move whitelist/blacklist to allow/deny

netblue30 2021-07-05 07:23:31 -04:00
parent c32924b825
commit fe0f975f44
799 changed files with 5141 additions and 5059 deletions


@ -2,6 +2,6 @@
# Persistent customizations should go in a .local file.
include allow-bin-sh.local
noblacklist ${PATH}/bash
noblacklist ${PATH}/dash
noblacklist ${PATH}/sh
nodeny ${PATH}/bash
nodeny ${PATH}/dash
nodeny ${PATH}/sh


@ -3,29 +3,29 @@
include allow-common-devel.local
# Git
noblacklist ${HOME}/.config/git
noblacklist ${HOME}/.gitconfig
noblacklist ${HOME}/.git-credentials
nodeny ${HOME}/.config/git
nodeny ${HOME}/.gitconfig
nodeny ${HOME}/.git-credentials
# Java
noblacklist ${HOME}/.gradle
noblacklist ${HOME}/.java
nodeny ${HOME}/.gradle
nodeny ${HOME}/.java
# Node.js
noblacklist ${HOME}/.node-gyp
noblacklist ${HOME}/.npm
noblacklist ${HOME}/.npmrc
noblacklist ${HOME}/.nvm
noblacklist ${HOME}/.yarn
noblacklist ${HOME}/.yarn-config
noblacklist ${HOME}/.yarncache
noblacklist ${HOME}/.yarnrc
nodeny ${HOME}/.node-gyp
nodeny ${HOME}/.npm
nodeny ${HOME}/.npmrc
nodeny ${HOME}/.nvm
nodeny ${HOME}/.yarn
nodeny ${HOME}/.yarn-config
nodeny ${HOME}/.yarncache
nodeny ${HOME}/.yarnrc
# Python
noblacklist ${HOME}/.pylint.d
noblacklist ${HOME}/.python-history
noblacklist ${HOME}/.python_history
noblacklist ${HOME}/.pythonhist
nodeny ${HOME}/.pylint.d
nodeny ${HOME}/.python-history
nodeny ${HOME}/.python_history
nodeny ${HOME}/.pythonhist
# Rust
noblacklist ${HOME}/.cargo/*
nodeny ${HOME}/.cargo/*
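Review bot: The `nodeny ${HOME}/.git-credentials` line in the Git group lifts the deny on a stored-credentials file, and nothing in this file says so; the disable-common section of this same commit lists that path under `# top secret`. A comment above the Git group such as `# Lifts the deny on stored Git credentials; include only in profiles that must authenticate` would make the trade-off visible to profile authors. `${HOME}/.npmrc` in the Node.js group may deserve the same comment, since it can hold a registry auth token. The section that includes allow-ssh.local does the same for `${HOME}/.ssh` and `/tmp/ssh-*`, which disable-common denies under `# prevent access to ssh-agent`.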


@ -2,11 +2,11 @@
# Persistent customizations should go in a .local file.
include allow-gjs.local
noblacklist ${PATH}/gjs
noblacklist ${PATH}/gjs-console
noblacklist /usr/lib/gjs
noblacklist /usr/lib/libgjs*
noblacklist /usr/lib/libmozjs-*
noblacklist /usr/lib64/gjs
noblacklist /usr/lib64/libgjs*
noblacklist /usr/lib64/libmozjs-*
nodeny ${PATH}/gjs
nodeny ${PATH}/gjs-console
nodeny /usr/lib/gjs
nodeny /usr/lib/libgjs*
nodeny /usr/lib/libmozjs-*
nodeny /usr/lib64/gjs
nodeny /usr/lib64/libgjs*
nodeny /usr/lib64/libmozjs-*


@ -2,8 +2,8 @@
# Persistent customizations should go in a .local file.
include allow-java.local
noblacklist ${HOME}/.java
noblacklist ${PATH}/java
noblacklist /etc/java
noblacklist /usr/lib/java
noblacklist /usr/share/java
nodeny ${HOME}/.java
nodeny ${PATH}/java
nodeny /etc/java
nodeny /usr/lib/java
nodeny /usr/share/java


@ -2,11 +2,11 @@
# Persistent customizations should go in a .local file.
include allow-lua.local
noblacklist ${PATH}/lua*
noblacklist /usr/include
noblacklist /usr/lib/liblua*
noblacklist /usr/lib/lua
noblacklist /usr/lib64/liblua*
noblacklist /usr/lib64/lua
noblacklist /usr/share/lua
noblacklist /usr/share/lua*
nodeny ${PATH}/lua*
nodeny /usr/include
nodeny /usr/lib/liblua*
nodeny /usr/lib/lua
nodeny /usr/lib64/liblua*
nodeny /usr/lib64/lua
nodeny /usr/share/lua
nodeny /usr/share/lua*


@ -2,8 +2,8 @@
# Persistent customizations should go in a .local file.
include allow-nodejs.local
noblacklist ${PATH}/node
noblacklist /usr/include/node
nodeny ${PATH}/node
nodeny /usr/include/node
# Allow python for node-gyp (blacklisted by disable-interpreters.inc)
include allow-python2.inc
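Review bot: The context comment `# Allow python for node-gyp (blacklisted by disable-interpreters.inc)` still uses the old term although the directives around it now read `nodeny`; I would change it to `# Allow python for node-gyp (denied by disable-interpreters.inc)`. The same leftover appears in later sections: the commented-out `#?HAS_X11: blacklist`, `#?HAS_NODBUS: blacklist` and `#blacklist /var/run/systemd` lines in the section that includes disable-common.local, `# blacklist /usr/lib/llvm*` and `#blacklist /usr/lib/gcc` in the disable-devel one, and the advice `You will want to add noblacklist for python3 stuff` in the disable-interpreters one. Whether the parser still accepts the old keywords is not visible on this page, so a commented-out directive that someone re-enables later may not behave as expected. Renaming them in this commit keeps the policy vocabulary uniform for anyone auditing which paths are denied.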


@ -2,6 +2,6 @@
# Persistent customizations should go in a .local file.
include allow-opengl-game.local
noblacklist ${PATH}/bash
whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
nodeny ${PATH}/bash
allow /usr/share/opengl-games-utils/opengl-game-functions.sh
private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity


@ -2,11 +2,11 @@
# Persistent customizations should go in a .local file.
include allow-perl.local
noblacklist ${PATH}/core_perl
noblacklist ${PATH}/cpan*
noblacklist ${PATH}/perl
noblacklist ${PATH}/site_perl
noblacklist ${PATH}/vendor_perl
noblacklist /usr/lib/perl*
noblacklist /usr/lib64/perl*
noblacklist /usr/share/perl*
nodeny ${PATH}/core_perl
nodeny ${PATH}/cpan*
nodeny ${PATH}/perl
nodeny ${PATH}/site_perl
nodeny ${PATH}/vendor_perl
nodeny /usr/lib/perl*
nodeny /usr/lib64/perl*
nodeny /usr/share/perl*


@ -2,6 +2,6 @@
# Persistent customizations should go in a .local file.
include allow-php.local
noblacklist ${PATH}/php*
noblacklist /usr/lib/php*
noblacklist /usr/share/php*
nodeny ${PATH}/php*
nodeny /usr/lib/php*
nodeny /usr/share/php*

View file

@ -2,8 +2,8 @@
# Persistent customizations should go in a .local file.
include allow-python2.local
noblacklist ${PATH}/python2*
noblacklist /usr/include/python2*
noblacklist /usr/lib/python2*
noblacklist /usr/local/lib/python2*
noblacklist /usr/share/python2*
nodeny ${PATH}/python2*
nodeny /usr/include/python2*
nodeny /usr/lib/python2*
nodeny /usr/local/lib/python2*
nodeny /usr/share/python2*


@ -2,9 +2,9 @@
# Persistent customizations should go in a .local file.
include allow-python3.local
noblacklist ${PATH}/python3*
noblacklist /usr/include/python3*
noblacklist /usr/lib/python3*
noblacklist /usr/lib64/python3*
noblacklist /usr/local/lib/python3*
noblacklist /usr/share/python3*
nodeny ${PATH}/python3*
nodeny /usr/include/python3*
nodeny /usr/lib/python3*
nodeny /usr/lib64/python3*
nodeny /usr/local/lib/python3*
nodeny /usr/share/python3*


@ -2,5 +2,5 @@
# Persistent customizations should go in a .local file.
include allow-ruby.local
noblacklist ${PATH}/ruby
noblacklist /usr/lib/ruby
nodeny ${PATH}/ruby
nodeny /usr/lib/ruby


@ -2,7 +2,7 @@
# Persistent customizations should go in a .local file.
include allow-ssh.local
noblacklist ${HOME}/.ssh
noblacklist /etc/ssh
noblacklist /etc/ssh/ssh_config
noblacklist /tmp/ssh-*
nodeny ${HOME}/.ssh
nodeny /etc/ssh
nodeny /etc/ssh/ssh_config
nodeny /tmp/ssh-*


@ -5,63 +5,63 @@ include disable-common.local
# The following block breaks trash functionality in file managers
#read-only ${HOME}/.local
#read-write ${HOME}/.local/share
blacklist ${HOME}/.local/share/Trash
deny ${HOME}/.local/share/Trash
# History files in $HOME and clipboard managers
blacklist-nolog ${HOME}/.*_history
blacklist-nolog ${HOME}/.adobe
blacklist-nolog ${HOME}/.cache/greenclip*
blacklist-nolog ${HOME}/.histfile
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.kde/share/apps/klipper
blacklist-nolog ${HOME}/.kde4/share/apps/klipper
blacklist-nolog ${HOME}/.local/share/fish/fish_history
blacklist-nolog ${HOME}/.local/share/klipper
blacklist-nolog ${HOME}/.macromedia
blacklist-nolog ${HOME}/.mupdf.history
blacklist-nolog ${HOME}/.python-history
blacklist-nolog ${HOME}/.python_history
blacklist-nolog ${HOME}/.pythonhist
blacklist-nolog ${HOME}/.lesshst
blacklist-nolog ${HOME}/.viminfo
blacklist-nolog /tmp/clipmenu*
deny-nolog ${HOME}/.*_history
deny-nolog ${HOME}/.adobe
deny-nolog ${HOME}/.cache/greenclip*
deny-nolog ${HOME}/.histfile
deny-nolog ${HOME}/.history
deny-nolog ${HOME}/.kde/share/apps/klipper
deny-nolog ${HOME}/.kde4/share/apps/klipper
deny-nolog ${HOME}/.local/share/fish/fish_history
deny-nolog ${HOME}/.local/share/klipper
deny-nolog ${HOME}/.macromedia
deny-nolog ${HOME}/.mupdf.history
deny-nolog ${HOME}/.python-history
deny-nolog ${HOME}/.python_history
deny-nolog ${HOME}/.pythonhist
deny-nolog ${HOME}/.lesshst
deny-nolog ${HOME}/.viminfo
deny-nolog /tmp/clipmenu*
# X11 session autostart
# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
blacklist ${HOME}/.Xsession
blacklist ${HOME}/.blackbox
blacklist ${HOME}/.config/autostart
blacklist ${HOME}/.config/autostart-scripts
blacklist ${HOME}/.config/awesome
blacklist ${HOME}/.config/i3
blacklist ${HOME}/.config/sway
blacklist ${HOME}/.config/lxsession/LXDE/autostart
blacklist ${HOME}/.config/openbox
blacklist ${HOME}/.config/plasma-workspace
blacklist ${HOME}/.config/startupconfig
blacklist ${HOME}/.config/startupconfigkeys
blacklist ${HOME}/.fluxbox
blacklist ${HOME}/.gnomerc
blacklist ${HOME}/.kde/Autostart
blacklist ${HOME}/.kde/env
blacklist ${HOME}/.kde/share/autostart
blacklist ${HOME}/.kde/share/config/startupconfig
blacklist ${HOME}/.kde/share/config/startupconfigkeys
blacklist ${HOME}/.kde/shutdown
blacklist ${HOME}/.kde4/env
blacklist ${HOME}/.kde4/Autostart
blacklist ${HOME}/.kde4/share/autostart
blacklist ${HOME}/.kde4/shutdown
blacklist ${HOME}/.kde4/share/config/startupconfig
blacklist ${HOME}/.kde4/share/config/startupconfigkeys
blacklist ${HOME}/.local/share/autostart
blacklist ${HOME}/.xinitrc
blacklist ${HOME}/.xprofile
blacklist ${HOME}/.xserverrc
blacklist ${HOME}/.xsession
blacklist ${HOME}/.xsessionrc
blacklist /etc/X11/Xsession.d
blacklist /etc/xdg/autostart
deny ${HOME}/.Xsession
deny ${HOME}/.blackbox
deny ${HOME}/.config/autostart
deny ${HOME}/.config/autostart-scripts
deny ${HOME}/.config/awesome
deny ${HOME}/.config/i3
deny ${HOME}/.config/sway
deny ${HOME}/.config/lxsession/LXDE/autostart
deny ${HOME}/.config/openbox
deny ${HOME}/.config/plasma-workspace
deny ${HOME}/.config/startupconfig
deny ${HOME}/.config/startupconfigkeys
deny ${HOME}/.fluxbox
deny ${HOME}/.gnomerc
deny ${HOME}/.kde/Autostart
deny ${HOME}/.kde/env
deny ${HOME}/.kde/share/autostart
deny ${HOME}/.kde/share/config/startupconfig
deny ${HOME}/.kde/share/config/startupconfigkeys
deny ${HOME}/.kde/shutdown
deny ${HOME}/.kde4/env
deny ${HOME}/.kde4/Autostart
deny ${HOME}/.kde4/share/autostart
deny ${HOME}/.kde4/shutdown
deny ${HOME}/.kde4/share/config/startupconfig
deny ${HOME}/.kde4/share/config/startupconfigkeys
deny ${HOME}/.local/share/autostart
deny ${HOME}/.xinitrc
deny ${HOME}/.xprofile
deny ${HOME}/.xserverrc
deny ${HOME}/.xsession
deny ${HOME}/.xsessionrc
deny /etc/X11/Xsession.d
deny /etc/xdg/autostart
read-only ${HOME}/.Xauthority
# Session manager
@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority
#?HAS_X11: blacklist /tmp/.ICE-unix
# KDE config
blacklist ${HOME}/.cache/konsole
blacklist ${HOME}/.config/khotkeysrc
blacklist ${HOME}/.config/krunnerrc
blacklist ${HOME}/.config/kscreenlockerrc
blacklist ${HOME}/.config/ksslcertificatemanager
blacklist ${HOME}/.config/kwalletrc
blacklist ${HOME}/.config/kwinrc
blacklist ${HOME}/.config/kwinrulesrc
blacklist ${HOME}/.config/plasma-locale-settings.sh
blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
blacklist ${HOME}/.config/plasmashellrc
blacklist ${HOME}/.config/plasmavaultrc
blacklist ${HOME}/.kde/share/apps/kwin
blacklist ${HOME}/.kde/share/apps/plasma
blacklist ${HOME}/.kde/share/apps/solid
blacklist ${HOME}/.kde/share/config/khotkeysrc
blacklist ${HOME}/.kde/share/config/krunnerrc
blacklist ${HOME}/.kde/share/config/kscreensaverrc
blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
blacklist ${HOME}/.kde/share/config/kwalletrc
blacklist ${HOME}/.kde/share/config/kwinrc
blacklist ${HOME}/.kde/share/config/kwinrulesrc
blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
blacklist ${HOME}/.kde4/share/apps/kwin
blacklist ${HOME}/.kde4/share/apps/plasma
blacklist ${HOME}/.kde4/share/apps/solid
blacklist ${HOME}/.kde4/share/config/khotkeysrc
blacklist ${HOME}/.kde4/share/config/krunnerrc
blacklist ${HOME}/.kde4/share/config/kscreensaverrc
blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
blacklist ${HOME}/.kde4/share/config/kwalletrc
blacklist ${HOME}/.kde4/share/config/kwinrc
blacklist ${HOME}/.kde4/share/config/kwinrulesrc
blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
blacklist ${HOME}/.local/share/kglobalaccel
blacklist ${HOME}/.local/share/kwin
blacklist ${HOME}/.local/share/plasma
blacklist ${HOME}/.local/share/plasmashell
blacklist ${HOME}/.local/share/solid
blacklist /tmp/konsole-*.history
deny ${HOME}/.cache/konsole
deny ${HOME}/.config/khotkeysrc
deny ${HOME}/.config/krunnerrc
deny ${HOME}/.config/kscreenlockerrc
deny ${HOME}/.config/ksslcertificatemanager
deny ${HOME}/.config/kwalletrc
deny ${HOME}/.config/kwinrc
deny ${HOME}/.config/kwinrulesrc
deny ${HOME}/.config/plasma-locale-settings.sh
deny ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
deny ${HOME}/.config/plasmashellrc
deny ${HOME}/.config/plasmavaultrc
deny ${HOME}/.kde/share/apps/kwin
deny ${HOME}/.kde/share/apps/plasma
deny ${HOME}/.kde/share/apps/solid
deny ${HOME}/.kde/share/config/khotkeysrc
deny ${HOME}/.kde/share/config/krunnerrc
deny ${HOME}/.kde/share/config/kscreensaverrc
deny ${HOME}/.kde/share/config/ksslcertificatemanager
deny ${HOME}/.kde/share/config/kwalletrc
deny ${HOME}/.kde/share/config/kwinrc
deny ${HOME}/.kde/share/config/kwinrulesrc
deny ${HOME}/.kde/share/config/plasma-desktop-appletsrc
deny ${HOME}/.kde4/share/apps/kwin
deny ${HOME}/.kde4/share/apps/plasma
deny ${HOME}/.kde4/share/apps/solid
deny ${HOME}/.kde4/share/config/khotkeysrc
deny ${HOME}/.kde4/share/config/krunnerrc
deny ${HOME}/.kde4/share/config/kscreensaverrc
deny ${HOME}/.kde4/share/config/ksslcertificatemanager
deny ${HOME}/.kde4/share/config/kwalletrc
deny ${HOME}/.kde4/share/config/kwinrc
deny ${HOME}/.kde4/share/config/kwinrulesrc
deny ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
deny ${HOME}/.local/share/kglobalaccel
deny ${HOME}/.local/share/kwin
deny ${HOME}/.local/share/plasma
deny ${HOME}/.local/share/plasmashell
deny ${HOME}/.local/share/solid
deny /tmp/konsole-*.history
read-only ${HOME}/.cache/ksycoca5_*
read-only ${HOME}/.config/*notifyrc
read-only ${HOME}/.config/kdeglobals
@ -138,124 +138,124 @@ read-only ${HOME}/.local/share/kservices5
read-only ${HOME}/.local/share/kssl
# KDE sockets
blacklist ${RUNUSER}/*.slave-socket
blacklist ${RUNUSER}/kdeinit5__*
blacklist ${RUNUSER}/kdesud_*
deny ${RUNUSER}/*.slave-socket
deny ${RUNUSER}/kdeinit5__*
deny ${RUNUSER}/kdesud_*
# see #3358
#?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
#?HAS_NODBUS: blacklist /tmp/ksocket-*
# gnome
# contains extensions, last used times of applications, and notifications
blacklist ${HOME}/.local/share/gnome-shell
deny ${HOME}/.local/share/gnome-shell
# contains recently used files and serials of static/removable storage
blacklist ${HOME}/.local/share/gvfs-metadata
deny ${HOME}/.local/share/gvfs-metadata
# no direct modification of dconf database
read-only ${HOME}/.config/dconf
blacklist ${RUNUSER}/gnome-session-leader-fifo
blacklist ${RUNUSER}/gnome-shell
blacklist ${RUNUSER}/gsconnect
deny ${RUNUSER}/gnome-session-leader-fifo
deny ${RUNUSER}/gnome-shell
deny ${RUNUSER}/gsconnect
# systemd
blacklist ${HOME}/.config/systemd
blacklist ${HOME}/.local/share/systemd
blacklist /var/lib/systemd
blacklist ${PATH}/systemd-run
blacklist ${RUNUSER}/systemd
deny ${HOME}/.config/systemd
deny ${HOME}/.local/share/systemd
deny /var/lib/systemd
deny ${PATH}/systemd-run
deny ${RUNUSER}/systemd
# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
#blacklist /var/run/systemd
# openrc
blacklist /etc/runlevels/
blacklist /etc/init.d/
blacklist /etc/rc.conf
deny /etc/runlevels/
deny /etc/init.d/
deny /etc/rc.conf
# VirtualBox
blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/.config/VirtualBox
blacklist ${HOME}/VirtualBox VMs
deny ${HOME}/.VirtualBox
deny ${HOME}/.config/VirtualBox
deny ${HOME}/VirtualBox VMs
# GNOME Boxes
blacklist ${HOME}/.config/gnome-boxes
blacklist ${HOME}/.local/share/gnome-boxes
deny ${HOME}/.config/gnome-boxes
deny ${HOME}/.local/share/gnome-boxes
# libvirt
blacklist ${HOME}/.cache/libvirt
blacklist ${HOME}/.config/libvirt
blacklist ${RUNUSER}/libvirt
blacklist /var/cache/libvirt
blacklist /var/lib/libvirt
blacklist /var/log/libvirt
deny ${HOME}/.cache/libvirt
deny ${HOME}/.config/libvirt
deny ${RUNUSER}/libvirt
deny /var/cache/libvirt
deny /var/lib/libvirt
deny /var/log/libvirt
# OCI-Containers / Podman
blacklist ${RUNUSER}/containers
blacklist ${RUNUSER}/crun
blacklist ${RUNUSER}/libpod
blacklist ${RUNUSER}/runc
blacklist ${RUNUSER}/toolbox
deny ${RUNUSER}/containers
deny ${RUNUSER}/crun
deny ${RUNUSER}/libpod
deny ${RUNUSER}/runc
deny ${RUNUSER}/toolbox
# VeraCrypt
blacklist ${HOME}/.VeraCrypt
blacklist ${PATH}/veracrypt
blacklist ${PATH}/veracrypt-uninstall.sh
blacklist /usr/share/applications/veracrypt.*
blacklist /usr/share/pixmaps/veracrypt.*
blacklist /usr/share/veracrypt
deny ${HOME}/.VeraCrypt
deny ${PATH}/veracrypt
deny ${PATH}/veracrypt-uninstall.sh
deny /usr/share/applications/veracrypt.*
deny /usr/share/pixmaps/veracrypt.*
deny /usr/share/veracrypt
# TrueCrypt
blacklist ${HOME}/.TrueCrypt
blacklist ${PATH}/truecrypt
blacklist ${PATH}/truecrypt-uninstall.sh
blacklist /usr/share/applications/truecrypt.*
blacklist /usr/share/pixmaps/truecrypt.*
blacklist /usr/share/truecrypt
deny ${HOME}/.TrueCrypt
deny ${PATH}/truecrypt
deny ${PATH}/truecrypt-uninstall.sh
deny /usr/share/applications/truecrypt.*
deny /usr/share/pixmaps/truecrypt.*
deny /usr/share/truecrypt
# zuluCrypt
blacklist ${HOME}/.zuluCrypt
blacklist ${HOME}/.zuluCrypt-socket
blacklist ${PATH}/zuluCrypt-cli
blacklist ${PATH}/zuluMount-cli
deny ${HOME}/.zuluCrypt
deny ${HOME}/.zuluCrypt-socket
deny ${PATH}/zuluCrypt-cli
deny ${PATH}/zuluMount-cli
# var
blacklist /var/cache/apt
blacklist /var/cache/pacman
blacklist /var/lib/apt
blacklist /var/lib/clamav
blacklist /var/lib/dkms
blacklist /var/lib/mysql/mysql.sock
blacklist /var/lib/mysqld/mysql.sock
blacklist /var/lib/pacman
blacklist /var/lib/upower
deny /var/cache/apt
deny /var/cache/pacman
deny /var/lib/apt
deny /var/lib/clamav
deny /var/lib/dkms
deny /var/lib/mysql/mysql.sock
deny /var/lib/mysqld/mysql.sock
deny /var/lib/pacman
deny /var/lib/upower
# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
# every sandbox, unless --writable-var-log switch is activated
blacklist /var/mail
blacklist /var/opt
blacklist /var/run/acpid.socket
blacklist /var/run/docker.sock
blacklist /var/run/minissdpd.sock
blacklist /var/run/mysql/mysqld.sock
blacklist /var/run/mysqld/mysqld.sock
blacklist /var/run/rpcbind.sock
blacklist /var/run/screens
blacklist /var/spool/anacron
blacklist /var/spool/cron
blacklist /var/spool/mail
deny /var/mail
deny /var/opt
deny /var/run/acpid.socket
deny /var/run/docker.sock
deny /var/run/minissdpd.sock
deny /var/run/mysql/mysqld.sock
deny /var/run/mysqld/mysqld.sock
deny /var/run/rpcbind.sock
deny /var/run/screens
deny /var/spool/anacron
deny /var/spool/cron
deny /var/spool/mail
# etc
blacklist /etc/anacrontab
blacklist /etc/cron*
blacklist /etc/profile.d
blacklist /etc/rc.local
deny /etc/anacrontab
deny /etc/cron*
deny /etc/profile.d
deny /etc/rc.local
# rc1.d, rc2.d, ...
blacklist /etc/rc?.d
blacklist /etc/kernel*
blacklist /etc/grub*
blacklist /etc/dkms
blacklist /etc/apparmor*
blacklist /etc/selinux
blacklist /etc/modules*
blacklist /etc/logrotate*
blacklist /etc/adduser.conf
deny /etc/rc?.d
deny /etc/kernel*
deny /etc/grub*
deny /etc/dkms
deny /etc/apparmor*
deny /etc/selinux
deny /etc/modules*
deny /etc/logrotate*
deny /etc/adduser.conf
# Startup files
read-only ${HOME}/.antigen
@ -292,13 +292,13 @@ read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local
# Remote access
blacklist ${HOME}/.rhosts
blacklist ${HOME}/.shosts
blacklist ${HOME}/.ssh/authorized_keys
blacklist ${HOME}/.ssh/authorized_keys2
blacklist ${HOME}/.ssh/environment
blacklist ${HOME}/.ssh/rc
blacklist /etc/hosts.equiv
deny ${HOME}/.rhosts
deny ${HOME}/.shosts
deny ${HOME}/.ssh/authorized_keys
deny ${HOME}/.ssh/authorized_keys2
deny ${HOME}/.ssh/environment
deny ${HOME}/.ssh/rc
deny /etc/hosts.equiv
read-only ${HOME}/.ssh/config
read-only ${HOME}/.ssh/config.d
@ -359,200 +359,200 @@ read-only ${HOME}/.local/share/mime
read-only ${HOME}/.local/share/thumbnailers
# prevent access to ssh-agent
blacklist /tmp/ssh-*
deny /tmp/ssh-*
# top secret
blacklist ${HOME}/*.kdb
blacklist ${HOME}/*.kdbx
blacklist ${HOME}/*.key
blacklist ${HOME}/.Private
blacklist ${HOME}/.caff
blacklist ${HOME}/.cargo/credentials
blacklist ${HOME}/.cargo/credentials.toml
blacklist ${HOME}/.cert
blacklist ${HOME}/.config/keybase
blacklist ${HOME}/.davfs2/secrets
blacklist ${HOME}/.ecryptfs
blacklist ${HOME}/.fetchmailrc
blacklist ${HOME}/.fscrypt
blacklist ${HOME}/.git-credential-cache
blacklist ${HOME}/.git-credentials
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.config/hub
blacklist ${HOME}/.kde/share/apps/kwallet
blacklist ${HOME}/.kde4/share/apps/kwallet
blacklist ${HOME}/.local/share/keyrings
blacklist ${HOME}/.local/share/kwalletd
blacklist ${HOME}/.local/share/plasma-vault
blacklist ${HOME}/.msmtprc
blacklist ${HOME}/.mutt
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.netrc
blacklist ${HOME}/.nyx
blacklist ${HOME}/.pki
blacklist ${HOME}/.local/share/pki
blacklist ${HOME}/.smbcredentials
blacklist ${HOME}/.ssh
blacklist ${HOME}/.vaults
blacklist /.fscrypt
blacklist /etc/davfs2/secrets
blacklist /etc/group+
blacklist /etc/group-
blacklist /etc/gshadow
blacklist /etc/gshadow+
blacklist /etc/gshadow-
blacklist /etc/passwd+
blacklist /etc/passwd-
blacklist /etc/shadow
blacklist /etc/shadow+
blacklist /etc/shadow-
blacklist /etc/ssh
blacklist /etc/ssh/*
blacklist /home/.ecryptfs
blacklist /home/.fscrypt
blacklist /var/backup
deny ${HOME}/*.kdb
deny ${HOME}/*.kdbx
deny ${HOME}/*.key
deny ${HOME}/.Private
deny ${HOME}/.caff
deny ${HOME}/.cargo/credentials
deny ${HOME}/.cargo/credentials.toml
deny ${HOME}/.cert
deny ${HOME}/.config/keybase
deny ${HOME}/.davfs2/secrets
deny ${HOME}/.ecryptfs
deny ${HOME}/.fetchmailrc
deny ${HOME}/.fscrypt
deny ${HOME}/.git-credential-cache
deny ${HOME}/.git-credentials
deny ${HOME}/.gnome2/keyrings
deny ${HOME}/.gnupg
deny ${HOME}/.config/hub
deny ${HOME}/.kde/share/apps/kwallet
deny ${HOME}/.kde4/share/apps/kwallet
deny ${HOME}/.local/share/keyrings
deny ${HOME}/.local/share/kwalletd
deny ${HOME}/.local/share/plasma-vault
deny ${HOME}/.msmtprc
deny ${HOME}/.mutt
deny ${HOME}/.muttrc
deny ${HOME}/.netrc
deny ${HOME}/.nyx
deny ${HOME}/.pki
deny ${HOME}/.local/share/pki
deny ${HOME}/.smbcredentials
deny ${HOME}/.ssh
deny ${HOME}/.vaults
deny /.fscrypt
deny /etc/davfs2/secrets
deny /etc/group+
deny /etc/group-
deny /etc/gshadow
deny /etc/gshadow+
deny /etc/gshadow-
deny /etc/passwd+
deny /etc/passwd-
deny /etc/shadow
deny /etc/shadow+
deny /etc/shadow-
deny /etc/ssh
deny /etc/ssh/*
deny /home/.ecryptfs
deny /home/.fscrypt
deny /var/backup
# cloud provider configuration
blacklist ${HOME}/.aws
blacklist ${HOME}/.boto
blacklist ${HOME}/.config/gcloud
blacklist ${HOME}/.kube
blacklist ${HOME}/.passwd-s3fs
blacklist ${HOME}/.s3cmd
blacklist /etc/boto.cfg
deny ${HOME}/.aws
deny ${HOME}/.boto
deny ${HOME}/.config/gcloud
deny ${HOME}/.kube
deny ${HOME}/.passwd-s3fs
deny ${HOME}/.s3cmd
deny /etc/boto.cfg
# system directories
blacklist /sbin
blacklist /usr/local/sbin
blacklist /usr/sbin
deny /sbin
deny /usr/local/sbin
deny /usr/sbin
# system management
blacklist ${PATH}/at
blacklist ${PATH}/busybox
blacklist ${PATH}/chage
blacklist ${PATH}/chfn
blacklist ${PATH}/chsh
blacklist ${PATH}/crontab
blacklist ${PATH}/evtest
blacklist ${PATH}/expiry
blacklist ${PATH}/fusermount
blacklist ${PATH}/gksu
blacklist ${PATH}/gksudo
blacklist ${PATH}/gpasswd
blacklist ${PATH}/kdesudo
blacklist ${PATH}/ksu
blacklist ${PATH}/mount
blacklist ${PATH}/mount.ecryptfs_private
blacklist ${PATH}/nc
blacklist ${PATH}/ncat
blacklist ${PATH}/nmap
blacklist ${PATH}/newgidmap
blacklist ${PATH}/newgrp
blacklist ${PATH}/newuidmap
blacklist ${PATH}/ntfs-3g
blacklist ${PATH}/pkexec
blacklist ${PATH}/procmail
blacklist ${PATH}/sg
blacklist ${PATH}/strace
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/tcpdump
blacklist ${PATH}/umount
blacklist ${PATH}/unix_chkpwd
blacklist ${PATH}/xev
blacklist ${PATH}/xinput
deny ${PATH}/at
deny ${PATH}/busybox
deny ${PATH}/chage
deny ${PATH}/chfn
deny ${PATH}/chsh
deny ${PATH}/crontab
deny ${PATH}/evtest
deny ${PATH}/expiry
deny ${PATH}/fusermount
deny ${PATH}/gksu
deny ${PATH}/gksudo
deny ${PATH}/gpasswd
deny ${PATH}/kdesudo
deny ${PATH}/ksu
deny ${PATH}/mount
deny ${PATH}/mount.ecryptfs_private
deny ${PATH}/nc
deny ${PATH}/ncat
deny ${PATH}/nmap
deny ${PATH}/newgidmap
deny ${PATH}/newgrp
deny ${PATH}/newuidmap
deny ${PATH}/ntfs-3g
deny ${PATH}/pkexec
deny ${PATH}/procmail
deny ${PATH}/sg
deny ${PATH}/strace
deny ${PATH}/su
deny ${PATH}/sudo
deny ${PATH}/tcpdump
deny ${PATH}/umount
deny ${PATH}/unix_chkpwd
deny ${PATH}/xev
deny ${PATH}/xinput
# other SUID binaries
blacklist /usr/lib/virtualbox
blacklist /usr/lib64/virtualbox
deny /usr/lib/virtualbox
deny /usr/lib64/virtualbox
# prevent lxterminal connecting to an existing lxterminal session
blacklist /tmp/.lxterminal-socket*
deny /tmp/.lxterminal-socket*
# prevent tmux connecting to an existing session
blacklist /tmp/tmux-*
deny /tmp/tmux-*
# disable terminals running as server resulting in sandbox escape
blacklist ${PATH}/lxterminal
blacklist ${PATH}/gnome-terminal
blacklist ${PATH}/gnome-terminal.wrapper
blacklist ${PATH}/lilyterm
blacklist ${PATH}/mate-terminal
blacklist ${PATH}/mate-terminal.wrapper
blacklist ${PATH}/pantheon-terminal
blacklist ${PATH}/roxterm
blacklist ${PATH}/roxterm-config
blacklist ${PATH}/terminix
blacklist ${PATH}/tilix
blacklist ${PATH}/urxvtc
blacklist ${PATH}/urxvtcd
blacklist ${PATH}/xfce4-terminal
blacklist ${PATH}/xfce4-terminal.wrapper
deny ${PATH}/lxterminal
deny ${PATH}/gnome-terminal
deny ${PATH}/gnome-terminal.wrapper
deny ${PATH}/lilyterm
deny ${PATH}/mate-terminal
deny ${PATH}/mate-terminal.wrapper
deny ${PATH}/pantheon-terminal
deny ${PATH}/roxterm
deny ${PATH}/roxterm-config
deny ${PATH}/terminix
deny ${PATH}/tilix
deny ${PATH}/urxvtc
deny ${PATH}/urxvtcd
deny ${PATH}/xfce4-terminal
deny ${PATH}/xfce4-terminal.wrapper
# blacklist ${PATH}/konsole
# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
# kernel files
blacklist /initrd*
blacklist /vmlinuz*
deny /initrd*
deny /vmlinuz*
# snapshot files
blacklist /.snapshots
deny /.snapshots
# flatpak
blacklist ${HOME}/.cache/flatpak
blacklist ${HOME}/.config/flatpak
noblacklist ${HOME}/.local/share/flatpak/exports
deny ${HOME}/.cache/flatpak
deny ${HOME}/.config/flatpak
nodeny ${HOME}/.local/share/flatpak/exports
read-only ${HOME}/.local/share/flatpak/exports
blacklist ${HOME}/.local/share/flatpak/*
blacklist ${HOME}/.var
blacklist ${RUNUSER}/app
blacklist ${RUNUSER}/doc
blacklist ${RUNUSER}/.dbus-proxy
blacklist ${RUNUSER}/.flatpak
blacklist ${RUNUSER}/.flatpak-cache
blacklist ${RUNUSER}/.flatpak-helper
blacklist /usr/share/flatpak
noblacklist /var/lib/flatpak/exports
blacklist /var/lib/flatpak/*
deny ${HOME}/.local/share/flatpak/*
deny ${HOME}/.var
deny ${RUNUSER}/app
deny ${RUNUSER}/doc
deny ${RUNUSER}/.dbus-proxy
deny ${RUNUSER}/.flatpak
deny ${RUNUSER}/.flatpak-cache
deny ${RUNUSER}/.flatpak-helper
deny /usr/share/flatpak
nodeny /var/lib/flatpak/exports
deny /var/lib/flatpak/*
# most of the time bwrap is SUID binary
blacklist ${PATH}/bwrap
deny ${PATH}/bwrap
# snap
blacklist ${RUNUSER}/snapd-session-agent.socket
deny ${RUNUSER}/snapd-session-agent.socket
# mail directories used by mutt
blacklist ${HOME}/.Mail
blacklist ${HOME}/.mail
blacklist ${HOME}/.signature
blacklist ${HOME}/Mail
blacklist ${HOME}/mail
blacklist ${HOME}/postponed
blacklist ${HOME}/sent
deny ${HOME}/.Mail
deny ${HOME}/.mail
deny ${HOME}/.signature
deny ${HOME}/Mail
deny ${HOME}/mail
deny ${HOME}/postponed
deny ${HOME}/sent
# kernel configuration
blacklist /proc/config.gz
deny /proc/config.gz
# prevent DNS malware attempting to communicate with the server
# using regular DNS tools
blacklist ${PATH}/dig
blacklist ${PATH}/dlint
blacklist ${PATH}/dns2tcp
blacklist ${PATH}/dnssec-*
blacklist ${PATH}/dnswalk
blacklist ${PATH}/drill
blacklist ${PATH}/host
blacklist ${PATH}/iodine
blacklist ${PATH}/kdig
blacklist ${PATH}/khost
blacklist ${PATH}/knsupdate
blacklist ${PATH}/ldns-*
blacklist ${PATH}/ldnsd
blacklist ${PATH}/nslookup
blacklist ${PATH}/resolvectl
blacklist ${PATH}/unbound-host
deny ${PATH}/dig
deny ${PATH}/dlint
deny ${PATH}/dns2tcp
deny ${PATH}/dnssec-*
deny ${PATH}/dnswalk
deny ${PATH}/drill
deny ${PATH}/host
deny ${PATH}/iodine
deny ${PATH}/kdig
deny ${PATH}/khost
deny ${PATH}/knsupdate
deny ${PATH}/ldns-*
deny ${PATH}/ldnsd
deny ${PATH}/nslookup
deny ${PATH}/resolvectl
deny ${PATH}/unbound-host
# rest of ${RUNUSER}
blacklist ${RUNUSER}/*.lock
blacklist ${RUNUSER}/inaccessible
blacklist ${RUNUSER}/pk-debconf-socket
blacklist ${RUNUSER}/update-notifier.pid
deny ${RUNUSER}/*.lock
deny ${RUNUSER}/inaccessible
deny ${RUNUSER}/pk-debconf-socket
deny ${RUNUSER}/update-notifier.pid


@ -5,65 +5,65 @@ include disable-devel.local
# development tools
# clang/llvm
blacklist ${PATH}/clang*
blacklist ${PATH}/lldb*
blacklist ${PATH}/llvm*
deny ${PATH}/clang*
deny ${PATH}/lldb*
deny ${PATH}/llvm*
# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
# blacklist /usr/lib/llvm*
# GCC
blacklist ${PATH}/as
blacklist ${PATH}/cc
blacklist ${PATH}/c++*
blacklist ${PATH}/c8*
blacklist ${PATH}/c9*
blacklist ${PATH}/cpp*
blacklist ${PATH}/g++*
blacklist ${PATH}/gcc*
blacklist ${PATH}/gdb
blacklist ${PATH}/ld
blacklist ${PATH}/*-gcc*
blacklist ${PATH}/*-g++*
blacklist ${PATH}/*-gcc*
blacklist ${PATH}/*-g++*
deny ${PATH}/as
deny ${PATH}/cc
deny ${PATH}/c++*
deny ${PATH}/c8*
deny ${PATH}/c9*
deny ${PATH}/cpp*
deny ${PATH}/g++*
deny ${PATH}/gcc*
deny ${PATH}/gdb
deny ${PATH}/ld
deny ${PATH}/*-gcc*
deny ${PATH}/*-g++*
deny ${PATH}/*-gcc*
deny ${PATH}/*-g++*
# seems to create problems on Gentoo
#blacklist /usr/lib/gcc
#Go
blacklist ${PATH}/gccgo
blacklist ${PATH}/go
blacklist ${PATH}/gofmt
deny ${PATH}/gccgo
deny ${PATH}/go
deny ${PATH}/gofmt
# Java
blacklist ${PATH}/java
blacklist ${PATH}/javac
blacklist /etc/java
blacklist /usr/lib/java
blacklist /usr/share/java
deny ${PATH}/java
deny ${PATH}/javac
deny /etc/java
deny /usr/lib/java
deny /usr/share/java
#OpenSSL
blacklist ${PATH}/openssl
blacklist ${PATH}/openssl-1.0
deny ${PATH}/openssl
deny ${PATH}/openssl-1.0
#Rust
blacklist ${PATH}/rust-gdb
blacklist ${PATH}/rust-lldb
blacklist ${PATH}/rustc
blacklist ${HOME}/.rustup
deny ${PATH}/rust-gdb
deny ${PATH}/rust-lldb
deny ${PATH}/rustc
deny ${HOME}/.rustup
# tcc - Tiny C Compiler
blacklist ${PATH}/tcc
blacklist ${PATH}/x86_64-tcc
blacklist /usr/lib/tcc
deny ${PATH}/tcc
deny ${PATH}/x86_64-tcc
deny /usr/lib/tcc
# Valgrind
blacklist ${PATH}/valgrind*
blacklist /usr/lib/valgrind
deny ${PATH}/valgrind*
deny /usr/lib/valgrind
# Source-Code
blacklist /usr/src
blacklist /usr/local/src
blacklist /usr/include
blacklist /usr/local/include
deny /usr/src
deny /usr/local/src
deny /usr/include
deny /usr/local/include
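Review bot: The GCC group ends with `deny ${PATH}/*-gcc*` and `deny ${PATH}/*-g++*` each listed twice, a duplication carried over unchanged from the old `blacklist` lines. The second pair adds nothing and can be dropped. If it was meant to cover a different cross-toolchain pattern, that pattern is currently not denied, which is worth checking against the intent of this list.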


@ -3,66 +3,66 @@
include disable-interpreters.local
# gjs
blacklist ${PATH}/gjs
blacklist ${PATH}/gjs-console
blacklist /usr/lib/gjs
blacklist /usr/lib/libgjs*
blacklist /usr/lib64/gjs
blacklist /usr/lib64/libgjs*
deny ${PATH}/gjs
deny ${PATH}/gjs-console
deny /usr/lib/gjs
deny /usr/lib/libgjs*
deny /usr/lib64/gjs
deny /usr/lib64/libgjs*
# Lua
blacklist ${PATH}/lua*
blacklist /usr/include/lua*
blacklist /usr/lib/liblua*
blacklist /usr/lib/lua
blacklist /usr/lib64/liblua*
blacklist /usr/lib64/lua
blacklist /usr/share/lua*
deny ${PATH}/lua*
deny /usr/include/lua*
deny /usr/lib/liblua*
deny /usr/lib/lua
deny /usr/lib64/liblua*
deny /usr/lib64/lua
deny /usr/share/lua*
# mozjs
blacklist /usr/lib/libmozjs-*
blacklist /usr/lib64/libmozjs-*
deny /usr/lib/libmozjs-*
deny /usr/lib64/libmozjs-*
# Node.js
blacklist ${PATH}/node
blacklist /usr/include/node
deny ${PATH}/node
deny /usr/include/node
# nvm
blacklist ${HOME}/.nvm
deny ${HOME}/.nvm
# Perl
blacklist ${PATH}/core_perl
blacklist ${PATH}/cpan*
blacklist ${PATH}/perl
blacklist ${PATH}/site_perl
blacklist ${PATH}/vendor_perl
blacklist /usr/lib/perl*
blacklist /usr/lib64/perl*
blacklist /usr/share/perl*
deny ${PATH}/core_perl
deny ${PATH}/cpan*
deny ${PATH}/perl
deny ${PATH}/site_perl
deny ${PATH}/vendor_perl
deny /usr/lib/perl*
deny /usr/lib64/perl*
deny /usr/share/perl*
# PHP
blacklist ${PATH}/php*
blacklist /usr/lib/php*
blacklist /usr/share/php*
deny ${PATH}/php*
deny /usr/lib/php*
deny /usr/share/php*
# Ruby
blacklist ${PATH}/ruby
blacklist /usr/lib/ruby
deny ${PATH}/ruby
deny /usr/lib/ruby
# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
# Python 2
blacklist ${PATH}/python2*
blacklist /usr/include/python2*
blacklist /usr/lib/python2*
blacklist /usr/local/lib/python2*
blacklist /usr/share/python2*
deny ${PATH}/python2*
deny /usr/include/python2*
deny /usr/lib/python2*
deny /usr/local/lib/python2*
deny /usr/share/python2*
# You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
# Python 3
blacklist ${PATH}/python3*
blacklist /usr/include/python3*
blacklist /usr/lib/python3*
blacklist /usr/lib64/python3*
blacklist /usr/local/lib/python3*
blacklist /usr/share/python3*
deny ${PATH}/python3*
deny /usr/include/python3*
deny /usr/lib/python3*
deny /usr/lib64/python3*
deny /usr/local/lib/python3*
deny /usr/share/python3*


@ -2,18 +2,18 @@
# Persistent customizations should go in a .local file.
include disable-passwdmgr.local
blacklist ${HOME}/.config/Bitwarden
blacklist ${HOME}/.config/KeePass
blacklist ${HOME}/.config/keepass
blacklist ${HOME}/.config/keepassx
blacklist ${HOME}/.config/keepassxc
blacklist ${HOME}/.config/KeePassXCrc
blacklist ${HOME}/.config/Sinew Software Systems
blacklist ${HOME}/.fpm
blacklist ${HOME}/.keepass
blacklist ${HOME}/.keepassx
blacklist ${HOME}/.keepassxc
blacklist ${HOME}/.lastpass
blacklist ${HOME}/.local/share/KeePass
blacklist ${HOME}/.local/share/keepass
blacklist ${HOME}/.password-store
deny ${HOME}/.config/Bitwarden
deny ${HOME}/.config/KeePass
deny ${HOME}/.config/keepass
deny ${HOME}/.config/keepassx
deny ${HOME}/.config/keepassxc
deny ${HOME}/.config/KeePassXCrc
deny ${HOME}/.config/Sinew Software Systems
deny ${HOME}/.fpm
deny ${HOME}/.keepass
deny ${HOME}/.keepassx
deny ${HOME}/.keepassxc
deny ${HOME}/.lastpass
deny ${HOME}/.local/share/KeePass
deny ${HOME}/.local/share/keepass
deny ${HOME}/.password-store
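Review bot: The header comment kept at the top of this section still sends users to `disable-passwdmgr.local` for persistent customizations, but nothing says which keyword spelling such a file should use after the rename. Existing `.local` files were written with `blacklist`/`noblacklist`/`whitelist`, and this page does not show whether the parser still accepts those spellings; if it does not, a user's extra deny rules for password-manager directories could stop applying or fail to load after the upgrade. I would add a line under the header such as `# Directives in .local files use the same keywords as this file (deny, nodeny, allow).` and, if the old names remain as aliases, state that there too. The same applies to every profile in this commit that includes a `.local` file.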

File diff suppressed because it is too large Load diff


@ -2,14 +2,14 @@
# Persistent customizations should go in a .local file.
include disable-shell.local
blacklist ${PATH}/bash
blacklist ${PATH}/csh
blacklist ${PATH}/dash
blacklist ${PATH}/fish
blacklist ${PATH}/ksh
blacklist ${PATH}/mksh
blacklist ${PATH}/oksh
blacklist ${PATH}/sh
blacklist ${PATH}/tclsh
blacklist ${PATH}/tcsh
blacklist ${PATH}/zsh
deny ${PATH}/bash
deny ${PATH}/csh
deny ${PATH}/dash
deny ${PATH}/fish
deny ${PATH}/ksh
deny ${PATH}/mksh
deny ${PATH}/oksh
deny ${PATH}/sh
deny ${PATH}/tclsh
deny ${PATH}/tcsh
deny ${PATH}/zsh


@ -2,10 +2,10 @@
# Persistent customizations should go in a .local file.
include disable-xdg.local
blacklist ${DOCUMENTS}
blacklist ${MUSIC}
blacklist ${PICTURES}
blacklist ${VIDEOS}
deny ${DOCUMENTS}
deny ${MUSIC}
deny ${PICTURES}
deny ${VIDEOS}
# The following should be considered catch-all directories
#blacklist ${DESKTOP}
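Review bot: The commented-out rule on the last line of this section is still spelled `#blacklist ${DESKTOP}` while every active rule above it was renamed to `deny`, so a user who uncomments it gets the old keyword. It should read `#deny ${DESKTOP}`. The same leftover appears in later sections of this commit: the `#whitelist ${HOME}/...` lines in the alpine and artha profiles and `#noblacklist ${HOME}/.local/share` in the atril profile, which would become `#allow` and `#nodeny`. Comments such as `# Allow java (blacklisted by disable-devel.inc)` also keep the old term and could be reworded to match the new directive names.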


@ -3,27 +3,27 @@
include whitelist-1793-workaround.local
# This works around bug 1793, and allows whitelisting to be used for some KDE applications.
noblacklist ${HOME}/.config/ibus
noblacklist ${HOME}/.config/mimeapps.list
noblacklist ${HOME}/.config/pkcs11
noblacklist ${HOME}/.config/user-dirs.dirs
noblacklist ${HOME}/.config/user-dirs.locale
noblacklist ${HOME}/.config/dconf
noblacklist ${HOME}/.config/fontconfig
noblacklist ${HOME}/.config/gtk-2.0
noblacklist ${HOME}/.config/gtk-3.0
noblacklist ${HOME}/.config/gtk-4.0
noblacklist ${HOME}/.config/gtkrc
noblacklist ${HOME}/.config/gtkrc-2.0
noblacklist ${HOME}/.config/Kvantum
noblacklist ${HOME}/.config/Trolltech.conf
noblacklist ${HOME}/.config/QtProject.conf
noblacklist ${HOME}/.config/kdeglobals
noblacklist ${HOME}/.config/kio_httprc
noblacklist ${HOME}/.config/kioslaverc
noblacklist ${HOME}/.config/ksslcablacklist
noblacklist ${HOME}/.config/qt5ct
noblacklist ${HOME}/.config/qtcurve
nodeny ${HOME}/.config/ibus
nodeny ${HOME}/.config/mimeapps.list
nodeny ${HOME}/.config/pkcs11
nodeny ${HOME}/.config/user-dirs.dirs
nodeny ${HOME}/.config/user-dirs.locale
nodeny ${HOME}/.config/dconf
nodeny ${HOME}/.config/fontconfig
nodeny ${HOME}/.config/gtk-2.0
nodeny ${HOME}/.config/gtk-3.0
nodeny ${HOME}/.config/gtk-4.0
nodeny ${HOME}/.config/gtkrc
nodeny ${HOME}/.config/gtkrc-2.0
nodeny ${HOME}/.config/Kvantum
nodeny ${HOME}/.config/Trolltech.conf
nodeny ${HOME}/.config/QtProject.conf
nodeny ${HOME}/.config/kdeglobals
nodeny ${HOME}/.config/kio_httprc
nodeny ${HOME}/.config/kioslaverc
nodeny ${HOME}/.config/ksslcablacklist
nodeny ${HOME}/.config/qt5ct
nodeny ${HOME}/.config/qtcurve
blacklist ${HOME}/.config/*
whitelist ${HOME}/.config
deny ${HOME}/.config/*
allow ${HOME}/.config


@ -4,82 +4,82 @@ include whitelist-common.local
# common whitelist for all profiles
whitelist ${HOME}/.XCompose
whitelist ${HOME}/.alsaequal.bin
whitelist ${HOME}/.asoundrc
whitelist ${HOME}/.config/ibus
whitelist ${HOME}/.config/mimeapps.list
whitelist ${HOME}/.config/pkcs11
allow ${HOME}/.XCompose
allow ${HOME}/.alsaequal.bin
allow ${HOME}/.asoundrc
allow ${HOME}/.config/ibus
allow ${HOME}/.config/mimeapps.list
allow ${HOME}/.config/pkcs11
read-only ${HOME}/.config/pkcs11
whitelist ${HOME}/.config/user-dirs.dirs
allow ${HOME}/.config/user-dirs.dirs
read-only ${HOME}/.config/user-dirs.dirs
whitelist ${HOME}/.config/user-dirs.locale
allow ${HOME}/.config/user-dirs.locale
read-only ${HOME}/.config/user-dirs.locale
whitelist ${HOME}/.drirc
whitelist ${HOME}/.icons
allow ${HOME}/.drirc
allow ${HOME}/.icons
?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
whitelist ${HOME}/.local/share/applications
allow ${HOME}/.local/share/applications
read-only ${HOME}/.local/share/applications
whitelist ${HOME}/.local/share/icons
whitelist ${HOME}/.local/share/mime
whitelist ${HOME}/.mime.types
whitelist ${HOME}/.sndio/cookie
whitelist ${HOME}/.uim.d
allow ${HOME}/.local/share/icons
allow ${HOME}/.local/share/mime
allow ${HOME}/.mime.types
allow ${HOME}/.sndio/cookie
allow ${HOME}/.uim.d
# dconf
mkdir ${HOME}/.config/dconf
whitelist ${HOME}/.config/dconf
allow ${HOME}/.config/dconf
# fonts
whitelist ${HOME}/.cache/fontconfig
whitelist ${HOME}/.config/fontconfig
whitelist ${HOME}/.fontconfig
whitelist ${HOME}/.fonts
whitelist ${HOME}/.fonts.conf
whitelist ${HOME}/.fonts.conf.d
whitelist ${HOME}/.fonts.d
whitelist ${HOME}/.local/share/fonts
whitelist ${HOME}/.pangorc
allow ${HOME}/.cache/fontconfig
allow ${HOME}/.config/fontconfig
allow ${HOME}/.fontconfig
allow ${HOME}/.fonts
allow ${HOME}/.fonts.conf
allow ${HOME}/.fonts.conf.d
allow ${HOME}/.fonts.d
allow ${HOME}/.local/share/fonts
allow ${HOME}/.pangorc
# gtk
whitelist ${HOME}/.config/gtk-2.0
whitelist ${HOME}/.config/gtk-3.0
whitelist ${HOME}/.config/gtk-4.0
whitelist ${HOME}/.config/gtkrc
whitelist ${HOME}/.config/gtkrc-2.0
whitelist ${HOME}/.gnome2
whitelist ${HOME}/.gnome2-private
whitelist ${HOME}/.gtk-2.0
whitelist ${HOME}/.gtkrc
whitelist ${HOME}/.gtkrc-2.0
whitelist ${HOME}/.kde/share/config/gtkrc
whitelist ${HOME}/.kde/share/config/gtkrc-2.0
whitelist ${HOME}/.kde4/share/config/gtkrc
whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
whitelist ${HOME}/.local/share/themes
whitelist ${HOME}/.themes
allow ${HOME}/.config/gtk-2.0
allow ${HOME}/.config/gtk-3.0
allow ${HOME}/.config/gtk-4.0
allow ${HOME}/.config/gtkrc
allow ${HOME}/.config/gtkrc-2.0
allow ${HOME}/.gnome2
allow ${HOME}/.gnome2-private
allow ${HOME}/.gtk-2.0
allow ${HOME}/.gtkrc
allow ${HOME}/.gtkrc-2.0
allow ${HOME}/.kde/share/config/gtkrc
allow ${HOME}/.kde/share/config/gtkrc-2.0
allow ${HOME}/.kde4/share/config/gtkrc
allow ${HOME}/.kde4/share/config/gtkrc-2.0
allow ${HOME}/.local/share/themes
allow ${HOME}/.themes
# qt/kde
whitelist ${HOME}/.cache/kioexec/krun
whitelist ${HOME}/.config/Kvantum
whitelist ${HOME}/.config/Trolltech.conf
whitelist ${HOME}/.config/QtProject.conf
whitelist ${HOME}/.config/kdeglobals
whitelist ${HOME}/.config/kio_httprc
whitelist ${HOME}/.config/kioslaverc
whitelist ${HOME}/.config/ksslcablacklist
whitelist ${HOME}/.config/qt5ct
whitelist ${HOME}/.config/qtcurve
whitelist ${HOME}/.kde/share/config/kdeglobals
whitelist ${HOME}/.kde/share/config/kio_httprc
whitelist ${HOME}/.kde/share/config/kioslaverc
whitelist ${HOME}/.kde/share/config/ksslcablacklist
whitelist ${HOME}/.kde/share/config/oxygenrc
whitelist ${HOME}/.kde/share/icons
whitelist ${HOME}/.kde4/share/config/kdeglobals
whitelist ${HOME}/.kde4/share/config/kio_httprc
whitelist ${HOME}/.kde4/share/config/kioslaverc
whitelist ${HOME}/.kde4/share/config/ksslcablacklist
whitelist ${HOME}/.kde4/share/config/oxygenrc
whitelist ${HOME}/.kde4/share/icons
whitelist ${HOME}/.local/share/qt5ct
allow ${HOME}/.cache/kioexec/krun
allow ${HOME}/.config/Kvantum
allow ${HOME}/.config/Trolltech.conf
allow ${HOME}/.config/QtProject.conf
allow ${HOME}/.config/kdeglobals
allow ${HOME}/.config/kio_httprc
allow ${HOME}/.config/kioslaverc
allow ${HOME}/.config/ksslcablacklist
allow ${HOME}/.config/qt5ct
allow ${HOME}/.config/qtcurve
allow ${HOME}/.kde/share/config/kdeglobals
allow ${HOME}/.kde/share/config/kio_httprc
allow ${HOME}/.kde/share/config/kioslaverc
allow ${HOME}/.kde/share/config/ksslcablacklist
allow ${HOME}/.kde/share/config/oxygenrc
allow ${HOME}/.kde/share/icons
allow ${HOME}/.kde4/share/config/kdeglobals
allow ${HOME}/.kde4/share/config/kio_httprc
allow ${HOME}/.kde4/share/config/kioslaverc
allow ${HOME}/.kde4/share/config/ksslcablacklist
allow ${HOME}/.kde4/share/config/oxygenrc
allow ${HOME}/.kde4/share/icons
allow ${HOME}/.local/share/qt5ct
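Review bot: The conditional line `?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit` was not renamed, although every unconditional `whitelist` line around it became `allow`; the rename appears to have matched only lines that begin with the keyword. Whether the old spelling is still parsed is not visible on this page, so at best the file now mixes two spellings and at worst the appimagekit rule is rejected or skipped when HAS_APPIMAGE is set. I would change it to `?HAS_APPIMAGE: allow ${HOME}/.local/share/appimagekit` and search the other profiles for keyword lines that sit behind a `?CONDITION:` prefix.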


@ -4,8 +4,8 @@ include whitelist-player-common.local
# common whitelist for all media players
whitelist ${DESKTOP}
whitelist ${DOWNLOADS}
whitelist ${MUSIC}
whitelist ${PICTURES}
whitelist ${VIDEOS}
allow ${DESKTOP}
allow ${DOWNLOADS}
allow ${MUSIC}
allow ${PICTURES}
allow ${VIDEOS}


@ -4,13 +4,13 @@ include whitelist-runuser-common.local
# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
whitelist ${RUNUSER}/bus
whitelist ${RUNUSER}/dconf
whitelist ${RUNUSER}/gdm/Xauthority
whitelist ${RUNUSER}/ICEauthority
whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
whitelist ${RUNUSER}/pulse/native
whitelist ${RUNUSER}/wayland-0
whitelist ${RUNUSER}/wayland-1
whitelist ${RUNUSER}/xauth_*
whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
allow ${RUNUSER}/bus
allow ${RUNUSER}/dconf
allow ${RUNUSER}/gdm/Xauthority
allow ${RUNUSER}/ICEauthority
allow ${RUNUSER}/.mutter-Xwaylandauth.*
allow ${RUNUSER}/pulse/native
allow ${RUNUSER}/wayland-0
allow ${RUNUSER}/wayland-1
allow ${RUNUSER}/xauth_*
allow ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
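Review bot: The last rule in this section, the UUID-shaped `[[:xdigit:]]` glob under `${RUNUSER}`, has no comment saying which file it is meant to expose, unlike the other entries whose names identify them. This list is described as common to all profiles and sits next to X11 and Wayland authority files, so a reader auditing the sandbox cannot tell what is being let through. I would add a comment above it naming the producer of that file, for example `# <program> writes its <file kind> under a UUID-named path`, with the placeholders filled in by someone who knows the origin.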


@ -4,66 +4,66 @@ include whitelist-usr-share-common.local
# common /usr/share whitelist for all profiles
whitelist /usr/share/alsa
whitelist /usr/share/applications
whitelist /usr/share/ca-certificates
whitelist /usr/share/crypto-policies
whitelist /usr/share/cursors
whitelist /usr/share/dconf
whitelist /usr/share/distro-info
whitelist /usr/share/drirc.d
whitelist /usr/share/enchant
whitelist /usr/share/enchant-2
whitelist /usr/share/file
whitelist /usr/share/fontconfig
whitelist /usr/share/fonts
whitelist /usr/share/fonts-config
whitelist /usr/share/gir-1.0
whitelist /usr/share/gjs-1.0
whitelist /usr/share/glib-2.0
whitelist /usr/share/glvnd
whitelist /usr/share/gtk-2.0
whitelist /usr/share/gtk-3.0
whitelist /usr/share/gtk-engines
whitelist /usr/share/gtksourceview-3.0
whitelist /usr/share/gtksourceview-4
whitelist /usr/share/hunspell
whitelist /usr/share/hwdata
whitelist /usr/share/icons
whitelist /usr/share/icu
whitelist /usr/share/knotifications5
whitelist /usr/share/kservices5
whitelist /usr/share/Kvantum
whitelist /usr/share/kxmlgui5
whitelist /usr/share/libdrm
whitelist /usr/share/libthai
whitelist /usr/share/locale
whitelist /usr/share/mime
whitelist /usr/share/misc
whitelist /usr/share/Modules
whitelist /usr/share/myspell
whitelist /usr/share/p11-kit
whitelist /usr/share/perl
whitelist /usr/share/perl5
whitelist /usr/share/pixmaps
whitelist /usr/share/pki
whitelist /usr/share/plasma
whitelist /usr/share/publicsuffix
whitelist /usr/share/qt
whitelist /usr/share/qt4
whitelist /usr/share/qt5
whitelist /usr/share/qt5ct
whitelist /usr/share/sounds
whitelist /usr/share/tcl8.6
whitelist /usr/share/tcltk
whitelist /usr/share/terminfo
whitelist /usr/share/texlive
whitelist /usr/share/texmf
whitelist /usr/share/themes
whitelist /usr/share/thumbnail.so
whitelist /usr/share/uim
whitelist /usr/share/vulkan
whitelist /usr/share/X11
whitelist /usr/share/xml
whitelist /usr/share/zenity
whitelist /usr/share/zoneinfo
allow /usr/share/alsa
allow /usr/share/applications
allow /usr/share/ca-certificates
allow /usr/share/crypto-policies
allow /usr/share/cursors
allow /usr/share/dconf
allow /usr/share/distro-info
allow /usr/share/drirc.d
allow /usr/share/enchant
allow /usr/share/enchant-2
allow /usr/share/file
allow /usr/share/fontconfig
allow /usr/share/fonts
allow /usr/share/fonts-config
allow /usr/share/gir-1.0
allow /usr/share/gjs-1.0
allow /usr/share/glib-2.0
allow /usr/share/glvnd
allow /usr/share/gtk-2.0
allow /usr/share/gtk-3.0
allow /usr/share/gtk-engines
allow /usr/share/gtksourceview-3.0
allow /usr/share/gtksourceview-4
allow /usr/share/hunspell
allow /usr/share/hwdata
allow /usr/share/icons
allow /usr/share/icu
allow /usr/share/knotifications5
allow /usr/share/kservices5
allow /usr/share/Kvantum
allow /usr/share/kxmlgui5
allow /usr/share/libdrm
allow /usr/share/libthai
allow /usr/share/locale
allow /usr/share/mime
allow /usr/share/misc
allow /usr/share/Modules
allow /usr/share/myspell
allow /usr/share/p11-kit
allow /usr/share/perl
allow /usr/share/perl5
allow /usr/share/pixmaps
allow /usr/share/pki
allow /usr/share/plasma
allow /usr/share/publicsuffix
allow /usr/share/qt
allow /usr/share/qt4
allow /usr/share/qt5
allow /usr/share/qt5ct
allow /usr/share/sounds
allow /usr/share/tcl8.6
allow /usr/share/tcltk
allow /usr/share/terminfo
allow /usr/share/texlive
allow /usr/share/texmf
allow /usr/share/themes
allow /usr/share/thumbnail.so
allow /usr/share/uim
allow /usr/share/vulkan
allow /usr/share/X11
allow /usr/share/xml
allow /usr/share/zenity
allow /usr/share/zoneinfo


@ -4,12 +4,12 @@ include whitelist-var-common.local
# common /var whitelist for all profiles
whitelist /var/lib/aspell
whitelist /var/lib/ca-certificates
whitelist /var/lib/dbus
whitelist /var/lib/menu-xdg
whitelist /var/lib/uim
whitelist /var/cache/fontconfig
whitelist /var/tmp
whitelist /var/run
whitelist /var/lock
allow /var/lib/aspell
allow /var/lib/ca-certificates
allow /var/lib/dbus
allow /var/lib/menu-xdg
allow /var/lib/uim
allow /var/cache/fontconfig
allow /var/tmp
allow /var/run
allow /var/lock


@ -6,11 +6,11 @@ include 0ad.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.cache/0ad
noblacklist ${HOME}/.config/0ad
noblacklist ${HOME}/.local/share/0ad
nodeny ${HOME}/.cache/0ad
nodeny ${HOME}/.config/0ad
nodeny ${HOME}/.local/share/0ad
blacklist /usr/libexec
deny /usr/libexec
include disable-common.inc
include disable-devel.inc
@ -23,11 +23,11 @@ include disable-xdg.inc
mkdir ${HOME}/.cache/0ad
mkdir ${HOME}/.config/0ad
mkdir ${HOME}/.local/share/0ad
whitelist ${HOME}/.cache/0ad
whitelist ${HOME}/.config/0ad
whitelist ${HOME}/.local/share/0ad
whitelist /usr/share/0ad
whitelist /usr/share/games
allow ${HOME}/.cache/0ad
allow ${HOME}/.config/0ad
allow ${HOME}/.local/share/0ad
allow /usr/share/0ad
allow /usr/share/games
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -6,8 +6,8 @@ include 2048-qt.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/2048-qt
noblacklist ${HOME}/.config/xiaoyong
nodeny ${HOME}/.config/2048-qt
nodeny ${HOME}/.config/xiaoyong
include disable-common.inc
include disable-devel.inc
@ -18,8 +18,8 @@ include disable-programs.inc
mkdir ${HOME}/.config/2048-qt
mkdir ${HOME}/.config/xiaoyong
whitelist ${HOME}/.config/2048-qt
whitelist ${HOME}/.config/xiaoyong
allow ${HOME}/.config/2048-qt
allow ${HOME}/.config/xiaoyong
include whitelist-common.inc
include whitelist-var-common.inc


@ -5,7 +5,7 @@ include Cryptocat.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/Cryptocat
nodeny ${HOME}/.config/Cryptocat
include disable-common.inc
include disable-devel.inc


@ -5,10 +5,10 @@ include Discord.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/discord
nodeny ${HOME}/.config/discord
mkdir ${HOME}/.config/discord
whitelist ${HOME}/.config/discord
allow ${HOME}/.config/discord
private-bin Discord
private-opt Discord


@ -5,10 +5,10 @@ include DiscordCanary.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/discordcanary
nodeny ${HOME}/.config/discordcanary
mkdir ${HOME}/.config/discordcanary
whitelist ${HOME}/.config/discordcanary
allow ${HOME}/.config/discordcanary
private-bin DiscordCanary
private-opt DiscordCanary


@ -6,8 +6,8 @@ include Fritzing.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/Fritzing
noblacklist ${DOCUMENTS}
nodeny ${HOME}/.config/Fritzing
nodeny ${DOCUMENTS}
include disable-common.inc
include disable-devel.inc


@ -5,7 +5,7 @@ include JDownloader.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.jd
nodeny ${HOME}/.jd
# Allow java (blacklisted by disable-devel.inc)
include allow-java.inc
@ -19,8 +19,8 @@ include disable-programs.inc
include disable-xdg.inc
mkdir ${HOME}/.jd
whitelist ${HOME}/.jd
whitelist ${DOWNLOADS}
allow ${HOME}/.jd
allow ${DOWNLOADS}
include whitelist-common.inc
include whitelist-var-common.inc


@ -6,7 +6,7 @@ include abiword.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/abiword
nodeny ${HOME}/.config/abiword
include disable-common.inc
include disable-devel.inc
@ -16,7 +16,7 @@ include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
whitelist /usr/share/abiword-3.0
allow /usr/share/abiword-3.0
include whitelist-usr-share-common.inc
include whitelist-runuser-common.inc
include whitelist-var-common.inc


@ -5,13 +5,13 @@ include abrowser.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
nodeny ${HOME}/.cache/mozilla
nodeny ${HOME}/.mozilla
mkdir ${HOME}/.cache/mozilla/abrowser
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/abrowser
whitelist ${HOME}/.mozilla
allow ${HOME}/.cache/mozilla/abrowser
allow ${HOME}/.mozilla
# private-etc must first be enabled in firefox-common.profile
#private-etc abrowser


@ -7,8 +7,8 @@ include agetpkg.local
# Persistent global definitions
include globals.local
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
deny /tmp/.X11-unix
deny ${RUNUSER}/wayland-*
# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
@ -23,7 +23,7 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
whitelist ${DOWNLOADS}
allow ${DOWNLOADS}
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -4,22 +4,22 @@ include akonadi_control.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.cache/akonadi*
noblacklist ${HOME}/.config/akonadi*
noblacklist ${HOME}/.config/baloorc
noblacklist ${HOME}/.config/emaildefaults
noblacklist ${HOME}/.config/emailidentities
noblacklist ${HOME}/.config/kmail2rc
noblacklist ${HOME}/.config/mailtransports
noblacklist ${HOME}/.config/specialmailcollectionsrc
noblacklist ${HOME}/.local/share/akonadi*
noblacklist ${HOME}/.local/share/apps/korganizer
noblacklist ${HOME}/.local/share/contacts
noblacklist ${HOME}/.local/share/local-mail
noblacklist ${HOME}/.local/share/notes
noblacklist /sbin
noblacklist /tmp/akonadi-*
noblacklist /usr/sbin
nodeny ${HOME}/.cache/akonadi*
nodeny ${HOME}/.config/akonadi*
nodeny ${HOME}/.config/baloorc
nodeny ${HOME}/.config/emaildefaults
nodeny ${HOME}/.config/emailidentities
nodeny ${HOME}/.config/kmail2rc
nodeny ${HOME}/.config/mailtransports
nodeny ${HOME}/.config/specialmailcollectionsrc
nodeny ${HOME}/.local/share/akonadi*
nodeny ${HOME}/.local/share/apps/korganizer
nodeny ${HOME}/.local/share/contacts
nodeny ${HOME}/.local/share/local-mail
nodeny ${HOME}/.local/share/notes
nodeny /sbin
nodeny /tmp/akonadi-*
nodeny /usr/sbin
include disable-common.inc
include disable-devel.inc


@ -6,9 +6,9 @@ include akregator.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/akregatorrc
noblacklist ${HOME}/.local/share/akregator
noblacklist ${HOME}/.local/share/kxmlgui5/akregator
nodeny ${HOME}/.config/akregatorrc
nodeny ${HOME}/.local/share/akregator
nodeny ${HOME}/.local/share/kxmlgui5/akregator
include disable-common.inc
include disable-devel.inc
@ -21,10 +21,10 @@ include disable-shell.inc
mkfile ${HOME}/.config/akregatorrc
mkdir ${HOME}/.local/share/akregator
mkdir ${HOME}/.local/share/kxmlgui5/akregator
whitelist ${HOME}/.config/akregatorrc
whitelist ${HOME}/.local/share/akregator
whitelist ${HOME}/.local/share/kssl
whitelist ${HOME}/.local/share/kxmlgui5/akregator
allow ${HOME}/.config/akregatorrc
allow ${HOME}/.local/share/akregator
allow ${HOME}/.local/share/kssl
allow ${HOME}/.local/share/kxmlgui5/akregator
include whitelist-common.inc
include whitelist-var-common.inc


@ -19,13 +19,13 @@ include disable-passwdmgr.inc
include disable-xdg.inc
# Whitelist your system icon directory,varies by distro
whitelist /usr/share/alacarte
whitelist /usr/share/app-info
whitelist /usr/share/desktop-directories
whitelist /usr/share/icons
whitelist /var/lib/app-info/icons
whitelist /var/lib/flatpak/exports/share/applications
whitelist /var/lib/flatpak/exports/share/icons
allow /usr/share/alacarte
allow /usr/share/app-info
allow /usr/share/desktop-directories
allow /usr/share/icons
allow /var/lib/app-info/icons
allow /var/lib/flatpak/exports/share/applications
allow /var/lib/flatpak/exports/share/icons
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -6,7 +6,7 @@ include alienarena.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.local/share/cor-games
nodeny ${HOME}/.local/share/cor-games
include disable-common.inc
include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.local/share/cor-games
whitelist ${HOME}/.local/share/cor-games
whitelist /usr/share/alienarena
allow ${HOME}/.local/share/cor-games
allow /usr/share/alienarena
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc


@ -10,28 +10,28 @@ include globals.local
# Workaround for bug https://github.com/netblue30/firejail/issues/2747
# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
noblacklist /var/mail
noblacklist /var/spool/mail
noblacklist ${DOCUMENTS}
noblacklist ${HOME}/.addressbook
noblacklist ${HOME}/.alpine-smime
noblacklist ${HOME}/.mailcap
noblacklist ${HOME}/.mh_profile
noblacklist ${HOME}/.mime.types
noblacklist ${HOME}/.newsrc
noblacklist ${HOME}/.pine-crash
noblacklist ${HOME}/.pine-debug1
noblacklist ${HOME}/.pine-debug2
noblacklist ${HOME}/.pine-debug3
noblacklist ${HOME}/.pine-debug4
noblacklist ${HOME}/.pine-interrupted-mail
noblacklist ${HOME}/.pinerc
noblacklist ${HOME}/.pinercex
noblacklist ${HOME}/.signature
noblacklist ${HOME}/mail
nodeny /var/mail
nodeny /var/spool/mail
nodeny ${DOCUMENTS}
nodeny ${HOME}/.addressbook
nodeny ${HOME}/.alpine-smime
nodeny ${HOME}/.mailcap
nodeny ${HOME}/.mh_profile
nodeny ${HOME}/.mime.types
nodeny ${HOME}/.newsrc
nodeny ${HOME}/.pine-crash
nodeny ${HOME}/.pine-debug1
nodeny ${HOME}/.pine-debug2
nodeny ${HOME}/.pine-debug3
nodeny ${HOME}/.pine-debug4
nodeny ${HOME}/.pine-interrupted-mail
nodeny ${HOME}/.pinerc
nodeny ${HOME}/.pinercex
nodeny ${HOME}/.signature
nodeny ${HOME}/mail
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
deny /tmp/.X11-unix
deny ${RUNUSER}/wayland-*
include disable-common.inc
include disable-devel.inc
@ -60,8 +60,8 @@ include disable-xdg.inc
#whitelist ${HOME}/.pine-debug4
#whitelist ${HOME}/.signature
#whitelist ${HOME}/mail
whitelist /var/mail
whitelist /var/spool/mail
allow /var/mail
allow /var/spool/mail
#include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc


@ -6,7 +6,7 @@ include amarok.local
# Persistent global definitions
include globals.local
noblacklist ${MUSIC}
nodeny ${MUSIC}
include disable-common.inc
include disable-devel.inc


@ -6,7 +6,7 @@ include amule.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.aMule
nodeny ${HOME}/.aMule
include disable-common.inc
include disable-devel.inc
@ -16,8 +16,8 @@ include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.aMule
whitelist ${DOWNLOADS}
whitelist ${HOME}/.aMule
allow ${DOWNLOADS}
allow ${HOME}/.aMule
include whitelist-common.inc
caps.drop all


@ -5,13 +5,13 @@ include android-studio.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/Google
noblacklist ${HOME}/.AndroidStudio*
noblacklist ${HOME}/.android
noblacklist ${HOME}/.jack-server
noblacklist ${HOME}/.jack-settings
noblacklist ${HOME}/.local/share/JetBrains
noblacklist ${HOME}/.tooling
nodeny ${HOME}/.config/Google
nodeny ${HOME}/.AndroidStudio*
nodeny ${HOME}/.android
nodeny ${HOME}/.jack-server
nodeny ${HOME}/.jack-settings
nodeny ${HOME}/.local/share/JetBrains
nodeny ${HOME}/.tooling
# Allows files commonly used by IDEs
include allow-common-devel.inc


@ -6,8 +6,8 @@ include anki.local
# Persistent global definitions
include globals.local
noblacklist ${DOCUMENTS}
noblacklist ${HOME}/.local/share/Anki2
nodeny ${DOCUMENTS}
nodeny ${HOME}/.local/share/Anki2
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
@ -23,8 +23,8 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.local/share/Anki2
whitelist ${DOCUMENTS}
whitelist ${HOME}/.local/share/Anki2
allow ${DOCUMENTS}
allow ${HOME}/.local/share/Anki2
include whitelist-common.inc
include whitelist-var-common.inc


@ -5,7 +5,7 @@ include anydesk.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.anydesk
nodeny ${HOME}/.anydesk
include disable-common.inc
include disable-devel.inc
@ -15,7 +15,7 @@ include disable-programs.inc
include disable-shell.inc
mkdir ${HOME}/.anydesk
whitelist ${HOME}/.anydesk
allow ${HOME}/.anydesk
include whitelist-common.inc
caps.drop all


@ -5,13 +5,13 @@ include aosp.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.android
noblacklist ${HOME}/.bash_history
noblacklist ${HOME}/.jack-server
noblacklist ${HOME}/.jack-settings
noblacklist ${HOME}/.repo_.gitconfig.json
noblacklist ${HOME}/.repoconfig
noblacklist ${HOME}/.tooling
nodeny ${HOME}/.android
nodeny ${HOME}/.bash_history
nodeny ${HOME}/.jack-server
nodeny ${HOME}/.jack-settings
nodeny ${HOME}/.repo_.gitconfig.json
nodeny ${HOME}/.repoconfig
nodeny ${HOME}/.tooling
# Allows files commonly used by IDEs
include allow-common-devel.inc
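Review bot: `nodeny ${HOME}/.bash_history` exempts the shell history file from deny rules for this profile, and no comment explains why the build tooling needs it. Shell history often holds pasted tokens and command lines with credentials, so this is the entry a reviewer would want justified; the other paths in the list appear to be tool state directories. I would add a line above it such as `# TODO(review): confirm .bash_history is required; drop this nodeny otherwise`. The profile continues past this hunk, so a later rule may narrow the access.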


@ -6,9 +6,9 @@ include apostrophe.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.texlive20*
noblacklist ${DOCUMENTS}
noblacklist ${PICTURES}
nodeny ${HOME}/.texlive20*
nodeny ${DOCUMENTS}
nodeny ${PICTURES}
# Allow lua (blacklisted by disable-interpreters.inc)
include allow-lua.inc
@ -31,12 +31,12 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/apostrophe
whitelist /usr/share/texlive
whitelist /usr/share/texmf
whitelist /usr/share/pandoc-*
whitelist /usr/share/perl5
allow /usr/libexec/webkit2gtk-4.0
allow /usr/share/apostrophe
allow /usr/share/texlive
allow /usr/share/texmf
allow /usr/share/pandoc-*
allow /usr/share/perl5
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -7,7 +7,7 @@ include arch-audit.local
# Persistent global definitions
include globals.local
noblacklist /var/lib/pacman
nodeny /var/lib/pacman
include disable-common.inc
include disable-devel.inc
@ -18,7 +18,7 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
whitelist /usr/share/arch-audit
allow /usr/share/arch-audit
include whitelist-usr-share-common.inc
apparmor


@ -6,7 +6,7 @@ include archaudit-report.local
# Persistent global definitions
include globals.local
noblacklist /var/lib/pacman
nodeny /var/lib/pacman
include disable-common.inc
include disable-devel.inc


@ -4,7 +4,7 @@ include archiver-common.local
# common profile for archiver/compression tools
blacklist ${RUNUSER}
deny ${RUNUSER}
# Comment/uncomment the relevant include file(s) in your archiver-common.local
# to (un)restrict file access for **all** archivers. Another option is to do this **per archiver**


@ -5,12 +5,12 @@ include ardour5.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/ardour4
noblacklist ${HOME}/.config/ardour5
noblacklist ${HOME}/.lv2
noblacklist ${HOME}/.vst
noblacklist ${DOCUMENTS}
noblacklist ${MUSIC}
nodeny ${HOME}/.config/ardour4
nodeny ${HOME}/.config/ardour5
nodeny ${HOME}/.lv2
nodeny ${HOME}/.vst
nodeny ${DOCUMENTS}
nodeny ${MUSIC}
include disable-common.inc
include disable-devel.inc


@ -6,9 +6,9 @@ include arduino.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.arduino15
noblacklist ${HOME}/Arduino
noblacklist ${DOCUMENTS}
nodeny ${HOME}/.arduino15
nodeny ${HOME}/Arduino
nodeny ${DOCUMENTS}
# Allow java (blacklisted by disable-devel.inc)
include allow-java.inc


@ -6,12 +6,12 @@ include aria2c.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.aria2
noblacklist ${HOME}/.config/aria2
noblacklist ${HOME}/.netrc
nodeny ${HOME}/.aria2
nodeny ${HOME}/.config/aria2
nodeny ${HOME}/.netrc
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
deny /tmp/.X11-unix
deny ${RUNUSER}/wayland-*
include disable-common.inc
include disable-devel.inc


@ -6,8 +6,8 @@ include ark.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/arkrc
noblacklist ${HOME}/.local/share/kxmlgui5/ark
nodeny ${HOME}/.config/arkrc
nodeny ${HOME}/.local/share/kxmlgui5/ark
include disable-common.inc
include disable-devel.inc
@ -16,7 +16,7 @@ include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
whitelist /usr/share/ark
allow /usr/share/ark
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -6,7 +6,7 @@ include arm.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.arm
nodeny ${HOME}/.arm
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
@ -20,7 +20,7 @@ include disable-passwdmgr.inc
include disable-programs.inc
mkdir ${HOME}/.arm
whitelist ${HOME}/.arm
allow ${HOME}/.arm
include whitelist-common.inc
caps.drop all


@ -6,12 +6,12 @@ include artha.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/artha.conf
noblacklist ${HOME}/.config/artha.log
noblacklist ${HOME}/.config/enchant
nodeny ${HOME}/.config/artha.conf
nodeny ${HOME}/.config/artha.log
nodeny ${HOME}/.config/enchant
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
deny /tmp/.X11-unix
deny ${RUNUSER}/wayland-*
include disable-common.inc
include disable-devel.inc
@ -28,8 +28,8 @@ include disable-xdg.inc
#whitelist ${HOME}/.config/artha.conf
#whitelist ${HOME}/.config/artha.log
#whitelist ${HOME}/.config/enchant
whitelist /usr/share/artha
whitelist /usr/share/wordnet
allow /usr/share/artha
allow /usr/share/wordnet
#include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -6,7 +6,7 @@ include assogiate.local
# Persistent global definitions
include globals.local
noblacklist ${PICTURES}
nodeny ${PICTURES}
include disable-common.inc
include disable-devel.inc
@ -17,7 +17,7 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
whitelist ${PICTURES}
allow ${PICTURES}
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -6,11 +6,11 @@ include asunder.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/asunder
noblacklist ${HOME}/.asunder_album_genre
noblacklist ${HOME}/.asunder_album_title
noblacklist ${HOME}/.asunder_album_artist
noblacklist ${MUSIC}
nodeny ${HOME}/.config/asunder
nodeny ${HOME}/.asunder_album_genre
nodeny ${HOME}/.asunder_album_title
nodeny ${HOME}/.asunder_album_artist
nodeny ${MUSIC}
include disable-common.inc
include disable-devel.inc


@ -18,8 +18,8 @@ ignore include whitelist-var-common.inc
ignore apparmor
ignore disable-mnt
noblacklist ${HOME}/.atom
noblacklist ${HOME}/.config/Atom
nodeny ${HOME}/.atom
nodeny ${HOME}/.config/Atom
# Allows files commonly used by IDEs
include allow-common-devel.inc


@ -6,9 +6,9 @@ include atril.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.cache/atril
noblacklist ${HOME}/.config/atril
noblacklist ${DOCUMENTS}
nodeny ${HOME}/.cache/atril
nodeny ${HOME}/.config/atril
nodeny ${DOCUMENTS}
#noblacklist ${HOME}/.local/share
# it seems to use only ${HOME}/.local/share/webkitgtk


@ -6,9 +6,9 @@ include audacious.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/Audaciousrc
noblacklist ${HOME}/.config/audacious
noblacklist ${MUSIC}
nodeny ${HOME}/.config/Audaciousrc
nodeny ${HOME}/.config/audacious
nodeny ${MUSIC}
include disable-common.inc
include disable-devel.inc


@ -6,9 +6,9 @@ include audacity.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.audacity-data
noblacklist ${DOCUMENTS}
noblacklist ${MUSIC}
nodeny ${HOME}/.audacity-data
nodeny ${DOCUMENTS}
nodeny ${MUSIC}
include disable-common.inc
include disable-devel.inc


@ -7,7 +7,7 @@ include audio-recorder.local
# Persistent global definitions
include globals.local
noblacklist ${MUSIC}
nodeny ${MUSIC}
include disable-common.inc
include disable-devel.inc
@ -17,10 +17,10 @@ include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
whitelist ${MUSIC}
whitelist ${DOWNLOADS}
whitelist /usr/share/audio-recorder
whitelist /usr/share/gstreamer-1.0
allow ${MUSIC}
allow ${DOWNLOADS}
allow /usr/share/audio-recorder
allow /usr/share/gstreamer-1.0
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -6,7 +6,7 @@ include authenticator-rs.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.local/share/authenticator-rs
nodeny ${HOME}/.local/share/authenticator-rs
include disable-common.inc
include disable-devel.inc
@ -18,9 +18,9 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.local/share/authenticator-rs
whitelist ${HOME}/.local/share/authenticator-rs
whitelist ${DOWNLOADS}
whitelist /usr/share/uk.co.grumlimited.authenticator-rs
allow ${HOME}/.local/share/authenticator-rs
allow ${DOWNLOADS}
allow /usr/share/uk.co.grumlimited.authenticator-rs
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc


@ -6,8 +6,8 @@ include authenticator.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.cache/Authenticator
noblacklist ${HOME}/.config/Authenticator
nodeny ${HOME}/.cache/Authenticator
nodeny ${HOME}/.config/Authenticator
# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc


@ -7,8 +7,8 @@ include autokey-common.local
# added by caller profile
#include globals.local
noblacklist ${HOME}/.config/autokey
noblacklist ${HOME}/.local/share/autokey
nodeny ${HOME}/.config/autokey
nodeny ${HOME}/.local/share/autokey
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc


@ -5,9 +5,9 @@ include avidemux.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.avidemux6
noblacklist ${HOME}/.config/avidemux3_qt5rc
noblacklist ${VIDEOS}
nodeny ${HOME}/.avidemux6
nodeny ${HOME}/.config/avidemux3_qt5rc
nodeny ${VIDEOS}
include disable-common.inc
include disable-devel.inc
@ -20,9 +20,9 @@ include disable-xdg.inc
mkdir ${HOME}/.avidemux6
mkdir ${HOME}/.config/avidemux3_qt5rc
whitelist ${HOME}/.avidemux6
whitelist ${HOME}/.config/avidemux3_qt5rc
whitelist ${VIDEOS}
allow ${HOME}/.avidemux6
allow ${HOME}/.config/avidemux3_qt5rc
allow ${VIDEOS}
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc


@ -6,7 +6,7 @@ include aweather.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/aweather
nodeny ${HOME}/.config/aweather
include disable-common.inc
include disable-devel.inc
@ -16,7 +16,7 @@ include disable-programs.inc
include disable-shell.inc
mkdir ${HOME}/.config/aweather
whitelist ${HOME}/.config/aweather
allow ${HOME}/.config/aweather
include whitelist-common.inc
include whitelist-var-common.inc


@ -7,7 +7,7 @@ include awesome.local
include globals.local
# all applications started in awesome will run in this profile
noblacklist ${HOME}/.config/awesome
nodeny ${HOME}/.config/awesome
include disable-common.inc
caps.drop all


@ -6,7 +6,7 @@ include ballbuster.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.ballbuster.hs
nodeny ${HOME}/.ballbuster.hs
include disable-common.inc
include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
include disable-xdg.inc
mkfile ${HOME}/.ballbuster.hs
whitelist ${HOME}/.ballbuster.hs
whitelist /usr/share/ballbuster
allow ${HOME}/.ballbuster.hs
allow /usr/share/ballbuster
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc


@ -12,12 +12,12 @@ include globals.local
# read-write ${HOME}/.local/share/baloo
# ignore read-write
noblacklist ${HOME}/.config/baloofilerc
noblacklist ${HOME}/.kde/share/config/baloofilerc
noblacklist ${HOME}/.kde/share/config/baloorc
noblacklist ${HOME}/.kde4/share/config/baloofilerc
noblacklist ${HOME}/.kde4/share/config/baloorc
noblacklist ${HOME}/.local/share/baloo
nodeny ${HOME}/.config/baloofilerc
nodeny ${HOME}/.kde/share/config/baloofilerc
nodeny ${HOME}/.kde/share/config/baloorc
nodeny ${HOME}/.kde4/share/config/baloofilerc
nodeny ${HOME}/.kde4/share/config/baloorc
nodeny ${HOME}/.local/share/baloo
include disable-common.inc
include disable-devel.inc


@ -6,13 +6,13 @@ include balsa.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.balsa
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.signature
noblacklist ${HOME}/mail
noblacklist /var/mail
noblacklist /var/spool/mail
nodeny ${HOME}/.balsa
nodeny ${HOME}/.gnupg
nodeny ${HOME}/.mozilla
nodeny ${HOME}/.signature
nodeny ${HOME}/mail
nodeny /var/mail
nodeny /var/spool/mail
include disable-common.inc
include disable-devel.inc
@ -27,17 +27,17 @@ mkdir ${HOME}/.balsa
mkdir ${HOME}/.gnupg
mkfile ${HOME}/.signature
mkdir ${HOME}/mail
whitelist ${HOME}/.balsa
whitelist ${HOME}/.gnupg
whitelist ${HOME}/.mozilla/firefox/profiles.ini
whitelist ${HOME}/.signature
whitelist ${HOME}/mail
whitelist ${RUNUSER}/gnupg
whitelist /usr/share/balsa
whitelist /usr/share/gnupg
whitelist /usr/share/gnupg2
whitelist /var/mail
whitelist /var/spool/mail
allow ${HOME}/.balsa
allow ${HOME}/.gnupg
allow ${HOME}/.mozilla/firefox/profiles.ini
allow ${HOME}/.signature
allow ${HOME}/mail
allow ${RUNUSER}/gnupg
allow /usr/share/balsa
allow /usr/share/gnupg
allow /usr/share/gnupg2
allow /var/mail
allow /var/spool/mail
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc


@ -6,9 +6,9 @@ include barrier.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/Debauchee/Barrier.conf
noblacklist ${HOME}/.local/share/barrier
noblacklist ${PATH}/openssl
nodeny ${HOME}/.config/Debauchee/Barrier.conf
nodeny ${HOME}/.local/share/barrier
nodeny ${PATH}/openssl
include disable-common.inc
include disable-devel.inc


@ -5,13 +5,13 @@ include basilisk.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.cache/moonchild productions/basilisk
noblacklist ${HOME}/.moonchild productions/basilisk
nodeny ${HOME}/.cache/moonchild productions/basilisk
nodeny ${HOME}/.moonchild productions/basilisk
mkdir ${HOME}/.cache/moonchild productions/basilisk
mkdir ${HOME}/.moonchild productions
whitelist ${HOME}/.cache/moonchild productions/basilisk
whitelist ${HOME}/.moonchild productions
allow ${HOME}/.cache/moonchild productions/basilisk
allow ${HOME}/.moonchild productions
# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
seccomp


@ -7,10 +7,10 @@ include bcompare.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/bcompare
nodeny ${HOME}/.config/bcompare
# In case the user decides to include disable-programs.inc, still allow
# KDE's Gwenview to view images via right click -> Open With -> Associated Application
noblacklist ${HOME}/.config/gwenviewrc
nodeny ${HOME}/.config/gwenviewrc
# Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc.
#include disable-common.inc


@ -19,10 +19,10 @@ ignore private-cache
ignore private-dev
ignore private-tmp
noblacklist ${HOME}/.config/Beaker Browser
nodeny ${HOME}/.config/Beaker Browser
mkdir ${HOME}/.config/Beaker Browser
whitelist ${HOME}/.config/Beaker Browser
allow ${HOME}/.config/Beaker Browser
# Redirect
include electron.profile


@ -6,11 +6,11 @@ include bibletime.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.bibletime
noblacklist ${HOME}/.sword
noblacklist ${HOME}/.local/share/bibletime
nodeny ${HOME}/.bibletime
nodeny ${HOME}/.sword
nodeny ${HOME}/.local/share/bibletime
blacklist ${HOME}/.bashrc
deny ${HOME}/.bashrc
include disable-common.inc
include disable-devel.inc
@ -22,12 +22,12 @@ include disable-programs.inc
mkdir ${HOME}/.bibletime
mkdir ${HOME}/.sword
mkdir ${HOME}/.local/share/bibletime
whitelist ${HOME}/.bibletime
whitelist ${HOME}/.sword
whitelist ${HOME}/.local/share/bibletime
whitelist /usr/share/bibletime
whitelist /usr/share/doc/bibletime
whitelist /usr/share/sword
allow ${HOME}/.bibletime
allow ${HOME}/.sword
allow ${HOME}/.local/share/bibletime
allow /usr/share/bibletime
allow /usr/share/doc/bibletime
allow /usr/share/sword
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -6,7 +6,7 @@ include bijiben.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.local/share/bijiben
nodeny ${HOME}/.local/share/bijiben
include disable-common.inc
include disable-devel.inc
@ -18,12 +18,12 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.local/share/bijiben
whitelist ${HOME}/.local/share/bijiben
whitelist ${HOME}/.cache/tracker
whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/bijiben
whitelist /usr/share/tracker
whitelist /usr/share/tracker3
allow ${HOME}/.local/share/bijiben
allow ${HOME}/.cache/tracker
allow /usr/libexec/webkit2gtk-4.0
allow /usr/share/bijiben
allow /usr/share/tracker
allow /usr/share/tracker3
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc


@ -6,8 +6,8 @@ include bitcoin-qt.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.bitcoin
noblacklist ${HOME}/.config/Bitcoin
nodeny ${HOME}/.bitcoin
nodeny ${HOME}/.config/Bitcoin
include disable-common.inc
include disable-devel.inc
@ -19,8 +19,8 @@ include disable-shell.inc
mkdir ${HOME}/.bitcoin
mkdir ${HOME}/.config/Bitcoin
whitelist ${HOME}/.bitcoin
whitelist ${HOME}/.config/Bitcoin
allow ${HOME}/.bitcoin
allow ${HOME}/.config/Bitcoin
include whitelist-common.inc
include whitelist-var-common.inc


@ -8,8 +8,8 @@ include globals.local
ignore noexec ${HOME}
noblacklist /sbin
noblacklist /usr/sbin
nodeny /sbin
nodeny /usr/sbin
# noblacklist /var/log
include disable-common.inc


@ -11,12 +11,12 @@ ignore include whitelist-usr-share-common.inc
ignore noexec /tmp
noblacklist ${HOME}/.config/Bitwarden
nodeny ${HOME}/.config/Bitwarden
include disable-shell.inc
mkdir ${HOME}/.config/Bitwarden
whitelist ${HOME}/.config/Bitwarden
allow ${HOME}/.config/Bitwarden
machine-id
no3d


@ -7,7 +7,7 @@ include blackbox.local
include globals.local
# all applications started in blackbox will run in this profile
noblacklist ${HOME}/.blackbox
nodeny ${HOME}/.blackbox
include disable-common.inc
caps.drop all


@ -6,7 +6,7 @@ include blender.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/blender
nodeny ${HOME}/.config/blender
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
@ -20,8 +20,8 @@ include disable-passwdmgr.inc
include disable-programs.inc
# Allow usage of AMD GPU by OpenCL
noblacklist /sys/module
whitelist /sys/module/amdgpu
nodeny /sys/module
allow /sys/module/amdgpu
read-only /sys/module/amdgpu
caps.drop all
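Review bot: In the second hunk, `allow /sys/module/amdgpu` reads like a permissive exception, but the directive it replaces is `whitelist`, which restricts what stays visible under /sys/module to the listed path. With the new keyword that restricting effect is no longer evident from the name, so I would spell it out in the comment above, e.g. `# Allow usage of AMD GPU by OpenCL (allow = whitelist: only amdgpu stays visible in /sys/module)`. The same reading problem applies to the other `nodeny`/`allow` pairs in this commit: `nodeny` only exempts a path from the deny list, while `allow` narrows the parent directory to the listed entries.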


@ -6,7 +6,7 @@ include bless.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/bless
nodeny ${HOME}/.config/bless
include disable-common.inc
include disable-devel.inc


@ -4,7 +4,7 @@ include blobby.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.blobby
nodeny ${HOME}/.blobby
include disable-common.inc
include disable-devel.inc
@ -16,9 +16,9 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.blobby
whitelist ${HOME}/.blobby
allow ${HOME}/.blobby
include whitelist-common.inc
whitelist /usr/share/blobby
allow /usr/share/blobby
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -6,7 +6,7 @@ include blobwars.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.parallelrealities/blobwars
nodeny ${HOME}/.parallelrealities/blobwars
include disable-common.inc
include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.parallelrealities/blobwars
whitelist ${HOME}/.parallelrealities/blobwars
whitelist /usr/share/blobwars
allow ${HOME}/.parallelrealities/blobwars
allow /usr/share/blobwars
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc


@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
noblacklist ${HOME}/.cache/bnox
noblacklist ${HOME}/.config/bnox
nodeny ${HOME}/.cache/bnox
nodeny ${HOME}/.config/bnox
mkdir ${HOME}/.cache/bnox
mkdir ${HOME}/.config/bnox
whitelist ${HOME}/.cache/bnox
whitelist ${HOME}/.config/bnox
allow ${HOME}/.cache/bnox
allow ${HOME}/.config/bnox
# Redirect
include chromium-common.profile
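Review bot: The `ignore whitelist /usr/share/chromium` line shown in the hunk header (it sits above the hunk, outside the changed lines) still names the old keyword, while the `whitelist` lines below it were renamed to `allow`. If `ignore` compares its argument textually with the directive as spelled in the included chromium-common.profile, and that profile now reads `allow /usr/share/chromium`, the ignore would stop matching and the sandbox would behave differently than before the rename. Neither the matching logic nor chromium-common.profile is visible here, so this needs checking; if confirmed, the line should become `ignore allow /usr/share/chromium`.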


@ -5,7 +5,7 @@ include brackets.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/Brackets
nodeny ${HOME}/.config/Brackets
#noblacklist /opt/brackets
#noblacklist /opt/google


@ -6,7 +6,7 @@ include brasero.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/brasero
nodeny ${HOME}/.config/brasero
include disable-common.inc
include disable-devel.inc


@ -14,24 +14,24 @@ ignore noexec /tmp
# Alternatively you can add 'ignore apparmor' to your brave.local.
ignore noexec ${HOME}
noblacklist ${HOME}/.cache/BraveSoftware
noblacklist ${HOME}/.config/BraveSoftware
noblacklist ${HOME}/.config/brave
noblacklist ${HOME}/.config/brave-flags.conf
nodeny ${HOME}/.cache/BraveSoftware
nodeny ${HOME}/.config/BraveSoftware
nodeny ${HOME}/.config/brave
nodeny ${HOME}/.config/brave-flags.conf
# brave uses gpg for built-in password manager
noblacklist ${HOME}/.gnupg
nodeny ${HOME}/.gnupg
mkdir ${HOME}/.cache/BraveSoftware
mkdir ${HOME}/.config/BraveSoftware
mkdir ${HOME}/.config/brave
whitelist ${HOME}/.cache/BraveSoftware
whitelist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.config/brave
whitelist ${HOME}/.config/brave-flags.conf
whitelist ${HOME}/.gnupg
allow ${HOME}/.cache/BraveSoftware
allow ${HOME}/.config/BraveSoftware
allow ${HOME}/.config/brave
allow ${HOME}/.config/brave-flags.conf
allow ${HOME}/.gnupg
# Brave sandbox needs read access to /proc/config.gz
noblacklist /proc/config.gz
nodeny /proc/config.gz
# Redirect
include chromium-common.profile


@ -6,7 +6,7 @@ include bzflag.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.bzf
nodeny ${HOME}/.bzf
include disable-common.inc
include disable-devel.inc
@ -18,7 +18,7 @@ include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/.bzf
whitelist ${HOME}/.bzf
allow ${HOME}/.bzf
include whitelist-common.inc
include whitelist-var-common.inc


@ -6,9 +6,9 @@ include calibre.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.cache/calibre
noblacklist ${HOME}/.config/calibre
noblacklist ${DOCUMENTS}
nodeny ${HOME}/.cache/calibre
nodeny ${HOME}/.config/calibre
nodeny ${DOCUMENTS}
include disable-common.inc
include disable-devel.inc


@ -6,7 +6,7 @@ include calligra.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.local/share/kxmlgui5/calligra
nodeny ${HOME}/.local/share/kxmlgui5/calligra
include disable-common.inc
include disable-devel.inc


@ -6,7 +6,7 @@ include calligragemini.local
# added by included profile
#include globals.local
noblacklist ${HOME}/.local/share/calligragemini
nodeny ${HOME}/.local/share/calligragemini
# Redirect
include calligra.profile


@ -6,7 +6,7 @@ include calligraplan.local
# added by included profile
#include globals.local
noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
nodeny ${HOME}/.local/share/kxmlgui5/calligraplan
# Redirect
include calligra.profile


@ -6,7 +6,7 @@ include calligraplanwork.local
# added by included profile
#include globals.local
noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
nodeny ${HOME}/.local/share/kxmlgui5/calligraplanwork
# Redirect
include calligra.profile


@ -6,7 +6,7 @@ include calligrasheets.local
# added by included profile
#include globals.local
noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
nodeny ${HOME}/.local/share/kxmlgui5/calligrasheets
# Redirect
include calligra.profile


@ -6,7 +6,7 @@ include calligrastage.local
# added by included profile
#include globals.local
noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
nodeny ${HOME}/.local/share/kxmlgui5/calligrastage
# Redirect
include calligra.profile


@ -6,7 +6,7 @@ include calligrawords.local
# added by included profile
#include globals.local
noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
nodeny ${HOME}/.local/share/kxmlgui5/calligrawords
# Redirect
include calligra.profile
