Revert "move whitelist/blacklist to allow/deny"

This reverts commit fe0f975f44.

Note: This only reverts the changes from etc.

The 4 aliases introduced on commit 45f2ba544 are mere, well, aliases.
That is, they fail to address the different usability problems discussed
on [#3447][3447] and in fact only make things more confusing (as has
already been mentioned on [this][4379] and later comments).  The main
reason is that the aliases do not meaningfully map to the original
commands.  For example, the commands from each pair below seem like they
would do the exact same thing:

* `allow` and `nodeny`
* `deny` and `noallow`

Additionally, if these aliases are not the final commands, but only a
test/work-in-progress, then keeping the wide-scale search/replace
changes made on commit fe0f975f4 would only serve to cause confusion, as
users of firejail-git, contributors and downstream projects might start
changing the commands used on their profiles, only to later have to
change them again, potentially to completely different commands.

The sooner this is undone the better, as (besides the above reasons) the
more profile changes there are between the original commit and the
revert, the harder it is to e.g.: `git diff` versions of files across
the following revision ranges: before the commit, after the commit but
before the revert and after the revert.  Note: This is still the case
even if a commit is [ignored by `git blame`][4390].

So let us revert fe0f975f4 and only reapply similar large-scale changes
once we have discussed and settled on better commands.

How the revert was applied: Despite using the auto-generated message
from `git revert`, to ensure correctness and to avoid conflicts the
changes were reverted in different steps: Firstly, revert the files
which can be safely reverted directly ("filestorevert"):

    # Find out which files have been changed on fe0f975f44, but have not
    # been changed afterwards and list them on "filestorevert"
    git show --pretty='' --name-only fe0f975f44 -- etc | LC_ALL=C sort >allfiles
    git diff --name-only fe0f975f44..master -- etc | LC_ALL=C sort >filestoignore
    comm -2 -3 allfiles filestoignore >filestorevert

    # Note: There are 3 extra files on filestoignore because they were
    # added after commit fe0f975f44
    wc -l allfiles filestoignore filestorevert | head -n 3
    #   797 allfiles
    #     8 filestoignore
    #   792 filestorevert

    # Automatically revert files in "filestorevert"
    # See https://stackoverflow.com/a/23401018/10095231
    tr '\n' '\000' <filestorevert | xargs -0 git show fe0f975f44 -- |
    git apply --reverse

    printf 'Total files reverted:\n'
    git diff --name-only | wc -l
    # 792

Secondly, do some search/replace on the rest:

    tr '\n' '\000' <filestoignore | xargs -0 sed -i.bak \
      -e 's/allow  /whitelist /' -e 's/noallow  /nowhitelist /' \
      -e 's/deny  /blacklist /' -e 's/nodeny  /noblacklist /' \
      -e 's/deny-nolog  /blacklist-nolog /'

    find etc -name '*.bak' -print0 | xargs -0 rm

Thirdly, verify the result.  The following command shows the difference
between all the changes in etc from before fe0f975f44 and this commit
(inclusive):

    git diff fe0f975f44~1 -- etc

From the output, it looks like all alias changes are fully reverted and
that the other changes to etc (from after fe0f975f44) remain, so the
revert seems to be done correctly.

[3447]: https://github.com/netblue30/firejail/issues/3447
[4379]: https://github.com/netblue30/firejail/issues/4379#issuecomment-876460222
[4390]: https://github.com/netblue30/firejail/issues/4390
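
An added example, not code from this commit or from the firejail project: a token-based form of the search/replace step above, plus a check that mirrors the verification step. The directive mapping is the one encoded by the sed expressions in the message; the function names, the use of awk and the sample lines in the test are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the commit): rewrite the alias directives back to
# firejail's canonical ones by replacing only the first field of each line.
# The mapping is the one the commit message's sed expressions encode. Working
# on the first field means the result does not depend on the exact spacing
# left behind by the original search/replace, and "nodeny" can never be hit
# by a substring match for "deny". Leading indentation is not preserved.

# Usage: revert_aliases [file...]   (reads stdin when no file is given)
revert_aliases() {
    awk '
    BEGIN {
        map["allow"]      = "whitelist"
        map["noallow"]    = "nowhitelist"
        map["deny"]       = "blacklist"
        map["nodeny"]     = "noblacklist"
        map["deny-nolog"] = "blacklist-nolog"
    }
    # Comments and blank lines pass through untouched.
    NF == 0 || /^[[:space:]]*#/ { print; next }
    ($1 in map) {
        if (NF == 1) { print map[$1]; next }   # directive without argument
        rest = $0
        sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", rest)
        print map[$1] " " rest
        next
    }
    { print }
    ' "$@"
}

# Usage: find_aliases [file...]
# Prints every non-comment line whose directive is still an alias and exits
# non-zero when any was found, so it can serve as the verification step.
find_aliases() {
    awk '
    BEGIN {
        alias["allow"] = 1; alias["noallow"] = 1; alias["deny"] = 1
        alias["nodeny"] = 1; alias["deny-nolog"] = 1
        n = 0
    }
    NF == 0 || /^[[:space:]]*#/ { next }
    ($1 in alias) { printf "%s:%d: %s\n", FILENAME, FNR, $0; n++ }
    END { exit (n > 0) }
    ' "$@"
}
```

Run `find_aliases etc/*/*.inc etc/*.profile` after the revert; a zero exit status means no alias directive is left.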
Kelvin M. Klann 2021-07-18 20:39:14 -03:00
parent 42a03511d0
commit f43382f1e9
798 changed files with 5083 additions and 5083 deletions

@ -2,6 +2,6 @@
# Persistent customizations should go in a .local file.
include allow-bin-sh.local
nodeny ${PATH}/bash
nodeny ${PATH}/dash
nodeny ${PATH}/sh
noblacklist ${PATH}/bash
noblacklist ${PATH}/dash
noblacklist ${PATH}/sh
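Review bot: the `include allow-bin-sh.local` line is unchanged context, so the include (and by extension the `.inc`/`.local` file naming) keeps its `allow-` prefix while the three directives below it go back to `noblacklist`; the commit message says it only reverts the changes from etc but does not say whether that naming is deliberately left in place, and one sentence on it would help readers who expect the include name to revert as well. Since this view drops the `+`/`-` markers, read the three `nodeny` lines as the removed side and the three `noblacklist` lines as the added side.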

@ -3,29 +3,29 @@
include allow-common-devel.local
# Git
nodeny ${HOME}/.config/git
nodeny ${HOME}/.gitconfig
nodeny ${HOME}/.git-credentials
noblacklist ${HOME}/.config/git
noblacklist ${HOME}/.gitconfig
noblacklist ${HOME}/.git-credentials
# Java
nodeny ${HOME}/.gradle
nodeny ${HOME}/.java
noblacklist ${HOME}/.gradle
noblacklist ${HOME}/.java
# Node.js
nodeny ${HOME}/.node-gyp
nodeny ${HOME}/.npm
nodeny ${HOME}/.npmrc
nodeny ${HOME}/.nvm
nodeny ${HOME}/.yarn
nodeny ${HOME}/.yarn-config
nodeny ${HOME}/.yarncache
nodeny ${HOME}/.yarnrc
noblacklist ${HOME}/.node-gyp
noblacklist ${HOME}/.npm
noblacklist ${HOME}/.npmrc
noblacklist ${HOME}/.nvm
noblacklist ${HOME}/.yarn
noblacklist ${HOME}/.yarn-config
noblacklist ${HOME}/.yarncache
noblacklist ${HOME}/.yarnrc
# Python
nodeny ${HOME}/.pylint.d
nodeny ${HOME}/.python-history
nodeny ${HOME}/.python_history
nodeny ${HOME}/.pythonhist
noblacklist ${HOME}/.pylint.d
noblacklist ${HOME}/.python-history
noblacklist ${HOME}/.python_history
noblacklist ${HOME}/.pythonhist
# Rust
nodeny ${HOME}/.cargo/*
noblacklist ${HOME}/.cargo/*

@ -2,11 +2,11 @@
# Persistent customizations should go in a .local file.
include allow-gjs.local
nodeny ${PATH}/gjs
nodeny ${PATH}/gjs-console
nodeny /usr/lib/gjs
nodeny /usr/lib/libgjs*
nodeny /usr/lib/libmozjs-*
nodeny /usr/lib64/gjs
nodeny /usr/lib64/libgjs*
nodeny /usr/lib64/libmozjs-*
noblacklist ${PATH}/gjs
noblacklist ${PATH}/gjs-console
noblacklist /usr/lib/gjs
noblacklist /usr/lib/libgjs*
noblacklist /usr/lib/libmozjs-*
noblacklist /usr/lib64/gjs
noblacklist /usr/lib64/libgjs*
noblacklist /usr/lib64/libmozjs-*

@ -2,8 +2,8 @@
# Persistent customizations should go in a .local file.
include allow-java.local
nodeny ${HOME}/.java
nodeny ${PATH}/java
nodeny /etc/java
nodeny /usr/lib/java
nodeny /usr/share/java
noblacklist ${HOME}/.java
noblacklist ${PATH}/java
noblacklist /etc/java
noblacklist /usr/lib/java
noblacklist /usr/share/java

@ -2,11 +2,11 @@
# Persistent customizations should go in a .local file.
include allow-lua.local
nodeny ${PATH}/lua*
nodeny /usr/include
nodeny /usr/lib/liblua*
nodeny /usr/lib/lua
nodeny /usr/lib64/liblua*
nodeny /usr/lib64/lua
nodeny /usr/share/lua
nodeny /usr/share/lua*
noblacklist ${PATH}/lua*
noblacklist /usr/include
noblacklist /usr/lib/liblua*
noblacklist /usr/lib/lua
noblacklist /usr/lib64/liblua*
noblacklist /usr/lib64/lua
noblacklist /usr/share/lua
noblacklist /usr/share/lua*

@ -2,8 +2,8 @@
# Persistent customizations should go in a .local file.
include allow-nodejs.local
nodeny ${PATH}/node
nodeny /usr/include/node
noblacklist ${PATH}/node
noblacklist /usr/include/node
# Allow python for node-gyp (blacklisted by disable-interpreters.inc)
include allow-python2.inc

@ -2,6 +2,6 @@
# Persistent customizations should go in a .local file.
include allow-opengl-game.local
nodeny ${PATH}/bash
allow /usr/share/opengl-games-utils/opengl-game-functions.sh
noblacklist ${PATH}/bash
whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
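Review bot: this is the one hunk among the allow-*.inc files that carries a bare `allow` directive, so it is the place to confirm that `s/allow  /whitelist /` from the message did not also touch `include allow-opengl-game.local`; it did not, the include line stays as unchanged context, which is consistent with the pattern requiring two spaces directly after `allow` and the include having a hyphen there instead. The `private-bin` context line is likewise untouched, as expected.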

@ -2,11 +2,11 @@
# Persistent customizations should go in a .local file.
include allow-perl.local
nodeny ${PATH}/core_perl
nodeny ${PATH}/cpan*
nodeny ${PATH}/perl
nodeny ${PATH}/site_perl
nodeny ${PATH}/vendor_perl
nodeny /usr/lib/perl*
nodeny /usr/lib64/perl*
nodeny /usr/share/perl*
noblacklist ${PATH}/core_perl
noblacklist ${PATH}/cpan*
noblacklist ${PATH}/perl
noblacklist ${PATH}/site_perl
noblacklist ${PATH}/vendor_perl
noblacklist /usr/lib/perl*
noblacklist /usr/lib64/perl*
noblacklist /usr/share/perl*

@ -2,6 +2,6 @@
# Persistent customizations should go in a .local file.
include allow-php.local
nodeny ${PATH}/php*
nodeny /usr/lib/php*
nodeny /usr/share/php*
noblacklist ${PATH}/php*
noblacklist /usr/lib/php*
noblacklist /usr/share/php*

@ -2,8 +2,8 @@
# Persistent customizations should go in a .local file.
include allow-python2.local
nodeny ${PATH}/python2*
nodeny /usr/include/python2*
nodeny /usr/lib/python2*
nodeny /usr/local/lib/python2*
nodeny /usr/share/python2*
noblacklist ${PATH}/python2*
noblacklist /usr/include/python2*
noblacklist /usr/lib/python2*
noblacklist /usr/local/lib/python2*
noblacklist /usr/share/python2*

@ -2,9 +2,9 @@
# Persistent customizations should go in a .local file.
include allow-python3.local
nodeny ${PATH}/python3*
nodeny /usr/include/python3*
nodeny /usr/lib/python3*
nodeny /usr/lib64/python3*
nodeny /usr/local/lib/python3*
nodeny /usr/share/python3*
noblacklist ${PATH}/python3*
noblacklist /usr/include/python3*
noblacklist /usr/lib/python3*
noblacklist /usr/lib64/python3*
noblacklist /usr/local/lib/python3*
noblacklist /usr/share/python3*

@ -2,5 +2,5 @@
# Persistent customizations should go in a .local file.
include allow-ruby.local
nodeny ${PATH}/ruby
nodeny /usr/lib/ruby
noblacklist ${PATH}/ruby
noblacklist /usr/lib/ruby

@ -2,7 +2,7 @@
# Persistent customizations should go in a .local file.
include allow-ssh.local
nodeny ${HOME}/.ssh
nodeny /etc/ssh
nodeny /etc/ssh/ssh_config
nodeny /tmp/ssh-*
noblacklist ${HOME}/.ssh
noblacklist /etc/ssh
noblacklist /etc/ssh/ssh_config
noblacklist /tmp/ssh-*

@ -5,63 +5,63 @@ include disable-common.local
# The following block breaks trash functionality in file managers
#read-only ${HOME}/.local
#read-write ${HOME}/.local/share
deny ${HOME}/.local/share/Trash
blacklist ${HOME}/.local/share/Trash
# History files in $HOME and clipboard managers
deny-nolog ${HOME}/.*_history
deny-nolog ${HOME}/.adobe
deny-nolog ${HOME}/.cache/greenclip*
deny-nolog ${HOME}/.histfile
deny-nolog ${HOME}/.history
deny-nolog ${HOME}/.kde/share/apps/klipper
deny-nolog ${HOME}/.kde4/share/apps/klipper
deny-nolog ${HOME}/.local/share/fish/fish_history
deny-nolog ${HOME}/.local/share/klipper
deny-nolog ${HOME}/.macromedia
deny-nolog ${HOME}/.mupdf.history
deny-nolog ${HOME}/.python-history
deny-nolog ${HOME}/.python_history
deny-nolog ${HOME}/.pythonhist
deny-nolog ${HOME}/.lesshst
deny-nolog ${HOME}/.viminfo
deny-nolog /tmp/clipmenu*
blacklist-nolog ${HOME}/.*_history
blacklist-nolog ${HOME}/.adobe
blacklist-nolog ${HOME}/.cache/greenclip*
blacklist-nolog ${HOME}/.histfile
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.kde/share/apps/klipper
blacklist-nolog ${HOME}/.kde4/share/apps/klipper
blacklist-nolog ${HOME}/.local/share/fish/fish_history
blacklist-nolog ${HOME}/.local/share/klipper
blacklist-nolog ${HOME}/.macromedia
blacklist-nolog ${HOME}/.mupdf.history
blacklist-nolog ${HOME}/.python-history
blacklist-nolog ${HOME}/.python_history
blacklist-nolog ${HOME}/.pythonhist
blacklist-nolog ${HOME}/.lesshst
blacklist-nolog ${HOME}/.viminfo
blacklist-nolog /tmp/clipmenu*
# X11 session autostart
# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
deny ${HOME}/.Xsession
deny ${HOME}/.blackbox
deny ${HOME}/.config/autostart
deny ${HOME}/.config/autostart-scripts
deny ${HOME}/.config/awesome
deny ${HOME}/.config/i3
deny ${HOME}/.config/sway
deny ${HOME}/.config/lxsession/LXDE/autostart
deny ${HOME}/.config/openbox
deny ${HOME}/.config/plasma-workspace
deny ${HOME}/.config/startupconfig
deny ${HOME}/.config/startupconfigkeys
deny ${HOME}/.fluxbox
deny ${HOME}/.gnomerc
deny ${HOME}/.kde/Autostart
deny ${HOME}/.kde/env
deny ${HOME}/.kde/share/autostart
deny ${HOME}/.kde/share/config/startupconfig
deny ${HOME}/.kde/share/config/startupconfigkeys
deny ${HOME}/.kde/shutdown
deny ${HOME}/.kde4/env
deny ${HOME}/.kde4/Autostart
deny ${HOME}/.kde4/share/autostart
deny ${HOME}/.kde4/shutdown
deny ${HOME}/.kde4/share/config/startupconfig
deny ${HOME}/.kde4/share/config/startupconfigkeys
deny ${HOME}/.local/share/autostart
deny ${HOME}/.xinitrc
deny ${HOME}/.xprofile
deny ${HOME}/.xserverrc
deny ${HOME}/.xsession
deny ${HOME}/.xsessionrc
deny /etc/X11/Xsession.d
deny /etc/xdg/autostart
blacklist ${HOME}/.Xsession
blacklist ${HOME}/.blackbox
blacklist ${HOME}/.config/autostart
blacklist ${HOME}/.config/autostart-scripts
blacklist ${HOME}/.config/awesome
blacklist ${HOME}/.config/i3
blacklist ${HOME}/.config/sway
blacklist ${HOME}/.config/lxsession/LXDE/autostart
blacklist ${HOME}/.config/openbox
blacklist ${HOME}/.config/plasma-workspace
blacklist ${HOME}/.config/startupconfig
blacklist ${HOME}/.config/startupconfigkeys
blacklist ${HOME}/.fluxbox
blacklist ${HOME}/.gnomerc
blacklist ${HOME}/.kde/Autostart
blacklist ${HOME}/.kde/env
blacklist ${HOME}/.kde/share/autostart
blacklist ${HOME}/.kde/share/config/startupconfig
blacklist ${HOME}/.kde/share/config/startupconfigkeys
blacklist ${HOME}/.kde/shutdown
blacklist ${HOME}/.kde4/env
blacklist ${HOME}/.kde4/Autostart
blacklist ${HOME}/.kde4/share/autostart
blacklist ${HOME}/.kde4/shutdown
blacklist ${HOME}/.kde4/share/config/startupconfig
blacklist ${HOME}/.kde4/share/config/startupconfigkeys
blacklist ${HOME}/.local/share/autostart
blacklist ${HOME}/.xinitrc
blacklist ${HOME}/.xprofile
blacklist ${HOME}/.xserverrc
blacklist ${HOME}/.xsession
blacklist ${HOME}/.xsessionrc
blacklist /etc/X11/Xsession.d
blacklist /etc/xdg/autostart
read-only ${HOME}/.Xauthority
# Session manager
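Review bot: for any of the `filestoignore` files that went through the sed step, the `deny-nolog` and `nodeny` lines in this block come out right only by construction of the patterns: `s/deny  /blacklist /` runs before `s/deny-nolog  /blacklist-nolog /` and leaves `deny-nolog` alone only because it needs two spaces directly after `deny`, and `nodeny  ` is in fact rewritten by that same `deny  ` expression (yielding `noblacklist`) before the dedicated `nodeny  ` expression ever runs. It works, but a one-line remark in the message that the expressions are order-sensitive and depend on the double space would spare the next person re-deriving it; the `git diff fe0f975f44~1 -- etc` check in the third step is what actually confirms the outcome for these lines.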
@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority
#?HAS_X11: blacklist /tmp/.ICE-unix
# KDE config
deny ${HOME}/.cache/konsole
deny ${HOME}/.config/khotkeysrc
deny ${HOME}/.config/krunnerrc
deny ${HOME}/.config/kscreenlockerrc
deny ${HOME}/.config/ksslcertificatemanager
deny ${HOME}/.config/kwalletrc
deny ${HOME}/.config/kwinrc
deny ${HOME}/.config/kwinrulesrc
deny ${HOME}/.config/plasma-locale-settings.sh
deny ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
deny ${HOME}/.config/plasmashellrc
deny ${HOME}/.config/plasmavaultrc
deny ${HOME}/.kde/share/apps/kwin
deny ${HOME}/.kde/share/apps/plasma
deny ${HOME}/.kde/share/apps/solid
deny ${HOME}/.kde/share/config/khotkeysrc
deny ${HOME}/.kde/share/config/krunnerrc
deny ${HOME}/.kde/share/config/kscreensaverrc
deny ${HOME}/.kde/share/config/ksslcertificatemanager
deny ${HOME}/.kde/share/config/kwalletrc
deny ${HOME}/.kde/share/config/kwinrc
deny ${HOME}/.kde/share/config/kwinrulesrc
deny ${HOME}/.kde/share/config/plasma-desktop-appletsrc
deny ${HOME}/.kde4/share/apps/kwin
deny ${HOME}/.kde4/share/apps/plasma
deny ${HOME}/.kde4/share/apps/solid
deny ${HOME}/.kde4/share/config/khotkeysrc
deny ${HOME}/.kde4/share/config/krunnerrc
deny ${HOME}/.kde4/share/config/kscreensaverrc
deny ${HOME}/.kde4/share/config/ksslcertificatemanager
deny ${HOME}/.kde4/share/config/kwalletrc
deny ${HOME}/.kde4/share/config/kwinrc
deny ${HOME}/.kde4/share/config/kwinrulesrc
deny ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
deny ${HOME}/.local/share/kglobalaccel
deny ${HOME}/.local/share/kwin
deny ${HOME}/.local/share/plasma
deny ${HOME}/.local/share/plasmashell
deny ${HOME}/.local/share/solid
deny /tmp/konsole-*.history
blacklist ${HOME}/.cache/konsole
blacklist ${HOME}/.config/khotkeysrc
blacklist ${HOME}/.config/krunnerrc
blacklist ${HOME}/.config/kscreenlockerrc
blacklist ${HOME}/.config/ksslcertificatemanager
blacklist ${HOME}/.config/kwalletrc
blacklist ${HOME}/.config/kwinrc
blacklist ${HOME}/.config/kwinrulesrc
blacklist ${HOME}/.config/plasma-locale-settings.sh
blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
blacklist ${HOME}/.config/plasmashellrc
blacklist ${HOME}/.config/plasmavaultrc
blacklist ${HOME}/.kde/share/apps/kwin
blacklist ${HOME}/.kde/share/apps/plasma
blacklist ${HOME}/.kde/share/apps/solid
blacklist ${HOME}/.kde/share/config/khotkeysrc
blacklist ${HOME}/.kde/share/config/krunnerrc
blacklist ${HOME}/.kde/share/config/kscreensaverrc
blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
blacklist ${HOME}/.kde/share/config/kwalletrc
blacklist ${HOME}/.kde/share/config/kwinrc
blacklist ${HOME}/.kde/share/config/kwinrulesrc
blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
blacklist ${HOME}/.kde4/share/apps/kwin
blacklist ${HOME}/.kde4/share/apps/plasma
blacklist ${HOME}/.kde4/share/apps/solid
blacklist ${HOME}/.kde4/share/config/khotkeysrc
blacklist ${HOME}/.kde4/share/config/krunnerrc
blacklist ${HOME}/.kde4/share/config/kscreensaverrc
blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
blacklist ${HOME}/.kde4/share/config/kwalletrc
blacklist ${HOME}/.kde4/share/config/kwinrc
blacklist ${HOME}/.kde4/share/config/kwinrulesrc
blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
blacklist ${HOME}/.local/share/kglobalaccel
blacklist ${HOME}/.local/share/kwin
blacklist ${HOME}/.local/share/plasma
blacklist ${HOME}/.local/share/plasmashell
blacklist ${HOME}/.local/share/solid
blacklist /tmp/konsole-*.history
read-only ${HOME}/.cache/ksycoca5_*
read-only ${HOME}/.config/*notifyrc
read-only ${HOME}/.config/kdeglobals
@ -138,139 +138,139 @@ read-only ${HOME}/.local/share/kservices5
read-only ${HOME}/.local/share/kssl
# KDE sockets
deny ${RUNUSER}/*.slave-socket
deny ${RUNUSER}/kdeinit5__*
deny ${RUNUSER}/kdesud_*
blacklist ${RUNUSER}/*.slave-socket
blacklist ${RUNUSER}/kdeinit5__*
blacklist ${RUNUSER}/kdesud_*
# see #3358
#?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
#?HAS_NODBUS: blacklist /tmp/ksocket-*
# gnome
# contains extensions, last used times of applications, and notifications
deny ${HOME}/.local/share/gnome-shell
blacklist ${HOME}/.local/share/gnome-shell
# contains recently used files and serials of static/removable storage
deny ${HOME}/.local/share/gvfs-metadata
blacklist ${HOME}/.local/share/gvfs-metadata
# no direct modification of dconf database
read-only ${HOME}/.config/dconf
deny ${RUNUSER}/gnome-session-leader-fifo
deny ${RUNUSER}/gnome-shell
deny ${RUNUSER}/gsconnect
blacklist ${RUNUSER}/gnome-session-leader-fifo
blacklist ${RUNUSER}/gnome-shell
blacklist ${RUNUSER}/gsconnect
# systemd
deny ${HOME}/.config/systemd
deny ${HOME}/.local/share/systemd
deny /var/lib/systemd
deny ${PATH}/systemd-run
deny ${RUNUSER}/systemd
deny ${PATH}/systemctl
deny /etc/systemd/system
deny /etc/systemd/network
blacklist ${HOME}/.config/systemd
blacklist ${HOME}/.local/share/systemd
blacklist /var/lib/systemd
blacklist ${PATH}/systemd-run
blacklist ${RUNUSER}/systemd
blacklist ${PATH}/systemctl
blacklist /etc/systemd/system
blacklist /etc/systemd/network
# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
#blacklist /var/run/systemd
# openrc
deny /etc/runlevels/
deny /etc/init.d/
deny /etc/rc.conf
blacklist /etc/runlevels/
blacklist /etc/init.d/
blacklist /etc/rc.conf
# VirtualBox
deny ${HOME}/.VirtualBox
deny ${HOME}/.config/VirtualBox
deny ${HOME}/VirtualBox VMs
blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/.config/VirtualBox
blacklist ${HOME}/VirtualBox VMs
# GNOME Boxes
deny ${HOME}/.config/gnome-boxes
deny ${HOME}/.local/share/gnome-boxes
blacklist ${HOME}/.config/gnome-boxes
blacklist ${HOME}/.local/share/gnome-boxes
# libvirt
deny ${HOME}/.cache/libvirt
deny ${HOME}/.config/libvirt
deny ${RUNUSER}/libvirt
deny /var/cache/libvirt
deny /var/lib/libvirt
deny /var/log/libvirt
blacklist ${HOME}/.cache/libvirt
blacklist ${HOME}/.config/libvirt
blacklist ${RUNUSER}/libvirt
blacklist /var/cache/libvirt
blacklist /var/lib/libvirt
blacklist /var/log/libvirt
# OCI-Containers / Podman
deny ${RUNUSER}/containers
deny ${RUNUSER}/crun
deny ${RUNUSER}/libpod
deny ${RUNUSER}/runc
deny ${RUNUSER}/toolbox
blacklist ${RUNUSER}/containers
blacklist ${RUNUSER}/crun
blacklist ${RUNUSER}/libpod
blacklist ${RUNUSER}/runc
blacklist ${RUNUSER}/toolbox
# VeraCrypt
deny ${HOME}/.VeraCrypt
deny ${PATH}/veracrypt
deny ${PATH}/veracrypt-uninstall.sh
deny /usr/share/applications/veracrypt.*
deny /usr/share/pixmaps/veracrypt.*
deny /usr/share/veracrypt
blacklist ${HOME}/.VeraCrypt
blacklist ${PATH}/veracrypt
blacklist ${PATH}/veracrypt-uninstall.sh
blacklist /usr/share/applications/veracrypt.*
blacklist /usr/share/pixmaps/veracrypt.*
blacklist /usr/share/veracrypt
# TrueCrypt
deny ${HOME}/.TrueCrypt
deny ${PATH}/truecrypt
deny ${PATH}/truecrypt-uninstall.sh
deny /usr/share/applications/truecrypt.*
deny /usr/share/pixmaps/truecrypt.*
deny /usr/share/truecrypt
blacklist ${HOME}/.TrueCrypt
blacklist ${PATH}/truecrypt
blacklist ${PATH}/truecrypt-uninstall.sh
blacklist /usr/share/applications/truecrypt.*
blacklist /usr/share/pixmaps/truecrypt.*
blacklist /usr/share/truecrypt
# zuluCrypt
deny ${HOME}/.zuluCrypt
deny ${HOME}/.zuluCrypt-socket
deny ${PATH}/zuluCrypt-cli
deny ${PATH}/zuluMount-cli
blacklist ${HOME}/.zuluCrypt
blacklist ${HOME}/.zuluCrypt-socket
blacklist ${PATH}/zuluCrypt-cli
blacklist ${PATH}/zuluMount-cli
# var
deny /var/cache/apt
deny /var/cache/pacman
deny /var/lib/apt
deny /var/lib/clamav
deny /var/lib/dkms
deny /var/lib/mysql/mysql.sock
deny /var/lib/mysqld/mysql.sock
deny /var/lib/pacman
deny /var/lib/upower
blacklist /var/cache/apt
blacklist /var/cache/pacman
blacklist /var/lib/apt
blacklist /var/lib/clamav
blacklist /var/lib/dkms
blacklist /var/lib/mysql/mysql.sock
blacklist /var/lib/mysqld/mysql.sock
blacklist /var/lib/pacman
blacklist /var/lib/upower
# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
# every sandbox, unless --writable-var-log switch is activated
deny /var/mail
deny /var/opt
deny /var/run/acpid.socket
deny /var/run/docker.sock
deny /var/run/minissdpd.sock
deny /var/run/mysql/mysqld.sock
deny /var/run/mysqld/mysqld.sock
deny /var/run/rpcbind.sock
deny /var/run/screens
deny /var/spool/anacron
deny /var/spool/cron
deny /var/spool/mail
blacklist /var/mail
blacklist /var/opt
blacklist /var/run/acpid.socket
blacklist /var/run/docker.sock
blacklist /var/run/minissdpd.sock
blacklist /var/run/mysql/mysqld.sock
blacklist /var/run/mysqld/mysqld.sock
blacklist /var/run/rpcbind.sock
blacklist /var/run/screens
blacklist /var/spool/anacron
blacklist /var/spool/cron
blacklist /var/spool/mail
# etc
deny /etc/anacrontab
deny /etc/cron*
deny /etc/profile.d
deny /etc/rc.local
blacklist /etc/anacrontab
blacklist /etc/cron*
blacklist /etc/profile.d
blacklist /etc/rc.local
# rc1.d, rc2.d, ...
deny /etc/rc?.d
deny /etc/kernel*
deny /etc/grub*
deny /etc/dkms
deny /etc/apparmor*
deny /etc/selinux
deny /etc/modules*
deny /etc/logrotate*
deny /etc/adduser.conf
blacklist /etc/rc?.d
blacklist /etc/kernel*
blacklist /etc/grub*
blacklist /etc/dkms
blacklist /etc/apparmor*
blacklist /etc/selinux
blacklist /etc/modules*
blacklist /etc/logrotate*
blacklist /etc/adduser.conf
# hide config for various intrusion detection systems
deny /etc/rkhunter.conf
deny /var/lib/rkhunter
deny /etc/chkrootkit.conf
deny /etc/lynis
deny /etc/aide
deny /etc/logcheck
deny /etc/tripwire
deny /etc/snort
deny /etc/fail2ban.conf
deny /etc/suricata
blacklist /etc/rkhunter.conf
blacklist /var/lib/rkhunter
blacklist /etc/chkrootkit.conf
blacklist /etc/lynis
blacklist /etc/aide
blacklist /etc/logcheck
blacklist /etc/tripwire
blacklist /etc/snort
blacklist /etc/fail2ban.conf
blacklist /etc/suricata
# Startup files
read-only ${HOME}/.antigen
@ -307,13 +307,13 @@ read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local
# Remote access
deny ${HOME}/.rhosts
deny ${HOME}/.shosts
deny ${HOME}/.ssh/authorized_keys
deny ${HOME}/.ssh/authorized_keys2
deny ${HOME}/.ssh/environment
deny ${HOME}/.ssh/rc
deny /etc/hosts.equiv
blacklist ${HOME}/.rhosts
blacklist ${HOME}/.shosts
blacklist ${HOME}/.ssh/authorized_keys
blacklist ${HOME}/.ssh/authorized_keys2
blacklist ${HOME}/.ssh/environment
blacklist ${HOME}/.ssh/rc
blacklist /etc/hosts.equiv
read-only ${HOME}/.ssh/config
read-only ${HOME}/.ssh/config.d
@ -374,200 +374,200 @@ read-only ${HOME}/.local/share/mime
read-only ${HOME}/.local/share/thumbnailers
# prevent access to ssh-agent
deny /tmp/ssh-*
blacklist /tmp/ssh-*
# top secret
deny ${HOME}/*.kdb
deny ${HOME}/*.kdbx
deny ${HOME}/*.key
deny ${HOME}/.Private
deny ${HOME}/.caff
deny ${HOME}/.cargo/credentials
deny ${HOME}/.cargo/credentials.toml
deny ${HOME}/.cert
deny ${HOME}/.config/keybase
deny ${HOME}/.davfs2/secrets
deny ${HOME}/.ecryptfs
deny ${HOME}/.fetchmailrc
deny ${HOME}/.fscrypt
deny ${HOME}/.git-credential-cache
deny ${HOME}/.git-credentials
deny ${HOME}/.gnome2/keyrings
deny ${HOME}/.gnupg
deny ${HOME}/.config/hub
deny ${HOME}/.kde/share/apps/kwallet
deny ${HOME}/.kde4/share/apps/kwallet
deny ${HOME}/.local/share/keyrings
deny ${HOME}/.local/share/kwalletd
deny ${HOME}/.local/share/plasma-vault
deny ${HOME}/.msmtprc
deny ${HOME}/.mutt
deny ${HOME}/.muttrc
deny ${HOME}/.netrc
deny ${HOME}/.nyx
deny ${HOME}/.pki
deny ${HOME}/.local/share/pki
deny ${HOME}/.smbcredentials
deny ${HOME}/.ssh
deny ${HOME}/.vaults
deny /.fscrypt
deny /etc/davfs2/secrets
deny /etc/group+
deny /etc/group-
deny /etc/gshadow
deny /etc/gshadow+
deny /etc/gshadow-
deny /etc/passwd+
deny /etc/passwd-
deny /etc/shadow
deny /etc/shadow+
deny /etc/shadow-
deny /etc/ssh
deny /etc/ssh/*
deny /home/.ecryptfs
deny /home/.fscrypt
deny /var/backup
blacklist ${HOME}/*.kdb
blacklist ${HOME}/*.kdbx
blacklist ${HOME}/*.key
blacklist ${HOME}/.Private
blacklist ${HOME}/.caff
blacklist ${HOME}/.cargo/credentials
blacklist ${HOME}/.cargo/credentials.toml
blacklist ${HOME}/.cert
blacklist ${HOME}/.config/keybase
blacklist ${HOME}/.davfs2/secrets
blacklist ${HOME}/.ecryptfs
blacklist ${HOME}/.fetchmailrc
blacklist ${HOME}/.fscrypt
blacklist ${HOME}/.git-credential-cache
blacklist ${HOME}/.git-credentials
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.config/hub
blacklist ${HOME}/.kde/share/apps/kwallet
blacklist ${HOME}/.kde4/share/apps/kwallet
blacklist ${HOME}/.local/share/keyrings
blacklist ${HOME}/.local/share/kwalletd
blacklist ${HOME}/.local/share/plasma-vault
blacklist ${HOME}/.msmtprc
blacklist ${HOME}/.mutt
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.netrc
blacklist ${HOME}/.nyx
blacklist ${HOME}/.pki
blacklist ${HOME}/.local/share/pki
blacklist ${HOME}/.smbcredentials
blacklist ${HOME}/.ssh
blacklist ${HOME}/.vaults
blacklist /.fscrypt
blacklist /etc/davfs2/secrets
blacklist /etc/group+
blacklist /etc/group-
blacklist /etc/gshadow
blacklist /etc/gshadow+
blacklist /etc/gshadow-
blacklist /etc/passwd+
blacklist /etc/passwd-
blacklist /etc/shadow
blacklist /etc/shadow+
blacklist /etc/shadow-
blacklist /etc/ssh
blacklist /etc/ssh/*
blacklist /home/.ecryptfs
blacklist /home/.fscrypt
blacklist /var/backup
# cloud provider configuration
deny ${HOME}/.aws
deny ${HOME}/.boto
deny ${HOME}/.config/gcloud
deny ${HOME}/.kube
deny ${HOME}/.passwd-s3fs
deny ${HOME}/.s3cmd
deny /etc/boto.cfg
blacklist ${HOME}/.aws
blacklist ${HOME}/.boto
blacklist ${HOME}/.config/gcloud
blacklist ${HOME}/.kube
blacklist ${HOME}/.passwd-s3fs
blacklist ${HOME}/.s3cmd
blacklist /etc/boto.cfg
# system directories
deny /sbin
deny /usr/local/sbin
deny /usr/sbin
blacklist /sbin
blacklist /usr/local/sbin
blacklist /usr/sbin
# system management
deny ${PATH}/at
deny ${PATH}/busybox
deny ${PATH}/chage
deny ${PATH}/chfn
deny ${PATH}/chsh
deny ${PATH}/crontab
deny ${PATH}/evtest
deny ${PATH}/expiry
deny ${PATH}/fusermount
deny ${PATH}/gksu
deny ${PATH}/gksudo
deny ${PATH}/gpasswd
deny ${PATH}/kdesudo
deny ${PATH}/ksu
deny ${PATH}/mount
deny ${PATH}/mount.ecryptfs_private
deny ${PATH}/nc
deny ${PATH}/ncat
deny ${PATH}/nmap
deny ${PATH}/newgidmap
deny ${PATH}/newgrp
deny ${PATH}/newuidmap
deny ${PATH}/ntfs-3g
deny ${PATH}/pkexec
deny ${PATH}/procmail
deny ${PATH}/sg
deny ${PATH}/strace
deny ${PATH}/su
deny ${PATH}/sudo
deny ${PATH}/tcpdump
deny ${PATH}/umount
deny ${PATH}/unix_chkpwd
deny ${PATH}/xev
deny ${PATH}/xinput
blacklist ${PATH}/at
blacklist ${PATH}/busybox
blacklist ${PATH}/chage
blacklist ${PATH}/chfn
blacklist ${PATH}/chsh
blacklist ${PATH}/crontab
blacklist ${PATH}/evtest
blacklist ${PATH}/expiry
blacklist ${PATH}/fusermount
blacklist ${PATH}/gksu
blacklist ${PATH}/gksudo
blacklist ${PATH}/gpasswd
blacklist ${PATH}/kdesudo
blacklist ${PATH}/ksu
blacklist ${PATH}/mount
blacklist ${PATH}/mount.ecryptfs_private
blacklist ${PATH}/nc
blacklist ${PATH}/ncat
blacklist ${PATH}/nmap
blacklist ${PATH}/newgidmap
blacklist ${PATH}/newgrp
blacklist ${PATH}/newuidmap
blacklist ${PATH}/ntfs-3g
blacklist ${PATH}/pkexec
blacklist ${PATH}/procmail
blacklist ${PATH}/sg
blacklist ${PATH}/strace
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/tcpdump
blacklist ${PATH}/umount
blacklist ${PATH}/unix_chkpwd
blacklist ${PATH}/xev
blacklist ${PATH}/xinput
# other SUID binaries
deny /usr/lib/virtualbox
deny /usr/lib64/virtualbox
blacklist /usr/lib/virtualbox
blacklist /usr/lib64/virtualbox
# prevent lxterminal connecting to an existing lxterminal session
deny /tmp/.lxterminal-socket*
blacklist /tmp/.lxterminal-socket*
# prevent tmux connecting to an existing session
deny /tmp/tmux-*
blacklist /tmp/tmux-*
# disable terminals running as server resulting in sandbox escape
deny ${PATH}/lxterminal
deny ${PATH}/gnome-terminal
deny ${PATH}/gnome-terminal.wrapper
deny ${PATH}/lilyterm
deny ${PATH}/mate-terminal
deny ${PATH}/mate-terminal.wrapper
deny ${PATH}/pantheon-terminal
deny ${PATH}/roxterm
deny ${PATH}/roxterm-config
deny ${PATH}/terminix
deny ${PATH}/tilix
deny ${PATH}/urxvtc
deny ${PATH}/urxvtcd
deny ${PATH}/xfce4-terminal
deny ${PATH}/xfce4-terminal.wrapper
blacklist ${PATH}/lxterminal
blacklist ${PATH}/gnome-terminal
blacklist ${PATH}/gnome-terminal.wrapper
blacklist ${PATH}/lilyterm
blacklist ${PATH}/mate-terminal
blacklist ${PATH}/mate-terminal.wrapper
blacklist ${PATH}/pantheon-terminal
blacklist ${PATH}/roxterm
blacklist ${PATH}/roxterm-config
blacklist ${PATH}/terminix
blacklist ${PATH}/tilix
blacklist ${PATH}/urxvtc
blacklist ${PATH}/urxvtcd
blacklist ${PATH}/xfce4-terminal
blacklist ${PATH}/xfce4-terminal.wrapper
# blacklist ${PATH}/konsole
# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
# kernel files
deny /initrd*
deny /vmlinuz*
blacklist /initrd*
blacklist /vmlinuz*
# snapshot files
deny /.snapshots
blacklist /.snapshots
# flatpak
deny ${HOME}/.cache/flatpak
deny ${HOME}/.config/flatpak
nodeny ${HOME}/.local/share/flatpak/exports
blacklist ${HOME}/.cache/flatpak
blacklist ${HOME}/.config/flatpak
noblacklist ${HOME}/.local/share/flatpak/exports
read-only ${HOME}/.local/share/flatpak/exports
deny ${HOME}/.local/share/flatpak/*
deny ${HOME}/.var
deny ${RUNUSER}/app
deny ${RUNUSER}/doc
deny ${RUNUSER}/.dbus-proxy
deny ${RUNUSER}/.flatpak
deny ${RUNUSER}/.flatpak-cache
deny ${RUNUSER}/.flatpak-helper
deny /usr/share/flatpak
nodeny /var/lib/flatpak/exports
deny /var/lib/flatpak/*
blacklist ${HOME}/.local/share/flatpak/*
blacklist ${HOME}/.var
blacklist ${RUNUSER}/app
blacklist ${RUNUSER}/doc
blacklist ${RUNUSER}/.dbus-proxy
blacklist ${RUNUSER}/.flatpak
blacklist ${RUNUSER}/.flatpak-cache
blacklist ${RUNUSER}/.flatpak-helper
blacklist /usr/share/flatpak
noblacklist /var/lib/flatpak/exports
blacklist /var/lib/flatpak/*
# most of the time bwrap is SUID binary
deny ${PATH}/bwrap
blacklist ${PATH}/bwrap
# snap
deny ${RUNUSER}/snapd-session-agent.socket
blacklist ${RUNUSER}/snapd-session-agent.socket
# mail directories used by mutt
deny ${HOME}/.Mail
deny ${HOME}/.mail
deny ${HOME}/.signature
deny ${HOME}/Mail
deny ${HOME}/mail
deny ${HOME}/postponed
deny ${HOME}/sent
blacklist ${HOME}/.Mail
blacklist ${HOME}/.mail
blacklist ${HOME}/.signature
blacklist ${HOME}/Mail
blacklist ${HOME}/mail
blacklist ${HOME}/postponed
blacklist ${HOME}/sent
# kernel configuration
deny /proc/config.gz
blacklist /proc/config.gz
# prevent DNS malware attempting to communicate with the server
# using regular DNS tools
deny ${PATH}/dig
deny ${PATH}/dlint
deny ${PATH}/dns2tcp
deny ${PATH}/dnssec-*
deny ${PATH}/dnswalk
deny ${PATH}/drill
deny ${PATH}/host
deny ${PATH}/iodine
deny ${PATH}/kdig
deny ${PATH}/khost
deny ${PATH}/knsupdate
deny ${PATH}/ldns-*
deny ${PATH}/ldnsd
deny ${PATH}/nslookup
deny ${PATH}/resolvectl
deny ${PATH}/unbound-host
blacklist ${PATH}/dig
blacklist ${PATH}/dlint
blacklist ${PATH}/dns2tcp
blacklist ${PATH}/dnssec-*
blacklist ${PATH}/dnswalk
blacklist ${PATH}/drill
blacklist ${PATH}/host
blacklist ${PATH}/iodine
blacklist ${PATH}/kdig
blacklist ${PATH}/khost
blacklist ${PATH}/knsupdate
blacklist ${PATH}/ldns-*
blacklist ${PATH}/ldnsd
blacklist ${PATH}/nslookup
blacklist ${PATH}/resolvectl
blacklist ${PATH}/unbound-host
# rest of ${RUNUSER}
deny ${RUNUSER}/*.lock
deny ${RUNUSER}/inaccessible
deny ${RUNUSER}/pk-debconf-socket
deny ${RUNUSER}/update-notifier.pid
blacklist ${RUNUSER}/*.lock
blacklist ${RUNUSER}/inaccessible
blacklist ${RUNUSER}/pk-debconf-socket
blacklist ${RUNUSER}/update-notifier.pid
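Review bot: the `noblacklist` exceptions for the flatpak `exports` directories stay ahead of the `blacklist .../flatpak/*` globs that follow them (`noblacklist ${HOME}/.local/share/flatpak/exports` before `blacklist ${HOME}/.local/share/flatpak/*`, and likewise `noblacklist /var/lib/flatpak/exports` before `blacklist /var/lib/flatpak/*`), which is the ordering the exception depends on; the revert keeps that intact, so nothing to change here. Note that in this rendering the `-`/`+` markers are gone: per the commit message, the `deny`/`nodeny` lines are the ones being removed and the `blacklist`/`noblacklist` lines the ones restored.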


@ -5,65 +5,65 @@ include disable-devel.local
# development tools
# clang/llvm
deny ${PATH}/clang*
deny ${PATH}/lldb*
deny ${PATH}/llvm*
blacklist ${PATH}/clang*
blacklist ${PATH}/lldb*
blacklist ${PATH}/llvm*
# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
# blacklist /usr/lib/llvm*
# GCC
deny ${PATH}/as
deny ${PATH}/cc
deny ${PATH}/c++*
deny ${PATH}/c8*
deny ${PATH}/c9*
deny ${PATH}/cpp*
deny ${PATH}/g++*
deny ${PATH}/gcc*
deny ${PATH}/gdb
deny ${PATH}/ld
deny ${PATH}/*-gcc*
deny ${PATH}/*-g++*
deny ${PATH}/*-gcc*
deny ${PATH}/*-g++*
blacklist ${PATH}/as
blacklist ${PATH}/cc
blacklist ${PATH}/c++*
blacklist ${PATH}/c8*
blacklist ${PATH}/c9*
blacklist ${PATH}/cpp*
blacklist ${PATH}/g++*
blacklist ${PATH}/gcc*
blacklist ${PATH}/gdb
blacklist ${PATH}/ld
blacklist ${PATH}/*-gcc*
blacklist ${PATH}/*-g++*
blacklist ${PATH}/*-gcc*
blacklist ${PATH}/*-g++*
# seems to create problems on Gentoo
#blacklist /usr/lib/gcc
#Go
deny ${PATH}/gccgo
deny ${PATH}/go
deny ${PATH}/gofmt
blacklist ${PATH}/gccgo
blacklist ${PATH}/go
blacklist ${PATH}/gofmt
# Java
deny ${PATH}/java
deny ${PATH}/javac
deny /etc/java
deny /usr/lib/java
deny /usr/share/java
blacklist ${PATH}/java
blacklist ${PATH}/javac
blacklist /etc/java
blacklist /usr/lib/java
blacklist /usr/share/java
#OpenSSL
deny ${PATH}/openssl
deny ${PATH}/openssl-1.0
blacklist ${PATH}/openssl
blacklist ${PATH}/openssl-1.0
#Rust
deny ${PATH}/rust-gdb
deny ${PATH}/rust-lldb
deny ${PATH}/rustc
deny ${HOME}/.rustup
blacklist ${PATH}/rust-gdb
blacklist ${PATH}/rust-lldb
blacklist ${PATH}/rustc
blacklist ${HOME}/.rustup
# tcc - Tiny C Compiler
deny ${PATH}/tcc
deny ${PATH}/x86_64-tcc
deny /usr/lib/tcc
blacklist ${PATH}/tcc
blacklist ${PATH}/x86_64-tcc
blacklist /usr/lib/tcc
# Valgrind
deny ${PATH}/valgrind*
deny /usr/lib/valgrind
blacklist ${PATH}/valgrind*
blacklist /usr/lib/valgrind
# Source-Code
deny /usr/src
deny /usr/local/src
deny /usr/include
deny /usr/local/include
blacklist /usr/src
blacklist /usr/local/src
blacklist /usr/include
blacklist /usr/local/include
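Review bot: `blacklist ${PATH}/*-gcc*` and `blacklist ${PATH}/*-g++*` are listed twice in the GCC block (the removed `deny` lines were duplicated the same way), so the revert faithfully restores a pre-existing redundancy; a separate cleanup commit could drop the second pair. The commented-out lines `# blacklist /usr/lib/llvm*` and `#blacklist /usr/lib/gcc` appear as unchanged context, i.e. the alias commit renamed active commands but not comments, which is part of the inconsistency this revert removes.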


@ -3,66 +3,66 @@
include disable-interpreters.local
# gjs
deny ${PATH}/gjs
deny ${PATH}/gjs-console
deny /usr/lib/gjs
deny /usr/lib/libgjs*
deny /usr/lib64/gjs
deny /usr/lib64/libgjs*
blacklist ${PATH}/gjs
blacklist ${PATH}/gjs-console
blacklist /usr/lib/gjs
blacklist /usr/lib/libgjs*
blacklist /usr/lib64/gjs
blacklist /usr/lib64/libgjs*
# Lua
deny ${PATH}/lua*
deny /usr/include/lua*
deny /usr/lib/liblua*
deny /usr/lib/lua
deny /usr/lib64/liblua*
deny /usr/lib64/lua
deny /usr/share/lua*
blacklist ${PATH}/lua*
blacklist /usr/include/lua*
blacklist /usr/lib/liblua*
blacklist /usr/lib/lua
blacklist /usr/lib64/liblua*
blacklist /usr/lib64/lua
blacklist /usr/share/lua*
# mozjs
deny /usr/lib/libmozjs-*
deny /usr/lib64/libmozjs-*
blacklist /usr/lib/libmozjs-*
blacklist /usr/lib64/libmozjs-*
# Node.js
deny ${PATH}/node
deny /usr/include/node
blacklist ${PATH}/node
blacklist /usr/include/node
# nvm
deny ${HOME}/.nvm
blacklist ${HOME}/.nvm
# Perl
deny ${PATH}/core_perl
deny ${PATH}/cpan*
deny ${PATH}/perl
deny ${PATH}/site_perl
deny ${PATH}/vendor_perl
deny /usr/lib/perl*
deny /usr/lib64/perl*
deny /usr/share/perl*
blacklist ${PATH}/core_perl
blacklist ${PATH}/cpan*
blacklist ${PATH}/perl
blacklist ${PATH}/site_perl
blacklist ${PATH}/vendor_perl
blacklist /usr/lib/perl*
blacklist /usr/lib64/perl*
blacklist /usr/share/perl*
# PHP
deny ${PATH}/php*
deny /usr/lib/php*
deny /usr/share/php*
blacklist ${PATH}/php*
blacklist /usr/lib/php*
blacklist /usr/share/php*
# Ruby
deny ${PATH}/ruby
deny /usr/lib/ruby
blacklist ${PATH}/ruby
blacklist /usr/lib/ruby
# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
# Python 2
deny ${PATH}/python2*
deny /usr/include/python2*
deny /usr/lib/python2*
deny /usr/local/lib/python2*
deny /usr/share/python2*
blacklist ${PATH}/python2*
blacklist /usr/include/python2*
blacklist /usr/lib/python2*
blacklist /usr/local/lib/python2*
blacklist /usr/share/python2*
# You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
# Python 3
deny ${PATH}/python3*
deny /usr/include/python3*
deny /usr/lib/python3*
deny /usr/lib64/python3*
deny /usr/local/lib/python3*
deny /usr/share/python3*
blacklist ${PATH}/python3*
blacklist /usr/include/python3*
blacklist /usr/lib/python3*
blacklist /usr/lib64/python3*
blacklist /usr/local/lib/python3*
blacklist /usr/share/python3*
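Review bot: the context comment `# You will want to add noblacklist for python3 stuff ...` was left untouched by the alias commit while the commands beneath it became `deny`, so readers were told to use a command the file itself no longer used; after this revert the comment and the `blacklist` lines agree again. Nothing further needed in this hunk.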


@ -2,18 +2,18 @@
# Persistent customizations should go in a .local file.
include disable-passwdmgr.local
deny ${HOME}/.config/Bitwarden
deny ${HOME}/.config/KeePass
deny ${HOME}/.config/keepass
deny ${HOME}/.config/keepassx
deny ${HOME}/.config/keepassxc
deny ${HOME}/.config/KeePassXCrc
deny ${HOME}/.config/Sinew Software Systems
deny ${HOME}/.fpm
deny ${HOME}/.keepass
deny ${HOME}/.keepassx
deny ${HOME}/.keepassxc
deny ${HOME}/.lastpass
deny ${HOME}/.local/share/KeePass
deny ${HOME}/.local/share/keepass
deny ${HOME}/.password-store
blacklist ${HOME}/.config/Bitwarden
blacklist ${HOME}/.config/KeePass
blacklist ${HOME}/.config/keepass
blacklist ${HOME}/.config/keepassx
blacklist ${HOME}/.config/keepassxc
blacklist ${HOME}/.config/KeePassXCrc
blacklist ${HOME}/.config/Sinew Software Systems
blacklist ${HOME}/.fpm
blacklist ${HOME}/.keepass
blacklist ${HOME}/.keepassx
blacklist ${HOME}/.keepassxc
blacklist ${HOME}/.lastpass
blacklist ${HOME}/.local/share/KeePass
blacklist ${HOME}/.local/share/keepass
blacklist ${HOME}/.password-store



@ -2,14 +2,14 @@
# Persistent customizations should go in a .local file.
include disable-shell.local
deny ${PATH}/bash
deny ${PATH}/csh
deny ${PATH}/dash
deny ${PATH}/fish
deny ${PATH}/ksh
deny ${PATH}/mksh
deny ${PATH}/oksh
deny ${PATH}/sh
deny ${PATH}/tclsh
deny ${PATH}/tcsh
deny ${PATH}/zsh
blacklist ${PATH}/bash
blacklist ${PATH}/csh
blacklist ${PATH}/dash
blacklist ${PATH}/fish
blacklist ${PATH}/ksh
blacklist ${PATH}/mksh
blacklist ${PATH}/oksh
blacklist ${PATH}/sh
blacklist ${PATH}/tclsh
blacklist ${PATH}/tcsh
blacklist ${PATH}/zsh


@ -2,10 +2,10 @@
# Persistent customizations should go in a .local file.
include disable-xdg.local
deny ${DOCUMENTS}
deny ${MUSIC}
deny ${PICTURES}
deny ${VIDEOS}
blacklist ${DOCUMENTS}
blacklist ${MUSIC}
blacklist ${PICTURES}
blacklist ${VIDEOS}
# The following should be considered catch-all directories
#blacklist ${DESKTOP}


@ -3,27 +3,27 @@
include whitelist-1793-workaround.local
# This works around bug 1793, and allows whitelisting to be used for some KDE applications.
nodeny ${HOME}/.config/ibus
nodeny ${HOME}/.config/mimeapps.list
nodeny ${HOME}/.config/pkcs11
nodeny ${HOME}/.config/user-dirs.dirs
nodeny ${HOME}/.config/user-dirs.locale
nodeny ${HOME}/.config/dconf
nodeny ${HOME}/.config/fontconfig
nodeny ${HOME}/.config/gtk-2.0
nodeny ${HOME}/.config/gtk-3.0
nodeny ${HOME}/.config/gtk-4.0
nodeny ${HOME}/.config/gtkrc
nodeny ${HOME}/.config/gtkrc-2.0
nodeny ${HOME}/.config/Kvantum
nodeny ${HOME}/.config/Trolltech.conf
nodeny ${HOME}/.config/QtProject.conf
nodeny ${HOME}/.config/kdeglobals
nodeny ${HOME}/.config/kio_httprc
nodeny ${HOME}/.config/kioslaverc
nodeny ${HOME}/.config/ksslcablacklist
nodeny ${HOME}/.config/qt5ct
nodeny ${HOME}/.config/qtcurve
noblacklist ${HOME}/.config/ibus
noblacklist ${HOME}/.config/mimeapps.list
noblacklist ${HOME}/.config/pkcs11
noblacklist ${HOME}/.config/user-dirs.dirs
noblacklist ${HOME}/.config/user-dirs.locale
noblacklist ${HOME}/.config/dconf
noblacklist ${HOME}/.config/fontconfig
noblacklist ${HOME}/.config/gtk-2.0
noblacklist ${HOME}/.config/gtk-3.0
noblacklist ${HOME}/.config/gtk-4.0
noblacklist ${HOME}/.config/gtkrc
noblacklist ${HOME}/.config/gtkrc-2.0
noblacklist ${HOME}/.config/Kvantum
noblacklist ${HOME}/.config/Trolltech.conf
noblacklist ${HOME}/.config/QtProject.conf
noblacklist ${HOME}/.config/kdeglobals
noblacklist ${HOME}/.config/kio_httprc
noblacklist ${HOME}/.config/kioslaverc
noblacklist ${HOME}/.config/ksslcablacklist
noblacklist ${HOME}/.config/qt5ct
noblacklist ${HOME}/.config/qtcurve
deny ${HOME}/.config/*
allow ${HOME}/.config
blacklist ${HOME}/.config/*
whitelist ${HOME}/.config
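Review bot: ordering is what matters in this workaround file and the revert preserves it: the `noblacklist ${HOME}/.config/...` exceptions come first, then `blacklist ${HOME}/.config/*`, then `whitelist ${HOME}/.config`. The header comment already speaks of "whitelisting", so restoring `whitelist` also puts the comment back in step with the command it describes.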


@ -4,82 +4,82 @@ include whitelist-common.local
# common whitelist for all profiles
allow ${HOME}/.XCompose
allow ${HOME}/.alsaequal.bin
allow ${HOME}/.asoundrc
allow ${HOME}/.config/ibus
allow ${HOME}/.config/mimeapps.list
allow ${HOME}/.config/pkcs11
whitelist ${HOME}/.XCompose
whitelist ${HOME}/.alsaequal.bin
whitelist ${HOME}/.asoundrc
whitelist ${HOME}/.config/ibus
whitelist ${HOME}/.config/mimeapps.list
whitelist ${HOME}/.config/pkcs11
read-only ${HOME}/.config/pkcs11
allow ${HOME}/.config/user-dirs.dirs
whitelist ${HOME}/.config/user-dirs.dirs
read-only ${HOME}/.config/user-dirs.dirs
allow ${HOME}/.config/user-dirs.locale
whitelist ${HOME}/.config/user-dirs.locale
read-only ${HOME}/.config/user-dirs.locale
allow ${HOME}/.drirc
allow ${HOME}/.icons
whitelist ${HOME}/.drirc
whitelist ${HOME}/.icons
?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
allow ${HOME}/.local/share/applications
whitelist ${HOME}/.local/share/applications
read-only ${HOME}/.local/share/applications
allow ${HOME}/.local/share/icons
allow ${HOME}/.local/share/mime
allow ${HOME}/.mime.types
allow ${HOME}/.sndio/cookie
allow ${HOME}/.uim.d
whitelist ${HOME}/.local/share/icons
whitelist ${HOME}/.local/share/mime
whitelist ${HOME}/.mime.types
whitelist ${HOME}/.sndio/cookie
whitelist ${HOME}/.uim.d
# dconf
mkdir ${HOME}/.config/dconf
allow ${HOME}/.config/dconf
whitelist ${HOME}/.config/dconf
# fonts
allow ${HOME}/.cache/fontconfig
allow ${HOME}/.config/fontconfig
allow ${HOME}/.fontconfig
allow ${HOME}/.fonts
allow ${HOME}/.fonts.conf
allow ${HOME}/.fonts.conf.d
allow ${HOME}/.fonts.d
allow ${HOME}/.local/share/fonts
allow ${HOME}/.pangorc
whitelist ${HOME}/.cache/fontconfig
whitelist ${HOME}/.config/fontconfig
whitelist ${HOME}/.fontconfig
whitelist ${HOME}/.fonts
whitelist ${HOME}/.fonts.conf
whitelist ${HOME}/.fonts.conf.d
whitelist ${HOME}/.fonts.d
whitelist ${HOME}/.local/share/fonts
whitelist ${HOME}/.pangorc
# gtk
allow ${HOME}/.config/gtk-2.0
allow ${HOME}/.config/gtk-3.0
allow ${HOME}/.config/gtk-4.0
allow ${HOME}/.config/gtkrc
allow ${HOME}/.config/gtkrc-2.0
allow ${HOME}/.gnome2
allow ${HOME}/.gnome2-private
allow ${HOME}/.gtk-2.0
allow ${HOME}/.gtkrc
allow ${HOME}/.gtkrc-2.0
allow ${HOME}/.kde/share/config/gtkrc
allow ${HOME}/.kde/share/config/gtkrc-2.0
allow ${HOME}/.kde4/share/config/gtkrc
allow ${HOME}/.kde4/share/config/gtkrc-2.0
allow ${HOME}/.local/share/themes
allow ${HOME}/.themes
whitelist ${HOME}/.config/gtk-2.0
whitelist ${HOME}/.config/gtk-3.0
whitelist ${HOME}/.config/gtk-4.0
whitelist ${HOME}/.config/gtkrc
whitelist ${HOME}/.config/gtkrc-2.0
whitelist ${HOME}/.gnome2
whitelist ${HOME}/.gnome2-private
whitelist ${HOME}/.gtk-2.0
whitelist ${HOME}/.gtkrc
whitelist ${HOME}/.gtkrc-2.0
whitelist ${HOME}/.kde/share/config/gtkrc
whitelist ${HOME}/.kde/share/config/gtkrc-2.0
whitelist ${HOME}/.kde4/share/config/gtkrc
whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
whitelist ${HOME}/.local/share/themes
whitelist ${HOME}/.themes
# qt/kde
allow ${HOME}/.cache/kioexec/krun
allow ${HOME}/.config/Kvantum
allow ${HOME}/.config/Trolltech.conf
allow ${HOME}/.config/QtProject.conf
allow ${HOME}/.config/kdeglobals
allow ${HOME}/.config/kio_httprc
allow ${HOME}/.config/kioslaverc
allow ${HOME}/.config/ksslcablacklist
allow ${HOME}/.config/qt5ct
allow ${HOME}/.config/qtcurve
allow ${HOME}/.kde/share/config/kdeglobals
allow ${HOME}/.kde/share/config/kio_httprc
allow ${HOME}/.kde/share/config/kioslaverc
allow ${HOME}/.kde/share/config/ksslcablacklist
allow ${HOME}/.kde/share/config/oxygenrc
allow ${HOME}/.kde/share/icons
allow ${HOME}/.kde4/share/config/kdeglobals
allow ${HOME}/.kde4/share/config/kio_httprc
allow ${HOME}/.kde4/share/config/kioslaverc
allow ${HOME}/.kde4/share/config/ksslcablacklist
allow ${HOME}/.kde4/share/config/oxygenrc
allow ${HOME}/.kde4/share/icons
allow ${HOME}/.local/share/qt5ct
whitelist ${HOME}/.cache/kioexec/krun
whitelist ${HOME}/.config/Kvantum
whitelist ${HOME}/.config/Trolltech.conf
whitelist ${HOME}/.config/QtProject.conf
whitelist ${HOME}/.config/kdeglobals
whitelist ${HOME}/.config/kio_httprc
whitelist ${HOME}/.config/kioslaverc
whitelist ${HOME}/.config/ksslcablacklist
whitelist ${HOME}/.config/qt5ct
whitelist ${HOME}/.config/qtcurve
whitelist ${HOME}/.kde/share/config/kdeglobals
whitelist ${HOME}/.kde/share/config/kio_httprc
whitelist ${HOME}/.kde/share/config/kioslaverc
whitelist ${HOME}/.kde/share/config/ksslcablacklist
whitelist ${HOME}/.kde/share/config/oxygenrc
whitelist ${HOME}/.kde/share/icons
whitelist ${HOME}/.kde4/share/config/kdeglobals
whitelist ${HOME}/.kde4/share/config/kio_httprc
whitelist ${HOME}/.kde4/share/config/kioslaverc
whitelist ${HOME}/.kde4/share/config/ksslcablacklist
whitelist ${HOME}/.kde4/share/config/oxygenrc
whitelist ${HOME}/.kde4/share/icons
whitelist ${HOME}/.local/share/qt5ct
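Review bot: the conditional line `?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit` appears as unchanged context, meaning the alias commit's search/replace skipped prefixed lines and left this file mixing `allow` and `whitelist`; the revert makes the whole file use `whitelist` again. If a rename is attempted later, the replacement pattern should also match commands that follow a `?CONDITION:` prefix.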


@ -4,8 +4,8 @@ include whitelist-player-common.local
# common whitelist for all media players
allow ${DESKTOP}
allow ${DOWNLOADS}
allow ${MUSIC}
allow ${PICTURES}
allow ${VIDEOS}
whitelist ${DESKTOP}
whitelist ${DOWNLOADS}
whitelist ${MUSIC}
whitelist ${PICTURES}
whitelist ${VIDEOS}


@ -4,13 +4,13 @@ include whitelist-runuser-common.local
# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
allow ${RUNUSER}/bus
allow ${RUNUSER}/dconf
allow ${RUNUSER}/gdm/Xauthority
allow ${RUNUSER}/ICEauthority
allow ${RUNUSER}/.mutter-Xwaylandauth.*
allow ${RUNUSER}/pulse/native
allow ${RUNUSER}/wayland-0
allow ${RUNUSER}/wayland-1
allow ${RUNUSER}/xauth_*
allow ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
whitelist ${RUNUSER}/bus
whitelist ${RUNUSER}/dconf
whitelist ${RUNUSER}/gdm/Xauthority
whitelist ${RUNUSER}/ICEauthority
whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
whitelist ${RUNUSER}/pulse/native
whitelist ${RUNUSER}/wayland-0
whitelist ${RUNUSER}/wayland-1
whitelist ${RUNUSER}/xauth_*
whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
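Review bot: the last pair of lines is the UUID-shaped `${RUNUSER}` glob; both versions carry the same 8-4-4-4-12 groups of `[[:xdigit:]]`, so only the command word changed. Lines this long are where a hand-edited revert tends to drop a group, so this is the line to eyeball when reviewing similar hunks.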


@ -4,66 +4,66 @@ include whitelist-usr-share-common.local
# common /usr/share whitelist for all profiles
allow /usr/share/alsa
allow /usr/share/applications
allow /usr/share/ca-certificates
allow /usr/share/crypto-policies
allow /usr/share/cursors
allow /usr/share/dconf
allow /usr/share/distro-info
allow /usr/share/drirc.d
allow /usr/share/enchant
allow /usr/share/enchant-2
allow /usr/share/file
allow /usr/share/fontconfig
allow /usr/share/fonts
allow /usr/share/fonts-config
allow /usr/share/gir-1.0
allow /usr/share/gjs-1.0
allow /usr/share/glib-2.0
allow /usr/share/glvnd
allow /usr/share/gtk-2.0
allow /usr/share/gtk-3.0
allow /usr/share/gtk-engines
allow /usr/share/gtksourceview-3.0
allow /usr/share/gtksourceview-4
allow /usr/share/hunspell
allow /usr/share/hwdata
allow /usr/share/icons
allow /usr/share/icu
allow /usr/share/knotifications5
allow /usr/share/kservices5
allow /usr/share/Kvantum
allow /usr/share/kxmlgui5
allow /usr/share/libdrm
allow /usr/share/libthai
allow /usr/share/locale
allow /usr/share/mime
allow /usr/share/misc
allow /usr/share/Modules
allow /usr/share/myspell
allow /usr/share/p11-kit
allow /usr/share/perl
allow /usr/share/perl5
allow /usr/share/pixmaps
allow /usr/share/pki
allow /usr/share/plasma
allow /usr/share/publicsuffix
allow /usr/share/qt
allow /usr/share/qt4
allow /usr/share/qt5
allow /usr/share/qt5ct
allow /usr/share/sounds
allow /usr/share/tcl8.6
allow /usr/share/tcltk
allow /usr/share/terminfo
allow /usr/share/texlive
allow /usr/share/texmf
allow /usr/share/themes
allow /usr/share/thumbnail.so
allow /usr/share/uim
allow /usr/share/vulkan
allow /usr/share/X11
allow /usr/share/xml
allow /usr/share/zenity
allow /usr/share/zoneinfo
whitelist /usr/share/alsa
whitelist /usr/share/applications
whitelist /usr/share/ca-certificates
whitelist /usr/share/crypto-policies
whitelist /usr/share/cursors
whitelist /usr/share/dconf
whitelist /usr/share/distro-info
whitelist /usr/share/drirc.d
whitelist /usr/share/enchant
whitelist /usr/share/enchant-2
whitelist /usr/share/file
whitelist /usr/share/fontconfig
whitelist /usr/share/fonts
whitelist /usr/share/fonts-config
whitelist /usr/share/gir-1.0
whitelist /usr/share/gjs-1.0
whitelist /usr/share/glib-2.0
whitelist /usr/share/glvnd
whitelist /usr/share/gtk-2.0
whitelist /usr/share/gtk-3.0
whitelist /usr/share/gtk-engines
whitelist /usr/share/gtksourceview-3.0
whitelist /usr/share/gtksourceview-4
whitelist /usr/share/hunspell
whitelist /usr/share/hwdata
whitelist /usr/share/icons
whitelist /usr/share/icu
whitelist /usr/share/knotifications5
whitelist /usr/share/kservices5
whitelist /usr/share/Kvantum
whitelist /usr/share/kxmlgui5
whitelist /usr/share/libdrm
whitelist /usr/share/libthai
whitelist /usr/share/locale
whitelist /usr/share/mime
whitelist /usr/share/misc
whitelist /usr/share/Modules
whitelist /usr/share/myspell
whitelist /usr/share/p11-kit
whitelist /usr/share/perl
whitelist /usr/share/perl5
whitelist /usr/share/pixmaps
whitelist /usr/share/pki
whitelist /usr/share/plasma
whitelist /usr/share/publicsuffix
whitelist /usr/share/qt
whitelist /usr/share/qt4
whitelist /usr/share/qt5
whitelist /usr/share/qt5ct
whitelist /usr/share/sounds
whitelist /usr/share/tcl8.6
whitelist /usr/share/tcltk
whitelist /usr/share/terminfo
whitelist /usr/share/texlive
whitelist /usr/share/texmf
whitelist /usr/share/themes
whitelist /usr/share/thumbnail.so
whitelist /usr/share/uim
whitelist /usr/share/vulkan
whitelist /usr/share/X11
whitelist /usr/share/xml
whitelist /usr/share/zenity
whitelist /usr/share/zoneinfo


@ -4,12 +4,12 @@ include whitelist-var-common.local
# common /var whitelist for all profiles
allow /var/lib/aspell
allow /var/lib/ca-certificates
allow /var/lib/dbus
allow /var/lib/menu-xdg
allow /var/lib/uim
allow /var/cache/fontconfig
allow /var/tmp
allow /var/run
allow /var/lock
whitelist /var/lib/aspell
whitelist /var/lib/ca-certificates
whitelist /var/lib/dbus
whitelist /var/lib/menu-xdg
whitelist /var/lib/uim
whitelist /var/cache/fontconfig
whitelist /var/tmp
whitelist /var/run
whitelist /var/lock


@ -6,11 +6,11 @@ include 0ad.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.cache/0ad
nodeny ${HOME}/.config/0ad
nodeny ${HOME}/.local/share/0ad
noblacklist ${HOME}/.cache/0ad
noblacklist ${HOME}/.config/0ad
noblacklist ${HOME}/.local/share/0ad
deny /usr/libexec
blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc
@ -23,11 +23,11 @@ include disable-xdg.inc
mkdir ${HOME}/.cache/0ad
mkdir ${HOME}/.config/0ad
mkdir ${HOME}/.local/share/0ad
allow ${HOME}/.cache/0ad
allow ${HOME}/.config/0ad
allow ${HOME}/.local/share/0ad
allow /usr/share/0ad
allow /usr/share/games
whitelist ${HOME}/.cache/0ad
whitelist ${HOME}/.config/0ad
whitelist ${HOME}/.local/share/0ad
whitelist /usr/share/0ad
whitelist /usr/share/games
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -6,8 +6,8 @@ include 2048-qt.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/2048-qt
nodeny ${HOME}/.config/xiaoyong
noblacklist ${HOME}/.config/2048-qt
noblacklist ${HOME}/.config/xiaoyong
include disable-common.inc
include disable-devel.inc
@ -18,8 +18,8 @@ include disable-programs.inc
mkdir ${HOME}/.config/2048-qt
mkdir ${HOME}/.config/xiaoyong
allow ${HOME}/.config/2048-qt
allow ${HOME}/.config/xiaoyong
whitelist ${HOME}/.config/2048-qt
whitelist ${HOME}/.config/xiaoyong
include whitelist-common.inc
include whitelist-var-common.inc


@ -5,7 +5,7 @@ include Cryptocat.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/Cryptocat
noblacklist ${HOME}/.config/Cryptocat
include disable-common.inc
include disable-devel.inc


@ -5,10 +5,10 @@ include Discord.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/discord
noblacklist ${HOME}/.config/discord
mkdir ${HOME}/.config/discord
allow ${HOME}/.config/discord
whitelist ${HOME}/.config/discord
private-bin Discord
private-opt Discord


@ -5,10 +5,10 @@ include DiscordCanary.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/discordcanary
noblacklist ${HOME}/.config/discordcanary
mkdir ${HOME}/.config/discordcanary
allow ${HOME}/.config/discordcanary
whitelist ${HOME}/.config/discordcanary
private-bin DiscordCanary
private-opt DiscordCanary


@ -6,8 +6,8 @@ include Fritzing.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/Fritzing
nodeny ${DOCUMENTS}
noblacklist ${HOME}/.config/Fritzing
noblacklist ${DOCUMENTS}
include disable-common.inc
include disable-devel.inc


@ -5,7 +5,7 @@ include JDownloader.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.jd
noblacklist ${HOME}/.jd
# Allow java (blacklisted by disable-devel.inc)
include allow-java.inc
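Review bot: `include allow-java.inc` sits right under the `nodeny`/`noblacklist` pair, and the context comment still reads "blacklisted by disable-devel.inc"; an `allow-*.inc` include name next to an `allow` command alias in the same profile is exactly the naming clash the commit message describes, and the comment again shows the alias commit did not update comments. Reverting this file is the right call.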
@ -19,8 +19,8 @@ include disable-programs.inc
include disable-xdg.inc
mkdir ${HOME}/.jd
allow ${HOME}/.jd
allow ${DOWNLOADS}
whitelist ${HOME}/.jd
whitelist ${DOWNLOADS}
include whitelist-common.inc
include whitelist-var-common.inc


@ -6,7 +6,7 @@ include abiword.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/abiword
noblacklist ${HOME}/.config/abiword
include disable-common.inc
include disable-devel.inc
@ -16,7 +16,7 @@ include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
allow /usr/share/abiword-3.0
whitelist /usr/share/abiword-3.0
include whitelist-usr-share-common.inc
include whitelist-runuser-common.inc
include whitelist-var-common.inc


@ -5,13 +5,13 @@ include abrowser.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.cache/mozilla
nodeny ${HOME}/.mozilla
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
mkdir ${HOME}/.cache/mozilla/abrowser
mkdir ${HOME}/.mozilla
allow ${HOME}/.cache/mozilla/abrowser
allow ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/abrowser
whitelist ${HOME}/.mozilla
# private-etc must first be enabled in firefox-common.profile
#private-etc abrowser


@ -7,8 +7,8 @@ include agetpkg.local
# Persistent global definitions
include globals.local
deny /tmp/.X11-unix
deny ${RUNUSER}/wayland-*
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
@ -23,7 +23,7 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
allow ${DOWNLOADS}
whitelist ${DOWNLOADS}
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -4,22 +4,22 @@ include akonadi_control.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.cache/akonadi*
nodeny ${HOME}/.config/akonadi*
nodeny ${HOME}/.config/baloorc
nodeny ${HOME}/.config/emaildefaults
nodeny ${HOME}/.config/emailidentities
nodeny ${HOME}/.config/kmail2rc
nodeny ${HOME}/.config/mailtransports
nodeny ${HOME}/.config/specialmailcollectionsrc
nodeny ${HOME}/.local/share/akonadi*
nodeny ${HOME}/.local/share/apps/korganizer
nodeny ${HOME}/.local/share/contacts
nodeny ${HOME}/.local/share/local-mail
nodeny ${HOME}/.local/share/notes
nodeny /sbin
nodeny /tmp/akonadi-*
nodeny /usr/sbin
noblacklist ${HOME}/.cache/akonadi*
noblacklist ${HOME}/.config/akonadi*
noblacklist ${HOME}/.config/baloorc
noblacklist ${HOME}/.config/emaildefaults
noblacklist ${HOME}/.config/emailidentities
noblacklist ${HOME}/.config/kmail2rc
noblacklist ${HOME}/.config/mailtransports
noblacklist ${HOME}/.config/specialmailcollectionsrc
noblacklist ${HOME}/.local/share/akonadi*
noblacklist ${HOME}/.local/share/apps/korganizer
noblacklist ${HOME}/.local/share/contacts
noblacklist ${HOME}/.local/share/local-mail
noblacklist ${HOME}/.local/share/notes
noblacklist /sbin
noblacklist /tmp/akonadi-*
noblacklist /usr/sbin
include disable-common.inc
include disable-devel.inc


@ -6,9 +6,9 @@ include akregator.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/akregatorrc
nodeny ${HOME}/.local/share/akregator
nodeny ${HOME}/.local/share/kxmlgui5/akregator
noblacklist ${HOME}/.config/akregatorrc
noblacklist ${HOME}/.local/share/akregator
noblacklist ${HOME}/.local/share/kxmlgui5/akregator
include disable-common.inc
include disable-devel.inc
@ -21,10 +21,10 @@ include disable-shell.inc
mkfile ${HOME}/.config/akregatorrc
mkdir ${HOME}/.local/share/akregator
mkdir ${HOME}/.local/share/kxmlgui5/akregator
allow ${HOME}/.config/akregatorrc
allow ${HOME}/.local/share/akregator
allow ${HOME}/.local/share/kssl
allow ${HOME}/.local/share/kxmlgui5/akregator
whitelist ${HOME}/.config/akregatorrc
whitelist ${HOME}/.local/share/akregator
whitelist ${HOME}/.local/share/kssl
whitelist ${HOME}/.local/share/kxmlgui5/akregator
include whitelist-common.inc
include whitelist-var-common.inc


@ -19,13 +19,13 @@ include disable-passwdmgr.inc
include disable-xdg.inc
# Whitelist your system icon directory,varies by distro
allow /usr/share/alacarte
allow /usr/share/app-info
allow /usr/share/desktop-directories
allow /usr/share/icons
allow /var/lib/app-info/icons
allow /var/lib/flatpak/exports/share/applications
allow /var/lib/flatpak/exports/share/icons
whitelist /usr/share/alacarte
whitelist /usr/share/app-info
whitelist /usr/share/desktop-directories
whitelist /usr/share/icons
whitelist /var/lib/app-info/icons
whitelist /var/lib/flatpak/exports/share/applications
whitelist /var/lib/flatpak/exports/share/icons
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
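Review bot: style only: the context comment `# Whitelist your system icon directory,varies by distro` is missing a space after the comma. Leave it as is here so this commit stays a pure revert, and fix it in a separate cleanup.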


@ -6,7 +6,7 @@ include alienarena.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.local/share/cor-games
noblacklist ${HOME}/.local/share/cor-games
include disable-common.inc
include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.local/share/cor-games
allow ${HOME}/.local/share/cor-games
allow /usr/share/alienarena
whitelist ${HOME}/.local/share/cor-games
whitelist /usr/share/alienarena
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc


@ -10,28 +10,28 @@ include globals.local
# Workaround for bug https://github.com/netblue30/firejail/issues/2747
# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
nodeny /var/mail
nodeny /var/spool/mail
nodeny ${DOCUMENTS}
nodeny ${HOME}/.addressbook
nodeny ${HOME}/.alpine-smime
nodeny ${HOME}/.mailcap
nodeny ${HOME}/.mh_profile
nodeny ${HOME}/.mime.types
nodeny ${HOME}/.newsrc
nodeny ${HOME}/.pine-crash
nodeny ${HOME}/.pine-debug1
nodeny ${HOME}/.pine-debug2
nodeny ${HOME}/.pine-debug3
nodeny ${HOME}/.pine-debug4
nodeny ${HOME}/.pine-interrupted-mail
nodeny ${HOME}/.pinerc
nodeny ${HOME}/.pinercex
nodeny ${HOME}/.signature
nodeny ${HOME}/mail
noblacklist /var/mail
noblacklist /var/spool/mail
noblacklist ${DOCUMENTS}
noblacklist ${HOME}/.addressbook
noblacklist ${HOME}/.alpine-smime
noblacklist ${HOME}/.mailcap
noblacklist ${HOME}/.mh_profile
noblacklist ${HOME}/.mime.types
noblacklist ${HOME}/.newsrc
noblacklist ${HOME}/.pine-crash
noblacklist ${HOME}/.pine-debug1
noblacklist ${HOME}/.pine-debug2
noblacklist ${HOME}/.pine-debug3
noblacklist ${HOME}/.pine-debug4
noblacklist ${HOME}/.pine-interrupted-mail
noblacklist ${HOME}/.pinerc
noblacklist ${HOME}/.pinercex
noblacklist ${HOME}/.signature
noblacklist ${HOME}/mail
deny /tmp/.X11-unix
deny ${RUNUSER}/wayland-*
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
include disable-common.inc
include disable-devel.inc
@ -60,8 +60,8 @@ include disable-xdg.inc
#whitelist ${HOME}/.pine-debug4
#whitelist ${HOME}/.signature
#whitelist ${HOME}/mail
allow /var/mail
allow /var/spool/mail
whitelist /var/mail
whitelist /var/spool/mail
#include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc


@ -6,7 +6,7 @@ include amarok.local
# Persistent global definitions
include globals.local
nodeny ${MUSIC}
noblacklist ${MUSIC}
include disable-common.inc
include disable-devel.inc


@ -6,7 +6,7 @@ include amule.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.aMule
noblacklist ${HOME}/.aMule
include disable-common.inc
include disable-devel.inc
@ -16,8 +16,8 @@ include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.aMule
allow ${DOWNLOADS}
allow ${HOME}/.aMule
whitelist ${DOWNLOADS}
whitelist ${HOME}/.aMule
include whitelist-common.inc
caps.drop all


@ -5,13 +5,13 @@ include android-studio.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/Google
nodeny ${HOME}/.AndroidStudio*
nodeny ${HOME}/.android
nodeny ${HOME}/.jack-server
nodeny ${HOME}/.jack-settings
nodeny ${HOME}/.local/share/JetBrains
nodeny ${HOME}/.tooling
noblacklist ${HOME}/.config/Google
noblacklist ${HOME}/.AndroidStudio*
noblacklist ${HOME}/.android
noblacklist ${HOME}/.jack-server
noblacklist ${HOME}/.jack-settings
noblacklist ${HOME}/.local/share/JetBrains
noblacklist ${HOME}/.tooling
# Allows files commonly used by IDEs
include allow-common-devel.inc


@ -6,8 +6,8 @@ include anki.local
# Persistent global definitions
include globals.local
nodeny ${DOCUMENTS}
nodeny ${HOME}/.local/share/Anki2
noblacklist ${DOCUMENTS}
noblacklist ${HOME}/.local/share/Anki2
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
@ -23,8 +23,8 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.local/share/Anki2
allow ${DOCUMENTS}
allow ${HOME}/.local/share/Anki2
whitelist ${DOCUMENTS}
whitelist ${HOME}/.local/share/Anki2
include whitelist-common.inc
include whitelist-var-common.inc


@ -5,7 +5,7 @@ include anydesk.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.anydesk
noblacklist ${HOME}/.anydesk
include disable-common.inc
include disable-devel.inc
@ -15,7 +15,7 @@ include disable-programs.inc
include disable-shell.inc
mkdir ${HOME}/.anydesk
allow ${HOME}/.anydesk
whitelist ${HOME}/.anydesk
include whitelist-common.inc
caps.drop all


@ -5,13 +5,13 @@ include aosp.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.android
nodeny ${HOME}/.bash_history
nodeny ${HOME}/.jack-server
nodeny ${HOME}/.jack-settings
nodeny ${HOME}/.repo_.gitconfig.json
nodeny ${HOME}/.repoconfig
nodeny ${HOME}/.tooling
noblacklist ${HOME}/.android
noblacklist ${HOME}/.bash_history
noblacklist ${HOME}/.jack-server
noblacklist ${HOME}/.jack-settings
noblacklist ${HOME}/.repo_.gitconfig.json
noblacklist ${HOME}/.repoconfig
noblacklist ${HOME}/.tooling
# Allows files commonly used by IDEs
include allow-common-devel.inc

View file

@ -6,9 +6,9 @@ include apostrophe.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.texlive20*
nodeny ${DOCUMENTS}
nodeny ${PICTURES}
noblacklist ${HOME}/.texlive20*
noblacklist ${DOCUMENTS}
noblacklist ${PICTURES}
# Allow lua (blacklisted by disable-interpreters.inc)
include allow-lua.inc
@ -31,12 +31,12 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
allow /usr/libexec/webkit2gtk-4.0
allow /usr/share/apostrophe
allow /usr/share/texlive
allow /usr/share/texmf
allow /usr/share/pandoc-*
allow /usr/share/perl5
whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/apostrophe
whitelist /usr/share/texlive
whitelist /usr/share/texmf
whitelist /usr/share/pandoc-*
whitelist /usr/share/perl5
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

View file

@ -7,7 +7,7 @@ include arch-audit.local
# Persistent global definitions
include globals.local
nodeny /var/lib/pacman
noblacklist /var/lib/pacman
include disable-common.inc
include disable-devel.inc
@ -18,7 +18,7 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
allow /usr/share/arch-audit
whitelist /usr/share/arch-audit
include whitelist-usr-share-common.inc
apparmor

View file

@ -6,7 +6,7 @@ include archaudit-report.local
# Persistent global definitions
include globals.local
nodeny /var/lib/pacman
noblacklist /var/lib/pacman
include disable-common.inc
include disable-devel.inc

View file

@ -4,7 +4,7 @@ include archiver-common.local
# common profile for archiver/compression tools
deny ${RUNUSER}
blacklist ${RUNUSER}
# Comment/uncomment the relevant include file(s) in your archiver-common.local
# to (un)restrict file access for **all** archivers. Another option is to do this **per archiver**
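Review bot: unlike the surrounding hunks this one restores a plain `blacklist ${RUNUSER}` in place of `deny ${RUNUSER}` rather than a `noblacklist`, so the line removes access instead of granting it, and it does so for every archiver that pulls in this common profile, as the comment directly below states. Worth double-checking on a revert like this, because a `deny`/`nodeny` mix-up in the mechanical replacement would silently flip the meaning; here the keyword mapping is correct and nothing else in the hunk changes.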

View file

@ -5,12 +5,12 @@ include ardour5.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/ardour4
nodeny ${HOME}/.config/ardour5
nodeny ${HOME}/.lv2
nodeny ${HOME}/.vst
nodeny ${DOCUMENTS}
nodeny ${MUSIC}
noblacklist ${HOME}/.config/ardour4
noblacklist ${HOME}/.config/ardour5
noblacklist ${HOME}/.lv2
noblacklist ${HOME}/.vst
noblacklist ${DOCUMENTS}
noblacklist ${MUSIC}
include disable-common.inc
include disable-devel.inc

View file

@ -6,9 +6,9 @@ include arduino.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.arduino15
nodeny ${HOME}/Arduino
nodeny ${DOCUMENTS}
noblacklist ${HOME}/.arduino15
noblacklist ${HOME}/Arduino
noblacklist ${DOCUMENTS}
# Allow java (blacklisted by disable-devel.inc)
include allow-java.inc

View file

@ -6,12 +6,12 @@ include aria2c.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.aria2
nodeny ${HOME}/.config/aria2
nodeny ${HOME}/.netrc
noblacklist ${HOME}/.aria2
noblacklist ${HOME}/.config/aria2
noblacklist ${HOME}/.netrc
deny /tmp/.X11-unix
deny ${RUNUSER}/wayland-*
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
include disable-common.inc
include disable-devel.inc
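Review bot: this hunk carries both directions of the alias swap: `nodeny` to `noblacklist` for `${HOME}/.aria2`, `${HOME}/.config/aria2` and `${HOME}/.netrc`, and `deny` to `blacklist` for `/tmp/.X11-unix` and `${RUNUSER}/wayland-*`. The second pair is the hardening part of this profile (a command-line downloader gets no display-server sockets), so check that both `blacklist` lines survive the revert, as they do here, and not only the `noblacklist` ones. Note also that `${HOME}/.netrc` is un-blacklisted: that file holds plaintext credentials, which is a pre-existing choice of the profile and not something this revert changes.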

View file

@ -6,8 +6,8 @@ include ark.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/arkrc
nodeny ${HOME}/.local/share/kxmlgui5/ark
noblacklist ${HOME}/.config/arkrc
noblacklist ${HOME}/.local/share/kxmlgui5/ark
include disable-common.inc
include disable-devel.inc
@ -16,7 +16,7 @@ include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
allow /usr/share/ark
whitelist /usr/share/ark
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

View file

@ -6,7 +6,7 @@ include arm.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.arm
noblacklist ${HOME}/.arm
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
@ -20,7 +20,7 @@ include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.arm
allow ${HOME}/.arm
whitelist ${HOME}/.arm
include whitelist-common.inc
caps.drop all

View file

@ -6,12 +6,12 @@ include artha.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/artha.conf
nodeny ${HOME}/.config/artha.log
nodeny ${HOME}/.config/enchant
noblacklist ${HOME}/.config/artha.conf
noblacklist ${HOME}/.config/artha.log
noblacklist ${HOME}/.config/enchant
deny /tmp/.X11-unix
deny ${RUNUSER}/wayland-*
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
include disable-common.inc
include disable-devel.inc
@ -28,8 +28,8 @@ include disable-xdg.inc
#whitelist ${HOME}/.config/artha.conf
#whitelist ${HOME}/.config/artha.log
#whitelist ${HOME}/.config/enchant
allow /usr/share/artha
allow /usr/share/wordnet
whitelist /usr/share/artha
whitelist /usr/share/wordnet
#include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
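Review bot: the commented-out `#whitelist ${HOME}/.config/artha.conf`, `#whitelist ${HOME}/.config/artha.log`, `#whitelist ${HOME}/.config/enchant` and `#include whitelist-common.inc` lines appear as unchanged context, so they kept the `whitelist` spelling while the live lines below them were `allow` before this revert. After the hunk, `whitelist /usr/share/artha` and `whitelist /usr/share/wordnet` use the same keyword again, so uncommenting the disabled lines no longer yields a profile that mixes both spellings. That pre-revert inconsistency is a concrete instance of the confusion the commit message describes.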

View file

@ -6,7 +6,7 @@ include assogiate.local
# Persistent global definitions
include globals.local
nodeny ${PICTURES}
noblacklist ${PICTURES}
include disable-common.inc
include disable-devel.inc
@ -17,7 +17,7 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
allow ${PICTURES}
whitelist ${PICTURES}
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

View file

@ -6,11 +6,11 @@ include asunder.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/asunder
nodeny ${HOME}/.asunder_album_genre
nodeny ${HOME}/.asunder_album_title
nodeny ${HOME}/.asunder_album_artist
nodeny ${MUSIC}
noblacklist ${HOME}/.config/asunder
noblacklist ${HOME}/.asunder_album_genre
noblacklist ${HOME}/.asunder_album_title
noblacklist ${HOME}/.asunder_album_artist
noblacklist ${MUSIC}
include disable-common.inc
include disable-devel.inc

View file

@ -18,8 +18,8 @@ ignore include whitelist-var-common.inc
ignore apparmor
ignore disable-mnt
nodeny ${HOME}/.atom
nodeny ${HOME}/.config/Atom
noblacklist ${HOME}/.atom
noblacklist ${HOME}/.config/Atom
# Allows files commonly used by IDEs
include allow-common-devel.inc

View file

@ -6,9 +6,9 @@ include atril.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.cache/atril
nodeny ${HOME}/.config/atril
nodeny ${DOCUMENTS}
noblacklist ${HOME}/.cache/atril
noblacklist ${HOME}/.config/atril
noblacklist ${DOCUMENTS}
#noblacklist ${HOME}/.local/share
# it seems to use only ${HOME}/.local/share/webkitgtk

View file

@ -6,9 +6,9 @@ include audacious.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/Audaciousrc
nodeny ${HOME}/.config/audacious
nodeny ${MUSIC}
noblacklist ${HOME}/.config/Audaciousrc
noblacklist ${HOME}/.config/audacious
noblacklist ${MUSIC}
include disable-common.inc
include disable-devel.inc

View file

@ -6,9 +6,9 @@ include audacity.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.audacity-data
nodeny ${DOCUMENTS}
nodeny ${MUSIC}
noblacklist ${HOME}/.audacity-data
noblacklist ${DOCUMENTS}
noblacklist ${MUSIC}
include disable-common.inc
include disable-devel.inc

View file

@ -7,7 +7,7 @@ include audio-recorder.local
# Persistent global definitions
include globals.local
nodeny ${MUSIC}
noblacklist ${MUSIC}
include disable-common.inc
include disable-devel.inc
@ -17,10 +17,10 @@ include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
allow ${MUSIC}
allow ${DOWNLOADS}
allow /usr/share/audio-recorder
allow /usr/share/gstreamer-1.0
whitelist ${MUSIC}
whitelist ${DOWNLOADS}
whitelist /usr/share/audio-recorder
whitelist /usr/share/gstreamer-1.0
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

View file

@ -6,7 +6,7 @@ include authenticator-rs.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.local/share/authenticator-rs
noblacklist ${HOME}/.local/share/authenticator-rs
include disable-common.inc
include disable-devel.inc
@ -18,9 +18,9 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.local/share/authenticator-rs
allow ${HOME}/.local/share/authenticator-rs
allow ${DOWNLOADS}
allow /usr/share/uk.co.grumlimited.authenticator-rs
whitelist ${HOME}/.local/share/authenticator-rs
whitelist ${DOWNLOADS}
whitelist /usr/share/uk.co.grumlimited.authenticator-rs
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc

View file

@ -6,8 +6,8 @@ include authenticator.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.cache/Authenticator
nodeny ${HOME}/.config/Authenticator
noblacklist ${HOME}/.cache/Authenticator
noblacklist ${HOME}/.config/Authenticator
# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc

View file

@ -7,8 +7,8 @@ include autokey-common.local
# added by caller profile
#include globals.local
nodeny ${HOME}/.config/autokey
nodeny ${HOME}/.local/share/autokey
noblacklist ${HOME}/.config/autokey
noblacklist ${HOME}/.local/share/autokey
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc

View file

@ -5,9 +5,9 @@ include avidemux.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.avidemux6
nodeny ${HOME}/.config/avidemux3_qt5rc
nodeny ${VIDEOS}
noblacklist ${HOME}/.avidemux6
noblacklist ${HOME}/.config/avidemux3_qt5rc
noblacklist ${VIDEOS}
include disable-common.inc
include disable-devel.inc
@ -20,9 +20,9 @@ include disable-xdg.inc
mkdir ${HOME}/.avidemux6
mkdir ${HOME}/.config/avidemux3_qt5rc
allow ${HOME}/.avidemux6
allow ${HOME}/.config/avidemux3_qt5rc
allow ${VIDEOS}
whitelist ${HOME}/.avidemux6
whitelist ${HOME}/.config/avidemux3_qt5rc
whitelist ${VIDEOS}
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc

View file

@ -6,7 +6,7 @@ include aweather.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/aweather
noblacklist ${HOME}/.config/aweather
include disable-common.inc
include disable-devel.inc
@ -16,7 +16,7 @@ include disable-programs.inc
include disable-shell.inc
mkdir ${HOME}/.config/aweather
allow ${HOME}/.config/aweather
whitelist ${HOME}/.config/aweather
include whitelist-common.inc
include whitelist-var-common.inc

View file

@ -7,7 +7,7 @@ include awesome.local
include globals.local
# all applications started in awesome will run in this profile
nodeny ${HOME}/.config/awesome
noblacklist ${HOME}/.config/awesome
include disable-common.inc
caps.drop all

View file

@ -6,7 +6,7 @@ include ballbuster.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.ballbuster.hs
noblacklist ${HOME}/.ballbuster.hs
include disable-common.inc
include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
include disable-xdg.inc
mkfile ${HOME}/.ballbuster.hs
allow ${HOME}/.ballbuster.hs
allow /usr/share/ballbuster
whitelist ${HOME}/.ballbuster.hs
whitelist /usr/share/ballbuster
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc

View file

@ -12,12 +12,12 @@ include globals.local
# read-write ${HOME}/.local/share/baloo
# ignore read-write
nodeny ${HOME}/.config/baloofilerc
nodeny ${HOME}/.kde/share/config/baloofilerc
nodeny ${HOME}/.kde/share/config/baloorc
nodeny ${HOME}/.kde4/share/config/baloofilerc
nodeny ${HOME}/.kde4/share/config/baloorc
nodeny ${HOME}/.local/share/baloo
noblacklist ${HOME}/.config/baloofilerc
noblacklist ${HOME}/.kde/share/config/baloofilerc
noblacklist ${HOME}/.kde/share/config/baloorc
noblacklist ${HOME}/.kde4/share/config/baloofilerc
noblacklist ${HOME}/.kde4/share/config/baloorc
noblacklist ${HOME}/.local/share/baloo
include disable-common.inc
include disable-devel.inc

View file

@ -6,13 +6,13 @@ include balsa.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.balsa
nodeny ${HOME}/.gnupg
nodeny ${HOME}/.mozilla
nodeny ${HOME}/.signature
nodeny ${HOME}/mail
nodeny /var/mail
nodeny /var/spool/mail
noblacklist ${HOME}/.balsa
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.signature
noblacklist ${HOME}/mail
noblacklist /var/mail
noblacklist /var/spool/mail
include disable-common.inc
include disable-devel.inc
@ -27,17 +27,17 @@ mkdir ${HOME}/.balsa
mkdir ${HOME}/.gnupg
mkfile ${HOME}/.signature
mkdir ${HOME}/mail
allow ${HOME}/.balsa
allow ${HOME}/.gnupg
allow ${HOME}/.mozilla/firefox/profiles.ini
allow ${HOME}/.signature
allow ${HOME}/mail
allow ${RUNUSER}/gnupg
allow /usr/share/balsa
allow /usr/share/gnupg
allow /usr/share/gnupg2
allow /var/mail
allow /var/spool/mail
whitelist ${HOME}/.balsa
whitelist ${HOME}/.gnupg
whitelist ${HOME}/.mozilla/firefox/profiles.ini
whitelist ${HOME}/.signature
whitelist ${HOME}/mail
whitelist ${RUNUSER}/gnupg
whitelist /usr/share/balsa
whitelist /usr/share/gnupg
whitelist /usr/share/gnupg2
whitelist /var/mail
whitelist /var/spool/mail
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
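Review bot: the whitelist block restored here is deliberately narrower than the noblacklist block in this file's first hunk: `noblacklist ${HOME}/.mozilla` lifts the blanket blacklist, but only `whitelist ${HOME}/.mozilla/firefox/profiles.ini` is exposed, so the sandbox sees the profiles index and not the browser profiles themselves. The same holds for `${HOME}/.gnupg` together with `${RUNUSER}/gnupg` and for the mail spools `/var/mail` and `/var/spool/mail`; every added `whitelist` line has a matching removed `allow` line, so the revert neither widens nor narrows any of these grants. The preceding `mkdir`/`mkfile` lines, which create the targets before they are whitelisted, are unchanged context.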

View file

@ -6,9 +6,9 @@ include barrier.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/Debauchee/Barrier.conf
nodeny ${HOME}/.local/share/barrier
nodeny ${PATH}/openssl
noblacklist ${HOME}/.config/Debauchee/Barrier.conf
noblacklist ${HOME}/.local/share/barrier
noblacklist ${PATH}/openssl
include disable-common.inc
include disable-devel.inc

View file

@ -5,13 +5,13 @@ include basilisk.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.cache/moonchild productions/basilisk
nodeny ${HOME}/.moonchild productions/basilisk
noblacklist ${HOME}/.cache/moonchild productions/basilisk
noblacklist ${HOME}/.moonchild productions/basilisk
mkdir ${HOME}/.cache/moonchild productions/basilisk
mkdir ${HOME}/.moonchild productions
allow ${HOME}/.cache/moonchild productions/basilisk
allow ${HOME}/.moonchild productions
whitelist ${HOME}/.cache/moonchild productions/basilisk
whitelist ${HOME}/.moonchild productions
# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
seccomp

View file

@ -7,10 +7,10 @@ include bcompare.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/bcompare
noblacklist ${HOME}/.config/bcompare
# In case the user decides to include disable-programs.inc, still allow
# KDE's Gwenview to view images via right click -> Open With -> Associated Application
nodeny ${HOME}/.config/gwenviewrc
noblacklist ${HOME}/.config/gwenviewrc
# Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc.
#include disable-common.inc

View file

@ -19,10 +19,10 @@ ignore private-cache
ignore private-dev
ignore private-tmp
nodeny ${HOME}/.config/Beaker Browser
noblacklist ${HOME}/.config/Beaker Browser
mkdir ${HOME}/.config/Beaker Browser
allow ${HOME}/.config/Beaker Browser
whitelist ${HOME}/.config/Beaker Browser
# Redirect
include electron.profile

View file

@ -6,11 +6,11 @@ include bibletime.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.bibletime
nodeny ${HOME}/.sword
nodeny ${HOME}/.local/share/bibletime
noblacklist ${HOME}/.bibletime
noblacklist ${HOME}/.sword
noblacklist ${HOME}/.local/share/bibletime
deny ${HOME}/.bashrc
blacklist ${HOME}/.bashrc
include disable-common.inc
include disable-devel.inc
@ -22,12 +22,12 @@ include disable-programs.inc
mkdir ${HOME}/.bibletime
mkdir ${HOME}/.sword
mkdir ${HOME}/.local/share/bibletime
allow ${HOME}/.bibletime
allow ${HOME}/.sword
allow ${HOME}/.local/share/bibletime
allow /usr/share/bibletime
allow /usr/share/doc/bibletime
allow /usr/share/sword
whitelist ${HOME}/.bibletime
whitelist ${HOME}/.sword
whitelist ${HOME}/.local/share/bibletime
whitelist /usr/share/bibletime
whitelist /usr/share/doc/bibletime
whitelist /usr/share/sword
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

View file

@ -6,7 +6,7 @@ include bijiben.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.local/share/bijiben
noblacklist ${HOME}/.local/share/bijiben
include disable-common.inc
include disable-devel.inc
@ -18,12 +18,12 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.local/share/bijiben
allow ${HOME}/.local/share/bijiben
allow ${HOME}/.cache/tracker
allow /usr/libexec/webkit2gtk-4.0
allow /usr/share/bijiben
allow /usr/share/tracker
allow /usr/share/tracker3
whitelist ${HOME}/.local/share/bijiben
whitelist ${HOME}/.cache/tracker
whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/bijiben
whitelist /usr/share/tracker
whitelist /usr/share/tracker3
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc

View file

@ -6,8 +6,8 @@ include bitcoin-qt.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.bitcoin
nodeny ${HOME}/.config/Bitcoin
noblacklist ${HOME}/.bitcoin
noblacklist ${HOME}/.config/Bitcoin
include disable-common.inc
include disable-devel.inc
@ -19,8 +19,8 @@ include disable-shell.inc
mkdir ${HOME}/.bitcoin
mkdir ${HOME}/.config/Bitcoin
allow ${HOME}/.bitcoin
allow ${HOME}/.config/Bitcoin
whitelist ${HOME}/.bitcoin
whitelist ${HOME}/.config/Bitcoin
include whitelist-common.inc
include whitelist-var-common.inc

View file

@ -8,8 +8,8 @@ include globals.local
ignore noexec ${HOME}
nodeny /sbin
nodeny /usr/sbin
noblacklist /sbin
noblacklist /usr/sbin
# noblacklist /var/log
include disable-common.inc
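Review bot: this hunk lifts a blacklist on system directories (`noblacklist /sbin` and `noblacklist /usr/sbin`) rather than on a per-application dotfile, and it sits next to `ignore noexec ${HOME}`, so the profile intentionally gives the sandboxed program more than the default. The revert only renames the two directives and does not change that, but read them together with the `include disable-common.inc` that follows: the `noblacklist` lines must stay above that include for the carve-out to take effect, and the hunk keeps that order. The commented `# noblacklist /var/log` kept the old keyword throughout, which again shows the alias commit did not reach comments.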

View file

@ -11,12 +11,12 @@ ignore include whitelist-usr-share-common.inc
ignore noexec /tmp
nodeny ${HOME}/.config/Bitwarden
noblacklist ${HOME}/.config/Bitwarden
include disable-shell.inc
mkdir ${HOME}/.config/Bitwarden
allow ${HOME}/.config/Bitwarden
whitelist ${HOME}/.config/Bitwarden
machine-id
no3d

View file

@ -7,7 +7,7 @@ include blackbox.local
include globals.local
# all applications started in blackbox will run in this profile
nodeny ${HOME}/.blackbox
noblacklist ${HOME}/.blackbox
include disable-common.inc
caps.drop all

View file

@ -6,7 +6,7 @@ include blender.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/blender
noblacklist ${HOME}/.config/blender
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
@ -20,8 +20,8 @@ include disable-passwdmgr.inc
include disable-programs.inc
# Allow usage of AMD GPU by OpenCL
nodeny /sys/module
allow /sys/module/amdgpu
noblacklist /sys/module
whitelist /sys/module/amdgpu
read-only /sys/module/amdgpu
caps.drop all
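Review bot: the `/sys/module` pair is the one place in this diff where a `noblacklist` and a `whitelist` on nested paths sit together with a `read-only`, and the order must stay as shown: `noblacklist /sys/module` removes the blanket block, `whitelist /sys/module/amdgpu` then exposes only the amdgpu subtree, and the unchanged `read-only /sys/module/amdgpu` keeps it non-writable. The revert keeps all three in that sequence, so OpenCL on AMD still works without opening the rest of `/sys/module`; anyone re-applying a rename later should treat these lines as a unit.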

View file

@ -6,7 +6,7 @@ include bless.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/bless
noblacklist ${HOME}/.config/bless
include disable-common.inc
include disable-devel.inc

View file

@ -4,7 +4,7 @@ include blobby.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.blobby
noblacklist ${HOME}/.blobby
include disable-common.inc
include disable-devel.inc
@ -16,9 +16,9 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.blobby
allow ${HOME}/.blobby
whitelist ${HOME}/.blobby
include whitelist-common.inc
allow /usr/share/blobby
whitelist /usr/share/blobby
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

View file

@ -6,7 +6,7 @@ include blobwars.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.parallelrealities/blobwars
noblacklist ${HOME}/.parallelrealities/blobwars
include disable-common.inc
include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.parallelrealities/blobwars
allow ${HOME}/.parallelrealities/blobwars
allow /usr/share/blobwars
whitelist ${HOME}/.parallelrealities/blobwars
whitelist /usr/share/blobwars
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

View file

@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
nodeny ${HOME}/.cache/bnox
nodeny ${HOME}/.config/bnox
noblacklist ${HOME}/.cache/bnox
noblacklist ${HOME}/.config/bnox
mkdir ${HOME}/.cache/bnox
mkdir ${HOME}/.config/bnox
allow ${HOME}/.cache/bnox
allow ${HOME}/.config/bnox
whitelist ${HOME}/.cache/bnox
whitelist ${HOME}/.config/bnox
# Redirect
include chromium-common.profile
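Review bot: the hunk header's context `ignore whitelist /usr/share/chromium`, together with `ignore include whitelist-runuser-common.inc` and `ignore include whitelist-usr-share-common.inc`, shows that the pre-revert file already used `whitelist` inside `ignore` directives while its own grants were written as `allow ${HOME}/.cache/bnox` and `allow ${HOME}/.config/bnox`. After this hunk the file uses a single keyword throughout; the same check is worth running on the other chromium-based profiles that carry `ignore whitelist ...` lines.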

View file

@ -5,7 +5,7 @@ include brackets.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/Brackets
noblacklist ${HOME}/.config/Brackets
#noblacklist /opt/brackets
#noblacklist /opt/google

View file

@ -6,7 +6,7 @@ include brasero.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.config/brasero
noblacklist ${HOME}/.config/brasero
include disable-common.inc
include disable-devel.inc

View file

@ -14,24 +14,24 @@ ignore noexec /tmp
# Alternatively you can add 'ignore apparmor' to your brave.local.
ignore noexec ${HOME}
nodeny ${HOME}/.cache/BraveSoftware
nodeny ${HOME}/.config/BraveSoftware
nodeny ${HOME}/.config/brave
nodeny ${HOME}/.config/brave-flags.conf
noblacklist ${HOME}/.cache/BraveSoftware
noblacklist ${HOME}/.config/BraveSoftware
noblacklist ${HOME}/.config/brave
noblacklist ${HOME}/.config/brave-flags.conf
# brave uses gpg for built-in password manager
nodeny ${HOME}/.gnupg
noblacklist ${HOME}/.gnupg
mkdir ${HOME}/.cache/BraveSoftware
mkdir ${HOME}/.config/BraveSoftware
mkdir ${HOME}/.config/brave
allow ${HOME}/.cache/BraveSoftware
allow ${HOME}/.config/BraveSoftware
allow ${HOME}/.config/brave
allow ${HOME}/.config/brave-flags.conf
allow ${HOME}/.gnupg
whitelist ${HOME}/.cache/BraveSoftware
whitelist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.config/brave
whitelist ${HOME}/.config/brave-flags.conf
whitelist ${HOME}/.gnupg
# Brave sandbox needs read access to /proc/config.gz
nodeny /proc/config.gz
noblacklist /proc/config.gz
# Redirect
include chromium-common.profile
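Review bot: two grants in this hunk deserve a look beyond the keyword swap. `whitelist ${HOME}/.gnupg` (with the comment that brave uses gpg for its built-in password manager) exposes the whole keyring directory to a browser sandbox, and `noblacklist /proc/config.gz` lets the sandbox read the kernel configuration; both are restored exactly as they were before fe0f975f44, so the revert is neutral, but they are the lines to revisit if the profile is tightened later, for instance by whitelisting only what the gpg call actually needs. The `mkdir` lines and the `include chromium-common.profile` redirect are unchanged context.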

View file

@ -6,7 +6,7 @@ include bzflag.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.bzf
noblacklist ${HOME}/.bzf
include disable-common.inc
include disable-devel.inc
@ -18,7 +18,7 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.bzf
allow ${HOME}/.bzf
whitelist ${HOME}/.bzf
include whitelist-common.inc
include whitelist-var-common.inc

View file

@ -6,9 +6,9 @@ include calibre.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.cache/calibre
nodeny ${HOME}/.config/calibre
nodeny ${DOCUMENTS}
noblacklist ${HOME}/.cache/calibre
noblacklist ${HOME}/.config/calibre
noblacklist ${DOCUMENTS}
include disable-common.inc
include disable-devel.inc

View file

@ -6,7 +6,7 @@ include calligra.local
# Persistent global definitions
include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligra
noblacklist ${HOME}/.local/share/kxmlgui5/calligra
include disable-common.inc
include disable-devel.inc

View file

@ -6,7 +6,7 @@ include calligragemini.local
# added by included profile
#include globals.local
nodeny ${HOME}/.local/share/calligragemini
noblacklist ${HOME}/.local/share/calligragemini
# Redirect
include calligra.profile

View file

@ -6,7 +6,7 @@ include calligraplan.local
# added by included profile
#include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligraplan
noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
# Redirect
include calligra.profile

View file

@ -6,7 +6,7 @@ include calligraplanwork.local
# added by included profile
#include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligraplanwork
noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
# Redirect
include calligra.profile

View file

@ -6,7 +6,7 @@ include calligrasheets.local
# added by included profile
#include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligrasheets
noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
# Redirect
include calligra.profile

View file

@ -6,7 +6,7 @@ include calligrastage.local
# added by included profile
#include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligrastage
noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
# Redirect
include calligra.profile

View file

@ -6,7 +6,7 @@ include calligrawords.local
# added by included profile
#include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligrawords
noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
# Redirect
include calligra.profile

Some files were not shown because too many files have changed in this diff.