* blacklist .local/share/kxmlgui5
KDE programs use this to store their toolbar config.
* noblacklist .local/share/kxmlgui5 in the relevant KDE applications.
* Whitelist kxmlgui file for okular.
* Use a glob to blacklist subfolders instead of the parent folder.
noblacklisting individual subdirectories works only if we do it this way
(tested by launching bash in the kate profile).
* Make directory, not file.
* noblacklist relevant subdirs for more KDE applications
* Whitelist some config files used by Okular.
These files are used to store the toolbar configurations.
* Whitelist files required for okular in firefox-common-addons.inc
Without this, okular does not follow the user configuration for toolbars
and keyboard shortcuts when launched inside the firefox sandbox (for
eg., while opening a downloaded PDF).
* Alphabetical sort
* Remove noblacklist for files which are not actually blacklisted.
I have blacklisted them in a separate pull request.
* clarify writing to /var/mail and /var/spool/mail in apparmor
Thunderbird seems to be our only mail client profile that enables the `apparmor` option. Users need this when they follow instructions on how to allow reading local mail.
* fix mail clients rule in firejail-default
Atom 1.48 requires a looser sandbox and no longer works with
noroot, nonewprivs, protocol, and seccomp
caps filter needed adjusting to keep sys_admin and sys_chroot
* Add strawberry profile
* Fix comment
* Add to disable-programs.inc & firecfg.config
* Add /home/amin/.local/share/strawberry to profile and disable-programs
* Various hardening for strawberry profile
Signed-off-by: Amin Vakil <info@aminvakil.com>
* Change nodbus to dbus-system none in strawberry profile
* Add dbus-user none to strawberry profile
* Add whitelist-var-common, sort private-etc
* Sort, Add wruc, Add netlink to protocol in strawberry profile
* Remove dbus-user none to allow using gnome functions for various usage in strawberry profile
* disable-shell.inc
* add disable-shell.inc to all profiles with a …
… private-bin line without bash/sh except profiles with redirect
profiles.
* add it to some more profiles
* exclude aria2c.profile
w3m is a text-based web browser as well as a pager like `more' or `less'. With w3m you can browse web pages through a terminal emulator window (xterm, rxvt or something like that).
As it outputs I suppose setting quiet in its profile is appropriate.
* Create mocp.profile
* add mocp support to disable-programs.inc
* add mocp support in firecfg.config
* update RELNOTES for mocp
* fix configuration access for mocp
Thanks to @rusty-snake for spotting this.
