From fe64b62f21575a569267be6dbfdf4a0fbd5f83f0 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 23 Mar 2025 12:07:55 -0300 Subject: [PATCH] profiles: split commands that increase/reduce access (profiles) Command used to search for the relevant profiles: git grep -El 'allow-debuggers|allusers|keep-|writable-' -- etc --- etc/profile-a-l/alpine.profile | 5 +++-- etc/profile-a-l/audacity.profile | 1 + etc/profile-a-l/dnsmasq.profile | 3 ++- etc/profile-a-l/email-common.profile | 7 ++++--- etc/profile-a-l/evolution.profile | 3 ++- etc/profile-a-l/file-manager-common.profile | 1 + etc/profile-a-l/freshclam.profile | 5 +++-- etc/profile-a-l/gajim.profile | 3 ++- etc/profile-a-l/geki2.profile | 3 ++- etc/profile-a-l/geki3.profile | 3 ++- etc/profile-a-l/git-cola.profile | 3 ++- etc/profile-a-l/gmpc.profile | 3 ++- etc/profile-a-l/gnome-schedule.profile | 3 ++- etc/profile-a-l/kmail.profile | 5 +++-- etc/profile-a-l/kopete.profile | 3 ++- etc/profile-a-l/kube.profile | 3 ++- etc/profile-a-l/lbreakouthd.profile | 3 ++- etc/profile-a-l/less.profile | 3 ++- etc/profile-a-l/lutris.profile | 3 ++- etc/profile-m-z/mutt.profile | 5 +++-- etc/profile-m-z/nano.profile | 11 ++++++----- etc/profile-m-z/ncmpcpp.profile | 3 ++- etc/profile-m-z/neomutt.profile | 5 +++-- etc/profile-m-z/nethack-vultures.profile | 3 ++- etc/profile-m-z/nethack.profile | 3 ++- etc/profile-m-z/pkglog.profile | 3 ++- etc/profile-m-z/plv.profile | 3 ++- etc/profile-m-z/pyradio.profile | 3 ++- etc/profile-m-z/seahorse.profile | 3 ++- etc/profile-m-z/seamonkey.profile | 3 ++- etc/profile-m-z/server.profile | 7 ++++--- etc/profile-m-z/slashem.profile | 3 ++- etc/profile-m-z/spectre-meltdown-checker.profile | 1 + etc/profile-m-z/ssh-agent.profile | 4 ++-- etc/profile-m-z/ssh.profile | 3 ++- etc/profile-m-z/steam.profile | 3 ++- etc/profile-m-z/system-log-common.profile | 3 ++- etc/profile-m-z/tor.profile | 3 ++- etc/profile-m-z/transmission-daemon.profile | 5 +++-- etc/profile-m-z/tuxtype.profile | 3 ++- etc/profile-m-z/typespeed.profile | 3 ++- etc/profile-m-z/unbound.profile | 3 ++- etc/profile-m-z/virt-manager.profile | 3 ++- etc/profile-m-z/vmware.profile | 7 ++++--- etc/profile-m-z/wine.profile | 3 ++- 45 files changed, 103 insertions(+), 59 deletions(-) diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile index 7ff2058a5..4c4c81497 100644 --- a/etc/profile-a-l/alpine.profile +++ b/etc/profile-a-l/alpine.profile @@ -66,6 +66,9 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-run-user +writable-var + apparmor caps.drop all ipc-namespace @@ -92,8 +95,6 @@ private-cache private-dev private-etc @tls-ca,@x11,c-client.cf,host.conf,krb5.keytab,mailcap,mime.types,pine.conf,pinerc.fixed,rpc,services,terminfo private-tmp -writable-run-user -writable-var dbus-user none dbus-system none diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index 2893dda5a..6e9d96a64 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile @@ -30,6 +30,7 @@ include whitelist-var-common.inc # Silence blacklist violation. See #5539. allow-debuggers + ## Enabling App Armor appears to break some Fedora / Arch installs #apparmor caps.drop all diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile index 2ce980cb1..6e7a01fe8 100644 --- a/etc/profile-a-l/dnsmasq.profile +++ b/etc/profile-a-l/dnsmasq.profile @@ -23,6 +23,8 @@ include disable-xdg.inc whitelist /var/lib/libvirt/dnsmasq whitelist /var/run +writable-var + caps.keep net_admin,net_bind_service,net_raw,setgid,setuid no3d nodvd @@ -39,6 +41,5 @@ disable-mnt private private-dev private-tmp -writable-var restrict-namespaces diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index eccd64c95..91c0a04d6 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile @@ -61,6 +61,10 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +# encrypting and signing email +writable-run-user +writable-var + apparmor caps.drop all machine-id @@ -85,9 +89,6 @@ private-cache private-dev private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,clamav,gnupg,hosts.conf,mailname,timezone private-tmp -# encrypting and signing email -writable-run-user -writable-var dbus-user filter dbus-user.talk ca.desrt.dconf diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index e703938eb..c8447a390 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile @@ -25,6 +25,8 @@ include disable-programs.inc include whitelist-runuser-common.inc +writable-var + caps.drop all netfilter # no3d breaks under wayland @@ -43,6 +45,5 @@ seccomp private-dev #private-tmp -writable-var restrict-namespaces diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile index bf8475758..34e42df3d 100644 --- a/etc/profile-a-l/file-manager-common.profile +++ b/etc/profile-a-l/file-manager-common.profile @@ -29,6 +29,7 @@ include disable-interpreters.inc #include disable-programs.inc allusers + #apparmor caps.drop all #net none diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile index f59094567..a13334029 100644 --- a/etc/profile-a-l/freshclam.profile +++ b/etc/profile-a-l/freshclam.profile @@ -8,6 +8,9 @@ include globals.local include disable-exec.inc +writable-var +writable-var-log + caps.keep setgid,setuid ipc-namespace netfilter @@ -29,8 +32,6 @@ private private-cache private-dev private-tmp -writable-var -writable-var-log memory-deny-write-execute restrict-namespaces diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index 7cef2dbbb..3cea60cc8 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile @@ -41,6 +41,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-run-user + apparmor caps.drop all netfilter @@ -61,7 +63,6 @@ private-cache private-dev private-etc @tls-ca,@x11 private-tmp -writable-run-user dbus-user filter dbus-user.own org.gajim.Gajim diff --git a/etc/profile-a-l/geki2.profile b/etc/profile-a-l/geki2.profile index 5ebd9b427..a944bd29f 100644 --- a/etc/profile-a-l/geki2.profile +++ b/etc/profile-a-l/geki2.profile @@ -18,6 +18,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-var # game scores are stored under /var/games + apparmor caps.drop all ipc-namespace @@ -40,7 +42,6 @@ private-bin geki2 private-dev private-etc @games,@sound,@x11 private-tmp -writable-var # game scores are stored under /var/games dbus-user none dbus-system none diff --git a/etc/profile-a-l/geki3.profile b/etc/profile-a-l/geki3.profile index 508c96002..da91a41d1 100644 --- a/etc/profile-a-l/geki3.profile +++ b/etc/profile-a-l/geki3.profile @@ -18,6 +18,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-var # game scores are stored under /var/games + apparmor caps.drop all ipc-namespace @@ -40,7 +42,6 @@ private-bin geki3 private-dev private-etc @games,@sound,@x11 private-tmp -writable-var # game scores are stored under /var/games dbus-user none dbus-system none diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index 49568ba23..ca8775239 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile @@ -46,6 +46,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-run-user + apparmor caps.drop all machine-id @@ -71,7 +73,6 @@ private-cache private-dev private-etc @tls-ca,@x11,gitconfig,host.conf,mime.types,ssh private-tmp -writable-run-user # dbus-user filtering breaks meld as diff viewer # Add the next line to your git-cola.local if you don't use meld. diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile index 4d4a0d50e..739f679e9 100644 --- a/etc/profile-a-l/gmpc.profile +++ b/etc/profile-a-l/gmpc.profile @@ -24,6 +24,8 @@ include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-run-user + apparmor caps.drop all ipc-namespace @@ -45,7 +47,6 @@ disable-mnt private-cache private-etc private-tmp -writable-run-user dbus-user filter dbus-user.talk org.mpris.MediaPlayer2.mpd diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile index 33f22136e..5a17289b6 100644 --- a/etc/profile-a-l/gnome-schedule.profile +++ b/etc/profile-a-l/gnome-schedule.profile @@ -42,6 +42,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-var + apparmor caps.keep chown,dac_override,setgid,setuid ipc-namespace @@ -60,4 +62,3 @@ tracelog disable-mnt private-cache private-dev -writable-var diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index df5c25c67..58d7de175 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile @@ -41,6 +41,9 @@ include disable-programs.inc include whitelist-run-common.inc include whitelist-var-common.inc +# writable-run-user is needed for signing and encrypting emails +writable-run-user + #apparmor caps.drop all netfilter @@ -59,8 +62,6 @@ seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set private-dev #private-tmp # interrupts connection to akonadi, breaks opening of email attachments -# writable-run-user is needed for signing and encrypting emails -writable-run-user # To harden kmail.profile, add the following lines to kmail.local: #dbus-user filter diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile index 91030f453..1c3114582 100644 --- a/etc/profile-a-l/kopete.profile +++ b/etc/profile-a-l/kopete.profile @@ -21,6 +21,8 @@ include disable-programs.inc whitelist /var/lib/winpopup include whitelist-var-common.inc +writable-var + caps.drop all netfilter nodvd @@ -35,6 +37,5 @@ seccomp private-dev private-tmp -writable-var restrict-namespaces diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index 67ff64954..9fa908afc 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile @@ -51,6 +51,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-run-user + apparmor caps.drop all netfilter @@ -75,7 +77,6 @@ private-cache private-dev private-etc @tls-ca,@x11 private-tmp -writable-run-user dbus-user filter dbus-user.talk ca.desrt.dconf diff --git a/etc/profile-a-l/lbreakouthd.profile b/etc/profile-a-l/lbreakouthd.profile index e454772fc..9a0f8a692 100644 --- a/etc/profile-a-l/lbreakouthd.profile +++ b/etc/profile-a-l/lbreakouthd.profile @@ -28,6 +28,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-var # game scores are stored under /var/games + apparmor caps.drop all ipc-namespace @@ -49,7 +51,6 @@ private-bin lbreakouthd private-dev private-etc @games,@sound,@x11 private-tmp -writable-var # game scores are stored under /var/games dbus-user none dbus-system none diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile index 661c0594a..0362aa2e8 100644 --- a/etc/profile-a-l/less.profile +++ b/etc/profile-a-l/less.profile @@ -15,6 +15,8 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc +writable-var-log + apparmor caps.drop all ipc-namespace @@ -40,7 +42,6 @@ x11 none #private-lib private-cache private-dev -writable-var-log dbus-user none dbus-system none diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile index e1353d64d..4fde200fe 100644 --- a/etc/profile-a-l/lutris.profile +++ b/etc/profile-a-l/lutris.profile @@ -63,6 +63,8 @@ include whitelist-runuser-common.inc include whitelist-var-common.inc #allow-debuggers +keep-dev-ntsync + #apparmor caps.drop all ipc-namespace @@ -79,7 +81,6 @@ protocol unix,inet,inet6,netlink seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace seccomp.32 !modify_ldt -keep-dev-ntsync # Add the next line to your lutris.local if you do not need controller support. #private-dev private-tmp diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index bc8aaffbe..1c736cec7 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile @@ -104,6 +104,9 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-run-user +writable-var + apparmor caps.drop all ipc-namespace @@ -129,8 +132,6 @@ private-cache private-dev private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,hosts.conf,mail,mailname,msmtprc,nntpserver,terminfo private-tmp -writable-run-user -writable-var dbus-user none dbus-system none diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile index ba63b2067..33dddff7c 100644 --- a/etc/profile-m-z/nano.profile +++ b/etc/profile-m-z/nano.profile @@ -21,6 +21,12 @@ include disable-programs.inc whitelist /usr/share/nano include whitelist-usr-share-common.inc +# Add the next lines to your nano.local if you want to edit files in /etc directly. +#ignore private-etc +#writable-etc +# Add the next line to your nano.local if you want to edit files in /var directly. +#writable-var + apparmor caps.drop all ipc-namespace @@ -45,12 +51,7 @@ x11 none private-bin nano,rnano private-cache private-dev -# Add the next lines to your nano.local if you want to edit files in /etc directly. -#ignore private-etc -#writable-etc private-etc nanorc -# Add the next line to your nano.local if you want to edit files in /var directly. -#writable-var dbus-user none dbus-system none diff --git a/etc/profile-m-z/ncmpcpp.profile b/etc/profile-m-z/ncmpcpp.profile index 72aaf9686..310259a41 100644 --- a/etc/profile-m-z/ncmpcpp.profile +++ b/etc/profile-m-z/ncmpcpp.profile @@ -39,6 +39,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-var + apparmor caps.drop all ipc-namespace @@ -66,7 +68,6 @@ private-cache private-dev private-etc terminfo private-tmp -writable-var dbus-user none dbus-system none diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index 4101e74ee..2a1895f43 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile @@ -96,6 +96,9 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-run-user +writable-var + apparmor caps.drop all ipc-namespace @@ -121,8 +124,6 @@ private-cache private-dev private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,msmtprc,neomuttrc,neomuttrc.d,nntpserver private-tmp -writable-run-user -writable-var dbus-user none dbus-system none diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile index c07bb7107..6dbd4eeb5 100644 --- a/etc/profile-m-z/nethack-vultures.profile +++ b/etc/profile-m-z/nethack-vultures.profile @@ -20,6 +20,8 @@ whitelist /var/log/vultures include whitelist-common.inc include whitelist-var-common.inc +writable-var + caps.drop all ipc-namespace net none @@ -38,7 +40,6 @@ disable-mnt private-cache private-dev private-tmp -writable-var dbus-user none dbus-system none diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile index a43889349..b4d1a9829 100644 --- a/etc/profile-m-z/nethack.profile +++ b/etc/profile-m-z/nethack.profile @@ -18,6 +18,8 @@ whitelist /var/games/nethack include whitelist-common.inc include whitelist-var-common.inc +writable-var + caps.drop all ipc-namespace net none @@ -38,7 +40,6 @@ disable-mnt private-cache private-dev private-tmp -writable-var dbus-user none dbus-system none diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile index 2f200e154..ae10ce36b 100644 --- a/etc/profile-m-z/pkglog.profile +++ b/etc/profile-m-z/pkglog.profile @@ -23,6 +23,8 @@ whitelist /var/log/apt/history.log whitelist /var/log/dnf.rpm.log whitelist /var/log/pacman.log +writable-var-log + apparmor caps.drop all ipc-namespace @@ -50,7 +52,6 @@ private-dev private-etc private-opt none private-tmp -writable-var-log dbus-user none dbus-system none diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile index 38fa01553..33f56bf8e 100644 --- a/etc/profile-m-z/plv.profile +++ b/etc/profile-m-z/plv.profile @@ -23,6 +23,8 @@ include whitelist-usr-share-common.inc include whitelist-runuser-common.inc include whitelist-var-common.inc +writable-var-log + apparmor caps.drop all ipc-namespace @@ -48,7 +50,6 @@ private-dev private-etc private-opt none private-tmp -writable-var-log dbus-user none dbus-system none diff --git a/etc/profile-m-z/pyradio.profile b/etc/profile-m-z/pyradio.profile index 5751624c7..75281f8be 100644 --- a/etc/profile-m-z/pyradio.profile +++ b/etc/profile-m-z/pyradio.profile @@ -69,6 +69,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-run-user + apparmor caps.drop all ipc-namespace @@ -93,7 +95,6 @@ private-dev # python-exec is required by any python executable on Gentoo Linux private-etc @sound,@tls-ca,mplayer,mpv,python-exec,terminfo private-tmp -writable-run-user dbus-user none dbus-system none diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 190082461..f04b3ce1a 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile @@ -36,6 +36,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-run-user + apparmor caps.drop all machine-id @@ -59,7 +61,6 @@ private-cache private-dev private-etc @tls-ca,@x11,gconf,host.conf,pkcs11,rpc,services,ssh private-tmp -writable-run-user dbus-user filter dbus-user.own org.gnome.seahorse diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile index 1171a52f0..00cebf429 100644 --- a/etc/profile-m-z/seamonkey.profile +++ b/etc/profile-m-z/seamonkey.profile @@ -44,6 +44,8 @@ whitelist ${HOME}/.zotero whitelist ${HOME}/dwhelper include whitelist-common.inc +writable-run-user + caps.drop all netfilter nodvd @@ -56,6 +58,5 @@ tracelog disable-mnt #private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl -writable-run-user restrict-namespaces diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile index a2978ab19..ee6b9455c 100644 --- a/etc/profile-m-z/server.profile +++ b/etc/profile-m-z/server.profile @@ -51,6 +51,10 @@ include disable-xdg.inc #include whitelist-usr-share-common.inc #include whitelist-var-common.inc +#writable-run-user +#writable-var +#writable-var-log + # people use to install servers all over the place! # apparmor runs executable only from default system locations #apparmor @@ -82,9 +86,6 @@ private-dev #private-lib #private-opt none private-tmp -#writable-run-user -#writable-var -#writable-var-log dbus-user none #dbus-system none diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile index 3ad182b9e..3125b389c 100644 --- a/etc/profile-m-z/slashem.profile +++ b/etc/profile-m-z/slashem.profile @@ -18,6 +18,8 @@ whitelist /var/games/slashem include whitelist-common.inc include whitelist-var-common.inc +writable-var + caps.drop all ipc-namespace net none @@ -38,7 +40,6 @@ disable-mnt private-cache private-dev private-tmp -writable-var dbus-user none dbus-system none diff --git a/etc/profile-m-z/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile index d2566040e..49d0b46e5 100644 --- a/etc/profile-m-z/spectre-meltdown-checker.profile +++ b/etc/profile-m-z/spectre-meltdown-checker.profile @@ -26,6 +26,7 @@ include whitelist-usr-share-common.inc include whitelist-var-common.inc allow-debuggers + caps.keep sys_rawio ipc-namespace net none diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile index 97ddfd292..3a23c3a51 100644 --- a/etc/profile-m-z/ssh-agent.profile +++ b/etc/profile-m-z/ssh-agent.profile @@ -17,6 +17,8 @@ include disable-x11.inc include whitelist-usr-share-common.inc +writable-run-user + caps.drop all netfilter no3d @@ -29,8 +31,6 @@ protocol unix,inet,inet6 seccomp tracelog -writable-run-user - dbus-user none dbus-system none diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 96839d082..0f5cd2f48 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile @@ -26,6 +26,8 @@ whitelist ${RUNUSER}/keyring/ssh include whitelist-runuser-common.inc include whitelist-usr-share-common.inc +writable-run-user + apparmor caps.drop all ipc-namespace @@ -47,7 +49,6 @@ tracelog private-cache private-dev #private-tmp # Breaks when exiting -writable-run-user dbus-user none dbus-system none diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index e697ffead..7f68ead64 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile @@ -153,6 +153,8 @@ include whitelist-var-common.inc #mkdir ${HOME}/.config/RogueLegacyStorageContainer #mkdir ${HOME}/.local/share/RogueLegacyStorageContainer +keep-dev-ntsync + caps.drop all #ipc-namespace netfilter @@ -185,7 +187,6 @@ seccomp.32 !process_vm_readv # To view screenshots add the next line to your steam.local. #private-bin eog,eom,gthumb,pix,viewnior,xviewer -keep-dev-ntsync private-dev # private-etc breaks a small selection of games on some systems. Add 'ignore private-etc' # to your steam.local to support those. diff --git a/etc/profile-m-z/system-log-common.profile b/etc/profile-m-z/system-log-common.profile index dda8bdc47..5c6c0f49e 100644 --- a/etc/profile-m-z/system-log-common.profile +++ b/etc/profile-m-z/system-log-common.profile @@ -24,6 +24,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-var-log + apparmor caps.drop all ipc-namespace @@ -57,4 +59,3 @@ restrict-namespaces # Add 'ignore read-only ${HOME}' to your system-log-common.local # if you export logs to a file under your ${HOME}. read-only ${HOME} -writable-var-log diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile index 686396b2c..68fdaa211 100644 --- a/etc/profile-m-z/tor.profile +++ b/etc/profile-m-z/tor.profile @@ -24,6 +24,8 @@ include disable-interpreters.inc include disable-programs.inc include disable-xdg.inc +writable-var + caps.keep dac_read_search,net_bind_service,setgid,setuid ipc-namespace machine-id @@ -47,7 +49,6 @@ private-cache private-dev private-etc @tls-ca,tor private-tmp -writable-var memory-deny-write-execute restrict-namespaces diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile index 4fc5a3aa7..1dd7eb618 100644 --- a/etc/profile-m-z/transmission-daemon.profile +++ b/etc/profile-m-z/transmission-daemon.profile @@ -13,6 +13,9 @@ mkdir ${HOME}/.config/transmission-daemon whitelist ${HOME}/.config/transmission-daemon whitelist /var/lib/transmission +writable-var-log +writable-run-user + caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot protocol packet @@ -20,8 +23,6 @@ private-bin transmission-daemon private-etc @tls-ca read-write /var/lib/transmission -writable-var-log -writable-run-user # Redirect include transmission-common.profile diff --git a/etc/profile-m-z/tuxtype.profile b/etc/profile-m-z/tuxtype.profile index 12b58850a..be5a69f95 100644 --- a/etc/profile-m-z/tuxtype.profile +++ b/etc/profile-m-z/tuxtype.profile @@ -24,6 +24,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-var # game scores are stored under /var/games + apparmor caps.drop all ipc-namespace @@ -45,7 +47,6 @@ private-bin tuxtype private-dev private-etc @games,@sound,@x11,tuxtype private-tmp -writable-var # game scores are stored under /var/games dbus-user none dbus-system none diff --git a/etc/profile-m-z/typespeed.profile b/etc/profile-m-z/typespeed.profile index b98777665..4bc18c016 100644 --- a/etc/profile-m-z/typespeed.profile +++ b/etc/profile-m-z/typespeed.profile @@ -20,6 +20,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-var # game scores are stored under /var/games + apparmor caps.drop all ipc-namespace @@ -40,7 +42,6 @@ private private-dev private-etc @games,@sound,@x11 private-tmp -writable-var # game scores are stored under /var/games dbus-user none dbus-system none diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile index c12054d47..a658d7865 100644 --- a/etc/profile-m-z/unbound.profile +++ b/etc/profile-m-z/unbound.profile @@ -27,6 +27,8 @@ read-only /var/lib/ca-certificates whitelist /var/lib/unbound whitelist /var/run +writable-var + caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource ipc-namespace machine-id @@ -46,7 +48,6 @@ disable-mnt private private-dev private-tmp -writable-var dbus-user none dbus-system none diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile index a93d873a8..16b7d8a9a 100644 --- a/etc/profile-m-z/virt-manager.profile +++ b/etc/profile-m-z/virt-manager.profile @@ -45,6 +45,8 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +writable-var + # breaks app #apparmor # For host-only network sys_admin is needed. @@ -59,7 +61,6 @@ tracelog private-cache private-etc @network,@sound,@tls-ca,@x11 private-tmp -writable-var dbus-user filter dbus-user.own org.virt-manager.virt-manager diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile index ed4a47a83..65e1b84e0 100644 --- a/etc/profile-m-z/vmware.profile +++ b/etc/profile-m-z/vmware.profile @@ -17,13 +17,14 @@ include disable-interpreters.inc include disable-programs.inc include disable-xdg.inc +# Add the next lines to your vmware.local if you need to use "shared VM". +#whitelist /var/lib/vmware +#writable-var + mkdir ${HOME}/.cache/vmware mkdir ${HOME}/.vmware whitelist ${HOME}/.cache/vmware whitelist ${HOME}/.vmware -# Add the next lines to your vmware.local if you need to use "shared VM". -#whitelist /var/lib/vmware -#writable-var include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile index 18be773e9..e9304110d 100644 --- a/etc/profile-m-z/wine.profile +++ b/etc/profile-m-z/wine.profile @@ -26,6 +26,8 @@ include whitelist-var-common.inc # Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this. allow-debuggers +keep-dev-ntsync + caps.drop all #net none netfilter @@ -39,7 +41,6 @@ notv #novideo seccomp -keep-dev-ntsync private-dev restrict-namespaces