${PATH}/rust-lldb
 blacklist ${PATH}/rustc
-#OpenSSL
-blacklist ${PATH}/openssl
-blacklist ${PATH}/openssl-1.0
+# tcc - Tiny C Compiler
+blacklist ${PATH}/tcc
+blacklist ${PATH}/x86_64-tcc
+blacklist /usr/lib/tcc
+
+# Valgrind
+blacklist ${PATH}/valgrind*
+blacklist /usr/lib/valgrind
--
cgit v1.2.3-70-g09d2
From 312386b53b90f81bb54315eaeb07eefb37dba965 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 8 Nov 2018 01:52:25 +0000
Subject: Update disable-interpreters.inc
---
 etc/disable-interpreters.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'etc')
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc
index 0d5f5737e..22f58bb85 100644
--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -4,8 +4,8 @@ include disable-interpreters.local
 # Lua
 blacklist ${PATH}/lua*
-blacklist /usr/lib/lua
 blacklist /usr/include/lua*
+blacklist /usr/lib/lua
 blacklist /usr/share/lua
 # Node.js
--
cgit v1.2.3-70-g09d2
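Review bot: The section headers relocated in the second etc/disable-devel.inc hunk keep inconsistent comment spacing: `+#Go` and `+#OpenSSL` have no space after `#`, while `# Java`, `# tcc - Tiny C Compiler` and `# Valgrind` in the same hunk do, and since these lines are rewritten anyway this is the natural place to normalize them to `# Go` and `# OpenSSL` (`#Rust` is context here and could follow later). The relocated `+#blacklist /usr/lib/gcc` likewise differs from `# blacklist /usr/lib/llvm*` in the first hunk of this file; one form for commented-out directives keeps them easy to grep for when auditing what a profile actually blocks. Nothing in this hunk changes the set of blacklisted paths, so this is style only.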
From e19e45eab4b0190f90af6e3486a5067249b64152 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 8 Nov 2018 02:03:47 +0000
Subject: Update disable-programs.inc
---
 etc/disable-programs.inc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'etc')
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 9e94d8aa1..4ef0f2f53 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -2,10 +2,12 @@
 # Persistent customizations should go in a .local file.
 include disable-programs.local
+blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/snap
+blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.AndroidStudio*
@@ -35,9 +37,9 @@ blacklist ${HOME}/.anydesk
 blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.aria2
 blacklist ${HOME}/.arm
+blacklist ${HOME}/.asunder_album_artist
 blacklist ${HOME}/.asunder_album_genre
 blacklist ${HOME}/.asunder_album_title
-blacklist ${HOME}/.asunder_album_artist
 blacklist ${HOME}/.atom
 blacklist ${HOME}/.attic
 blacklist ${HOME}/.audacity-data
@@ -315,9 +317,9 @@ blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/konqsidebartng
 blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/ktorrent
+blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
 blacklist ${HOME}/.kde/share/config/baloorc
 blacklist ${HOME}/.kde/share/config/digikam
@@ -540,8 +542,6 @@ blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
-blacklist ${HOME}/Arduino
-blacklist ${HOME}/wallet.dat
 blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
--
cgit v1.2.3-70-g09d2
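Review bot: The sort pass in the third etc/disable-programs.inc hunk (`@@ -315,9 +317,9 @@`) moves `okular` below `ktorrent` but leaves `blacklist ${HOME}/.kde/share/apps/khtml` sitting between `kopete` and `ktorrent`, which is still out of alphabetical order. The hunk header's context text, which git takes from the line directly above the hunk, is that same khtml entry, so the path appears to be listed twice a few lines apart; dropping the second `blacklist ${HOME}/.kde/share/apps/khtml` line would fix both the order and the apparent duplicate. A repeated blacklist entry looks redundant rather than harmful as far as this file shows, but duplicates make later audits of what a profile blocks harder to trust. The other hunks in this commit are pure reordering and need no change.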