From aa2bdffc4b4d0437dd710a70546c87b8f882b100 Mon Sep 17 00:00:00 2001 
From: smitsohu Date: Tue, 12 Mar 2019 20:44:51 +0000 Subject: add disable-exec.inc to all profiles with apparmor (#2576) * add disable-exec.inc to all profiles with apparmor - #2385 #2505 * drop disable-exec.inc from generic electron.profile --- etc/akonadi_control.profile | 3 +-- etc/arch-audit.profile | 3 +-- etc/ark.profile | 3 +-- etc/artha.profile | 3 +-- etc/assogiate.profile | 3 +-- etc/asunder.profile | 3 +-- etc/atril.profile | 3 +-- etc/audacious.profile | 3 +-- etc/audacity.profile | 3 +-- etc/authenticator.profile | 3 +-- etc/celluloid.profile | 3 +-- etc/checkbashisms.profile | 3 +-- etc/chromium-common.profile | 8 ++++---- etc/clawsker.profile | 3 +-- etc/clipit.profile | 3 +-- etc/d-feet.profile | 3 +-- etc/dconf-editor.profile | 3 +-- etc/dconf.profile | 3 +-- etc/devhelp.profile | 3 +-- etc/devilspie.profile | 3 +-- etc/devilspie2.profile | 3 +-- etc/digikam.profile | 3 +-- etc/disable-exec.inc | 11 +++++++++++ etc/enchant.profile | 3 +-- etc/engrampa.profile | 3 +-- etc/eog.profile | 3 +-- etc/exiftool.profile | 3 +-- etc/ffmpeg.profile | 3 +-- etc/file-roller.profile | 3 +-- etc/file.profile | 3 +-- etc/firefox-common.profile | 8 ++++---- etc/font-manager.profile | 3 +-- etc/galculator.profile | 3 +-- etc/gcloud.profile | 9 ++++----- etc/gconf.profile | 3 +-- etc/gedit.profile | 3 +-- etc/geekbench.profile | 3 +-- etc/ghostwriter.profile | 3 +-- etc/gimp.profile | 10 +++++----- etc/git.profile | 3 +-- etc/gnome-calculator.profile | 3 +-- etc/gnome-clocks.profile | 3 +-- etc/gnome-keyring.profile | 3 +-- etc/gnome-logs.profile | 3 +-- etc/gnome-maps.profile | 3 +-- etc/gnome-schedule.profile | 3 +-- etc/gnome-system-log.profile | 3 +-- etc/gpicview.profile | 3 +-- etc/gucharmap.profile | 3 +-- etc/gwenview.profile | 3 +-- etc/handbrake.profile | 3 +-- etc/img2txt.profile | 3 +-- etc/inkscape.profile | 3 +-- etc/kate.profile | 6 +++--- etc/kcalc.profile | 3 +-- etc/kdenlive.profile | 6 +++--- etc/klavaro.profile | 3 +-- etc/kmail.profile | 3 +-- 
etc/kodi.profile | 8 ++++---- etc/krita.profile | 8 ++++---- etc/kwrite.profile | 3 +-- etc/libreoffice.profile | 3 +-- etc/masterpdfeditor.profile | 3 +-- etc/mediainfo.profile | 3 +-- etc/meld.profile | 3 +-- etc/mpsyt.profile | 3 +-- etc/mpv.profile | 1 + etc/mypaint.profile | 3 +-- etc/nano.profile | 3 +-- etc/netactview.profile | 3 +-- etc/ocenaudio.profile | 3 +-- etc/okular.profile | 3 +-- etc/openshot.profile | 3 +-- etc/pavucontrol.profile | 3 +-- etc/pluma.profile | 3 +-- etc/qbittorrent.profile | 3 +-- etc/redshift.profile | 3 +-- etc/regextester.profile | 3 +-- etc/rhythmbox.profile | 3 +-- etc/seahorse-tool.profile | 3 +-- etc/seahorse.profile | 1 + etc/simplescreenrecorder.profile | 3 +-- etc/smplayer.profile | 3 +-- etc/soundconverter.profile | 3 +-- etc/sqlitebrowser.profile | 3 +-- etc/standardnotes-desktop.profile | 3 +-- etc/subdownloader.profile | 3 +-- etc/supertuxkart.profile | 3 +-- etc/sysprof.profile | 3 +-- etc/totem.profile | 3 +-- etc/transgui.profile | 3 +-- etc/transmission-cli.profile | 3 +-- etc/transmission-daemon.profile | 3 +-- etc/transmission-gtk.profile | 3 +-- etc/transmission-qt.profile | 3 +-- etc/transmission-remote.profile | 3 +-- etc/transmission-show.profile | 3 +-- etc/viewnior.profile | 3 +-- etc/vlc.profile | 3 +-- etc/wireshark.profile | 3 +-- etc/xed.profile | 3 +-- etc/xfce4-mixer.profile | 3 +-- etc/xplayer.profile | 3 +-- etc/xreader.profile | 3 +-- etc/xviewer.profile | 3 +-- 105 files changed, 138 insertions(+), 220 deletions(-) create mode 100644 etc/disable-exec.inc (limited to 'etc') diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile index 4d40e6594..1c16f940e 100644 --- a/etc/akonadi_control.profile +++ b/etc/akonadi_control.profile @@ -22,6 +22,7 @@ noblacklist /usr/sbin include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc 
@@ -51,5 +52,3 @@ tracelog private-dev # private-tmp - breaks programs that depend on akonadi -noexec ${HOME} -noexec /tmp diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile index e28733c63..e353326df 100644 --- a/etc/arch-audit.profile +++ b/etc/arch-audit.profile @@ -12,6 +12,7 @@ noblacklist /var/lib/pacman include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -44,5 +45,3 @@ private-dev private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/ark.profile b/etc/ark.profile index b60674f95..9214e96ff 100644 --- a/etc/ark.profile +++ b/etc/ark.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/arkrc include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -39,5 +40,3 @@ private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,ba private-dev private-tmp -noexec ${HOME} -noexec /tmp diff --git a/etc/artha.profile b/etc/artha.profile index 2e4c9071f..8ef5124de 100644 --- a/etc/artha.profile +++ b/etc/artha.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/enchant include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -42,5 +43,3 @@ private-lib libnotify.so.* private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/assogiate.profile b/etc/assogiate.profile index 1161c24fe..577a20093 100644 --- a/etc/assogiate.profile +++ b/etc/assogiate.profile @@ -10,6 +10,7 @@ noblacklist ${PICTURES} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc 
@@ -45,5 +46,3 @@ private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.* private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/asunder.profile b/etc/asunder.profile index 3167dfe12..fa2479051 100644 --- a/etc/asunder.profile +++ b/etc/asunder.profile @@ -14,6 +14,7 @@ noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -39,5 +40,3 @@ private-tmp # mdwe is disabled due to breaking hardware accelerated decoding # memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/atril.profile b/etc/atril.profile index aca945ba3..2f39af823 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -15,6 +15,7 @@ noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -49,5 +50,3 @@ private-tmp # webkit gtk killed by memory-deny-write-execute #memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/audacious.profile b/etc/audacious.profile index 590d3ffa3..4d0c93047 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile @@ -12,6 +12,7 @@ noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -40,5 +41,3 @@ private-dev private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/audacity.profile b/etc/audacity.profile index 4dd412359..200d3a387 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile @@ -12,6 +12,7 @@ noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc 
@@ -41,5 +42,3 @@ private-dev private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/authenticator.profile b/etc/authenticator.profile index 7f5090251..339b51239 100644 --- a/etc/authenticator.profile +++ b/etc/authenticator.profile @@ -14,6 +14,7 @@ noblacklist /usr/lib/python3* include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -43,5 +44,3 @@ private-etc alternatives,fonts,ld.so.cache private-tmp # memory-deny-write-execute - breaks on Arch -noexec ${HOME} -noexec /tmp diff --git a/etc/celluloid.profile b/etc/celluloid.profile index 1f61ff9f5..5604a16b9 100644 --- a/etc/celluloid.profile +++ b/etc/celluloid.profile @@ -21,6 +21,7 @@ noblacklist /usr/local/lib/python3* include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -47,5 +48,3 @@ private-etc alternatives,ca-certificates,ssl,pki,pkcs11,hosts,machine-id,localti private-dev private-tmp -noexec ${HOME} -noexec /tmp diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile index fe2648792..5afbf2d56 100644 --- a/etc/checkbashisms.profile +++ b/etc/checkbashisms.profile @@ -18,6 +18,7 @@ noblacklist /usr/share/perl* include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -50,5 +51,3 @@ private-lib perl* private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index a182e5d20..3c7423316 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile 
@@ -6,11 +6,15 @@ include chromium-common.local # already included by caller profile #include globals.local +# noexec ${HOME} breaks DRM binaries. +ignore noexec ${HOME} + noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-programs.inc @@ -37,9 +41,5 @@ disable-mnt private-dev # private-tmp - problems with multiple browser sessions -# breaks DRM binaries -#noexec ${HOME} -noexec /tmp - # the file dialog needs to work without d-bus env NO_CHROME_KDE_FILE_DIALOG=1 diff --git a/etc/clawsker.profile b/etc/clawsker.profile index c0f417915..c519ecedb 100644 --- a/etc/clawsker.profile +++ b/etc/clawsker.profile @@ -17,6 +17,7 @@ noblacklist /usr/share/perl* include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -51,5 +52,3 @@ private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1 private-tmp # memory-deny-write-execute - breaks on Arch -noexec ${HOME} -noexec /tmp diff --git a/etc/clipit.profile b/etc/clipit.profile index 052d0464b..6e4d3fbaf 100644 --- a/etc/clipit.profile +++ b/etc/clipit.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/clipit include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -39,5 +40,3 @@ private-cache private-dev private-tmp -noexec ${HOME} -noexec /tmp diff --git a/etc/d-feet.profile b/etc/d-feet.profile index 05314fa18..92bd5e1a4 100644 --- a/etc/d-feet.profile +++ b/etc/d-feet.profile @@ -16,6 +16,7 @@ noblacklist /usr/lib/python3* include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc 
@@ -51,5 +52,3 @@ private-etc alternatives,dbus-1,fonts,machine-id private-tmp # memory-deny-write-execute - Breaks on Arch -noexec ${HOME} -noexec /tmp diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile index 103a2ed93..1174a5bba 100644 --- a/etc/dconf-editor.profile +++ b/etc/dconf-editor.profile @@ -8,6 +8,7 @@ include globals.local include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -41,5 +42,3 @@ private-lib private-tmp # memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/dconf.profile b/etc/dconf.profile index d2376cc35..2c7c9f638 100644 --- a/etc/dconf.profile +++ b/etc/dconf.profile @@ -8,6 +8,7 @@ include globals.local include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -44,5 +45,3 @@ private-lib private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/devhelp.profile b/etc/devhelp.profile index 897357fdf..4e618b7ea 100644 --- a/etc/devhelp.profile +++ b/etc/devhelp.profile @@ -9,6 +9,7 @@ include globals.local include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -41,7 +42,5 @@ private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl private-tmp # memory-deny-write-execute - Breaks on Arch -noexec ${HOME} -noexec /tmp read-only ${HOME} diff --git a/etc/devilspie.profile b/etc/devilspie.profile index ffab615d1..2d100c4b0 100644 --- a/etc/devilspie.profile +++ b/etc/devilspie.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.devilspie include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc 
@@ -44,7 +45,5 @@ private-lib gconv
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 read-only ${HOME}
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
index b89bf122b..2f599366b 100644
--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/devilspie2
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,7 +45,5 @@ private-lib gconv
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 read-only ${HOME}
diff --git a/etc/digikam.profile b/etc/digikam.profile
index cc0e98ba3..e9c89a1b9 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -14,6 +14,7 @@ noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ shell none
 # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/disable-exec.inc b/etc/disable-exec.inc
new file mode 100644
index 000000000..c535af7d4
--- /dev/null
+++ b/etc/disable-exec.inc
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-exec.local
+
+noexec ${HOME}
+noexec ${RUNUSER}
+noexec /dev/shm
+noexec /tmp
+# /var/tmp is noexec by default
+# just in case there is a keep-var-tmp option:
+noexec /var/tmp
diff --git a/etc/enchant.profile b/etc/enchant.profile
index 7d304feb7..288d8799c 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/enchant
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
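Review bot: The new disable-exec.inc goes further than the per-profile lines it replaces: the callers previously carried at most `noexec ${HOME}` and `noexec /tmp`, and every one of them now also gets `noexec ${RUNUSER}` and `noexec /dev/shm`, which neither the header comment nor the commit message calls out. Most of the touched profiles also set `private-dev`, which supplies its own /dev, so it is worth confirming that `noexec /dev/shm` is applied to the /dev/shm the sandboxed process actually sees rather than to a mount that private-dev later replaces; the ordering is not visible in this diff. Callers that must keep home executable now rely on `ignore noexec ${HOME}` placed before the include (chromium-common, firefox-common, gcloud, gimp, kate, kdenlive, kodi, krita), and that pattern deserves a line in this header, e.g. `# To keep ${HOME} executable, put 'ignore noexec ${HOME}' in the profile before this include.`. The `/var/tmp` comment is speculative ("just in case there is a keep-var-tmp option"); either confirm the option exists and name it as the reason, or state plainly that the line is a defensive duplicate of the default.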
@@ -43,5 +44,3 @@ private-lib private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/engrampa.profile b/etc/engrampa.profile index 670808de2..562e8f542 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile @@ -8,6 +8,7 @@ include globals.local include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -38,5 +39,3 @@ private-dev # private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/eog.profile b/etc/eog.profile index 57931b794..f296cbcb4 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -13,6 +13,7 @@ noblacklist ${HOME}/.steam include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -47,5 +48,3 @@ private-lib eog,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* private-tmp # memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 1838ce273..62eff69ab 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile @@ -15,6 +15,7 @@ noblacklist /usr/share/perl* include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -46,5 +47,3 @@ private-etc alternatives private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile index aa7a91928..a1c311e42 100644 --- a/etc/ffmpeg.profile +++ b/etc/ffmpeg.profile @@ -12,6 +12,7 @@ noblacklist ${VIDEOS} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc 
@@ -48,5 +49,3 @@ private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf private-tmp # memory-deny-write-execute - it breaks old versions of ffmpeg -noexec ${HOME} -noexec /tmp diff --git a/etc/file-roller.profile b/etc/file-roller.profile index dbb3fa93c..ad52b0e97 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile @@ -8,6 +8,7 @@ include globals.local include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -41,5 +42,3 @@ private-dev # private-tmp # memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/file.profile b/etc/file.profile index e084e80c2..c304b4efe 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -10,6 +10,7 @@ include globals.local blacklist /tmp/.X11-unix include disable-common.inc +include disable-exec.inc include disable-passwdmgr.inc include disable-programs.inc @@ -41,5 +42,3 @@ private-etc alternatives,magic.mgc,magic,localtime private-lib libarchive.so.*,libfakeroot,libmagic.so.* memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 3089b7ce8..a2a34f33f 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile @@ -6,6 +6,9 @@ include firefox-common.local # already included by caller profile #include globals.local +# noexec ${HOME} breaks DRM binaries. +ignore noexec ${HOME} + # Uncomment the following line to allow access to common programs/addons/plugins. #include firefox-common-addons.inc @@ -14,6 +17,7 @@ noblacklist ${HOME}/.local/share/pki include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-programs.inc 
@@ -55,7 +59,3 @@ private-dev # private-etc below works fine on most distributions. There are some problems on CentOS. #private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache private-tmp - -# Breaks DRM binaries. -#noexec ${HOME} -noexec /tmp diff --git a/etc/font-manager.profile b/etc/font-manager.profile index 49c50da71..3b4a1e3a2 100644 --- a/etc/font-manager.profile +++ b/etc/font-manager.profile @@ -17,6 +17,7 @@ noblacklist /usr/lib/python3* include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -52,5 +53,3 @@ private-dev private-tmp #memory-deny-write-execute - Breaks on Arch -noexec ${HOME} -noexec /tmp diff --git a/etc/galculator.profile b/etc/galculator.profile index 203d0a455..92b400572 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/galculator include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -47,5 +48,3 @@ private-lib private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/gcloud.profile b/etc/gcloud.profile index d9df8fd37..a08aebf2c 100644 --- a/etc/gcloud.profile +++ b/etc/gcloud.profile @@ -5,12 +5,16 @@ include gcloud.local # Persistent global definitions include globals.local +# noexec ${HOME} will break user-local installs of gcloud tooling +ignore noexec ${HOME} + noblacklist ${HOME}/.boto noblacklist ${HOME}/.config/gcloud noblacklist /var/run/docker.sock include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-programs.inc apparmor 
@@ -34,8 +38,3 @@ disable-mnt private-dev private-etc alternatives,ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache private-tmp - -noexec /tmp - -# will break user-local installs of gcloud tooling -# noexec ${HOME} diff --git a/etc/gconf.profile b/etc/gconf.profile index 94af21833..4a2d433ef 100644 --- a/etc/gconf.profile +++ b/etc/gconf.profile @@ -16,6 +16,7 @@ noblacklist /usr/lib/python2* include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -53,5 +54,3 @@ private-lib libpython*,python2* private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/gedit.profile b/etc/gedit.profile index a583c534f..6b99ec580 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile @@ -13,6 +13,7 @@ noblacklist ${HOME}/.python-history include disable-common.inc # include disable-devel.inc +include disable-exec.inc # include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -44,5 +45,3 @@ private-dev private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell private-tmp -noexec ${HOME} -noexec /tmp diff --git a/etc/geekbench.profile b/etc/geekbench.profile index 425fb7bb5..764c68131 100644 --- a/etc/geekbench.profile +++ b/etc/geekbench.profile @@ -8,6 +8,7 @@ include globals.local include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -46,7 +47,5 @@ private-opt none private-tmp # memory-deny-write-execute - Breaks on Arch -noexec ${HOME} -noexec /tmp read-only ${HOME} diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile index 615e6d01c..76011df19 100644 --- a/etc/ghostwriter.profile +++ b/etc/ghostwriter.profile 
@@ -12,6 +12,7 @@ noblacklist ${PICTURES} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -53,5 +54,3 @@ private-etc alternatives,cups,crypto-policies,localtime,drirc,fonts,gtk-3.0,dcon #private-lib private-tmp -noexec ${HOME} -noexec /tmp diff --git a/etc/gimp.profile b/etc/gimp.profile index 9b14b1fe8..91001cd30 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile @@ -6,12 +6,17 @@ include gimp.local # Persistent global definitions include globals.local +# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory +# if you are not using external plugins, you can disable ignore noexec statement below +ignore noexec ${HOME} + noblacklist ${HOME}/.config/GIMP noblacklist ${HOME}/.gimp* noblacklist ${DOCUMENTS} noblacklist ${PICTURES} include disable-common.inc +include disable-exec.inc include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -35,8 +40,3 @@ shell none private-dev private-tmp - -# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory -# if you are not using external plugins, you can enable noexec statement below -# noexec ${HOME} -noexec /tmp diff --git a/etc/git.profile b/etc/git.profile index 575793f58..44e3474f8 100644 --- a/etc/git.profile +++ b/etc/git.profile @@ -21,6 +21,7 @@ noblacklist ${HOME}/.vim noblacklist ${HOME}/.viminfo include disable-common.inc +include disable-exec.inc include disable-passwdmgr.inc include disable-programs.inc @@ -46,5 +47,3 @@ private-cache private-dev memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index eb124a4e8..c9ad4831f 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile 
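Review bot: In the gimp.profile hunk the comment above the new `ignore noexec ${HOME}` line reads `you can disable ignore noexec statement below`, which is hard to parse now that an active ignore replaces the old commented-out noexec; suggest `# if you do not use external plugins, comment out the ignore statement below to keep ${HOME} noexec`. The path `${HOME}/.gimp-2.8/plug-ins/` is version-specific, while the same profile also whitelists `${HOME}/.config/GIMP`, which appears to be the newer layout, so the comment could name both locations or just say "GIMP's user plug-in directory".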
@@ -9,6 +9,7 @@ include globals.local include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-passwdmgr.inc include disable-interpreters.inc include disable-programs.inc @@ -45,5 +46,3 @@ private-dev private-tmp # memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile index 32a7ca918..cb73a9477 100644 --- a/etc/gnome-clocks.profile +++ b/etc/gnome-clocks.profile @@ -8,6 +8,7 @@ include globals.local include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -39,5 +40,3 @@ private-dev private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies,machine-id,hosts,pkcs11,localtime,gtk-3.0,dconf private-tmp -noexec ${HOME} -noexec /tmp diff --git a/etc/gnome-keyring.profile b/etc/gnome-keyring.profile index 88898a816..47d8ca2c0 100644 --- a/etc/gnome-keyring.profile +++ b/etc/gnome-keyring.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.gnupg include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-passwdmgr.inc include disable-interpreters.inc include disable-programs.inc @@ -47,5 +48,3 @@ private-dev private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile index 9ea4fb9f6..c7cbd8388 100644 --- a/etc/gnome-logs.profile +++ b/etc/gnome-logs.profile @@ -8,6 +8,7 @@ include globals.local include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -46,8 +47,6 @@ private-tmp writable-var-log memory-deny-write-execute -noexec ${HOME} -noexec /tmp # comment this if you export logs to a file in your ${HOME} read-only ${HOME} diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile index 6ce44e7ce..97de9c2be 100644 
--- a/etc/gnome-maps.profile +++ b/etc/gnome-maps.profile @@ -13,6 +13,7 @@ noblacklist ${HOME}/.local/share/flatpak include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -43,5 +44,3 @@ private-dev # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies private-tmp -noexec ${HOME} -noexec /tmp diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile index 10ed8935a..bb11c64a8 100644 --- a/etc/gnome-schedule.profile +++ b/etc/gnome-schedule.profile @@ -43,6 +43,7 @@ noblacklist /usr/lib/python3* include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -73,5 +74,3 @@ private-dev # private-etc alternatives writable-var -noexec ${HOME} -noexec /tmp diff --git a/etc/gnome-system-log.profile b/etc/gnome-system-log.profile index 69b0fe75c..c6af31ede 100644 --- a/etc/gnome-system-log.profile +++ b/etc/gnome-system-log.profile @@ -10,6 +10,7 @@ noblacklist /var/log include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -49,8 +50,6 @@ private-tmp writable-var-log memory-deny-write-execute -noexec ${HOME} -noexec /tmp # uncomment this if you never export logs to a file in your ${HOME} #read-only ${HOME} diff --git a/etc/gpicview.profile b/etc/gpicview.profile index 4c66e3772..17371aec0 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/gpicview include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -43,5 +44,3 @@ private-lib private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp 
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile index ee514ac71..9507188fc 100644 --- a/etc/gucharmap.profile +++ b/etc/gucharmap.profile @@ -9,6 +9,7 @@ include globals.local include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -43,7 +44,5 @@ private-lib private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp read-only ${HOME} diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 790e4920d..d4af3ed1a 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -19,6 +19,7 @@ noblacklist ${HOME}/.local/share/org.kde.gwenview include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -47,5 +48,3 @@ private-dev private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg # memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/handbrake.profile b/etc/handbrake.profile index a98f80bc7..324c629e3 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile @@ -12,6 +12,7 @@ noblacklist ${VIDEOS} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -35,5 +36,3 @@ shell none private-dev private-tmp -noexec ${HOME} -noexec /tmp diff --git a/etc/img2txt.profile b/etc/img2txt.profile index 24fd29fbe..ade50048e 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile @@ -10,6 +10,7 @@ noblacklist ${PICTURES} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -41,5 +42,3 @@ private-dev private-tmp memory-deny-write-execute -noexec ${HOME} -noexec /tmp 
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index ba0a2c9f9..8e19d3a7c 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -20,6 +20,7 @@ noblacklist /usr/lib/python3* include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -50,5 +51,3 @@ private-dev private-tmp # memory-deny-write-execute -noexec ${HOME} -noexec /tmp diff --git a/etc/kate.profile b/etc/kate.profile index 4a78d718f..3035393c4 100644 --- a/etc/kate.profile +++ b/etc/kate.profile @@ -6,6 +6,8 @@ include kate.local # Persistent global definitions include globals.local +ignore noexec ${HOME} + noblacklist ${HOME}/.config/katemetainfos noblacklist ${HOME}/.config/katepartrc noblacklist ${HOME}/.config/katerc @@ -16,6 +18,7 @@ noblacklist ${HOME}/.local/share/kate include disable-common.inc # include disable-devel.inc +include disable-exec.inc # include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -45,7 +48,4 @@ private-dev # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg private-tmp -# noexec ${HOME} -noexec /tmp - join-or-start kate diff --git a/etc/kcalc.profile b/etc/kcalc.profile index 8baefaa98..8c641802b 100644 --- a/etc/kcalc.profile +++ b/etc/kcalc.profile @@ -9,6 +9,7 @@ include globals.local include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc @@ -45,5 +46,3 @@ private-dev # private-lib - problems on Arch private-tmp -noexec ${HOME} -noexec /tmp diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index f7b5c89b3..82c8c6793 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile 
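Review bot: `ignore noexec ${HOME}` is added to kate.profile without a comment saying why, and the same applies to the kdenlive hunk on the following line; the other profiles in this commit that add the same override (chromium-common, firefox-common, gcloud, gimp, kodi, krita) each carry a one-line reason. Before this change both files had `# noexec ${HOME}` commented out, also without a reason, so the rationale looks unknown rather than omitted; a note such as `# noexec ${HOME} was never enabled here; reason unrecorded, re-evaluate` would stop the next reader from treating it as a deliberate requirement. It is also worth checking whether home execution is actually needed by kate or kdenlive, because the override removes for these two profiles exactly the restriction the include is introducing.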
@@ -6,12 +6,15 @@ include kdenlive.local
 # Persistent global definitions
 include globals.local
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.cache/kdenlive
 noblacklist ${HOME}/.config/kdenliverc
 noblacklist ${HOME}/.local/share/kdenlive
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -33,6 +36,3 @@ shell none
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper,mlt-melt
 private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11
-
-# noexec ${HOME}
-noexec /tmp
diff --git a/etc/klavaro.profile b/etc/klavaro.profile
index 04b4a5ae5..5ad5e2699 100644
--- a/etc/klavaro.profile
+++ b/etc/klavaro.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/klavaro
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -51,5 +52,3 @@ private-opt none
 private-srv none
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 1f8403ef1..009b2c063 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -31,6 +31,7 @@ noblacklist /tmp/akonadi-*
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -58,5 +59,3 @@ writable-run-user
 private-dev
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kodi.profile b/etc/kodi.profile
index 303310591..9925f131b 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -6,6 +6,9 @@ include kodi.local
 # Persistent global definitions
 include globals.local
+# noexec ${HOME} breaks plugins
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
 noblacklist ${PICTURES}
@@ -19,6 +22,7 @@ noblacklist /usr/lib/python3*
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,7 +44,3 @@ tracelog
 private-dev
 private-tmp
-
-# breaks plugins
-#noexec ${HOME}
-noexec /tmp
diff --git a/etc/krita.profile b/etc/krita.profile
index 3313106a2..5d9c90440 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -6,6 +6,9 @@ include krita.local
 # Persistent global definitions
 include globals.local
+# noexec ${HOME} may break krita, see issue #1953
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/kritarc
 noblacklist ${HOME}/.local/share/krita
 noblacklist ${DOCUMENTS}
@@ -19,6 +22,7 @@ noblacklist /usr/lib/python3*
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,7 +49,3 @@ shell none
 private-cache
 private-dev
 private-tmp
-
-# noexec ${HOME} may break krita, see issue #1953
-# noexec ${HOME}
-noexec /tmp
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index bc4fba97d..9b0640eab 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -17,6 +17,7 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,7 +48,5 @@ private-dev
 private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
-noexec ${HOME}
-noexec /tmp
 join-or-start kwrite
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 0e6c86b80..6e77cd741 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -19,6 +19,7 @@ noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,7 +50,5 @@ tracelog
 private-dev
 private-tmp
-noexec ${HOME}
-noexec /tmp
 join-or-start libreoffice
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile
index 4bb46b5c9..ce6486115 100644
--- a/etc/masterpdfeditor.profile
+++ b/etc/masterpdfeditor.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.masterpdfeditor
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index 6bb393376..d2681f32d 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -10,6 +10,7 @@ blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-etc alternatives
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/meld.profile b/etc/meld.profile
index af3f501e3..4e298e4e7 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -15,6 +15,7 @@ noblacklist /usr/share/python*
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,5 +47,3 @@ private-dev
 # private-etc fonts,alternatives
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile
index f057bdd9e..0808c5a1a 100644
--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -24,6 +24,7 @@ noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -57,5 +58,3 @@ private-bin mpsyt,mplayer,mpv,youtube-dl,python*,env,ffmpeg
 private-dev
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mpv.profile b/etc/mpv.profile
index cf113c1bb..c2ae9c6f9 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -21,6 +21,7 @@ noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/mypaint.profile b/etc/mypaint.profile
index 21fd841cf..615bb60d1 100644
--- a/etc/mypaint.profile
+++ b/etc/mypaint.profile
@@ -15,6 +15,7 @@ noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-dev
 private-etc alternatives,fonts,gtk-3.0,dconf
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/nano.profile b/etc/nano.profile
index ed172b37c..50e251d49 100644
--- a/etc/nano.profile
+++ b/etc/nano.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.nanorc
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-dev
 private-etc alternatives,nanorc
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/netactview.profile b/etc/netactview.profile
index 58235c31b..c91822a9d 100644
--- a/etc/netactview.profile
+++ b/etc/netactview.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.netactview
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
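Review bot: mpv.profile receives a new restriction here rather than a consolidation: its hunk adds `include disable-exec.inc` but removes no `noexec` line, unlike the neighbouring hunks, and the commit description ("add disable-exec.inc to all profiles with apparmor") does not call that out; seahorse.profile, later in this chunk, is in the same situation. mpv loads user Lua scripts from its config directory through its embedded interpreter rather than exec'ing them, so I would not expect breakage, but that is inferred rather than verified here. A short line in the description naming the profiles whose effective policy tightens, plus a run of mpv with a script-heavy config before merging, would close the gap.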
@@ -47,5 +48,3 @@ private-lib
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
index be218e3a8..ceeb59384 100644
--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -12,6 +12,7 @@ noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
 private-tmp
 # memory-deny-write-execute - breaks on Arch
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/okular.profile b/etc/okular.profile
index 0192a1d3d..48e45ca3f 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -20,6 +20,7 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -52,7 +53,5 @@ private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 join-or-start okular
diff --git a/etc/openshot.profile b/etc/openshot.profile
index e383ecf06..acd1fd658 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -17,6 +17,7 @@ noblacklist /usr/lib/python3*
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ shell none
 private-dev
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 6bda9e7d3..b3faca12c 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/pavucontrol.ini
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/pluma.profile b/etc/pluma.profile
index a8b1e4cc6..25142bc18 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/pluma
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,7 +43,5 @@ private-lib pluma
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 join-or-start pluma
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 7b1f05574..156a48170 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -19,6 +19,7 @@ noblacklist /usr/lib/python3*
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -59,5 +60,3 @@ private-dev
 private-tmp
 # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/redshift.profile b/etc/redshift.profile
index 351b54075..e60877172 100644
--- a/etc/redshift.profile
+++ b/etc/redshift.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/redshift.conf
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-dev
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/regextester.profile b/etc/regextester.profile
index 19d6a89f4..c7c59bec2 100644
--- a/etc/regextester.profile
+++ b/etc/regextester.profile
@@ -8,6 +8,7 @@ include globals.local
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -45,8 +46,6 @@ private-lib libgranite.so.*
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 # never write anything
 read-only ${HOME}
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 6b673a924..df874f378 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/rhythmbox
 include disable-common.inc
 include disable-devel.inc
 # rhythmbox is using Python
+include disable-exec.inc
 #include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-bin rhythmbox
 private-dev
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile
index bbab69162..d61f860ad 100644
--- a/etc/seahorse-tool.profile
+++ b/etc/seahorse-tool.profile
@@ -11,6 +11,7 @@ include seahorse-tool.local
 mkdir ${HOME}/.config/dconf
 whitelist ${HOME}/.config/dconf
+include disable-exec.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
@@ -21,8 +22,6 @@ disable-mnt
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 # Redirect
 include gpg.profile
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index 0bf3b89fd..a24c8c3f2 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -16,6 +16,7 @@ noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
+include disable-exec.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/simplescreenrecorder.profile b/etc/simplescreenrecorder.profile
index 47485fe4c..ead475e07 100644
--- a/etc/simplescreenrecorder.profile
+++ b/etc/simplescreenrecorder.profile
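Review bot: In rhythmbox.profile the new `include disable-exec.inc` lands between `# rhythmbox is using Python` and the `#include disable-interpreters.inc` that comment explains, so the comment now reads as if it justified the exec restriction. Moving the include one line up restores the pairing: `include disable-devel.inc`, `include disable-exec.inc`, `# rhythmbox is using Python`, `#include disable-interpreters.inc`. Every other hunk in this commit keeps disable-exec.inc directly after disable-devel.inc, so this also restores consistency.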
@@ -10,6 +10,7 @@ noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -34,5 +35,3 @@ private-dev
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 57ab2cde6..e347d23d6 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -13,6 +13,7 @@ noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ private-bin smplayer,smtube,mplayer,mpv
 private-dev
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index c7667fbed..8b0b0d53b 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -16,6 +16,7 @@ noblacklist /usr/lib/python3*
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-cache
 private-dev
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 8122079e1..4758871d3 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index ba7248b73..5458120ef 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Standard Notes
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-dev
 private-tmp
 private-etc alternatives,ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile
index 009cf65df..ee2d63240 100644
--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -17,6 +17,7 @@ noblacklist /usr/lib/python3*
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-etc alternatives,fonts
 private-tmp
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/supertuxkart.profile b/etc/supertuxkart.profile
index 696ac4de0..60d80ecd4 100644
--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/supertuxkart
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -51,5 +52,3 @@ private-tmp
 private-opt none
 private-srv none
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/sysprof.profile b/etc/sysprof.profile
index eedf4c4b4..3cfea5c5e 100644
--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -8,6 +8,7 @@ include globals.local
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
 private-tmp
 # memory-deny-write-execute - Breaks GUI on Arch
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/totem.profile b/etc/totem.profile
index fd473b03c..f541d3cc2 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -13,6 +13,7 @@ noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transgui.profile b/etc/transgui.profile
index 83191ab58..8043bfa01 100644
--- a/etc/transgui.profile
+++ b/etc/transgui.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/transgui
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 65682df52..60732bcf2 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-lib
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile
index c101e18b5..c67200826 100644
--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-lib
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 6fd310a73..29df63573 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-tmp
 # Causes freeze during opening file dialog in Archlinux, see issue #1855
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index f35eb0036..9fda5245f 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,5 +47,3 @@ private-dev
 private-tmp
 # memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-remote.profile b/etc/transmission-remote.profile
index 7e6f67317..d9ba7be71 100644
--- a/etc/transmission-remote.profile
+++ b/etc/transmission-remote.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-lib
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 691b8959e..58f7af47c 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-lib
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index c958ef6cc..f9fb1cefe 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.steam
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-tmp
 # memory-deny-write-executes breaks on Arch - see issue #1808
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 370180b6b..64ac7a4f0 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -14,6 +14,7 @@ noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-tmp
 # mdwe is disabled due to breaking hardware accelerated decoding
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index a08b97d05..9b9757cd5 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -18,6 +18,7 @@ noblacklist /usr/share/lua
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-dev
 # private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xed.profile b/etc/xed.profile
index cd565f684..a268f2b6e 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -15,6 +15,7 @@ noblacklist /usr/lib/python3*
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-tmp
 # xed uses python plugins, memory-deny-write-execute breaks python
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xfce4-mixer.profile b/etc/xfce4-mixer.profile
index 9c8c5c531..952625ef8 100644
--- a/etc/xfce4-mixer.profile
+++ b/etc/xfce4-mixer.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-etc alternatives,asound.conf,fonts,pulse,machine-id
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 0df879d7c..0cfb840eb 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -18,6 +18,7 @@ noblacklist /usr/lib/python3*
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-dev
 # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xreader.profile b/etc/xreader.profile
index e0a3ddee3..643c5a317 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-etc alternatives,fonts,ld.so.cache
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index c73630053..b483e9404 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.steam
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
-- 
cgit v1.2.3-54-g00ecf