Revert "move whitelist/blacklist to allow/deny"

This reverts commit fe0f975f44.

Note: This only reverts the changes from etc.

The 4 aliases introduced on commit 45f2ba544 are mere, well, aliases.
That is, they fail to address the different usability problems discussed
on [#3447][3447] and in fact only make things more confusing (as has
already been mentioned on [this][4379] and later comments).  The main
reason is that the aliases do not meaningfully map to the original
commands.  For example, the commands from each pair below seem like they
would do the exact same thing:

* `allow` and `nodeny`
* `deny` and `noallow`

Additionally, if these aliases are not the final commands, but only a
test/work-in-progress, then keeping the wide-scale search/replace
changes made on commit fe0f975f4 would only serve to cause confusion, as
users of firejail-git, contributors and downstream projects might start
changing the commands used on their profiles, only to later have to
change them again, potentially to completely different commands.

The sooner this is undone the better, as (besides the above reasons) the
more profile changes there are between the original commit and the
revert, the harder it is to e.g.: `git diff` versions of files across
the following revision ranges: before the commit, after the commit but
before the revert and after the revert.  Note: This is still the case
even if a commit is [ignored by `git blame`][4390].

So let us revert fe0f975f4 and only reapply similar large-scale changes
once we have discussed and settled on better commands.

How the revert was applied: Despite using the auto-generated message
from `git revert`, to ensure correctness and to avoid conflicts the
changes were reverted in different steps: Firstly, revert the files
which can be safely reverted directly ("filestorevert"):

    # Find out which files have been changed on fe0f975f44, but have not
    # been changed afterwards and list them on "filestorevert"
    git show --pretty='' --name-only fe0f975f44 -- etc | LC_ALL=C sort >allfiles
    git diff --name-only fe0f975f44..master -- etc | LC_ALL=C sort >filestoignore
    comm -2 -3 allfiles filestoignore >filestorevert

    # Note: There are 3 extra files on filestoignore because they were
    # added after commit fe0f975f44
    wc -l allfiles filestoignore filestorevert | head -n 3
    #   797 allfiles
    #     8 filestoignore
    #   792 filestorevert

    # Automatically revert files in "filestorevert"
    # See https://stackoverflow.com/a/23401018/10095231
    tr '\n' '\000' <filestorevert | xargs -0 git show fe0f975f44 -- |
    git apply --reverse

    printf 'Total files reverted:\n'
    git diff --name-only | wc -l
    # 792

Secondly, do some search/replace on the rest:

    tr '\n' '\000' <filestoignore | xargs -0 sed -i.bak \
      -e 's/allow  /whitelist /' -e 's/noallow  /nowhitelist /' \
      -e 's/deny  /blacklist /' -e 's/nodeny  /noblacklist /' \
      -e 's/deny-nolog  /blacklist-nolog /'

    find etc -name '*.bak' -print0 | xargs -0 rm

Thirdly, verify the result.  The following command shows the difference
between all the changes in etc from before fe0f975f44 and this commit
(inclusive):

    git diff fe0f975f44~1 -- etc

From the output, it looks like all alias changes are fully reverted and
that the other changes to etc (from after fe0f975f44) remain, so the
revert seems to be done correctly.

[3447]: https://github.com/netblue30/firejail/issues/3447
[4379]: https://github.com/netblue30/firejail/issues/4379#issuecomment-876460222
[4390]: https://github.com/netblue30/firejail/issues/4390
Kelvin M. Klann 2021-07-18 20:39:14 -03:00
parent 42a03511d0
commit f43382f1e9
798 changed files with 5083 additions and 5083 deletions
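
A mechanical complement to the `git diff` inspection in the commit message's verification step, as an added example that is not part of the commit or of the firejail repository: it scans a profile tree for lines whose command is still one of the five aliases. The function names, the sample files and the `?HAS_X11: deny` line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the commit or of the firejail repository.

# The five alias commands that the sed expressions in the commit message rewrite.
ALIAS_RE='(allow|noallow|deny|nodeny|deny-nolog)'

# remaining_aliases DIR
# Print "file:lineno:text" for every line whose command is still an alias.
#  - anchored at line start, so "include allow-ssh.local" or a comment that
#    merely mentions a keyword does not match
#  - an optional "?COND:" prefix (the form seen in "#?HAS_X11: ...") is skipped
#  - whitespace must follow the keyword, so "deny" is not confused with
#    "deny-nolog"
remaining_aliases() {
    grep -rnE "^[[:space:]]*(\?[A-Z0-9_]+:[[:space:]]*)?${ALIAS_RE}[[:space:]]" "$1" || true
}

# count_remaining DIR: number of offending lines; 0 means the tree is clean.
count_remaining() {
    remaining_aliases "$1" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed two-directory sample and print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/clean" "$dir/stale"
    cat >"$dir/clean/reverted.inc" <<'EOF'
# deny is only mentioned in this comment
include allow-ssh.local
noblacklist ${HOME}/.ssh
blacklist-nolog ${HOME}/.history
whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
#?HAS_X11: blacklist /tmp/.ICE-unix
EOF
    cat >"$dir/stale/not-reverted.inc" <<'EOF'
include allow-ssh.local
nodeny ${HOME}/.ssh
deny-nolog ${HOME}/.history
?HAS_X11: deny /tmp/.ICE-unix
  allow /usr/share/opengl-games-utils/opengl-game-functions.sh
EOF
    printf '%s\n' "$dir"
}

# Demonstration on the constructed sample.
tree=$(make_sample_tree)
printf 'clean: %s alias lines\n' "$(count_remaining "$tree/clean")"
printf 'stale: %s alias lines\n' "$(count_remaining "$tree/stale")"
remaining_aliases "$tree/stale"
rm -rf "$tree"
```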

@ -2,6 +2,6 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-bin-sh.local include allow-bin-sh.local
nodeny ${PATH}/bash noblacklist ${PATH}/bash
nodeny ${PATH}/dash noblacklist ${PATH}/dash
nodeny ${PATH}/sh noblacklist ${PATH}/sh

@ -3,29 +3,29 @@
include allow-common-devel.local include allow-common-devel.local
# Git # Git
nodeny ${HOME}/.config/git noblacklist ${HOME}/.config/git
nodeny ${HOME}/.gitconfig noblacklist ${HOME}/.gitconfig
nodeny ${HOME}/.git-credentials noblacklist ${HOME}/.git-credentials
# Java # Java
nodeny ${HOME}/.gradle noblacklist ${HOME}/.gradle
nodeny ${HOME}/.java noblacklist ${HOME}/.java
# Node.js # Node.js
nodeny ${HOME}/.node-gyp noblacklist ${HOME}/.node-gyp
nodeny ${HOME}/.npm noblacklist ${HOME}/.npm
nodeny ${HOME}/.npmrc noblacklist ${HOME}/.npmrc
nodeny ${HOME}/.nvm noblacklist ${HOME}/.nvm
nodeny ${HOME}/.yarn noblacklist ${HOME}/.yarn
nodeny ${HOME}/.yarn-config noblacklist ${HOME}/.yarn-config
nodeny ${HOME}/.yarncache noblacklist ${HOME}/.yarncache
nodeny ${HOME}/.yarnrc noblacklist ${HOME}/.yarnrc
# Python # Python
nodeny ${HOME}/.pylint.d noblacklist ${HOME}/.pylint.d
nodeny ${HOME}/.python-history noblacklist ${HOME}/.python-history
nodeny ${HOME}/.python_history noblacklist ${HOME}/.python_history
nodeny ${HOME}/.pythonhist noblacklist ${HOME}/.pythonhist
# Rust # Rust
nodeny ${HOME}/.cargo/* noblacklist ${HOME}/.cargo/*
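
Review bot: the Git block restores `noblacklist ${HOME}/.git-credentials` with no comment, although the disable-common hunk further down lists the same path under `# top secret`. A one-line comment saying why development profiles need that file reachable would help, in the way the Node.js include explains its `include allow-python2.inc` line.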

@ -2,11 +2,11 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-gjs.local include allow-gjs.local
nodeny ${PATH}/gjs noblacklist ${PATH}/gjs
nodeny ${PATH}/gjs-console noblacklist ${PATH}/gjs-console
nodeny /usr/lib/gjs noblacklist /usr/lib/gjs
nodeny /usr/lib/libgjs* noblacklist /usr/lib/libgjs*
nodeny /usr/lib/libmozjs-* noblacklist /usr/lib/libmozjs-*
nodeny /usr/lib64/gjs noblacklist /usr/lib64/gjs
nodeny /usr/lib64/libgjs* noblacklist /usr/lib64/libgjs*
nodeny /usr/lib64/libmozjs-* noblacklist /usr/lib64/libmozjs-*

@ -2,8 +2,8 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-java.local include allow-java.local
nodeny ${HOME}/.java noblacklist ${HOME}/.java
nodeny ${PATH}/java noblacklist ${PATH}/java
nodeny /etc/java noblacklist /etc/java
nodeny /usr/lib/java noblacklist /usr/lib/java
nodeny /usr/share/java noblacklist /usr/share/java

@ -2,11 +2,11 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-lua.local include allow-lua.local
nodeny ${PATH}/lua* noblacklist ${PATH}/lua*
nodeny /usr/include noblacklist /usr/include
nodeny /usr/lib/liblua* noblacklist /usr/lib/liblua*
nodeny /usr/lib/lua noblacklist /usr/lib/lua
nodeny /usr/lib64/liblua* noblacklist /usr/lib64/liblua*
nodeny /usr/lib64/lua noblacklist /usr/lib64/lua
nodeny /usr/share/lua noblacklist /usr/share/lua
nodeny /usr/share/lua* noblacklist /usr/share/lua*

@ -2,8 +2,8 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-nodejs.local include allow-nodejs.local
nodeny ${PATH}/node noblacklist ${PATH}/node
nodeny /usr/include/node noblacklist /usr/include/node
# Allow python for node-gyp (blacklisted by disable-interpreters.inc) # Allow python for node-gyp (blacklisted by disable-interpreters.inc)
include allow-python2.inc include allow-python2.inc

@ -2,6 +2,6 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-opengl-game.local include allow-opengl-game.local
nodeny ${PATH}/bash noblacklist ${PATH}/bash
allow /usr/share/opengl-games-utils/opengl-game-functions.sh whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity

@ -2,11 +2,11 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-perl.local include allow-perl.local
nodeny ${PATH}/core_perl noblacklist ${PATH}/core_perl
nodeny ${PATH}/cpan* noblacklist ${PATH}/cpan*
nodeny ${PATH}/perl noblacklist ${PATH}/perl
nodeny ${PATH}/site_perl noblacklist ${PATH}/site_perl
nodeny ${PATH}/vendor_perl noblacklist ${PATH}/vendor_perl
nodeny /usr/lib/perl* noblacklist /usr/lib/perl*
nodeny /usr/lib64/perl* noblacklist /usr/lib64/perl*
nodeny /usr/share/perl* noblacklist /usr/share/perl*

@ -2,6 +2,6 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-php.local include allow-php.local
nodeny ${PATH}/php* noblacklist ${PATH}/php*
nodeny /usr/lib/php* noblacklist /usr/lib/php*
nodeny /usr/share/php* noblacklist /usr/share/php*

@ -2,8 +2,8 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-python2.local include allow-python2.local
nodeny ${PATH}/python2* noblacklist ${PATH}/python2*
nodeny /usr/include/python2* noblacklist /usr/include/python2*
nodeny /usr/lib/python2* noblacklist /usr/lib/python2*
nodeny /usr/local/lib/python2* noblacklist /usr/local/lib/python2*
nodeny /usr/share/python2* noblacklist /usr/share/python2*

@ -2,9 +2,9 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-python3.local include allow-python3.local
nodeny ${PATH}/python3* noblacklist ${PATH}/python3*
nodeny /usr/include/python3* noblacklist /usr/include/python3*
nodeny /usr/lib/python3* noblacklist /usr/lib/python3*
nodeny /usr/lib64/python3* noblacklist /usr/lib64/python3*
nodeny /usr/local/lib/python3* noblacklist /usr/local/lib/python3*
nodeny /usr/share/python3* noblacklist /usr/share/python3*

@ -2,5 +2,5 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-ruby.local include allow-ruby.local
nodeny ${PATH}/ruby noblacklist ${PATH}/ruby
nodeny /usr/lib/ruby noblacklist /usr/lib/ruby

@ -2,7 +2,7 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include allow-ssh.local include allow-ssh.local
nodeny ${HOME}/.ssh noblacklist ${HOME}/.ssh
nodeny /etc/ssh noblacklist /etc/ssh
nodeny /etc/ssh/ssh_config noblacklist /etc/ssh/ssh_config
nodeny /tmp/ssh-* noblacklist /tmp/ssh-*

@ -5,63 +5,63 @@ include disable-common.local
# The following block breaks trash functionality in file managers # The following block breaks trash functionality in file managers
#read-only ${HOME}/.local #read-only ${HOME}/.local
#read-write ${HOME}/.local/share #read-write ${HOME}/.local/share
deny ${HOME}/.local/share/Trash blacklist ${HOME}/.local/share/Trash
# History files in $HOME and clipboard managers # History files in $HOME and clipboard managers
deny-nolog ${HOME}/.*_history blacklist-nolog ${HOME}/.*_history
deny-nolog ${HOME}/.adobe blacklist-nolog ${HOME}/.adobe
deny-nolog ${HOME}/.cache/greenclip* blacklist-nolog ${HOME}/.cache/greenclip*
deny-nolog ${HOME}/.histfile blacklist-nolog ${HOME}/.histfile
deny-nolog ${HOME}/.history blacklist-nolog ${HOME}/.history
deny-nolog ${HOME}/.kde/share/apps/klipper blacklist-nolog ${HOME}/.kde/share/apps/klipper
deny-nolog ${HOME}/.kde4/share/apps/klipper blacklist-nolog ${HOME}/.kde4/share/apps/klipper
deny-nolog ${HOME}/.local/share/fish/fish_history blacklist-nolog ${HOME}/.local/share/fish/fish_history
deny-nolog ${HOME}/.local/share/klipper blacklist-nolog ${HOME}/.local/share/klipper
deny-nolog ${HOME}/.macromedia blacklist-nolog ${HOME}/.macromedia
deny-nolog ${HOME}/.mupdf.history blacklist-nolog ${HOME}/.mupdf.history
deny-nolog ${HOME}/.python-history blacklist-nolog ${HOME}/.python-history
deny-nolog ${HOME}/.python_history blacklist-nolog ${HOME}/.python_history
deny-nolog ${HOME}/.pythonhist blacklist-nolog ${HOME}/.pythonhist
deny-nolog ${HOME}/.lesshst blacklist-nolog ${HOME}/.lesshst
deny-nolog ${HOME}/.viminfo blacklist-nolog ${HOME}/.viminfo
deny-nolog /tmp/clipmenu* blacklist-nolog /tmp/clipmenu*
# X11 session autostart # X11 session autostart
# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
deny ${HOME}/.Xsession blacklist ${HOME}/.Xsession
deny ${HOME}/.blackbox blacklist ${HOME}/.blackbox
deny ${HOME}/.config/autostart blacklist ${HOME}/.config/autostart
deny ${HOME}/.config/autostart-scripts blacklist ${HOME}/.config/autostart-scripts
deny ${HOME}/.config/awesome blacklist ${HOME}/.config/awesome
deny ${HOME}/.config/i3 blacklist ${HOME}/.config/i3
deny ${HOME}/.config/sway blacklist ${HOME}/.config/sway
deny ${HOME}/.config/lxsession/LXDE/autostart blacklist ${HOME}/.config/lxsession/LXDE/autostart
deny ${HOME}/.config/openbox blacklist ${HOME}/.config/openbox
deny ${HOME}/.config/plasma-workspace blacklist ${HOME}/.config/plasma-workspace
deny ${HOME}/.config/startupconfig blacklist ${HOME}/.config/startupconfig
deny ${HOME}/.config/startupconfigkeys blacklist ${HOME}/.config/startupconfigkeys
deny ${HOME}/.fluxbox blacklist ${HOME}/.fluxbox
deny ${HOME}/.gnomerc blacklist ${HOME}/.gnomerc
deny ${HOME}/.kde/Autostart blacklist ${HOME}/.kde/Autostart
deny ${HOME}/.kde/env blacklist ${HOME}/.kde/env
deny ${HOME}/.kde/share/autostart blacklist ${HOME}/.kde/share/autostart
deny ${HOME}/.kde/share/config/startupconfig blacklist ${HOME}/.kde/share/config/startupconfig
deny ${HOME}/.kde/share/config/startupconfigkeys blacklist ${HOME}/.kde/share/config/startupconfigkeys
deny ${HOME}/.kde/shutdown blacklist ${HOME}/.kde/shutdown
deny ${HOME}/.kde4/env blacklist ${HOME}/.kde4/env
deny ${HOME}/.kde4/Autostart blacklist ${HOME}/.kde4/Autostart
deny ${HOME}/.kde4/share/autostart blacklist ${HOME}/.kde4/share/autostart
deny ${HOME}/.kde4/shutdown blacklist ${HOME}/.kde4/shutdown
deny ${HOME}/.kde4/share/config/startupconfig blacklist ${HOME}/.kde4/share/config/startupconfig
deny ${HOME}/.kde4/share/config/startupconfigkeys blacklist ${HOME}/.kde4/share/config/startupconfigkeys
deny ${HOME}/.local/share/autostart blacklist ${HOME}/.local/share/autostart
deny ${HOME}/.xinitrc blacklist ${HOME}/.xinitrc
deny ${HOME}/.xprofile blacklist ${HOME}/.xprofile
deny ${HOME}/.xserverrc blacklist ${HOME}/.xserverrc
deny ${HOME}/.xsession blacklist ${HOME}/.xsession
deny ${HOME}/.xsessionrc blacklist ${HOME}/.xsessionrc
deny /etc/X11/Xsession.d blacklist /etc/X11/Xsession.d
deny /etc/xdg/autostart blacklist /etc/xdg/autostart
read-only ${HOME}/.Xauthority read-only ${HOME}/.Xauthority
# Session manager # Session manager
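
Review bot: in the history block, `blacklist-nolog ${HOME}/.python_history` is already matched by the `blacklist-nolog ${HOME}/.*_history` glob on the block's first line, so the restored entry is redundant. Keeping it is right for a mechanical revert; dropping it belongs in a separate follow-up commit.
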
@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority
#?HAS_X11: blacklist /tmp/.ICE-unix #?HAS_X11: blacklist /tmp/.ICE-unix
# KDE config # KDE config
deny ${HOME}/.cache/konsole blacklist ${HOME}/.cache/konsole
deny ${HOME}/.config/khotkeysrc blacklist ${HOME}/.config/khotkeysrc
deny ${HOME}/.config/krunnerrc blacklist ${HOME}/.config/krunnerrc
deny ${HOME}/.config/kscreenlockerrc blacklist ${HOME}/.config/kscreenlockerrc
deny ${HOME}/.config/ksslcertificatemanager blacklist ${HOME}/.config/ksslcertificatemanager
deny ${HOME}/.config/kwalletrc blacklist ${HOME}/.config/kwalletrc
deny ${HOME}/.config/kwinrc blacklist ${HOME}/.config/kwinrc
deny ${HOME}/.config/kwinrulesrc blacklist ${HOME}/.config/kwinrulesrc
deny ${HOME}/.config/plasma-locale-settings.sh blacklist ${HOME}/.config/plasma-locale-settings.sh
deny ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
deny ${HOME}/.config/plasmashellrc blacklist ${HOME}/.config/plasmashellrc
deny ${HOME}/.config/plasmavaultrc blacklist ${HOME}/.config/plasmavaultrc
deny ${HOME}/.kde/share/apps/kwin blacklist ${HOME}/.kde/share/apps/kwin
deny ${HOME}/.kde/share/apps/plasma blacklist ${HOME}/.kde/share/apps/plasma
deny ${HOME}/.kde/share/apps/solid blacklist ${HOME}/.kde/share/apps/solid
deny ${HOME}/.kde/share/config/khotkeysrc blacklist ${HOME}/.kde/share/config/khotkeysrc
deny ${HOME}/.kde/share/config/krunnerrc blacklist ${HOME}/.kde/share/config/krunnerrc
deny ${HOME}/.kde/share/config/kscreensaverrc blacklist ${HOME}/.kde/share/config/kscreensaverrc
deny ${HOME}/.kde/share/config/ksslcertificatemanager blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
deny ${HOME}/.kde/share/config/kwalletrc blacklist ${HOME}/.kde/share/config/kwalletrc
deny ${HOME}/.kde/share/config/kwinrc blacklist ${HOME}/.kde/share/config/kwinrc
deny ${HOME}/.kde/share/config/kwinrulesrc blacklist ${HOME}/.kde/share/config/kwinrulesrc
deny ${HOME}/.kde/share/config/plasma-desktop-appletsrc blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
deny ${HOME}/.kde4/share/apps/kwin blacklist ${HOME}/.kde4/share/apps/kwin
deny ${HOME}/.kde4/share/apps/plasma blacklist ${HOME}/.kde4/share/apps/plasma
deny ${HOME}/.kde4/share/apps/solid blacklist ${HOME}/.kde4/share/apps/solid
deny ${HOME}/.kde4/share/config/khotkeysrc blacklist ${HOME}/.kde4/share/config/khotkeysrc
deny ${HOME}/.kde4/share/config/krunnerrc blacklist ${HOME}/.kde4/share/config/krunnerrc
deny ${HOME}/.kde4/share/config/kscreensaverrc blacklist ${HOME}/.kde4/share/config/kscreensaverrc
deny ${HOME}/.kde4/share/config/ksslcertificatemanager blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
deny ${HOME}/.kde4/share/config/kwalletrc blacklist ${HOME}/.kde4/share/config/kwalletrc
deny ${HOME}/.kde4/share/config/kwinrc blacklist ${HOME}/.kde4/share/config/kwinrc
deny ${HOME}/.kde4/share/config/kwinrulesrc blacklist ${HOME}/.kde4/share/config/kwinrulesrc
deny ${HOME}/.kde4/share/config/plasma-desktop-appletsrc blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
deny ${HOME}/.local/share/kglobalaccel blacklist ${HOME}/.local/share/kglobalaccel
deny ${HOME}/.local/share/kwin blacklist ${HOME}/.local/share/kwin
deny ${HOME}/.local/share/plasma blacklist ${HOME}/.local/share/plasma
deny ${HOME}/.local/share/plasmashell blacklist ${HOME}/.local/share/plasmashell
deny ${HOME}/.local/share/solid blacklist ${HOME}/.local/share/solid
deny /tmp/konsole-*.history blacklist /tmp/konsole-*.history
read-only ${HOME}/.cache/ksycoca5_* read-only ${HOME}/.cache/ksycoca5_*
read-only ${HOME}/.config/*notifyrc read-only ${HOME}/.config/*notifyrc
read-only ${HOME}/.config/kdeglobals read-only ${HOME}/.config/kdeglobals
@ -138,139 +138,139 @@ read-only ${HOME}/.local/share/kservices5
read-only ${HOME}/.local/share/kssl read-only ${HOME}/.local/share/kssl
# KDE sockets # KDE sockets
deny ${RUNUSER}/*.slave-socket blacklist ${RUNUSER}/*.slave-socket
deny ${RUNUSER}/kdeinit5__* blacklist ${RUNUSER}/kdeinit5__*
deny ${RUNUSER}/kdesud_* blacklist ${RUNUSER}/kdesud_*
# see #3358 # see #3358
#?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-* #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
#?HAS_NODBUS: blacklist /tmp/ksocket-* #?HAS_NODBUS: blacklist /tmp/ksocket-*
# gnome # gnome
# contains extensions, last used times of applications, and notifications # contains extensions, last used times of applications, and notifications
deny ${HOME}/.local/share/gnome-shell blacklist ${HOME}/.local/share/gnome-shell
# contains recently used files and serials of static/removable storage # contains recently used files and serials of static/removable storage
deny ${HOME}/.local/share/gvfs-metadata blacklist ${HOME}/.local/share/gvfs-metadata
# no direct modification of dconf database # no direct modification of dconf database
read-only ${HOME}/.config/dconf read-only ${HOME}/.config/dconf
deny ${RUNUSER}/gnome-session-leader-fifo blacklist ${RUNUSER}/gnome-session-leader-fifo
deny ${RUNUSER}/gnome-shell blacklist ${RUNUSER}/gnome-shell
deny ${RUNUSER}/gsconnect blacklist ${RUNUSER}/gsconnect
# systemd # systemd
deny ${HOME}/.config/systemd blacklist ${HOME}/.config/systemd
deny ${HOME}/.local/share/systemd blacklist ${HOME}/.local/share/systemd
deny /var/lib/systemd blacklist /var/lib/systemd
deny ${PATH}/systemd-run blacklist ${PATH}/systemd-run
deny ${RUNUSER}/systemd blacklist ${RUNUSER}/systemd
deny ${PATH}/systemctl blacklist ${PATH}/systemctl
deny /etc/systemd/system blacklist /etc/systemd/system
deny /etc/systemd/network blacklist /etc/systemd/network
# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
#blacklist /var/run/systemd #blacklist /var/run/systemd
# openrc # openrc
deny /etc/runlevels/ blacklist /etc/runlevels/
deny /etc/init.d/ blacklist /etc/init.d/
deny /etc/rc.conf blacklist /etc/rc.conf
# VirtualBox # VirtualBox
deny ${HOME}/.VirtualBox blacklist ${HOME}/.VirtualBox
deny ${HOME}/.config/VirtualBox blacklist ${HOME}/.config/VirtualBox
deny ${HOME}/VirtualBox VMs blacklist ${HOME}/VirtualBox VMs
# GNOME Boxes # GNOME Boxes
deny ${HOME}/.config/gnome-boxes blacklist ${HOME}/.config/gnome-boxes
deny ${HOME}/.local/share/gnome-boxes blacklist ${HOME}/.local/share/gnome-boxes
# libvirt # libvirt
deny ${HOME}/.cache/libvirt blacklist ${HOME}/.cache/libvirt
deny ${HOME}/.config/libvirt blacklist ${HOME}/.config/libvirt
deny ${RUNUSER}/libvirt blacklist ${RUNUSER}/libvirt
deny /var/cache/libvirt blacklist /var/cache/libvirt
deny /var/lib/libvirt blacklist /var/lib/libvirt
deny /var/log/libvirt blacklist /var/log/libvirt
# OCI-Containers / Podman # OCI-Containers / Podman
deny ${RUNUSER}/containers blacklist ${RUNUSER}/containers
deny ${RUNUSER}/crun blacklist ${RUNUSER}/crun
deny ${RUNUSER}/libpod blacklist ${RUNUSER}/libpod
deny ${RUNUSER}/runc blacklist ${RUNUSER}/runc
deny ${RUNUSER}/toolbox blacklist ${RUNUSER}/toolbox
# VeraCrypt # VeraCrypt
deny ${HOME}/.VeraCrypt blacklist ${HOME}/.VeraCrypt
deny ${PATH}/veracrypt blacklist ${PATH}/veracrypt
deny ${PATH}/veracrypt-uninstall.sh blacklist ${PATH}/veracrypt-uninstall.sh
deny /usr/share/applications/veracrypt.* blacklist /usr/share/applications/veracrypt.*
deny /usr/share/pixmaps/veracrypt.* blacklist /usr/share/pixmaps/veracrypt.*
deny /usr/share/veracrypt blacklist /usr/share/veracrypt
# TrueCrypt # TrueCrypt
deny ${HOME}/.TrueCrypt blacklist ${HOME}/.TrueCrypt
deny ${PATH}/truecrypt blacklist ${PATH}/truecrypt
deny ${PATH}/truecrypt-uninstall.sh blacklist ${PATH}/truecrypt-uninstall.sh
deny /usr/share/applications/truecrypt.* blacklist /usr/share/applications/truecrypt.*
deny /usr/share/pixmaps/truecrypt.* blacklist /usr/share/pixmaps/truecrypt.*
deny /usr/share/truecrypt blacklist /usr/share/truecrypt
# zuluCrypt # zuluCrypt
deny ${HOME}/.zuluCrypt blacklist ${HOME}/.zuluCrypt
deny ${HOME}/.zuluCrypt-socket blacklist ${HOME}/.zuluCrypt-socket
deny ${PATH}/zuluCrypt-cli blacklist ${PATH}/zuluCrypt-cli
deny ${PATH}/zuluMount-cli blacklist ${PATH}/zuluMount-cli
# var # var
deny /var/cache/apt blacklist /var/cache/apt
deny /var/cache/pacman blacklist /var/cache/pacman
deny /var/lib/apt blacklist /var/lib/apt
deny /var/lib/clamav blacklist /var/lib/clamav
deny /var/lib/dkms blacklist /var/lib/dkms
deny /var/lib/mysql/mysql.sock blacklist /var/lib/mysql/mysql.sock
deny /var/lib/mysqld/mysql.sock blacklist /var/lib/mysqld/mysql.sock
deny /var/lib/pacman blacklist /var/lib/pacman
deny /var/lib/upower blacklist /var/lib/upower
# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
# every sandbox, unless --writable-var-log switch is activated # every sandbox, unless --writable-var-log switch is activated
deny /var/mail blacklist /var/mail
deny /var/opt blacklist /var/opt
deny /var/run/acpid.socket blacklist /var/run/acpid.socket
deny /var/run/docker.sock blacklist /var/run/docker.sock
deny /var/run/minissdpd.sock blacklist /var/run/minissdpd.sock
deny /var/run/mysql/mysqld.sock blacklist /var/run/mysql/mysqld.sock
deny /var/run/mysqld/mysqld.sock blacklist /var/run/mysqld/mysqld.sock
deny /var/run/rpcbind.sock blacklist /var/run/rpcbind.sock
deny /var/run/screens blacklist /var/run/screens
deny /var/spool/anacron blacklist /var/spool/anacron
deny /var/spool/cron blacklist /var/spool/cron
deny /var/spool/mail blacklist /var/spool/mail
# etc # etc
deny /etc/anacrontab blacklist /etc/anacrontab
deny /etc/cron* blacklist /etc/cron*
deny /etc/profile.d blacklist /etc/profile.d
deny /etc/rc.local blacklist /etc/rc.local
# rc1.d, rc2.d, ... # rc1.d, rc2.d, ...
deny /etc/rc?.d blacklist /etc/rc?.d
deny /etc/kernel* blacklist /etc/kernel*
deny /etc/grub* blacklist /etc/grub*
deny /etc/dkms blacklist /etc/dkms
deny /etc/apparmor* blacklist /etc/apparmor*
deny /etc/selinux blacklist /etc/selinux
deny /etc/modules* blacklist /etc/modules*
deny /etc/logrotate* blacklist /etc/logrotate*
deny /etc/adduser.conf blacklist /etc/adduser.conf
# hide config for various intrusion detection systems # hide config for various intrusion detection systems
deny /etc/rkhunter.conf blacklist /etc/rkhunter.conf
deny /var/lib/rkhunter blacklist /var/lib/rkhunter
deny /etc/chkrootkit.conf blacklist /etc/chkrootkit.conf
deny /etc/lynis blacklist /etc/lynis
deny /etc/aide blacklist /etc/aide
deny /etc/logcheck blacklist /etc/logcheck
deny /etc/tripwire blacklist /etc/tripwire
deny /etc/snort blacklist /etc/snort
deny /etc/fail2ban.conf blacklist /etc/fail2ban.conf
deny /etc/suricata blacklist /etc/suricata
# Startup files # Startup files
read-only ${HOME}/.antigen read-only ${HOME}/.antigen
@ -307,13 +307,13 @@ read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local read-only ${HOME}/.zshrc.local
# Remote access # Remote access
deny ${HOME}/.rhosts blacklist ${HOME}/.rhosts
deny ${HOME}/.shosts blacklist ${HOME}/.shosts
deny ${HOME}/.ssh/authorized_keys blacklist ${HOME}/.ssh/authorized_keys
deny ${HOME}/.ssh/authorized_keys2 blacklist ${HOME}/.ssh/authorized_keys2
deny ${HOME}/.ssh/environment blacklist ${HOME}/.ssh/environment
deny ${HOME}/.ssh/rc blacklist ${HOME}/.ssh/rc
deny /etc/hosts.equiv blacklist /etc/hosts.equiv
read-only ${HOME}/.ssh/config read-only ${HOME}/.ssh/config
read-only ${HOME}/.ssh/config.d read-only ${HOME}/.ssh/config.d
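
Review bot: the Remote access entries under `${HOME}/.ssh` (`authorized_keys`, `authorized_keys2`, `environment`, `rc`) overlap with the `noblacklist ${HOME}/.ssh` line restored in the allow-ssh hunk above, and nothing here says whether they are meant to stay blocked when that include is used. A one-line comment stating the intent would keep someone from removing them as duplicates of `blacklist ${HOME}/.ssh`.
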
@ -374,200 +374,200 @@ read-only ${HOME}/.local/share/mime
read-only ${HOME}/.local/share/thumbnailers read-only ${HOME}/.local/share/thumbnailers
# prevent access to ssh-agent # prevent access to ssh-agent
deny /tmp/ssh-* blacklist /tmp/ssh-*
# top secret # top secret
deny ${HOME}/*.kdb blacklist ${HOME}/*.kdb
deny ${HOME}/*.kdbx blacklist ${HOME}/*.kdbx
deny ${HOME}/*.key blacklist ${HOME}/*.key
deny ${HOME}/.Private blacklist ${HOME}/.Private
deny ${HOME}/.caff blacklist ${HOME}/.caff
deny ${HOME}/.cargo/credentials blacklist ${HOME}/.cargo/credentials
deny ${HOME}/.cargo/credentials.toml blacklist ${HOME}/.cargo/credentials.toml
deny ${HOME}/.cert blacklist ${HOME}/.cert
deny ${HOME}/.config/keybase blacklist ${HOME}/.config/keybase
deny ${HOME}/.davfs2/secrets blacklist ${HOME}/.davfs2/secrets
deny ${HOME}/.ecryptfs blacklist ${HOME}/.ecryptfs
deny ${HOME}/.fetchmailrc blacklist ${HOME}/.fetchmailrc
deny ${HOME}/.fscrypt blacklist ${HOME}/.fscrypt
deny ${HOME}/.git-credential-cache blacklist ${HOME}/.git-credential-cache
deny ${HOME}/.git-credentials blacklist ${HOME}/.git-credentials
deny ${HOME}/.gnome2/keyrings blacklist ${HOME}/.gnome2/keyrings
deny ${HOME}/.gnupg blacklist ${HOME}/.gnupg
deny ${HOME}/.config/hub blacklist ${HOME}/.config/hub
deny ${HOME}/.kde/share/apps/kwallet blacklist ${HOME}/.kde/share/apps/kwallet
deny ${HOME}/.kde4/share/apps/kwallet blacklist ${HOME}/.kde4/share/apps/kwallet
deny ${HOME}/.local/share/keyrings blacklist ${HOME}/.local/share/keyrings
deny ${HOME}/.local/share/kwalletd blacklist ${HOME}/.local/share/kwalletd
deny ${HOME}/.local/share/plasma-vault blacklist ${HOME}/.local/share/plasma-vault
deny ${HOME}/.msmtprc blacklist ${HOME}/.msmtprc
deny ${HOME}/.mutt blacklist ${HOME}/.mutt
deny ${HOME}/.muttrc blacklist ${HOME}/.muttrc
deny ${HOME}/.netrc blacklist ${HOME}/.netrc
deny ${HOME}/.nyx blacklist ${HOME}/.nyx
deny ${HOME}/.pki blacklist ${HOME}/.pki
deny ${HOME}/.local/share/pki blacklist ${HOME}/.local/share/pki
deny ${HOME}/.smbcredentials blacklist ${HOME}/.smbcredentials
deny ${HOME}/.ssh blacklist ${HOME}/.ssh
deny ${HOME}/.vaults blacklist ${HOME}/.vaults
deny /.fscrypt blacklist /.fscrypt
deny /etc/davfs2/secrets blacklist /etc/davfs2/secrets
deny /etc/group+ blacklist /etc/group+
deny /etc/group- blacklist /etc/group-
deny /etc/gshadow blacklist /etc/gshadow
deny /etc/gshadow+ blacklist /etc/gshadow+
deny /etc/gshadow- blacklist /etc/gshadow-
deny /etc/passwd+ blacklist /etc/passwd+
deny /etc/passwd- blacklist /etc/passwd-
deny /etc/shadow blacklist /etc/shadow
deny /etc/shadow+ blacklist /etc/shadow+
deny /etc/shadow- blacklist /etc/shadow-
deny /etc/ssh blacklist /etc/ssh
deny /etc/ssh/* blacklist /etc/ssh/*
deny /home/.ecryptfs blacklist /home/.ecryptfs
deny /home/.fscrypt blacklist /home/.fscrypt
deny /var/backup blacklist /var/backup
# cloud provider configuration # cloud provider configuration
deny ${HOME}/.aws blacklist ${HOME}/.aws
deny ${HOME}/.boto blacklist ${HOME}/.boto
deny ${HOME}/.config/gcloud blacklist ${HOME}/.config/gcloud
deny ${HOME}/.kube blacklist ${HOME}/.kube
deny ${HOME}/.passwd-s3fs blacklist ${HOME}/.passwd-s3fs
deny ${HOME}/.s3cmd blacklist ${HOME}/.s3cmd
deny /etc/boto.cfg blacklist /etc/boto.cfg
# system directories # system directories
deny /sbin blacklist /sbin
deny /usr/local/sbin blacklist /usr/local/sbin
deny /usr/sbin blacklist /usr/sbin
# system management # system management
deny ${PATH}/at blacklist ${PATH}/at
deny ${PATH}/busybox blacklist ${PATH}/busybox
deny ${PATH}/chage blacklist ${PATH}/chage
deny ${PATH}/chfn blacklist ${PATH}/chfn
deny ${PATH}/chsh blacklist ${PATH}/chsh
deny ${PATH}/crontab blacklist ${PATH}/crontab
deny ${PATH}/evtest blacklist ${PATH}/evtest
deny ${PATH}/expiry blacklist ${PATH}/expiry
deny ${PATH}/fusermount blacklist ${PATH}/fusermount
deny ${PATH}/gksu blacklist ${PATH}/gksu
deny ${PATH}/gksudo blacklist ${PATH}/gksudo
deny ${PATH}/gpasswd blacklist ${PATH}/gpasswd
deny ${PATH}/kdesudo blacklist ${PATH}/kdesudo
deny ${PATH}/ksu blacklist ${PATH}/ksu
deny ${PATH}/mount blacklist ${PATH}/mount
deny ${PATH}/mount.ecryptfs_private blacklist ${PATH}/mount.ecryptfs_private
deny ${PATH}/nc blacklist ${PATH}/nc
deny ${PATH}/ncat blacklist ${PATH}/ncat
deny ${PATH}/nmap blacklist ${PATH}/nmap
deny ${PATH}/newgidmap blacklist ${PATH}/newgidmap
deny ${PATH}/newgrp blacklist ${PATH}/newgrp
deny ${PATH}/newuidmap blacklist ${PATH}/newuidmap
deny ${PATH}/ntfs-3g blacklist ${PATH}/ntfs-3g
deny ${PATH}/pkexec blacklist ${PATH}/pkexec
deny ${PATH}/procmail blacklist ${PATH}/procmail
deny ${PATH}/sg blacklist ${PATH}/sg
deny ${PATH}/strace blacklist ${PATH}/strace
deny ${PATH}/su blacklist ${PATH}/su
deny ${PATH}/sudo blacklist ${PATH}/sudo
deny ${PATH}/tcpdump blacklist ${PATH}/tcpdump
deny ${PATH}/umount blacklist ${PATH}/umount
deny ${PATH}/unix_chkpwd blacklist ${PATH}/unix_chkpwd
deny ${PATH}/xev blacklist ${PATH}/xev
deny ${PATH}/xinput blacklist ${PATH}/xinput
# other SUID binaries # other SUID binaries
deny /usr/lib/virtualbox blacklist /usr/lib/virtualbox
deny /usr/lib64/virtualbox blacklist /usr/lib64/virtualbox
# prevent lxterminal connecting to an existing lxterminal session # prevent lxterminal connecting to an existing lxterminal session
deny /tmp/.lxterminal-socket* blacklist /tmp/.lxterminal-socket*
# prevent tmux connecting to an existing session # prevent tmux connecting to an existing session
deny /tmp/tmux-* blacklist /tmp/tmux-*
# disable terminals running as server resulting in sandbox escape # disable terminals running as server resulting in sandbox escape
deny ${PATH}/lxterminal blacklist ${PATH}/lxterminal
deny ${PATH}/gnome-terminal blacklist ${PATH}/gnome-terminal
deny ${PATH}/gnome-terminal.wrapper blacklist ${PATH}/gnome-terminal.wrapper
deny ${PATH}/lilyterm blacklist ${PATH}/lilyterm
deny ${PATH}/mate-terminal blacklist ${PATH}/mate-terminal
deny ${PATH}/mate-terminal.wrapper blacklist ${PATH}/mate-terminal.wrapper
deny ${PATH}/pantheon-terminal blacklist ${PATH}/pantheon-terminal
deny ${PATH}/roxterm blacklist ${PATH}/roxterm
deny ${PATH}/roxterm-config blacklist ${PATH}/roxterm-config
deny ${PATH}/terminix blacklist ${PATH}/terminix
deny ${PATH}/tilix blacklist ${PATH}/tilix
deny ${PATH}/urxvtc blacklist ${PATH}/urxvtc
deny ${PATH}/urxvtcd blacklist ${PATH}/urxvtcd
deny ${PATH}/xfce4-terminal blacklist ${PATH}/xfce4-terminal
deny ${PATH}/xfce4-terminal.wrapper blacklist ${PATH}/xfce4-terminal.wrapper
# blacklist ${PATH}/konsole # blacklist ${PATH}/konsole
# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
# kernel files # kernel files
deny /initrd* blacklist /initrd*
deny /vmlinuz* blacklist /vmlinuz*
# snapshot files # snapshot files
deny /.snapshots blacklist /.snapshots
# flatpak # flatpak
deny ${HOME}/.cache/flatpak blacklist ${HOME}/.cache/flatpak
deny ${HOME}/.config/flatpak blacklist ${HOME}/.config/flatpak
nodeny ${HOME}/.local/share/flatpak/exports noblacklist ${HOME}/.local/share/flatpak/exports
read-only ${HOME}/.local/share/flatpak/exports read-only ${HOME}/.local/share/flatpak/exports
deny ${HOME}/.local/share/flatpak/* blacklist ${HOME}/.local/share/flatpak/*
deny ${HOME}/.var blacklist ${HOME}/.var
deny ${RUNUSER}/app blacklist ${RUNUSER}/app
deny ${RUNUSER}/doc blacklist ${RUNUSER}/doc
deny ${RUNUSER}/.dbus-proxy blacklist ${RUNUSER}/.dbus-proxy
deny ${RUNUSER}/.flatpak blacklist ${RUNUSER}/.flatpak
deny ${RUNUSER}/.flatpak-cache blacklist ${RUNUSER}/.flatpak-cache
deny ${RUNUSER}/.flatpak-helper blacklist ${RUNUSER}/.flatpak-helper
deny /usr/share/flatpak blacklist /usr/share/flatpak
nodeny /var/lib/flatpak/exports noblacklist /var/lib/flatpak/exports
deny /var/lib/flatpak/* blacklist /var/lib/flatpak/*
# most of the time bwrap is SUID binary # most of the time bwrap is SUID binary
deny ${PATH}/bwrap blacklist ${PATH}/bwrap
# snap # snap
deny ${RUNUSER}/snapd-session-agent.socket blacklist ${RUNUSER}/snapd-session-agent.socket
# mail directories used by mutt # mail directories used by mutt
deny ${HOME}/.Mail blacklist ${HOME}/.Mail
deny ${HOME}/.mail blacklist ${HOME}/.mail
deny ${HOME}/.signature blacklist ${HOME}/.signature
deny ${HOME}/Mail blacklist ${HOME}/Mail
deny ${HOME}/mail blacklist ${HOME}/mail
deny ${HOME}/postponed blacklist ${HOME}/postponed
deny ${HOME}/sent blacklist ${HOME}/sent
# kernel configuration # kernel configuration
deny /proc/config.gz blacklist /proc/config.gz
# prevent DNS malware attempting to communicate with the server # prevent DNS malware attempting to communicate with the server
# using regular DNS tools # using regular DNS tools
deny ${PATH}/dig blacklist ${PATH}/dig
deny ${PATH}/dlint blacklist ${PATH}/dlint
deny ${PATH}/dns2tcp blacklist ${PATH}/dns2tcp
deny ${PATH}/dnssec-* blacklist ${PATH}/dnssec-*
deny ${PATH}/dnswalk blacklist ${PATH}/dnswalk
deny ${PATH}/drill blacklist ${PATH}/drill
deny ${PATH}/host blacklist ${PATH}/host
deny ${PATH}/iodine blacklist ${PATH}/iodine
deny ${PATH}/kdig blacklist ${PATH}/kdig
deny ${PATH}/khost blacklist ${PATH}/khost
deny ${PATH}/knsupdate blacklist ${PATH}/knsupdate
deny ${PATH}/ldns-* blacklist ${PATH}/ldns-*
deny ${PATH}/ldnsd blacklist ${PATH}/ldnsd
deny ${PATH}/nslookup blacklist ${PATH}/nslookup
deny ${PATH}/resolvectl blacklist ${PATH}/resolvectl
deny ${PATH}/unbound-host blacklist ${PATH}/unbound-host
# rest of ${RUNUSER} # rest of ${RUNUSER}
deny ${RUNUSER}/*.lock blacklist ${RUNUSER}/*.lock
deny ${RUNUSER}/inaccessible blacklist ${RUNUSER}/inaccessible
deny ${RUNUSER}/pk-debconf-socket blacklist ${RUNUSER}/pk-debconf-socket
deny ${RUNUSER}/update-notifier.pid blacklist ${RUNUSER}/update-notifier.pid
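
Review bot: The two flatpak exemptions, `noblacklist ${HOME}/.local/share/flatpak/exports` and `noblacklist /var/lib/flatpak/exports`, each sit directly above the wildcard `blacklist` for the same directory, and nothing in the hunk documents that the exemption has to come first. A one-line comment above each pair would keep a later reorder or bulk rename from silently blacklisting `exports` as well. In the left column the same pairs read `nodeny` / `deny`, which is easy to misread as an `allow`, so `noblacklist` is the clearer spelling to restore here.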

@ -5,65 +5,65 @@ include disable-devel.local
# development tools # development tools
# clang/llvm # clang/llvm
deny ${PATH}/clang* blacklist ${PATH}/clang*
deny ${PATH}/lldb* blacklist ${PATH}/lldb*
deny ${PATH}/llvm* blacklist ${PATH}/llvm*
# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
# blacklist /usr/lib/llvm* # blacklist /usr/lib/llvm*
# GCC # GCC
deny ${PATH}/as blacklist ${PATH}/as
deny ${PATH}/cc blacklist ${PATH}/cc
deny ${PATH}/c++* blacklist ${PATH}/c++*
deny ${PATH}/c8* blacklist ${PATH}/c8*
deny ${PATH}/c9* blacklist ${PATH}/c9*
deny ${PATH}/cpp* blacklist ${PATH}/cpp*
deny ${PATH}/g++* blacklist ${PATH}/g++*
deny ${PATH}/gcc* blacklist ${PATH}/gcc*
deny ${PATH}/gdb blacklist ${PATH}/gdb
deny ${PATH}/ld blacklist ${PATH}/ld
deny ${PATH}/*-gcc* blacklist ${PATH}/*-gcc*
deny ${PATH}/*-g++* blacklist ${PATH}/*-g++*
deny ${PATH}/*-gcc* blacklist ${PATH}/*-gcc*
deny ${PATH}/*-g++* blacklist ${PATH}/*-g++*
# seems to create problems on Gentoo # seems to create problems on Gentoo
#blacklist /usr/lib/gcc #blacklist /usr/lib/gcc
#Go #Go
deny ${PATH}/gccgo blacklist ${PATH}/gccgo
deny ${PATH}/go blacklist ${PATH}/go
deny ${PATH}/gofmt blacklist ${PATH}/gofmt
# Java # Java
deny ${PATH}/java blacklist ${PATH}/java
deny ${PATH}/javac blacklist ${PATH}/javac
deny /etc/java blacklist /etc/java
deny /usr/lib/java blacklist /usr/lib/java
deny /usr/share/java blacklist /usr/share/java
#OpenSSL #OpenSSL
deny ${PATH}/openssl blacklist ${PATH}/openssl
deny ${PATH}/openssl-1.0 blacklist ${PATH}/openssl-1.0
#Rust #Rust
deny ${PATH}/rust-gdb blacklist ${PATH}/rust-gdb
deny ${PATH}/rust-lldb blacklist ${PATH}/rust-lldb
deny ${PATH}/rustc blacklist ${PATH}/rustc
deny ${HOME}/.rustup blacklist ${HOME}/.rustup
# tcc - Tiny C Compiler # tcc - Tiny C Compiler
deny ${PATH}/tcc blacklist ${PATH}/tcc
deny ${PATH}/x86_64-tcc blacklist ${PATH}/x86_64-tcc
deny /usr/lib/tcc blacklist /usr/lib/tcc
# Valgrind # Valgrind
deny ${PATH}/valgrind* blacklist ${PATH}/valgrind*
deny /usr/lib/valgrind blacklist /usr/lib/valgrind
# Source-Code # Source-Code
deny /usr/src blacklist /usr/src
deny /usr/local/src blacklist /usr/local/src
deny /usr/include blacklist /usr/include
deny /usr/local/include blacklist /usr/local/include
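
Review bot: The GCC block lists `blacklist ${PATH}/*-gcc*` and `blacklist ${PATH}/*-g++*` twice in a row, in both columns, so the duplication predates fe0f975f44 and the revert restores it as it was. Leave it alone in this commit so the revert stays mechanical, and drop the second pair in a follow-up.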

@ -3,66 +3,66 @@
include disable-interpreters.local include disable-interpreters.local
# gjs # gjs
deny ${PATH}/gjs blacklist ${PATH}/gjs
deny ${PATH}/gjs-console blacklist ${PATH}/gjs-console
deny /usr/lib/gjs blacklist /usr/lib/gjs
deny /usr/lib/libgjs* blacklist /usr/lib/libgjs*
deny /usr/lib64/gjs blacklist /usr/lib64/gjs
deny /usr/lib64/libgjs* blacklist /usr/lib64/libgjs*
# Lua # Lua
deny ${PATH}/lua* blacklist ${PATH}/lua*
deny /usr/include/lua* blacklist /usr/include/lua*
deny /usr/lib/liblua* blacklist /usr/lib/liblua*
deny /usr/lib/lua blacklist /usr/lib/lua
deny /usr/lib64/liblua* blacklist /usr/lib64/liblua*
deny /usr/lib64/lua blacklist /usr/lib64/lua
deny /usr/share/lua* blacklist /usr/share/lua*
# mozjs # mozjs
deny /usr/lib/libmozjs-* blacklist /usr/lib/libmozjs-*
deny /usr/lib64/libmozjs-* blacklist /usr/lib64/libmozjs-*
# Node.js # Node.js
deny ${PATH}/node blacklist ${PATH}/node
deny /usr/include/node blacklist /usr/include/node
# nvm # nvm
deny ${HOME}/.nvm blacklist ${HOME}/.nvm
# Perl # Perl
deny ${PATH}/core_perl blacklist ${PATH}/core_perl
deny ${PATH}/cpan* blacklist ${PATH}/cpan*
deny ${PATH}/perl blacklist ${PATH}/perl
deny ${PATH}/site_perl blacklist ${PATH}/site_perl
deny ${PATH}/vendor_perl blacklist ${PATH}/vendor_perl
deny /usr/lib/perl* blacklist /usr/lib/perl*
deny /usr/lib64/perl* blacklist /usr/lib64/perl*
deny /usr/share/perl* blacklist /usr/share/perl*
# PHP # PHP
deny ${PATH}/php* blacklist ${PATH}/php*
deny /usr/lib/php* blacklist /usr/lib/php*
deny /usr/share/php* blacklist /usr/share/php*
# Ruby # Ruby
deny ${PATH}/ruby blacklist ${PATH}/ruby
deny /usr/lib/ruby blacklist /usr/lib/ruby
# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
# Python 2 # Python 2
deny ${PATH}/python2* blacklist ${PATH}/python2*
deny /usr/include/python2* blacklist /usr/include/python2*
deny /usr/lib/python2* blacklist /usr/lib/python2*
deny /usr/local/lib/python2* blacklist /usr/local/lib/python2*
deny /usr/share/python2* blacklist /usr/share/python2*
# You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026) # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
# Python 3 # Python 3
deny ${PATH}/python3* blacklist ${PATH}/python3*
deny /usr/include/python3* blacklist /usr/include/python3*
deny /usr/lib/python3* blacklist /usr/lib/python3*
deny /usr/lib64/python3* blacklist /usr/lib64/python3*
deny /usr/local/lib/python3* blacklist /usr/local/lib/python3*
deny /usr/share/python3* blacklist /usr/share/python3*
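
Review bot: Coverage of `lib64` is uneven across the interpreter blocks: gjs, Lua, mozjs, Perl and Python 3 each have a `/usr/lib64/...` rule, while Python 2 (`/usr/lib/python2*`), PHP (`/usr/lib/php*`) and Ruby (`/usr/lib/ruby`) only cover `/usr/lib`. Both columns agree, so the revert does not introduce this, but a follow-up should either add the missing `lib64` paths or note why they are not needed.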

@ -2,18 +2,18 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include disable-passwdmgr.local include disable-passwdmgr.local
deny ${HOME}/.config/Bitwarden blacklist ${HOME}/.config/Bitwarden
deny ${HOME}/.config/KeePass blacklist ${HOME}/.config/KeePass
deny ${HOME}/.config/keepass blacklist ${HOME}/.config/keepass
deny ${HOME}/.config/keepassx blacklist ${HOME}/.config/keepassx
deny ${HOME}/.config/keepassxc blacklist ${HOME}/.config/keepassxc
deny ${HOME}/.config/KeePassXCrc blacklist ${HOME}/.config/KeePassXCrc
deny ${HOME}/.config/Sinew Software Systems blacklist ${HOME}/.config/Sinew Software Systems
deny ${HOME}/.fpm blacklist ${HOME}/.fpm
deny ${HOME}/.keepass blacklist ${HOME}/.keepass
deny ${HOME}/.keepassx blacklist ${HOME}/.keepassx
deny ${HOME}/.keepassxc blacklist ${HOME}/.keepassxc
deny ${HOME}/.lastpass blacklist ${HOME}/.lastpass
deny ${HOME}/.local/share/KeePass blacklist ${HOME}/.local/share/KeePass
deny ${HOME}/.local/share/keepass blacklist ${HOME}/.local/share/keepass
deny ${HOME}/.password-store blacklist ${HOME}/.password-store

File diff suppressed because it is too large

@ -2,14 +2,14 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include disable-shell.local include disable-shell.local
deny ${PATH}/bash blacklist ${PATH}/bash
deny ${PATH}/csh blacklist ${PATH}/csh
deny ${PATH}/dash blacklist ${PATH}/dash
deny ${PATH}/fish blacklist ${PATH}/fish
deny ${PATH}/ksh blacklist ${PATH}/ksh
deny ${PATH}/mksh blacklist ${PATH}/mksh
deny ${PATH}/oksh blacklist ${PATH}/oksh
deny ${PATH}/sh blacklist ${PATH}/sh
deny ${PATH}/tclsh blacklist ${PATH}/tclsh
deny ${PATH}/tcsh blacklist ${PATH}/tcsh
deny ${PATH}/zsh blacklist ${PATH}/zsh

@ -2,10 +2,10 @@
# Persistent customizations should go in a .local file. # Persistent customizations should go in a .local file.
include disable-xdg.local include disable-xdg.local
deny ${DOCUMENTS} blacklist ${DOCUMENTS}
deny ${MUSIC} blacklist ${MUSIC}
deny ${PICTURES} blacklist ${PICTURES}
deny ${VIDEOS} blacklist ${VIDEOS}
# The following should be considered catch-all directories # The following should be considered catch-all directories
#blacklist ${DESKTOP} #blacklist ${DESKTOP}

@ -3,27 +3,27 @@
include whitelist-1793-workaround.local include whitelist-1793-workaround.local
# This works around bug 1793, and allows whitelisting to be used for some KDE applications. # This works around bug 1793, and allows whitelisting to be used for some KDE applications.
nodeny ${HOME}/.config/ibus noblacklist ${HOME}/.config/ibus
nodeny ${HOME}/.config/mimeapps.list noblacklist ${HOME}/.config/mimeapps.list
nodeny ${HOME}/.config/pkcs11 noblacklist ${HOME}/.config/pkcs11
nodeny ${HOME}/.config/user-dirs.dirs noblacklist ${HOME}/.config/user-dirs.dirs
nodeny ${HOME}/.config/user-dirs.locale noblacklist ${HOME}/.config/user-dirs.locale
nodeny ${HOME}/.config/dconf noblacklist ${HOME}/.config/dconf
nodeny ${HOME}/.config/fontconfig noblacklist ${HOME}/.config/fontconfig
nodeny ${HOME}/.config/gtk-2.0 noblacklist ${HOME}/.config/gtk-2.0
nodeny ${HOME}/.config/gtk-3.0 noblacklist ${HOME}/.config/gtk-3.0
nodeny ${HOME}/.config/gtk-4.0 noblacklist ${HOME}/.config/gtk-4.0
nodeny ${HOME}/.config/gtkrc noblacklist ${HOME}/.config/gtkrc
nodeny ${HOME}/.config/gtkrc-2.0 noblacklist ${HOME}/.config/gtkrc-2.0
nodeny ${HOME}/.config/Kvantum noblacklist ${HOME}/.config/Kvantum
nodeny ${HOME}/.config/Trolltech.conf noblacklist ${HOME}/.config/Trolltech.conf
nodeny ${HOME}/.config/QtProject.conf noblacklist ${HOME}/.config/QtProject.conf
nodeny ${HOME}/.config/kdeglobals noblacklist ${HOME}/.config/kdeglobals
nodeny ${HOME}/.config/kio_httprc noblacklist ${HOME}/.config/kio_httprc
nodeny ${HOME}/.config/kioslaverc noblacklist ${HOME}/.config/kioslaverc
nodeny ${HOME}/.config/ksslcablacklist noblacklist ${HOME}/.config/ksslcablacklist
nodeny ${HOME}/.config/qt5ct noblacklist ${HOME}/.config/qt5ct
nodeny ${HOME}/.config/qtcurve noblacklist ${HOME}/.config/qtcurve
deny ${HOME}/.config/* blacklist ${HOME}/.config/*
allow ${HOME}/.config whitelist ${HOME}/.config
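
Review bot: `noblacklist ${HOME}/.config/ksslcablacklist` shows why any future rename has to match the leading command token only: the path itself contains the string `blacklist`, and it is untouched in both columns. If the large-scale change is reapplied later, as the commit message anticipates, the replace pattern should be anchored to the start of the line. The comment `allows whitelisting to be used` and the `whitelist-1793-workaround.local` include name also need a decision, since neither was renamed by fe0f975f44.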

@ -4,82 +4,82 @@ include whitelist-common.local
# common whitelist for all profiles # common whitelist for all profiles
allow ${HOME}/.XCompose whitelist ${HOME}/.XCompose
allow ${HOME}/.alsaequal.bin whitelist ${HOME}/.alsaequal.bin
allow ${HOME}/.asoundrc whitelist ${HOME}/.asoundrc
allow ${HOME}/.config/ibus whitelist ${HOME}/.config/ibus
allow ${HOME}/.config/mimeapps.list whitelist ${HOME}/.config/mimeapps.list
allow ${HOME}/.config/pkcs11 whitelist ${HOME}/.config/pkcs11
read-only ${HOME}/.config/pkcs11 read-only ${HOME}/.config/pkcs11
allow ${HOME}/.config/user-dirs.dirs whitelist ${HOME}/.config/user-dirs.dirs
read-only ${HOME}/.config/user-dirs.dirs read-only ${HOME}/.config/user-dirs.dirs
allow ${HOME}/.config/user-dirs.locale whitelist ${HOME}/.config/user-dirs.locale
read-only ${HOME}/.config/user-dirs.locale read-only ${HOME}/.config/user-dirs.locale
allow ${HOME}/.drirc whitelist ${HOME}/.drirc
allow ${HOME}/.icons whitelist ${HOME}/.icons
?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
allow ${HOME}/.local/share/applications whitelist ${HOME}/.local/share/applications
read-only ${HOME}/.local/share/applications read-only ${HOME}/.local/share/applications
allow ${HOME}/.local/share/icons whitelist ${HOME}/.local/share/icons
allow ${HOME}/.local/share/mime whitelist ${HOME}/.local/share/mime
allow ${HOME}/.mime.types whitelist ${HOME}/.mime.types
allow ${HOME}/.sndio/cookie whitelist ${HOME}/.sndio/cookie
allow ${HOME}/.uim.d whitelist ${HOME}/.uim.d
# dconf # dconf
mkdir ${HOME}/.config/dconf mkdir ${HOME}/.config/dconf
allow ${HOME}/.config/dconf whitelist ${HOME}/.config/dconf
# fonts # fonts
allow ${HOME}/.cache/fontconfig whitelist ${HOME}/.cache/fontconfig
allow ${HOME}/.config/fontconfig whitelist ${HOME}/.config/fontconfig
allow ${HOME}/.fontconfig whitelist ${HOME}/.fontconfig
allow ${HOME}/.fonts whitelist ${HOME}/.fonts
allow ${HOME}/.fonts.conf whitelist ${HOME}/.fonts.conf
allow ${HOME}/.fonts.conf.d whitelist ${HOME}/.fonts.conf.d
allow ${HOME}/.fonts.d whitelist ${HOME}/.fonts.d
allow ${HOME}/.local/share/fonts whitelist ${HOME}/.local/share/fonts
allow ${HOME}/.pangorc whitelist ${HOME}/.pangorc
# gtk # gtk
allow ${HOME}/.config/gtk-2.0 whitelist ${HOME}/.config/gtk-2.0
allow ${HOME}/.config/gtk-3.0 whitelist ${HOME}/.config/gtk-3.0
allow ${HOME}/.config/gtk-4.0 whitelist ${HOME}/.config/gtk-4.0
allow ${HOME}/.config/gtkrc whitelist ${HOME}/.config/gtkrc
allow ${HOME}/.config/gtkrc-2.0 whitelist ${HOME}/.config/gtkrc-2.0
allow ${HOME}/.gnome2 whitelist ${HOME}/.gnome2
allow ${HOME}/.gnome2-private whitelist ${HOME}/.gnome2-private
allow ${HOME}/.gtk-2.0 whitelist ${HOME}/.gtk-2.0
allow ${HOME}/.gtkrc whitelist ${HOME}/.gtkrc
allow ${HOME}/.gtkrc-2.0 whitelist ${HOME}/.gtkrc-2.0
allow ${HOME}/.kde/share/config/gtkrc whitelist ${HOME}/.kde/share/config/gtkrc
allow ${HOME}/.kde/share/config/gtkrc-2.0 whitelist ${HOME}/.kde/share/config/gtkrc-2.0
allow ${HOME}/.kde4/share/config/gtkrc whitelist ${HOME}/.kde4/share/config/gtkrc
allow ${HOME}/.kde4/share/config/gtkrc-2.0 whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
allow ${HOME}/.local/share/themes whitelist ${HOME}/.local/share/themes
allow ${HOME}/.themes whitelist ${HOME}/.themes
# qt/kde # qt/kde
allow ${HOME}/.cache/kioexec/krun whitelist ${HOME}/.cache/kioexec/krun
allow ${HOME}/.config/Kvantum whitelist ${HOME}/.config/Kvantum
allow ${HOME}/.config/Trolltech.conf whitelist ${HOME}/.config/Trolltech.conf
allow ${HOME}/.config/QtProject.conf whitelist ${HOME}/.config/QtProject.conf
allow ${HOME}/.config/kdeglobals whitelist ${HOME}/.config/kdeglobals
allow ${HOME}/.config/kio_httprc whitelist ${HOME}/.config/kio_httprc
allow ${HOME}/.config/kioslaverc whitelist ${HOME}/.config/kioslaverc
allow ${HOME}/.config/ksslcablacklist whitelist ${HOME}/.config/ksslcablacklist
allow ${HOME}/.config/qt5ct whitelist ${HOME}/.config/qt5ct
allow ${HOME}/.config/qtcurve whitelist ${HOME}/.config/qtcurve
allow ${HOME}/.kde/share/config/kdeglobals whitelist ${HOME}/.kde/share/config/kdeglobals
allow ${HOME}/.kde/share/config/kio_httprc whitelist ${HOME}/.kde/share/config/kio_httprc
allow ${HOME}/.kde/share/config/kioslaverc whitelist ${HOME}/.kde/share/config/kioslaverc
allow ${HOME}/.kde/share/config/ksslcablacklist whitelist ${HOME}/.kde/share/config/ksslcablacklist
allow ${HOME}/.kde/share/config/oxygenrc whitelist ${HOME}/.kde/share/config/oxygenrc
allow ${HOME}/.kde/share/icons whitelist ${HOME}/.kde/share/icons
allow ${HOME}/.kde4/share/config/kdeglobals whitelist ${HOME}/.kde4/share/config/kdeglobals
allow ${HOME}/.kde4/share/config/kio_httprc whitelist ${HOME}/.kde4/share/config/kio_httprc
allow ${HOME}/.kde4/share/config/kioslaverc whitelist ${HOME}/.kde4/share/config/kioslaverc
allow ${HOME}/.kde4/share/config/ksslcablacklist whitelist ${HOME}/.kde4/share/config/ksslcablacklist
allow ${HOME}/.kde4/share/config/oxygenrc whitelist ${HOME}/.kde4/share/config/oxygenrc
allow ${HOME}/.kde4/share/icons whitelist ${HOME}/.kde4/share/icons
allow ${HOME}/.local/share/qt5ct whitelist ${HOME}/.local/share/qt5ct
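
Review bot: `?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit` is identical in both columns, so the pre-revert file used `allow` everywhere except on this conditional line. The revert makes the file uniform again; if the rename is redone, the replace has to handle a `?CONDITION:` prefix in front of the command, otherwise the same mixed state returns.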

@ -4,8 +4,8 @@ include whitelist-player-common.local
# common whitelist for all media players # common whitelist for all media players
allow ${DESKTOP} whitelist ${DESKTOP}
allow ${DOWNLOADS} whitelist ${DOWNLOADS}
allow ${MUSIC} whitelist ${MUSIC}
allow ${PICTURES} whitelist ${PICTURES}
allow ${VIDEOS} whitelist ${VIDEOS}

@ -4,13 +4,13 @@ include whitelist-runuser-common.local
# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles # common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
allow ${RUNUSER}/bus whitelist ${RUNUSER}/bus
allow ${RUNUSER}/dconf whitelist ${RUNUSER}/dconf
allow ${RUNUSER}/gdm/Xauthority whitelist ${RUNUSER}/gdm/Xauthority
allow ${RUNUSER}/ICEauthority whitelist ${RUNUSER}/ICEauthority
allow ${RUNUSER}/.mutter-Xwaylandauth.* whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
allow ${RUNUSER}/pulse/native whitelist ${RUNUSER}/pulse/native
allow ${RUNUSER}/wayland-0 whitelist ${RUNUSER}/wayland-0
allow ${RUNUSER}/wayland-1 whitelist ${RUNUSER}/wayland-1
allow ${RUNUSER}/xauth_* whitelist ${RUNUSER}/xauth_*
allow ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]

@ -4,66 +4,66 @@ include whitelist-usr-share-common.local
# common /usr/share whitelist for all profiles # common /usr/share whitelist for all profiles
allow /usr/share/alsa whitelist /usr/share/alsa
allow /usr/share/applications whitelist /usr/share/applications
allow /usr/share/ca-certificates whitelist /usr/share/ca-certificates
allow /usr/share/crypto-policies whitelist /usr/share/crypto-policies
allow /usr/share/cursors whitelist /usr/share/cursors
allow /usr/share/dconf whitelist /usr/share/dconf
allow /usr/share/distro-info whitelist /usr/share/distro-info
allow /usr/share/drirc.d whitelist /usr/share/drirc.d
allow /usr/share/enchant whitelist /usr/share/enchant
allow /usr/share/enchant-2 whitelist /usr/share/enchant-2
allow /usr/share/file whitelist /usr/share/file
allow /usr/share/fontconfig whitelist /usr/share/fontconfig
allow /usr/share/fonts whitelist /usr/share/fonts
allow /usr/share/fonts-config whitelist /usr/share/fonts-config
allow /usr/share/gir-1.0 whitelist /usr/share/gir-1.0
allow /usr/share/gjs-1.0 whitelist /usr/share/gjs-1.0
allow /usr/share/glib-2.0 whitelist /usr/share/glib-2.0
allow /usr/share/glvnd whitelist /usr/share/glvnd
allow /usr/share/gtk-2.0 whitelist /usr/share/gtk-2.0
allow /usr/share/gtk-3.0 whitelist /usr/share/gtk-3.0
allow /usr/share/gtk-engines whitelist /usr/share/gtk-engines
allow /usr/share/gtksourceview-3.0 whitelist /usr/share/gtksourceview-3.0
allow /usr/share/gtksourceview-4 whitelist /usr/share/gtksourceview-4
allow /usr/share/hunspell whitelist /usr/share/hunspell
allow /usr/share/hwdata whitelist /usr/share/hwdata
allow /usr/share/icons whitelist /usr/share/icons
allow /usr/share/icu whitelist /usr/share/icu
allow /usr/share/knotifications5 whitelist /usr/share/knotifications5
allow /usr/share/kservices5 whitelist /usr/share/kservices5
allow /usr/share/Kvantum whitelist /usr/share/Kvantum
allow /usr/share/kxmlgui5 whitelist /usr/share/kxmlgui5
allow /usr/share/libdrm whitelist /usr/share/libdrm
allow /usr/share/libthai whitelist /usr/share/libthai
allow /usr/share/locale whitelist /usr/share/locale
allow /usr/share/mime whitelist /usr/share/mime
allow /usr/share/misc whitelist /usr/share/misc
allow /usr/share/Modules whitelist /usr/share/Modules
allow /usr/share/myspell whitelist /usr/share/myspell
allow /usr/share/p11-kit whitelist /usr/share/p11-kit
allow /usr/share/perl whitelist /usr/share/perl
allow /usr/share/perl5 whitelist /usr/share/perl5
allow /usr/share/pixmaps whitelist /usr/share/pixmaps
allow /usr/share/pki whitelist /usr/share/pki
allow /usr/share/plasma whitelist /usr/share/plasma
allow /usr/share/publicsuffix whitelist /usr/share/publicsuffix
allow /usr/share/qt whitelist /usr/share/qt
allow /usr/share/qt4 whitelist /usr/share/qt4
allow /usr/share/qt5 whitelist /usr/share/qt5
allow /usr/share/qt5ct whitelist /usr/share/qt5ct
allow /usr/share/sounds whitelist /usr/share/sounds
allow /usr/share/tcl8.6 whitelist /usr/share/tcl8.6
allow /usr/share/tcltk whitelist /usr/share/tcltk
allow /usr/share/terminfo whitelist /usr/share/terminfo
allow /usr/share/texlive whitelist /usr/share/texlive
allow /usr/share/texmf whitelist /usr/share/texmf
allow /usr/share/themes whitelist /usr/share/themes
allow /usr/share/thumbnail.so whitelist /usr/share/thumbnail.so
allow /usr/share/uim whitelist /usr/share/uim
allow /usr/share/vulkan whitelist /usr/share/vulkan
allow /usr/share/X11 whitelist /usr/share/X11
allow /usr/share/xml whitelist /usr/share/xml
allow /usr/share/zenity whitelist /usr/share/zenity
allow /usr/share/zoneinfo whitelist /usr/share/zoneinfo
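
Review bot: `whitelist /usr/share/perl` and `whitelist /usr/share/perl5` carry no comment on how they interact with `blacklist /usr/share/perl*` in the interpreters hunk of this same commit. Both columns agree, so this predates the revert, but a short comment stating which rule is expected to win when a profile includes both files would save the next reader from having to test it.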

@ -4,12 +4,12 @@ include whitelist-var-common.local
# common /var whitelist for all profiles # common /var whitelist for all profiles
allow /var/lib/aspell whitelist /var/lib/aspell
allow /var/lib/ca-certificates whitelist /var/lib/ca-certificates
allow /var/lib/dbus whitelist /var/lib/dbus
allow /var/lib/menu-xdg whitelist /var/lib/menu-xdg
allow /var/lib/uim whitelist /var/lib/uim
allow /var/cache/fontconfig whitelist /var/cache/fontconfig
allow /var/tmp whitelist /var/tmp
allow /var/run whitelist /var/run
allow /var/lock whitelist /var/lock

@ -6,11 +6,11 @@ include 0ad.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.cache/0ad noblacklist ${HOME}/.cache/0ad
nodeny ${HOME}/.config/0ad noblacklist ${HOME}/.config/0ad
nodeny ${HOME}/.local/share/0ad noblacklist ${HOME}/.local/share/0ad
deny /usr/libexec blacklist /usr/libexec
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -23,11 +23,11 @@ include disable-xdg.inc
mkdir ${HOME}/.cache/0ad mkdir ${HOME}/.cache/0ad
mkdir ${HOME}/.config/0ad mkdir ${HOME}/.config/0ad
mkdir ${HOME}/.local/share/0ad mkdir ${HOME}/.local/share/0ad
allow ${HOME}/.cache/0ad whitelist ${HOME}/.cache/0ad
allow ${HOME}/.config/0ad whitelist ${HOME}/.config/0ad
allow ${HOME}/.local/share/0ad whitelist ${HOME}/.local/share/0ad
allow /usr/share/0ad whitelist /usr/share/0ad
allow /usr/share/games whitelist /usr/share/games
include whitelist-common.inc include whitelist-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -6,8 +6,8 @@ include 2048-qt.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/2048-qt noblacklist ${HOME}/.config/2048-qt
nodeny ${HOME}/.config/xiaoyong noblacklist ${HOME}/.config/xiaoyong
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -18,8 +18,8 @@ include disable-programs.inc
mkdir ${HOME}/.config/2048-qt mkdir ${HOME}/.config/2048-qt
mkdir ${HOME}/.config/xiaoyong mkdir ${HOME}/.config/xiaoyong
allow ${HOME}/.config/2048-qt whitelist ${HOME}/.config/2048-qt
allow ${HOME}/.config/xiaoyong whitelist ${HOME}/.config/xiaoyong
include whitelist-common.inc include whitelist-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -5,7 +5,7 @@ include Cryptocat.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/Cryptocat noblacklist ${HOME}/.config/Cryptocat
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -5,10 +5,10 @@ include Discord.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/discord noblacklist ${HOME}/.config/discord
mkdir ${HOME}/.config/discord mkdir ${HOME}/.config/discord
allow ${HOME}/.config/discord whitelist ${HOME}/.config/discord
private-bin Discord private-bin Discord
private-opt Discord private-opt Discord

@ -5,10 +5,10 @@ include DiscordCanary.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/discordcanary noblacklist ${HOME}/.config/discordcanary
mkdir ${HOME}/.config/discordcanary mkdir ${HOME}/.config/discordcanary
allow ${HOME}/.config/discordcanary whitelist ${HOME}/.config/discordcanary
private-bin DiscordCanary private-bin DiscordCanary
private-opt DiscordCanary private-opt DiscordCanary

@ -6,8 +6,8 @@ include Fritzing.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/Fritzing noblacklist ${HOME}/.config/Fritzing
nodeny ${DOCUMENTS} noblacklist ${DOCUMENTS}
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -5,7 +5,7 @@ include JDownloader.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.jd noblacklist ${HOME}/.jd
# Allow java (blacklisted by disable-devel.inc) # Allow java (blacklisted by disable-devel.inc)
include allow-java.inc include allow-java.inc
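
Review bot: The include name `allow-java.inc` and its comment `# Allow java (blacklisted by disable-devel.inc)` use "allow" for lifting a blacklist, while the `allow` alias in the left column of the next hunk (`allow ${HOME}/.jd`) stood for `whitelist`. That collision between an existing file-naming convention and the alias is worth recording in the discussion of replacement commands, so that whatever names are settled on do not reuse a word the include files already give a different meaning.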
@ -19,8 +19,8 @@ include disable-programs.inc
include disable-xdg.inc include disable-xdg.inc
mkdir ${HOME}/.jd mkdir ${HOME}/.jd
allow ${HOME}/.jd whitelist ${HOME}/.jd
allow ${DOWNLOADS} whitelist ${DOWNLOADS}
include whitelist-common.inc include whitelist-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -6,7 +6,7 @@ include abiword.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/abiword noblacklist ${HOME}/.config/abiword
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -16,7 +16,7 @@ include disable-passwdmgr.inc
include disable-programs.inc include disable-programs.inc
include disable-shell.inc include disable-shell.inc
allow /usr/share/abiword-3.0 whitelist /usr/share/abiword-3.0
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-runuser-common.inc include whitelist-runuser-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -5,13 +5,13 @@ include abrowser.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.cache/mozilla noblacklist ${HOME}/.cache/mozilla
nodeny ${HOME}/.mozilla noblacklist ${HOME}/.mozilla
mkdir ${HOME}/.cache/mozilla/abrowser mkdir ${HOME}/.cache/mozilla/abrowser
mkdir ${HOME}/.mozilla mkdir ${HOME}/.mozilla
allow ${HOME}/.cache/mozilla/abrowser whitelist ${HOME}/.cache/mozilla/abrowser
allow ${HOME}/.mozilla whitelist ${HOME}/.mozilla
# private-etc must first be enabled in firefox-common.profile # private-etc must first be enabled in firefox-common.profile
#private-etc abrowser #private-etc abrowser

@ -7,8 +7,8 @@ include agetpkg.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
deny /tmp/.X11-unix blacklist /tmp/.X11-unix
deny ${RUNUSER}/wayland-* blacklist ${RUNUSER}/wayland-*
# Allow python (blacklisted by disable-interpreters.inc) # Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc #include allow-python2.inc
@ -23,7 +23,7 @@ include disable-programs.inc
include disable-shell.inc include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
allow ${DOWNLOADS} whitelist ${DOWNLOADS}
include whitelist-common.inc include whitelist-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -4,22 +4,22 @@ include akonadi_control.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.cache/akonadi* noblacklist ${HOME}/.cache/akonadi*
nodeny ${HOME}/.config/akonadi* noblacklist ${HOME}/.config/akonadi*
nodeny ${HOME}/.config/baloorc noblacklist ${HOME}/.config/baloorc
nodeny ${HOME}/.config/emaildefaults noblacklist ${HOME}/.config/emaildefaults
nodeny ${HOME}/.config/emailidentities noblacklist ${HOME}/.config/emailidentities
nodeny ${HOME}/.config/kmail2rc noblacklist ${HOME}/.config/kmail2rc
nodeny ${HOME}/.config/mailtransports noblacklist ${HOME}/.config/mailtransports
nodeny ${HOME}/.config/specialmailcollectionsrc noblacklist ${HOME}/.config/specialmailcollectionsrc
nodeny ${HOME}/.local/share/akonadi* noblacklist ${HOME}/.local/share/akonadi*
nodeny ${HOME}/.local/share/apps/korganizer noblacklist ${HOME}/.local/share/apps/korganizer
nodeny ${HOME}/.local/share/contacts noblacklist ${HOME}/.local/share/contacts
nodeny ${HOME}/.local/share/local-mail noblacklist ${HOME}/.local/share/local-mail
nodeny ${HOME}/.local/share/notes noblacklist ${HOME}/.local/share/notes
nodeny /sbin noblacklist /sbin
nodeny /tmp/akonadi-* noblacklist /tmp/akonadi-*
nodeny /usr/sbin noblacklist /usr/sbin
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -6,9 +6,9 @@ include akregator.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/akregatorrc noblacklist ${HOME}/.config/akregatorrc
nodeny ${HOME}/.local/share/akregator noblacklist ${HOME}/.local/share/akregator
nodeny ${HOME}/.local/share/kxmlgui5/akregator noblacklist ${HOME}/.local/share/kxmlgui5/akregator
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -21,10 +21,10 @@ include disable-shell.inc
mkfile ${HOME}/.config/akregatorrc mkfile ${HOME}/.config/akregatorrc
mkdir ${HOME}/.local/share/akregator mkdir ${HOME}/.local/share/akregator
mkdir ${HOME}/.local/share/kxmlgui5/akregator mkdir ${HOME}/.local/share/kxmlgui5/akregator
allow ${HOME}/.config/akregatorrc whitelist ${HOME}/.config/akregatorrc
allow ${HOME}/.local/share/akregator whitelist ${HOME}/.local/share/akregator
allow ${HOME}/.local/share/kssl whitelist ${HOME}/.local/share/kssl
allow ${HOME}/.local/share/kxmlgui5/akregator whitelist ${HOME}/.local/share/kxmlgui5/akregator
include whitelist-common.inc include whitelist-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -19,13 +19,13 @@ include disable-passwdmgr.inc
include disable-xdg.inc include disable-xdg.inc
# Whitelist your system icon directory,varies by distro # Whitelist your system icon directory,varies by distro
allow /usr/share/alacarte whitelist /usr/share/alacarte
allow /usr/share/app-info whitelist /usr/share/app-info
allow /usr/share/desktop-directories whitelist /usr/share/desktop-directories
allow /usr/share/icons whitelist /usr/share/icons
allow /var/lib/app-info/icons whitelist /var/lib/app-info/icons
allow /var/lib/flatpak/exports/share/applications whitelist /var/lib/flatpak/exports/share/applications
allow /var/lib/flatpak/exports/share/icons whitelist /var/lib/flatpak/exports/share/icons
include whitelist-runuser-common.inc include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc
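
Review bot: the context comment `# Whitelist your system icon directory,varies by distro` at the top of this hunk is missing a space after the comma, and it kept the word "Whitelist" while the seven commands under it had been renamed to `allow`. The revert brings comment and commands back in line; the comma spacing is better fixed in a follow-up than here, so that this commit stays a pure revert.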

@ -6,7 +6,7 @@ include alienarena.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.local/share/cor-games noblacklist ${HOME}/.local/share/cor-games
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
mkdir ${HOME}/.local/share/cor-games mkdir ${HOME}/.local/share/cor-games
allow ${HOME}/.local/share/cor-games whitelist ${HOME}/.local/share/cor-games
allow /usr/share/alienarena whitelist /usr/share/alienarena
include whitelist-common.inc include whitelist-common.inc
include whitelist-runuser-common.inc include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc

@ -10,28 +10,28 @@ include globals.local
# Workaround for bug https://github.com/netblue30/firejail/issues/2747 # Workaround for bug https://github.com/netblue30/firejail/issues/2747
# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)' # firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
nodeny /var/mail noblacklist /var/mail
nodeny /var/spool/mail noblacklist /var/spool/mail
nodeny ${DOCUMENTS} noblacklist ${DOCUMENTS}
nodeny ${HOME}/.addressbook noblacklist ${HOME}/.addressbook
nodeny ${HOME}/.alpine-smime noblacklist ${HOME}/.alpine-smime
nodeny ${HOME}/.mailcap noblacklist ${HOME}/.mailcap
nodeny ${HOME}/.mh_profile noblacklist ${HOME}/.mh_profile
nodeny ${HOME}/.mime.types noblacklist ${HOME}/.mime.types
nodeny ${HOME}/.newsrc noblacklist ${HOME}/.newsrc
nodeny ${HOME}/.pine-crash noblacklist ${HOME}/.pine-crash
nodeny ${HOME}/.pine-debug1 noblacklist ${HOME}/.pine-debug1
nodeny ${HOME}/.pine-debug2 noblacklist ${HOME}/.pine-debug2
nodeny ${HOME}/.pine-debug3 noblacklist ${HOME}/.pine-debug3
nodeny ${HOME}/.pine-debug4 noblacklist ${HOME}/.pine-debug4
nodeny ${HOME}/.pine-interrupted-mail noblacklist ${HOME}/.pine-interrupted-mail
nodeny ${HOME}/.pinerc noblacklist ${HOME}/.pinerc
nodeny ${HOME}/.pinercex noblacklist ${HOME}/.pinercex
nodeny ${HOME}/.signature noblacklist ${HOME}/.signature
nodeny ${HOME}/mail noblacklist ${HOME}/mail
deny /tmp/.X11-unix blacklist /tmp/.X11-unix
deny ${RUNUSER}/wayland-* blacklist ${RUNUSER}/wayland-*
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -60,8 +60,8 @@ include disable-xdg.inc
#whitelist ${HOME}/.pine-debug4 #whitelist ${HOME}/.pine-debug4
#whitelist ${HOME}/.signature #whitelist ${HOME}/.signature
#whitelist ${HOME}/mail #whitelist ${HOME}/mail
allow /var/mail whitelist /var/mail
allow /var/spool/mail whitelist /var/spool/mail
#include whitelist-common.inc #include whitelist-common.inc
include whitelist-runuser-common.inc include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
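
Review bot: the three commented-out lines at the top of this hunk (`#whitelist ${HOME}/.pine-debug4`, `#whitelist ${HOME}/.signature`, `#whitelist ${HOME}/mail`) read the same on both sides, so the search/replace being reverted never touched commented-out commands, while it did rename the active `/var/mail` and `/var/spool/mail` lines right below them. That is worth a sentence in the commit message: a user uncommenting those lines before the revert would have had `whitelist` and `allow` in one profile, and any future rename should cover commented-out commands as well.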

@ -6,7 +6,7 @@ include amarok.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${MUSIC} noblacklist ${MUSIC}
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -6,7 +6,7 @@ include amule.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.aMule noblacklist ${HOME}/.aMule
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -16,8 +16,8 @@ include disable-passwdmgr.inc
include disable-programs.inc include disable-programs.inc
mkdir ${HOME}/.aMule mkdir ${HOME}/.aMule
allow ${DOWNLOADS} whitelist ${DOWNLOADS}
allow ${HOME}/.aMule whitelist ${HOME}/.aMule
include whitelist-common.inc include whitelist-common.inc
caps.drop all caps.drop all

@ -5,13 +5,13 @@ include android-studio.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/Google noblacklist ${HOME}/.config/Google
nodeny ${HOME}/.AndroidStudio* noblacklist ${HOME}/.AndroidStudio*
nodeny ${HOME}/.android noblacklist ${HOME}/.android
nodeny ${HOME}/.jack-server noblacklist ${HOME}/.jack-server
nodeny ${HOME}/.jack-settings noblacklist ${HOME}/.jack-settings
nodeny ${HOME}/.local/share/JetBrains noblacklist ${HOME}/.local/share/JetBrains
nodeny ${HOME}/.tooling noblacklist ${HOME}/.tooling
# Allows files commonly used by IDEs # Allows files commonly used by IDEs
include allow-common-devel.inc include allow-common-devel.inc

@ -6,8 +6,8 @@ include anki.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${DOCUMENTS} noblacklist ${DOCUMENTS}
nodeny ${HOME}/.local/share/Anki2 noblacklist ${HOME}/.local/share/Anki2
# Allow python (blacklisted by disable-interpreters.inc) # Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc include allow-python2.inc
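
Review bot: in the two context lines that close this hunk, the comment `# Allow python (blacklisted by disable-interpreters.inc)` and `include allow-python2.inc` use "allow" to mean lifting a blacklist, whereas on the side being removed that action is spelled `nodeny` and the `allow` command (next hunk of this file) stands for `whitelist`. This is a concrete instance of the confusion the commit message describes and could be cited there; a later rename should pick command names that do not collide with the existing `allow-*.inc` include names.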
@ -23,8 +23,8 @@ include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
mkdir ${HOME}/.local/share/Anki2 mkdir ${HOME}/.local/share/Anki2
allow ${DOCUMENTS} whitelist ${DOCUMENTS}
allow ${HOME}/.local/share/Anki2 whitelist ${HOME}/.local/share/Anki2
include whitelist-common.inc include whitelist-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -5,7 +5,7 @@ include anydesk.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.anydesk noblacklist ${HOME}/.anydesk
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -15,7 +15,7 @@ include disable-programs.inc
include disable-shell.inc include disable-shell.inc
mkdir ${HOME}/.anydesk mkdir ${HOME}/.anydesk
allow ${HOME}/.anydesk whitelist ${HOME}/.anydesk
include whitelist-common.inc include whitelist-common.inc
caps.drop all caps.drop all

@ -5,13 +5,13 @@ include aosp.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.android noblacklist ${HOME}/.android
nodeny ${HOME}/.bash_history noblacklist ${HOME}/.bash_history
nodeny ${HOME}/.jack-server noblacklist ${HOME}/.jack-server
nodeny ${HOME}/.jack-settings noblacklist ${HOME}/.jack-settings
nodeny ${HOME}/.repo_.gitconfig.json noblacklist ${HOME}/.repo_.gitconfig.json
nodeny ${HOME}/.repoconfig noblacklist ${HOME}/.repoconfig
nodeny ${HOME}/.tooling noblacklist ${HOME}/.tooling
# Allows files commonly used by IDEs # Allows files commonly used by IDEs
include allow-common-devel.inc include allow-common-devel.inc

@ -6,9 +6,9 @@ include apostrophe.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.texlive20* noblacklist ${HOME}/.texlive20*
nodeny ${DOCUMENTS} noblacklist ${DOCUMENTS}
nodeny ${PICTURES} noblacklist ${PICTURES}
# Allow lua (blacklisted by disable-interpreters.inc) # Allow lua (blacklisted by disable-interpreters.inc)
include allow-lua.inc include allow-lua.inc
@ -31,12 +31,12 @@ include disable-programs.inc
include disable-shell.inc include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
allow /usr/libexec/webkit2gtk-4.0 whitelist /usr/libexec/webkit2gtk-4.0
allow /usr/share/apostrophe whitelist /usr/share/apostrophe
allow /usr/share/texlive whitelist /usr/share/texlive
allow /usr/share/texmf whitelist /usr/share/texmf
allow /usr/share/pandoc-* whitelist /usr/share/pandoc-*
allow /usr/share/perl5 whitelist /usr/share/perl5
include whitelist-runuser-common.inc include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -7,7 +7,7 @@ include arch-audit.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny /var/lib/pacman noblacklist /var/lib/pacman
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -18,7 +18,7 @@ include disable-programs.inc
include disable-shell.inc include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
allow /usr/share/arch-audit whitelist /usr/share/arch-audit
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
apparmor apparmor

@ -6,7 +6,7 @@ include archaudit-report.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny /var/lib/pacman noblacklist /var/lib/pacman
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -4,7 +4,7 @@ include archiver-common.local
# common profile for archiver/compression tools # common profile for archiver/compression tools
deny ${RUNUSER} blacklist ${RUNUSER}
# Comment/uncomment the relevant include file(s) in your archiver-common.local # Comment/uncomment the relevant include file(s) in your archiver-common.local
# to (un)restrict file access for **all** archivers. Another option is to do this **per archiver** # to (un)restrict file access for **all** archivers. Another option is to do this **per archiver**

@ -5,12 +5,12 @@ include ardour5.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/ardour4 noblacklist ${HOME}/.config/ardour4
nodeny ${HOME}/.config/ardour5 noblacklist ${HOME}/.config/ardour5
nodeny ${HOME}/.lv2 noblacklist ${HOME}/.lv2
nodeny ${HOME}/.vst noblacklist ${HOME}/.vst
nodeny ${DOCUMENTS} noblacklist ${DOCUMENTS}
nodeny ${MUSIC} noblacklist ${MUSIC}
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -6,9 +6,9 @@ include arduino.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.arduino15 noblacklist ${HOME}/.arduino15
nodeny ${HOME}/Arduino noblacklist ${HOME}/Arduino
nodeny ${DOCUMENTS} noblacklist ${DOCUMENTS}
# Allow java (blacklisted by disable-devel.inc) # Allow java (blacklisted by disable-devel.inc)
include allow-java.inc include allow-java.inc

@ -6,12 +6,12 @@ include aria2c.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.aria2 noblacklist ${HOME}/.aria2
nodeny ${HOME}/.config/aria2 noblacklist ${HOME}/.config/aria2
nodeny ${HOME}/.netrc noblacklist ${HOME}/.netrc
deny /tmp/.X11-unix blacklist /tmp/.X11-unix
deny ${RUNUSER}/wayland-* blacklist ${RUNUSER}/wayland-*
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -6,8 +6,8 @@ include ark.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/arkrc noblacklist ${HOME}/.config/arkrc
nodeny ${HOME}/.local/share/kxmlgui5/ark noblacklist ${HOME}/.local/share/kxmlgui5/ark
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -16,7 +16,7 @@ include disable-interpreters.inc
include disable-passwdmgr.inc include disable-passwdmgr.inc
include disable-programs.inc include disable-programs.inc
allow /usr/share/ark whitelist /usr/share/ark
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -6,7 +6,7 @@ include arm.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.arm noblacklist ${HOME}/.arm
# Allow python (blacklisted by disable-interpreters.inc) # Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc include allow-python2.inc
@ -20,7 +20,7 @@ include disable-passwdmgr.inc
include disable-programs.inc include disable-programs.inc
mkdir ${HOME}/.arm mkdir ${HOME}/.arm
allow ${HOME}/.arm whitelist ${HOME}/.arm
include whitelist-common.inc include whitelist-common.inc
caps.drop all caps.drop all

@ -6,12 +6,12 @@ include artha.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/artha.conf noblacklist ${HOME}/.config/artha.conf
nodeny ${HOME}/.config/artha.log noblacklist ${HOME}/.config/artha.log
nodeny ${HOME}/.config/enchant noblacklist ${HOME}/.config/enchant
deny /tmp/.X11-unix blacklist /tmp/.X11-unix
deny ${RUNUSER}/wayland-* blacklist ${RUNUSER}/wayland-*
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -28,8 +28,8 @@ include disable-xdg.inc
#whitelist ${HOME}/.config/artha.conf #whitelist ${HOME}/.config/artha.conf
#whitelist ${HOME}/.config/artha.log #whitelist ${HOME}/.config/artha.log
#whitelist ${HOME}/.config/enchant #whitelist ${HOME}/.config/enchant
allow /usr/share/artha whitelist /usr/share/artha
allow /usr/share/wordnet whitelist /usr/share/wordnet
#include whitelist-common.inc #include whitelist-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -6,7 +6,7 @@ include assogiate.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${PICTURES} noblacklist ${PICTURES}
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -17,7 +17,7 @@ include disable-programs.inc
include disable-shell.inc include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
allow ${PICTURES} whitelist ${PICTURES}
include whitelist-common.inc include whitelist-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -6,11 +6,11 @@ include asunder.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/asunder noblacklist ${HOME}/.config/asunder
nodeny ${HOME}/.asunder_album_genre noblacklist ${HOME}/.asunder_album_genre
nodeny ${HOME}/.asunder_album_title noblacklist ${HOME}/.asunder_album_title
nodeny ${HOME}/.asunder_album_artist noblacklist ${HOME}/.asunder_album_artist
nodeny ${MUSIC} noblacklist ${MUSIC}
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -18,8 +18,8 @@ ignore include whitelist-var-common.inc
ignore apparmor ignore apparmor
ignore disable-mnt ignore disable-mnt
nodeny ${HOME}/.atom noblacklist ${HOME}/.atom
nodeny ${HOME}/.config/Atom noblacklist ${HOME}/.config/Atom
# Allows files commonly used by IDEs # Allows files commonly used by IDEs
include allow-common-devel.inc include allow-common-devel.inc

@ -6,9 +6,9 @@ include atril.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.cache/atril noblacklist ${HOME}/.cache/atril
nodeny ${HOME}/.config/atril noblacklist ${HOME}/.config/atril
nodeny ${DOCUMENTS} noblacklist ${DOCUMENTS}
#noblacklist ${HOME}/.local/share #noblacklist ${HOME}/.local/share
# it seems to use only ${HOME}/.local/share/webkitgtk # it seems to use only ${HOME}/.local/share/webkitgtk

@ -6,9 +6,9 @@ include audacious.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/Audaciousrc noblacklist ${HOME}/.config/Audaciousrc
nodeny ${HOME}/.config/audacious noblacklist ${HOME}/.config/audacious
nodeny ${MUSIC} noblacklist ${MUSIC}
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -6,9 +6,9 @@ include audacity.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.audacity-data noblacklist ${HOME}/.audacity-data
nodeny ${DOCUMENTS} noblacklist ${DOCUMENTS}
nodeny ${MUSIC} noblacklist ${MUSIC}
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -7,7 +7,7 @@ include audio-recorder.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${MUSIC} noblacklist ${MUSIC}
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -17,10 +17,10 @@ include disable-passwdmgr.inc
include disable-programs.inc include disable-programs.inc
include disable-xdg.inc include disable-xdg.inc
allow ${MUSIC} whitelist ${MUSIC}
allow ${DOWNLOADS} whitelist ${DOWNLOADS}
allow /usr/share/audio-recorder whitelist /usr/share/audio-recorder
allow /usr/share/gstreamer-1.0 whitelist /usr/share/gstreamer-1.0
include whitelist-common.inc include whitelist-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -6,7 +6,7 @@ include authenticator-rs.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.local/share/authenticator-rs noblacklist ${HOME}/.local/share/authenticator-rs
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -18,9 +18,9 @@ include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
mkdir ${HOME}/.local/share/authenticator-rs mkdir ${HOME}/.local/share/authenticator-rs
allow ${HOME}/.local/share/authenticator-rs whitelist ${HOME}/.local/share/authenticator-rs
allow ${DOWNLOADS} whitelist ${DOWNLOADS}
allow /usr/share/uk.co.grumlimited.authenticator-rs whitelist /usr/share/uk.co.grumlimited.authenticator-rs
include whitelist-common.inc include whitelist-common.inc
include whitelist-runuser-common.inc include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc

@ -6,8 +6,8 @@ include authenticator.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.cache/Authenticator noblacklist ${HOME}/.cache/Authenticator
nodeny ${HOME}/.config/Authenticator noblacklist ${HOME}/.config/Authenticator
# Allow python (blacklisted by disable-interpreters.inc) # Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc #include allow-python2.inc

@ -7,8 +7,8 @@ include autokey-common.local
# added by caller profile # added by caller profile
#include globals.local #include globals.local
nodeny ${HOME}/.config/autokey noblacklist ${HOME}/.config/autokey
nodeny ${HOME}/.local/share/autokey noblacklist ${HOME}/.local/share/autokey
# Allow python (blacklisted by disable-interpreters.inc) # Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc include allow-python2.inc

@ -5,9 +5,9 @@ include avidemux.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.avidemux6 noblacklist ${HOME}/.avidemux6
nodeny ${HOME}/.config/avidemux3_qt5rc noblacklist ${HOME}/.config/avidemux3_qt5rc
nodeny ${VIDEOS} noblacklist ${VIDEOS}
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -20,9 +20,9 @@ include disable-xdg.inc
mkdir ${HOME}/.avidemux6 mkdir ${HOME}/.avidemux6
mkdir ${HOME}/.config/avidemux3_qt5rc mkdir ${HOME}/.config/avidemux3_qt5rc
allow ${HOME}/.avidemux6 whitelist ${HOME}/.avidemux6
allow ${HOME}/.config/avidemux3_qt5rc whitelist ${HOME}/.config/avidemux3_qt5rc
allow ${VIDEOS} whitelist ${VIDEOS}
include whitelist-common.inc include whitelist-common.inc
include whitelist-runuser-common.inc include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc

@ -6,7 +6,7 @@ include aweather.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/aweather noblacklist ${HOME}/.config/aweather
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -16,7 +16,7 @@ include disable-programs.inc
include disable-shell.inc include disable-shell.inc
mkdir ${HOME}/.config/aweather mkdir ${HOME}/.config/aweather
allow ${HOME}/.config/aweather whitelist ${HOME}/.config/aweather
include whitelist-common.inc include whitelist-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -7,7 +7,7 @@ include awesome.local
include globals.local include globals.local
# all applications started in awesome will run in this profile # all applications started in awesome will run in this profile
nodeny ${HOME}/.config/awesome noblacklist ${HOME}/.config/awesome
include disable-common.inc include disable-common.inc
caps.drop all caps.drop all

@ -6,7 +6,7 @@ include ballbuster.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.ballbuster.hs noblacklist ${HOME}/.ballbuster.hs
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
mkfile ${HOME}/.ballbuster.hs mkfile ${HOME}/.ballbuster.hs
allow ${HOME}/.ballbuster.hs whitelist ${HOME}/.ballbuster.hs
allow /usr/share/ballbuster whitelist /usr/share/ballbuster
include whitelist-common.inc include whitelist-common.inc
include whitelist-runuser-common.inc include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc

@ -12,12 +12,12 @@ include globals.local
# read-write ${HOME}/.local/share/baloo # read-write ${HOME}/.local/share/baloo
# ignore read-write # ignore read-write
nodeny ${HOME}/.config/baloofilerc noblacklist ${HOME}/.config/baloofilerc
nodeny ${HOME}/.kde/share/config/baloofilerc noblacklist ${HOME}/.kde/share/config/baloofilerc
nodeny ${HOME}/.kde/share/config/baloorc noblacklist ${HOME}/.kde/share/config/baloorc
nodeny ${HOME}/.kde4/share/config/baloofilerc noblacklist ${HOME}/.kde4/share/config/baloofilerc
nodeny ${HOME}/.kde4/share/config/baloorc noblacklist ${HOME}/.kde4/share/config/baloorc
nodeny ${HOME}/.local/share/baloo noblacklist ${HOME}/.local/share/baloo
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -6,13 +6,13 @@ include balsa.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.balsa noblacklist ${HOME}/.balsa
nodeny ${HOME}/.gnupg noblacklist ${HOME}/.gnupg
nodeny ${HOME}/.mozilla noblacklist ${HOME}/.mozilla
nodeny ${HOME}/.signature noblacklist ${HOME}/.signature
nodeny ${HOME}/mail noblacklist ${HOME}/mail
nodeny /var/mail noblacklist /var/mail
nodeny /var/spool/mail noblacklist /var/spool/mail
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -27,17 +27,17 @@ mkdir ${HOME}/.balsa
mkdir ${HOME}/.gnupg mkdir ${HOME}/.gnupg
mkfile ${HOME}/.signature mkfile ${HOME}/.signature
mkdir ${HOME}/mail mkdir ${HOME}/mail
allow ${HOME}/.balsa whitelist ${HOME}/.balsa
allow ${HOME}/.gnupg whitelist ${HOME}/.gnupg
allow ${HOME}/.mozilla/firefox/profiles.ini whitelist ${HOME}/.mozilla/firefox/profiles.ini
allow ${HOME}/.signature whitelist ${HOME}/.signature
allow ${HOME}/mail whitelist ${HOME}/mail
allow ${RUNUSER}/gnupg whitelist ${RUNUSER}/gnupg
allow /usr/share/balsa whitelist /usr/share/balsa
allow /usr/share/gnupg whitelist /usr/share/gnupg
allow /usr/share/gnupg2 whitelist /usr/share/gnupg2
allow /var/mail whitelist /var/mail
allow /var/spool/mail whitelist /var/spool/mail
include whitelist-common.inc include whitelist-common.inc
include whitelist-runuser-common.inc include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc

@ -6,9 +6,9 @@ include barrier.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/Debauchee/Barrier.conf noblacklist ${HOME}/.config/Debauchee/Barrier.conf
nodeny ${HOME}/.local/share/barrier noblacklist ${HOME}/.local/share/barrier
nodeny ${PATH}/openssl noblacklist ${PATH}/openssl
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -5,13 +5,13 @@ include basilisk.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.cache/moonchild productions/basilisk noblacklist ${HOME}/.cache/moonchild productions/basilisk
nodeny ${HOME}/.moonchild productions/basilisk noblacklist ${HOME}/.moonchild productions/basilisk
mkdir ${HOME}/.cache/moonchild productions/basilisk mkdir ${HOME}/.cache/moonchild productions/basilisk
mkdir ${HOME}/.moonchild productions mkdir ${HOME}/.moonchild productions
allow ${HOME}/.cache/moonchild productions/basilisk whitelist ${HOME}/.cache/moonchild productions/basilisk
allow ${HOME}/.moonchild productions whitelist ${HOME}/.moonchild productions
# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60) # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
seccomp seccomp
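
Review bot: on the side being removed, `nodeny ${HOME}/.cache/moonchild productions/basilisk` and `allow ${HOME}/.cache/moonchild productions/basilisk` name the same path four lines apart and read as if one made the other redundant, although they stand for `noblacklist` and `whitelist`, which are separate mechanisms. This hunk would serve as a ready example in the commit message for the `allow`/`nodeny` pair it lists, since both aliases appear here on one path within a single profile.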

@ -7,10 +7,10 @@ include bcompare.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/bcompare noblacklist ${HOME}/.config/bcompare
# In case the user decides to include disable-programs.inc, still allow # In case the user decides to include disable-programs.inc, still allow
# KDE's Gwenview to view images via right click -> Open With -> Associated Application # KDE's Gwenview to view images via right click -> Open With -> Associated Application
nodeny ${HOME}/.config/gwenviewrc noblacklist ${HOME}/.config/gwenviewrc
# Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc. # Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc.
#include disable-common.inc #include disable-common.inc

@ -19,10 +19,10 @@ ignore private-cache
ignore private-dev ignore private-dev
ignore private-tmp ignore private-tmp
nodeny ${HOME}/.config/Beaker Browser noblacklist ${HOME}/.config/Beaker Browser
mkdir ${HOME}/.config/Beaker Browser mkdir ${HOME}/.config/Beaker Browser
allow ${HOME}/.config/Beaker Browser whitelist ${HOME}/.config/Beaker Browser
# Redirect # Redirect
include electron.profile include electron.profile

@ -6,11 +6,11 @@ include bibletime.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.bibletime noblacklist ${HOME}/.bibletime
nodeny ${HOME}/.sword noblacklist ${HOME}/.sword
nodeny ${HOME}/.local/share/bibletime noblacklist ${HOME}/.local/share/bibletime
deny ${HOME}/.bashrc blacklist ${HOME}/.bashrc
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -22,12 +22,12 @@ include disable-programs.inc
mkdir ${HOME}/.bibletime mkdir ${HOME}/.bibletime
mkdir ${HOME}/.sword mkdir ${HOME}/.sword
mkdir ${HOME}/.local/share/bibletime mkdir ${HOME}/.local/share/bibletime
allow ${HOME}/.bibletime whitelist ${HOME}/.bibletime
allow ${HOME}/.sword whitelist ${HOME}/.sword
allow ${HOME}/.local/share/bibletime whitelist ${HOME}/.local/share/bibletime
allow /usr/share/bibletime whitelist /usr/share/bibletime
allow /usr/share/doc/bibletime whitelist /usr/share/doc/bibletime
allow /usr/share/sword whitelist /usr/share/sword
include whitelist-common.inc include whitelist-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -6,7 +6,7 @@ include bijiben.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.local/share/bijiben noblacklist ${HOME}/.local/share/bijiben
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -18,12 +18,12 @@ include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
mkdir ${HOME}/.local/share/bijiben mkdir ${HOME}/.local/share/bijiben
allow ${HOME}/.local/share/bijiben whitelist ${HOME}/.local/share/bijiben
allow ${HOME}/.cache/tracker whitelist ${HOME}/.cache/tracker
allow /usr/libexec/webkit2gtk-4.0 whitelist /usr/libexec/webkit2gtk-4.0
allow /usr/share/bijiben whitelist /usr/share/bijiben
allow /usr/share/tracker whitelist /usr/share/tracker
allow /usr/share/tracker3 whitelist /usr/share/tracker3
include whitelist-common.inc include whitelist-common.inc
include whitelist-runuser-common.inc include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc

@ -6,8 +6,8 @@ include bitcoin-qt.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.bitcoin noblacklist ${HOME}/.bitcoin
nodeny ${HOME}/.config/Bitcoin noblacklist ${HOME}/.config/Bitcoin
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -19,8 +19,8 @@ include disable-shell.inc
mkdir ${HOME}/.bitcoin mkdir ${HOME}/.bitcoin
mkdir ${HOME}/.config/Bitcoin mkdir ${HOME}/.config/Bitcoin
allow ${HOME}/.bitcoin whitelist ${HOME}/.bitcoin
allow ${HOME}/.config/Bitcoin whitelist ${HOME}/.config/Bitcoin
include whitelist-common.inc include whitelist-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -8,8 +8,8 @@ include globals.local
ignore noexec ${HOME} ignore noexec ${HOME}
nodeny /sbin noblacklist /sbin
nodeny /usr/sbin noblacklist /usr/sbin
# noblacklist /var/log # noblacklist /var/log
include disable-common.inc include disable-common.inc
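
Review bot: the commented-out `# noblacklist /var/log` line at the end of this hunk is identical on both sides, so before the revert this file carried `nodeny` in its live lines and `noblacklist` in a comment at the same time. The revert removes that mismatch here; because the description says the revert was applied in several steps rather than one pass, it is worth searching `etc` afterwards for any line, commented or live, that still begins with `nodeny`, `noallow`, `allow` or `deny`.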

@ -11,12 +11,12 @@ ignore include whitelist-usr-share-common.inc
ignore noexec /tmp ignore noexec /tmp
nodeny ${HOME}/.config/Bitwarden noblacklist ${HOME}/.config/Bitwarden
include disable-shell.inc include disable-shell.inc
mkdir ${HOME}/.config/Bitwarden mkdir ${HOME}/.config/Bitwarden
allow ${HOME}/.config/Bitwarden whitelist ${HOME}/.config/Bitwarden
machine-id machine-id
no3d no3d

@ -7,7 +7,7 @@ include blackbox.local
include globals.local include globals.local
# all applications started in blackbox will run in this profile # all applications started in blackbox will run in this profile
nodeny ${HOME}/.blackbox noblacklist ${HOME}/.blackbox
include disable-common.inc include disable-common.inc
caps.drop all caps.drop all

@ -6,7 +6,7 @@ include blender.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/blender noblacklist ${HOME}/.config/blender
# Allow python (blacklisted by disable-interpreters.inc) # Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc include allow-python2.inc
@ -20,8 +20,8 @@ include disable-passwdmgr.inc
include disable-programs.inc include disable-programs.inc
# Allow usage of AMD GPU by OpenCL # Allow usage of AMD GPU by OpenCL
nodeny /sys/module noblacklist /sys/module
allow /sys/module/amdgpu whitelist /sys/module/amdgpu
read-only /sys/module/amdgpu read-only /sys/module/amdgpu
caps.drop all caps.drop all

@ -6,7 +6,7 @@ include bless.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/bless noblacklist ${HOME}/.config/bless
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -4,7 +4,7 @@ include blobby.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.blobby noblacklist ${HOME}/.blobby
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -16,9 +16,9 @@ include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
mkdir ${HOME}/.blobby mkdir ${HOME}/.blobby
allow ${HOME}/.blobby whitelist ${HOME}/.blobby
include whitelist-common.inc include whitelist-common.inc
allow /usr/share/blobby whitelist /usr/share/blobby
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -6,7 +6,7 @@ include blobwars.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.parallelrealities/blobwars noblacklist ${HOME}/.parallelrealities/blobwars
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
mkdir ${HOME}/.parallelrealities/blobwars mkdir ${HOME}/.parallelrealities/blobwars
allow ${HOME}/.parallelrealities/blobwars whitelist ${HOME}/.parallelrealities/blobwars
allow /usr/share/blobwars whitelist /usr/share/blobwars
include whitelist-common.inc include whitelist-common.inc
include whitelist-usr-share-common.inc include whitelist-usr-share-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
ignore include whitelist-runuser-common.inc ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc ignore include whitelist-usr-share-common.inc
nodeny ${HOME}/.cache/bnox noblacklist ${HOME}/.cache/bnox
nodeny ${HOME}/.config/bnox noblacklist ${HOME}/.config/bnox
mkdir ${HOME}/.cache/bnox mkdir ${HOME}/.cache/bnox
mkdir ${HOME}/.config/bnox mkdir ${HOME}/.config/bnox
allow ${HOME}/.cache/bnox whitelist ${HOME}/.cache/bnox
allow ${HOME}/.config/bnox whitelist ${HOME}/.config/bnox
# Redirect # Redirect
include chromium-common.profile include chromium-common.profile
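
Review bot: the hunk header shows `ignore whitelist /usr/share/chromium` just above this hunk, already in the old spelling before the revert, and the file ends with `include chromium-common.profile`. If `ignore` matches on the literal command text, that line only takes effect when the included profile spells the command the same way, so please confirm that chromium-common.profile is reverted in this same commit; the truncated diff view does not show it.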

@ -5,7 +5,7 @@ include brackets.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/Brackets noblacklist ${HOME}/.config/Brackets
#noblacklist /opt/brackets #noblacklist /opt/brackets
#noblacklist /opt/google #noblacklist /opt/google

@ -6,7 +6,7 @@ include brasero.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.config/brasero noblacklist ${HOME}/.config/brasero
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -14,24 +14,24 @@ ignore noexec /tmp
# Alternatively you can add 'ignore apparmor' to your brave.local. # Alternatively you can add 'ignore apparmor' to your brave.local.
ignore noexec ${HOME} ignore noexec ${HOME}
nodeny ${HOME}/.cache/BraveSoftware noblacklist ${HOME}/.cache/BraveSoftware
nodeny ${HOME}/.config/BraveSoftware noblacklist ${HOME}/.config/BraveSoftware
nodeny ${HOME}/.config/brave noblacklist ${HOME}/.config/brave
nodeny ${HOME}/.config/brave-flags.conf noblacklist ${HOME}/.config/brave-flags.conf
# brave uses gpg for built-in password manager # brave uses gpg for built-in password manager
nodeny ${HOME}/.gnupg noblacklist ${HOME}/.gnupg
mkdir ${HOME}/.cache/BraveSoftware mkdir ${HOME}/.cache/BraveSoftware
mkdir ${HOME}/.config/BraveSoftware mkdir ${HOME}/.config/BraveSoftware
mkdir ${HOME}/.config/brave mkdir ${HOME}/.config/brave
allow ${HOME}/.cache/BraveSoftware whitelist ${HOME}/.cache/BraveSoftware
allow ${HOME}/.config/BraveSoftware whitelist ${HOME}/.config/BraveSoftware
allow ${HOME}/.config/brave whitelist ${HOME}/.config/brave
allow ${HOME}/.config/brave-flags.conf whitelist ${HOME}/.config/brave-flags.conf
allow ${HOME}/.gnupg whitelist ${HOME}/.gnupg
# Brave sandbox needs read access to /proc/config.gz # Brave sandbox needs read access to /proc/config.gz
nodeny /proc/config.gz noblacklist /proc/config.gz
# Redirect # Redirect
include chromium-common.profile include chromium-common.profile
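
Review bot: `whitelist ${HOME}/.gnupg` is restored without a comment of its own; the explanation "brave uses gpg for built-in password manager" sits only above the `noblacklist ${HOME}/.gnupg` line several lines earlier. Since this pair of lines makes the GnuPG home directory reachable from inside the browser sandbox, a follow-up should repeat or reference that comment at the `whitelist` line so the exposure is visibly deliberate. Restoring both lines unchanged is correct for the revert itself.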

@ -6,7 +6,7 @@ include bzflag.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.bzf noblacklist ${HOME}/.bzf
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc
@ -18,7 +18,7 @@ include disable-shell.inc
include disable-xdg.inc include disable-xdg.inc
mkdir ${HOME}/.bzf mkdir ${HOME}/.bzf
allow ${HOME}/.bzf whitelist ${HOME}/.bzf
include whitelist-common.inc include whitelist-common.inc
include whitelist-var-common.inc include whitelist-var-common.inc

@ -6,9 +6,9 @@ include calibre.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.cache/calibre noblacklist ${HOME}/.cache/calibre
nodeny ${HOME}/.config/calibre noblacklist ${HOME}/.config/calibre
nodeny ${DOCUMENTS} noblacklist ${DOCUMENTS}
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -6,7 +6,7 @@ include calligra.local
# Persistent global definitions # Persistent global definitions
include globals.local include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligra noblacklist ${HOME}/.local/share/kxmlgui5/calligra
include disable-common.inc include disable-common.inc
include disable-devel.inc include disable-devel.inc

@ -6,7 +6,7 @@ include calligragemini.local
# added by included profile # added by included profile
#include globals.local #include globals.local
nodeny ${HOME}/.local/share/calligragemini noblacklist ${HOME}/.local/share/calligragemini
# Redirect # Redirect
include calligra.profile include calligra.profile

@ -6,7 +6,7 @@ include calligraplan.local
# added by included profile # added by included profile
#include globals.local #include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligraplan noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
# Redirect # Redirect
include calligra.profile include calligra.profile

@ -6,7 +6,7 @@ include calligraplanwork.local
# added by included profile # added by included profile
#include globals.local #include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligraplanwork noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
# Redirect # Redirect
include calligra.profile include calligra.profile

@ -6,7 +6,7 @@ include calligrasheets.local
# added by included profile # added by included profile
#include globals.local #include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligrasheets noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
# Redirect # Redirect
include calligra.profile include calligra.profile

@ -6,7 +6,7 @@ include calligrastage.local
# added by included profile # added by included profile
#include globals.local #include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligrastage noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
# Redirect # Redirect
include calligra.profile include calligra.profile

@ -6,7 +6,7 @@ include calligrawords.local
# added by included profile # added by included profile
#include globals.local #include globals.local
nodeny ${HOME}/.local/share/kxmlgui5/calligrawords noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
# Redirect # Redirect
include calligra.profile include calligra.profile

Some files were not shown because too many files have changed in this diff.