path: root/etc/inc/disable-common.inc
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include disable-common.local

# The following two rules are commented out because they break trash functionality in file managers
#read-only ${HOME}/.local
#read-write ${HOME}/.local/share
deny  ${HOME}/.local/share/Trash

# History files in $HOME and clipboard managers
deny-nolog  ${HOME}/.*_history
deny-nolog  ${HOME}/.adobe
deny-nolog  ${HOME}/.cache/greenclip*
deny-nolog  ${HOME}/.histfile
deny-nolog  ${HOME}/.history
deny-nolog  ${HOME}/.kde/share/apps/klipper
deny-nolog  ${HOME}/.kde4/share/apps/klipper
deny-nolog  ${HOME}/.local/share/fish/fish_history
deny-nolog  ${HOME}/.local/share/klipper
deny-nolog  ${HOME}/.macromedia
deny-nolog  ${HOME}/.mupdf.history
deny-nolog  ${HOME}/.python-history
deny-nolog  ${HOME}/.python_history
deny-nolog  ${HOME}/.pythonhist
deny-nolog  ${HOME}/.lesshst
deny-nolog  ${HOME}/.viminfo
deny-nolog  /tmp/clipmenu*

# X11 session autostart
# blacklist ${HOME}/.xpra - this would break the --x11=xpra command-line option for all programs
deny  ${HOME}/.Xsession
deny  ${HOME}/.blackbox
deny  ${HOME}/.config/autostart
deny  ${HOME}/.config/autostart-scripts
deny  ${HOME}/.config/awesome
deny  ${HOME}/.config/i3
deny  ${HOME}/.config/sway
deny  ${HOME}/.config/lxsession/LXDE/autostart
deny  ${HOME}/.config/openbox
deny  ${HOME}/.config/plasma-workspace
deny  ${HOME}/.config/startupconfig
deny  ${HOME}/.config/startupconfigkeys
deny  ${HOME}/.fluxbox
deny  ${HOME}/.gnomerc
deny  ${HOME}/.kde/Autostart
deny  ${HOME}/.kde/env
deny  ${HOME}/.kde/share/autostart
deny  ${HOME}/.kde/share/config/startupconfig
deny  ${HOME}/.kde/share/config/startupconfigkeys
deny  ${HOME}/.kde/shutdown
deny  ${HOME}/.kde4/env
deny  ${HOME}/.kde4/Autostart
deny  ${HOME}/.kde4/share/autostart
deny  ${HOME}/.kde4/shutdown
deny  ${HOME}/.kde4/share/config/startupconfig
deny  ${HOME}/.kde4/share/config/startupconfigkeys
deny  ${HOME}/.local/share/autostart
deny  ${HOME}/.xinitrc
deny  ${HOME}/.xprofile
deny  ${HOME}/.xserverrc
deny  ${HOME}/.xsession
deny  ${HOME}/.xsessionrc
deny  /etc/X11/Xsession.d
deny  /etc/xdg/autostart
read-only ${HOME}/.Xauthority

# Session manager
# see #3358
#?HAS_X11: blacklist ${HOME}/.ICEauthority
#?HAS_X11: blacklist /tmp/.ICE-unix

# KDE config
deny  ${HOME}/.cache/konsole
deny  ${HOME}/.config/khotkeysrc
deny  ${HOME}/.config/krunnerrc
deny  ${HOME}/.config/kscreenlockerrc
deny  ${HOME}/.config/ksslcertificatemanager
deny  ${HOME}/.config/kwalletrc
deny  ${HOME}/.config/kwinrc
deny  ${HOME}/.config/kwinrulesrc
deny  ${HOME}/.config/plasma-locale-settings.sh
deny  ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
deny  ${HOME}/.config/plasmashellrc
deny  ${HOME}/.config/plasmavaultrc
deny  ${HOME}/.kde/share/apps/kwin
deny  ${HOME}/.kde/share/apps/plasma
deny  ${HOME}/.kde/share/apps/solid
deny  ${HOME}/.kde/share/config/khotkeysrc
deny  ${HOME}/.kde/share/config/krunnerrc
deny  ${HOME}/.kde/share/config/kscreensaverrc
deny  ${HOME}/.kde/share/config/ksslcertificatemanager
deny  ${HOME}/.kde/share/config/kwalletrc
deny  ${HOME}/.kde/share/config/kwinrc
deny  ${HOME}/.kde/share/config/kwinrulesrc
deny  ${HOME}/.kde/share/config/plasma-desktop-appletsrc
deny  ${HOME}/.kde4/share/apps/kwin
deny  ${HOME}/.kde4/share/apps/plasma
deny  ${HOME}/.kde4/share/apps/solid
deny  ${HOME}/.kde4/share/config/khotkeysrc
deny  ${HOME}/.kde4/share/config/krunnerrc
deny  ${HOME}/.kde4/share/config/kscreensaverrc
deny  ${HOME}/.kde4/share/config/ksslcertificatemanager
deny  ${HOME}/.kde4/share/config/kwalletrc
deny  ${HOME}/.kde4/share/config/kwinrc
deny  ${HOME}/.kde4/share/config/kwinrulesrc
deny  ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
deny  ${HOME}/.local/share/kglobalaccel
deny  ${HOME}/.local/share/kwin
deny  ${HOME}/.local/share/plasma
deny  ${HOME}/.local/share/plasmashell
deny  ${HOME}/.local/share/solid
deny  /tmp/konsole-*.history
read-only ${HOME}/.cache/ksycoca5_*
read-only ${HOME}/.config/*notifyrc
read-only ${HOME}/.config/kdeglobals
read-only ${HOME}/.config/kio_httprc
read-only ${HOME}/.config/kiorc
read-only ${HOME}/.config/kioslaverc
read-only ${HOME}/.config/ksslcablacklist
read-only ${HOME}/.kde/share/apps/konsole
read-only ${HOME}/.kde/share/apps/kssl
read-only ${HOME}/.kde/share/config/*notifyrc
read-only ${HOME}/.kde/share/config/kdeglobals
read-only ${HOME}/.kde/share/config/kio_httprc
read-only ${HOME}/.kde/share/config/kioslaverc
read-only ${HOME}/.kde/share/config/ksslcablacklist
read-only ${HOME}/.kde/share/kde4/services
read-only ${HOME}/.kde4/share/apps/konsole
read-only ${HOME}/.kde4/share/apps/kssl
read-only ${HOME}/.kde4/share/config/*notifyrc
read-only ${HOME}/.kde4/share/config/kdeglobals
read-only ${HOME}/.kde4/share/config/kio_httprc
read-only ${HOME}/.kde4/share/config/kioslaverc
read-only ${HOME}/.kde4/share/config/ksslcablacklist
read-only ${HOME}/.kde4/share/kde4/services
read-only ${HOME}/.local/share/konsole
read-only ${HOME}/.local/share/kservices5
read-only ${HOME}/.local/share/kssl

# KDE sockets
deny  ${RUNUSER}/*.slave-socket
deny  ${RUNUSER}/kdeinit5__*
deny  ${RUNUSER}/kdesud_*
# see #3358
#?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
#?HAS_NODBUS: blacklist /tmp/ksocket-*

# gnome
# contains extensions, last used times of applications, and notifications
deny  ${HOME}/.local/share/gnome-shell
# contains recently used files and serial numbers of static/removable storage
deny  ${HOME}/.local/share/gvfs-metadata
# no direct modification of dconf database
read-only ${HOME}/.config/dconf
deny  ${RUNUSER}/gnome-session-leader-fifo
deny  ${RUNUSER}/gnome-shell
deny  ${RUNUSER}/gsconnect

# systemd
deny  ${HOME}/.config/systemd
deny  ${HOME}/.local/share/systemd
deny  /var/lib/systemd
deny  ${PATH}/systemd-run
deny  ${RUNUSER}/systemd
deny  ${PATH}/systemctl
deny  /etc/systemd/system
deny  /etc/systemd/network
# blacklisting /var/run/systemd creates problems on Arch, where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
#blacklist /var/run/systemd

# openrc
deny  /etc/runlevels/
deny  /etc/init.d/
deny  /etc/rc.conf

# VirtualBox
deny  ${HOME}/.VirtualBox
deny  ${HOME}/.config/VirtualBox
deny  ${HOME}/VirtualBox VMs

# GNOME Boxes
deny  ${HOME}/.config/gnome-boxes
deny  ${HOME}/.local/share/gnome-boxes

# libvirt
deny  ${HOME}/.cache/libvirt
deny  ${HOME}/.config/libvirt
deny  ${RUNUSER}/libvirt
deny  /var/cache/libvirt
deny  /var/lib/libvirt
deny  /var/log/libvirt

# OCI-Containers / Podman
deny  ${RUNUSER}/containers
deny  ${RUNUSER}/crun
deny  ${RUNUSER}/libpod
deny  ${RUNUSER}/runc
deny  ${RUNUSER}/toolbox

# VeraCrypt
deny  ${HOME}/.VeraCrypt
deny  ${PATH}/veracrypt
deny  ${PATH}/veracrypt-uninstall.sh
deny  /usr/share/applications/veracrypt.*
deny  /usr/share/pixmaps/veracrypt.*
deny  /usr/share/veracrypt

# TrueCrypt
deny  ${HOME}/.TrueCrypt
deny  ${PATH}/truecrypt
deny  ${PATH}/truecrypt-uninstall.sh
deny  /usr/share/applications/truecrypt.*
deny  /usr/share/pixmaps/truecrypt.*
deny  /usr/share/truecrypt

# zuluCrypt
deny  ${HOME}/.zuluCrypt
deny  ${HOME}/.zuluCrypt-socket
deny  ${PATH}/zuluCrypt-cli
deny  ${PATH}/zuluMount-cli

# var
deny  /var/cache/apt
deny  /var/cache/pacman
deny  /var/lib/apt
deny  /var/lib/clamav
deny  /var/lib/dkms
deny  /var/lib/mysql/mysql.sock
deny  /var/lib/mysqld/mysql.sock
deny  /var/lib/pacman
deny  /var/lib/upower
# blacklist /var/log - not needed: a virtual (mostly empty) /var/log directory is built by default for
# every sandbox, unless the --writable-var-log switch is activated
deny  /var/mail
deny  /var/opt
deny  /var/run/acpid.socket
deny  /var/run/docker.sock
deny  /var/run/minissdpd.sock
deny  /var/run/mysql/mysqld.sock
deny  /var/run/mysqld/mysqld.sock
deny  /var/run/rpcbind.sock
deny  /var/run/screens
deny  /var/spool/anacron
deny  /var/spool/cron
deny  /var/spool/mail

# etc
deny  /etc/anacrontab
deny  /etc/cron*
deny  /etc/profile.d
deny  /etc/rc.local
# rc1.d, rc2.d, ...
deny  /etc/rc?.d
deny  /etc/kernel*
deny  /etc/grub*
deny  /etc/dkms
deny  /etc/apparmor*
deny  /etc/selinux
deny  /etc/modules*
deny  /etc/logrotate*
deny  /etc/adduser.conf

# hide configuration files of various intrusion detection systems
deny  /etc/rkhunter.conf
deny  /var/lib/rkhunter
deny  /etc/chkrootkit.conf
deny  /etc/lynis
deny  /etc/aide
deny  /etc/logcheck
deny  /etc/tripwire
deny  /etc/snort
deny  /etc/fail2ban.conf
deny  /etc/suricata

# Startup files
read-only ${HOME}/.antigen
read-only ${HOME}/.bash_aliases
read-only ${HOME}/.bash_login
read-only ${HOME}/.bash_logout
read-only ${HOME}/.bash_profile
read-only ${HOME}/.bashrc
read-only ${HOME}/.config/environment.d
read-only ${HOME}/.config/fish
read-only ${HOME}/.csh_files
read-only ${HOME}/.cshrc
read-only ${HOME}/.forward
read-only ${HOME}/.kshrc
read-only ${HOME}/.local/share/fish
read-only ${HOME}/.login
read-only ${HOME}/.logout
read-only ${HOME}/.mkshrc
read-only ${HOME}/.oh-my-zsh
read-only ${HOME}/.pam_environment
read-only ${HOME}/.pgpkey
read-only ${HOME}/.plan
read-only ${HOME}/.profile
read-only ${HOME}/.project
read-only ${HOME}/.tcshrc
read-only ${HOME}/.zfunc
read-only ${HOME}/.zlogin
read-only ${HOME}/.zlogout
read-only ${HOME}/.zprofile
read-only ${HOME}/.zsh.d
read-only ${HOME}/.zsh_files
read-only ${HOME}/.zshenv
read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local

# Remote access
deny  ${HOME}/.rhosts
deny  ${HOME}/.shosts
deny  ${HOME}/.ssh/authorized_keys
deny  ${HOME}/.ssh/authorized_keys2
deny  ${HOME}/.ssh/environment
deny  ${HOME}/.ssh/rc
deny  /etc/hosts.equiv
read-only ${HOME}/.ssh/config
read-only ${HOME}/.ssh/config.d

# Initialization files that allow arbitrary command execution
read-only ${HOME}/.caffrc
read-only ${HOME}/.cargo/env
read-only ${HOME}/.dotfiles
read-only ${HOME}/.emacs
read-only ${HOME}/.emacs.d
read-only ${HOME}/.exrc
read-only ${HOME}/.gvimrc
read-only ${HOME}/.homesick
read-only ${HOME}/.iscreenrc
read-only ${HOME}/.local/lib
read-only ${HOME}/.local/share/cool-retro-term
read-only ${HOME}/.mailcap
read-only ${HOME}/.msmtprc
read-only ${HOME}/.mutt/muttrc
read-only ${HOME}/.muttrc
read-only ${HOME}/.nano
read-only ${HOME}/.npmrc
read-only ${HOME}/.pythonrc.py
read-only ${HOME}/.reportbugrc
read-only ${HOME}/.tmux.conf
read-only ${HOME}/.vim
read-only ${HOME}/.viminfo
read-only ${HOME}/.vimrc
read-only ${HOME}/.xmonad
read-only ${HOME}/.xscreensaver
read-only ${HOME}/.yarnrc
read-only ${HOME}/_exrc
read-only ${HOME}/_gvimrc
read-only ${HOME}/_vimrc
read-only ${HOME}/dotfiles

# Make directories commonly found in $PATH read-only
read-only ${HOME}/.gem
read-only ${HOME}/.luarocks
read-only ${HOME}/.npm-packages
read-only ${HOME}/.nvm
read-only ${HOME}/bin
read-only ${HOME}/.bin
read-only ${HOME}/.local/bin
read-only ${HOME}/.cargo/bin
read-only ${HOME}/.rustup

# Write-protection for desktop entries
read-only ${HOME}/.config/menus
read-only ${HOME}/.gnome/apps
read-only ${HOME}/.local/share/applications

read-only ${HOME}/.config/mimeapps.list
read-only ${HOME}/.config/user-dirs.dirs
read-only ${HOME}/.config/user-dirs.locale
read-only ${HOME}/.local/share/mime

# Write-protection for thumbnailer directory
read-only ${HOME}/.local/share/thumbnailers

# prevent access to ssh-agent sockets
deny  /tmp/ssh-*

# top secret
deny  ${HOME}/*.kdb
deny  ${HOME}/*.kdbx
deny  ${HOME}/*.key
deny  ${HOME}/.Private
deny  ${HOME}/.caff
deny  ${HOME}/.cargo/credentials
deny  ${HOME}/.cargo/credentials.toml
deny  ${HOME}/.cert
deny  ${HOME}/.config/keybase
deny  ${HOME}/.davfs2/secrets
deny  ${HOME}/.ecryptfs
deny  ${HOME}/.fetchmailrc
deny  ${HOME}/.fscrypt
deny  ${HOME}/.git-credential-cache
deny  ${HOME}/.git-credentials
deny  ${HOME}/.gnome2/keyrings
deny  ${HOME}/.gnupg
deny  ${HOME}/.config/hub
deny  ${HOME}/.kde/share/apps/kwallet
deny  ${HOME}/.kde4/share/apps/kwallet
deny  ${HOME}/.local/share/keyrings
deny  ${HOME}/.local/share/kwalletd
deny  ${HOME}/.local/share/plasma-vault
deny  ${HOME}/.msmtprc
deny  ${HOME}/.mutt
deny  ${HOME}/.muttrc
deny  ${HOME}/.netrc
deny  ${HOME}/.nyx
deny  ${HOME}/.pki
deny  ${HOME}/.local/share/pki
deny  ${HOME}/.smbcredentials
deny  ${HOME}/.ssh
deny  ${HOME}/.vaults
deny  /.fscrypt
deny  /etc/davfs2/secrets
deny  /etc/group+
deny  /etc/group-
deny  /etc/gshadow
deny  /etc/gshadow+
deny  /etc/gshadow-
deny  /etc/passwd+
deny  /etc/passwd-
deny  /etc/shadow
deny  /etc/shadow+
deny  /etc/shadow-
deny  /etc/ssh
deny  /etc/ssh/*
deny  /home/.ecryptfs
deny  /home/.fscrypt
deny  /var/backup

# cloud provider configuration
deny  ${HOME}/.aws
deny  ${HOME}/.boto
deny  ${HOME}/.config/gcloud
deny  ${HOME}/.kube
deny  ${HOME}/.passwd-s3fs
deny  ${HOME}/.s3cmd
deny  /etc/boto.cfg

# system directories
deny  /sbin
deny  /usr/local/sbin
deny  /usr/sbin

# system management
deny  ${PATH}/at
deny  ${PATH}/busybox
deny  ${PATH}/chage
deny  ${PATH}/chfn
deny  ${PATH}/chsh
deny  ${PATH}/crontab
deny  ${PATH}/evtest
deny  ${PATH}/expiry
deny  ${PATH}/fusermount
deny  ${PATH}/gksu
deny  ${PATH}/gksudo
deny  ${PATH}/gpasswd
deny  ${PATH}/kdesudo
deny  ${PATH}/ksu
deny  ${PATH}/mount
deny  ${PATH}/mount.ecryptfs_private
deny  ${PATH}/nc
deny  ${PATH}/ncat
deny  ${PATH}/nmap
deny  ${PATH}/newgidmap
deny  ${PATH}/newgrp
deny  ${PATH}/newuidmap
deny  ${PATH}/ntfs-3g
deny  ${PATH}/pkexec
deny  ${PATH}/procmail
deny  ${PATH}/sg
deny  ${PATH}/strace
deny  ${PATH}/su
deny  ${PATH}/sudo
deny  ${PATH}/tcpdump
deny  ${PATH}/umount
deny  ${PATH}/unix_chkpwd
deny  ${PATH}/xev
deny  ${PATH}/xinput

# other SUID binaries
deny  /usr/lib/virtualbox
deny  /usr/lib64/virtualbox

# prevent lxterminal from connecting to an existing lxterminal session
deny  /tmp/.lxterminal-socket*
# prevent tmux from connecting to an existing session
deny  /tmp/tmux-*

# disable terminals that run as a server, which would otherwise result in a sandbox escape
deny  ${PATH}/lxterminal
deny  ${PATH}/gnome-terminal
deny  ${PATH}/gnome-terminal.wrapper
deny  ${PATH}/lilyterm
deny  ${PATH}/mate-terminal
deny  ${PATH}/mate-terminal.wrapper
deny  ${PATH}/pantheon-terminal
deny  ${PATH}/roxterm
deny  ${PATH}/roxterm-config
deny  ${PATH}/terminix
deny  ${PATH}/tilix
deny  ${PATH}/urxvtc
deny  ${PATH}/urxvtcd
deny  ${PATH}/xfce4-terminal
deny  ${PATH}/xfce4-terminal.wrapper
# blacklist ${PATH}/konsole
# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04

# kernel files
deny  /initrd*
deny  /vmlinuz*

# snapshot files
deny  /.snapshots

# flatpak
deny  ${HOME}/.cache/flatpak
deny  ${HOME}/.config/flatpak
nodeny  ${HOME}/.local/share/flatpak/exports
read-only ${HOME}/.local/share/flatpak/exports
deny  ${HOME}/.local/share/flatpak/*
deny  ${HOME}/.var
deny  ${RUNUSER}/app
deny  ${RUNUSER}/doc
deny  ${RUNUSER}/.dbus-proxy
deny  ${RUNUSER}/.flatpak
deny  ${RUNUSER}/.flatpak-cache
deny  ${RUNUSER}/.flatpak-helper
deny  /usr/share/flatpak
nodeny  /var/lib/flatpak/exports
deny  /var/lib/flatpak/*
# most of the time bwrap is a SUID binary
deny  ${PATH}/bwrap

# snap
deny  ${RUNUSER}/snapd-session-agent.socket

# mail directories used by mutt
deny  ${HOME}/.Mail
deny  ${HOME}/.mail
deny  ${HOME}/.signature
deny  ${HOME}/Mail
deny  ${HOME}/mail
deny  ${HOME}/postponed
deny  ${HOME}/sent

# kernel configuration
deny  /proc/config.gz

# prevent DNS malware from communicating with its server
# using regular DNS tools
deny  ${PATH}/dig
deny  ${PATH}/dlint
deny  ${PATH}/dns2tcp
deny  ${PATH}/dnssec-*
deny  ${PATH}/dnswalk
deny  ${PATH}/drill
deny  ${PATH}/host
deny  ${PATH}/iodine
deny  ${PATH}/kdig
deny  ${PATH}/khost
deny  ${PATH}/knsupdate
deny  ${PATH}/ldns-*
deny  ${PATH}/ldnsd
deny  ${PATH}/nslookup
deny  ${PATH}/resolvectl
deny  ${PATH}/unbound-host

# rest of ${RUNUSER}
deny  ${RUNUSER}/*.lock
deny  ${RUNUSER}/inaccessible
deny  ${RUNUSER}/pk-debconf-socket
deny  ${RUNUSER}/update-notifier.pid