Refactor archivers ii (#3827)

* harden 7z.profile * harden atool.profile * harden bsdtar.profile * harden cpio.profile * harden gzip.profile * harden tar.profile * harden unrar.profile * harden unzip.profile * harden xzdec.profile * harden zstd.profile
2026-05-21 06:45:29 -06:00 · 2020-12-15 20:06:10 +00:00 · 2020-12-15 20:06:10 +00:00 · 95ad89d24e
commit 95ad89d24e
parent 4a40e2a5f2
10 changed files with 8 additions and 20 deletions
--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@ -7,8 +7,8 @@ include 7z.local
 # Persistent global definitions
 include globals.local

-ignore include disable-shell.inc
-ignore nogroups
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/sh
 include archiver-common.inc

-#private-bin 7z,7z*,p7zip
+private-bin 7z,7z*,bash,p7zip,sh
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@ -9,13 +9,10 @@ include globals.local

 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
-ignore include disable-devel.inc
-ignore include disable-shell.inc
 include archiver-common.inc

 noroot

-# private-bin atool,perl
 # without login.defs atool complains and uses UID/GID 1000 by default
 private-etc alternatives,group,login.defs,passwd
 private-tmp
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@ -6,8 +6,6 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local

-ignore include disable-devel.inc
-ignore include disable-shell.inc
 include archiver-common.inc

 # support compressed archives
--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@ -10,7 +10,4 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin

-ignore include disable-devel.inc
-ignore include disable-interpreters.inc
-ignore include disable-shell.inc
 include archiver-common.inc
--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@ -10,5 +10,6 @@ include globals.local
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman

-ignore include disable-shell.inc
 include archiver-common.inc
+
+private-bin gunzip,gzexe,gzip,uncompress,zcat,zcmp,zdiff,zegrep,zfgrep,zforce,zgrep,zless,zmore,znew
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@ -10,12 +10,13 @@ include globals.local
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman

-ignore include disable-shell.inc
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/sh
 include archiver-common.inc

 # support compressed archives
 private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
 private-etc alternatives,group,localtime,login.defs,passwd
-private-lib libfakeroot
+private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@ -7,8 +7,6 @@ include unrar.local
 # Persistent global definitions
 include globals.local

-ignore nogroups
-ignore private-cache
 include archiver-common.inc

 private-bin unrar
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@ -10,7 +10,6 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell

-ignore nogroups
 noroot
 include archiver-common.inc

--- a/etc/profile-m-z/xzdec.profile
+++ b/etc/profile-m-z/xzdec.profile
@ -7,6 +7,4 @@ include xzdec.local
 # Persistent global definitions
 include globals.local

-ignore include disable-shell.inc
-ignore nogroups
 include archiver-common.inc
--- a/etc/profile-m-z/zstd.profile
+++ b/etc/profile-m-z/zstd.profile
@ -7,5 +7,4 @@ include zstd.local
 # Persistent global definitions
 include globals.local

-ignore include disable-shell.inc
 include archiver-common.inc