misc profile fixups and hardening

etc/celluloid.profile

@@ -29,7 +29,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus -- uses dconf
+# nodbus -- uses dconf, MPRIS
 nogroups
 nonewprivs
 noroot

etc/curl.profile

@@ -33,6 +33,7 @@ novideo
 protocol inet,inet6
 seccomp
 shell none
+tracelog
 
 # private-bin curl
 private-cache

etc/gimp.profile

@@ -21,6 +21,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-exec.inc
+include disable-devel.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

etc/midori.profile

@@ -9,6 +9,7 @@ include globals.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
+noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
@@ -16,11 +17,17 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
+noblacklist ${HOME}/.cache/gnome-mplayer
+noblacklist ${HOME}/.config/gnome-mplayer
+noblacklist ${HOME}/.lastpass
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+#include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/midori
 mkdir ${HOME}/.config/midori

etc/pdftotext.profile

@@ -22,6 +22,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
 machine-id
 net none
 no3d
@@ -41,6 +42,7 @@ tracelog
 x11 none
 
 private-bin pdftotext
+private-cache
 private-dev
 private-etc alternatives
 private-tmp

etc/shotcut.profile

@@ -29,6 +29,7 @@ nou2f
 protocol unix
 seccomp
 shell none
+tracelog
 
 #private-bin melt,nice,qmelt,shotcut
 private-cache