diff --git a/.gitignore b/.gitignore index aae7b817d45..db3b16893d5 100644 --- a/.gitignore +++ b/.gitignore @@ -47,7 +47,6 @@ src/fcopy/fcopy src/fldd/fldd src/fbuilder/fbuilder src/profstats/profstats -src/etc-cleanup/etc-cleanup src/bash_completion/firejail.bash_completion src/zsh_completion/_firejail src/jailcheck/jailcheck diff --git a/Makefile b/Makefile index 010f7f0aab9..0d93747afb2 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ endif COMPLETIONDIRS = src/zsh_completion src/bash_completion -APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck src/etc-cleanup/etc-cleanup +APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/fzenity/fzenity SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp @@ -200,7 +200,6 @@ endif install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats - install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup # plugins w/o read permission (non-dumpable) install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh diff --git a/etc/profile-a-l/1password.profile b/etc/profile-a-l/1password.profile index b340ad22887..bc8bfae0d2a 100644 --- a/etc/profile-a-l/1password.profile +++ b/etc/profile-a-l/1password.profile 
@@ -11,7 +11,7 @@ noblacklist ${HOME}/.config/1Password mkdir ${HOME}/.config/1Password whitelist ${HOME}/.config/1Password -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl # Needed for keychain things, talking to Firefox, possibly other things? Not sure how to narrow down ignore dbus-user none diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile index a0eed24ca7c..eb7a5254f9c 100644 --- a/etc/profile-a-l/abiword.profile +++ b/etc/profile-a-l/abiword.profile @@ -41,7 +41,7 @@ tracelog private-bin abiword private-cache private-dev -private-etc @x11 +private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd private-tmp # dbus-user none diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile index 7a36302f14d..96c56d85d2c 100644 --- a/etc/profile-a-l/agetpkg.profile +++ b/etc/profile-a-l/agetpkg.profile @@ -49,7 +49,7 @@ tracelog private-bin agetpkg,python3 private-cache private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile index 22a303cdd54..9612ffdd2da 100644 --- a/etc/profile-a-l/alacarte.profile +++ b/etc/profile-a-l/alacarte.profile @@ -52,7 +52,7 @@ disable-mnt # private-bin alacarte,bash,python*,sh private-cache private-dev -private-etc @tls-ca,@x11,mime.types +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg private-tmp dbus-user none diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile index 9f9bd975a7c..0f7407f05e3 100644 --- a/etc/profile-a-l/alienarena.profile +++ b/etc/profile-a-l/alienarena.profile 
@@ -43,7 +43,7 @@ disable-mnt private-bin alienarena private-cache private-dev -private-etc @tls-ca,@x11,bumblebee,glvnd,host.conf,rpc,services +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11 private-tmp dbus-user none diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile index 5ccb9896f04..4e994c025e7 100644 --- a/etc/profile-a-l/alpine.profile +++ b/etc/profile-a-l/alpine.profile @@ -90,7 +90,7 @@ disable-mnt private-bin alpine private-cache private-dev -private-etc @tls-ca,@x11,c-client.cf,host.conf,krb5.keytab,mailcap,mime.types,pine.conf,pinerc.fixed,rpc,services,terminfo +private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg private-tmp writable-run-user writable-var diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile index 2d0bfcb6ceb..466f60bdaf0 100644 --- a/etc/profile-a-l/anki.profile +++ b/etc/profile-a-l/anki.profile @@ -49,7 +49,7 @@ disable-mnt private-bin anki,python* private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf private-tmp dbus-user none diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile index 4ad6ac6bc33..dab91fe7d59 100644 --- a/etc/profile-a-l/apostrophe.profile +++ b/etc/profile-a-l/apostrophe.profile 
@@ -62,7 +62,7 @@ disable-mnt private-bin apostrophe,fmtutil,kpsewhich,mktexfmt,pandoc,pdftex,perl,python3*,sh,xdvipdfmx,xelatex,xetex private-cache private-dev -private-etc @x11,texlive +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,texlive,X11 private-tmp dbus-user filter diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile index 7f9463c4f67..17eb2451c59 100644 --- a/etc/profile-a-l/aria2c.profile +++ b/etc/profile-a-l/aria2c.profile @@ -45,7 +45,7 @@ private-bin aria2c,gzip # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). #private-cache private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl private-lib libreadline.so.* private-tmp diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile index 1c2fbcccced..ed0629c9b4a 100644 --- a/etc/profile-a-l/arm.profile +++ b/etc/profile-a-l/arm.profile @@ -42,7 +42,7 @@ tracelog disable-mnt private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor private-dev -private-etc @tls-ca,tor +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,resolv.conf,ssl,tor private-tmp restrict-namespaces diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile index 8971408577c..b1347b0d9c1 100644 --- a/etc/profile-a-l/artha.profile +++ b/etc/profile-a-l/artha.profile @@ -54,7 +54,7 @@ disable-mnt private-bin artha,enchant,notify-send private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-lib libnotify.so.* private-tmp diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile index 672286087fa..b2bc17c67ae 100644 --- a/etc/profile-a-l/atool.profile +++ b/etc/profile-a-l/atool.profile 
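Review bot: The new `private-etc` list in aria2c.profile names `groups`, while the other profiles in this diff that expose the group database (atool, bsdtar, cargo, cmus) name `group`. An entry called `groups` presumably matches nothing under /etc, so the sandbox would be left without the group file this list appears to want. I would change `crypto-policies,groups,ld.so.cache` to `crypto-policies,group,ld.so.cache`. The same `groups` spelling is in the new list in email-common.profile (`gnupg,groups,gtk-2.0`).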
@@ -13,7 +13,7 @@ include allow-perl.inc noroot # without login.defs atool complains and uses UID/GID 1000 by default -private-etc +private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf private-tmp # Redirect diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile index d0513d2a757..f24aff1083a 100644 --- a/etc/profile-a-l/atril.profile +++ b/etc/profile-a-l/atril.profile @@ -41,7 +41,7 @@ tracelog private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload # atril uses webkit gtk to display epub files # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0 #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile index deba11a47fb..74dba7411b3 100644 --- a/etc/profile-a-l/audio-recorder.profile +++ b/etc/profile-a-l/audio-recorder.profile @@ -43,7 +43,7 @@ tracelog disable-mnt # private-bin audio-recorder private-cache -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload private-tmp dbus-user filter diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile index 215f22fd056..73a2e1806d0 100644 --- a/etc/profile-a-l/authenticator-rs.profile +++ b/etc/profile-a-l/authenticator-rs.profile @@ -46,7 +46,7 @@ disable-mnt private-bin authenticator-rs private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg private-tmp dbus-user filter diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile index 96c70a8389f..02c1d8768d9 100644 --- a/etc/profile-a-l/authenticator.profile +++ b/etc/profile-a-l/authenticator.profile 
@@ -38,7 +38,7 @@ seccomp disable-mnt # private-bin authenticator,python* private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-tmp # makes settings immutable diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile index 9ca94710651..b60b5715cd8 100644 --- a/etc/profile-a-l/ballbuster.profile +++ b/etc/profile-a-l/ballbuster.profile @@ -44,7 +44,7 @@ disable-mnt private-bin ballbuster private-cache private-dev -private-etc +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse private-tmp dbus-user none diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile index 3fb2a82c333..85a1a58c751 100644 --- a/etc/profile-a-l/bibletime.profile +++ b/etc/profile-a-l/bibletime.profile @@ -51,7 +51,7 @@ disable-mnt # private-bin bibletime private-cache private-dev -private-etc @tls-ca,sword,sword.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf private-tmp dbus-user none diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile index 53d212e340e..b6b52601eba 100644 --- a/etc/profile-a-l/bijiben.profile +++ b/etc/profile-a-l/bijiben.profile @@ -50,7 +50,7 @@ disable-mnt private-bin bijiben # private-cache -- access to .cache/tracker is required private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload private-tmp dbus-user filter diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile index ba30c365483..f8114c71b65 100644 --- a/etc/profile-a-l/bitwarden.profile +++ b/etc/profile-a-l/bitwarden.profile 
@@ -23,7 +23,7 @@ no3d nosound ?HAS_APPIMAGE: ignore private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl private-opt Bitwarden # Redirect diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile index 6dd54094368..9badb43578d 100644 --- a/etc/profile-a-l/bless.profile +++ b/etc/profile-a-l/bless.profile @@ -34,7 +34,7 @@ seccomp # private-bin bash,bless,mono,sh private-cache private-dev -private-etc mono +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono private-tmp dbus-user none diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile index dccdae924c0..6e7a87e5f3c 100644 --- a/etc/profile-a-l/blobby.profile +++ b/etc/profile-a-l/blobby.profile @@ -40,7 +40,7 @@ tracelog disable-mnt private-bin blobby private-dev -private-etc @x11 +private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse private-lib private-tmp diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile index fc0a769455e..e6926ee297f 100644 --- a/etc/profile-a-l/blobwars.profile +++ b/etc/profile-a-l/blobwars.profile @@ -42,7 +42,7 @@ disable-mnt private-bin blobwars private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile index c5c2e33ebd1..fbc7c9056ef 100644 --- a/etc/profile-a-l/bsdtar.profile +++ b/etc/profile-a-l/bsdtar.profile @@ -6,7 +6,7 @@ include bsdtar.local # Persistent global definitions include globals.local -private-etc +private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd # Redirect include archiver-common.profile diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile index df94ac859ac..b2248ad06a9 100644 
--- a/etc/profile-a-l/cameramonitor.profile +++ b/etc/profile-a-l/cameramonitor.profile @@ -45,7 +45,7 @@ tracelog disable-mnt private-bin cameramonitor,python* private-cache -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp # dbus-user none diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile index a0fe8ddf175..4c8afd8950e 100644 --- a/etc/profile-a-l/cargo.profile +++ b/etc/profile-a-l/cargo.profile @@ -16,7 +16,7 @@ noblacklist ${HOME}/.cargo/credentials.toml #whitelist ${HOME}/.rustup #private-bin cargo,rustc -private-etc @tls-ca,host.conf,magic,magic.mgc,rpc,services +private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl memory-deny-write-execute diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile index 17887b6cc9d..e4e32b26520 100644 --- a/etc/profile-a-l/cawbird.profile +++ b/etc/profile-a-l/cawbird.profile @@ -38,7 +38,7 @@ disable-mnt private-bin cawbird private-cache private-dev -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg private-tmp # dbus-user none diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile index 7b0f7bdf0df..0c4335e8fd3 100644 --- a/etc/profile-a-l/celluloid.profile +++ b/etc/profile-a-l/celluloid.profile 
@@ -52,7 +52,7 @@ tracelog private-bin celluloid,env,gnome-mpv,python*,youtube-dl private-cache -private-etc @tls-ca,@x11,libva.conf,pkcs11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg private-dev private-tmp diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile index 2df03b10b82..4dfd85740cb 100644 --- a/etc/profile-a-l/chatterino.profile +++ b/etc/profile-a-l/chatterino.profile @@ -70,7 +70,7 @@ private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamli # private-cache may cause issues with mpv (see #2838) private-cache private-dev -private-etc @tls-ca,@x11,dbus-1,rpc,services +private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11 private-srv none private-tmp diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile index 93d9c9a8bee..8aed77c04d1 100644 --- a/etc/profile-a-l/cheese.profile +++ b/etc/profile-a-l/cheese.profile @@ -51,7 +51,7 @@ disable-mnt private-bin cheese private-cache private-dev -private-etc @x11,clutter-1.0 +private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload private-tmp dbus-user filter diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile index 3b8eb7bbd79..4f4e8e7bf7c 100644 --- a/etc/profile-a-l/clawsker.profile +++ b/etc/profile-a-l/clawsker.profile 
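Review bot: The expanded list in chatterino.profile keeps `ca-certificates` and `ssl` but omits `pki` and `crypto-policies`, which every other TLS-using profile expanded from `@tls-ca` in this diff includes; `nsswitch.conf` is missing as well, although `hosts` and `resolv.conf` are present. On distributions that keep the trust store and crypto policy under those directories, certificate validation inside the sandbox would presumably fail rather than degrade, so the list is worth checking against one such system. If the omission is not deliberate, `ca-certificates,crypto-policies,dbus-1` and `nsswitch.conf,nvidia,passwd,pki,pulse` would bring it in line with the neighbouring profiles. If it is deliberate, a comment line above `private-etc` saying so would stop the list being "fixed" later.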
@@ -43,7 +43,7 @@ disable-mnt private-bin bash,clawsker,perl,sh,which private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* private-tmp diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile index cc7a436091e..ad6332f78cd 100644 --- a/etc/profile-a-l/cmus.profile +++ b/etc/profile-a-l/cmus.profile @@ -26,6 +26,6 @@ protocol unix,inet,inet6 seccomp private-bin cmus -private-etc @tls-ca +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl restrict-namespaces diff --git a/etc/profile-a-l/cointop.profile b/etc/profile-a-l/cointop.profile index aa053e2f750..c341c4ea236 100644 --- a/etc/profile-a-l/cointop.profile +++ b/etc/profile-a-l/cointop.profile @@ -52,7 +52,7 @@ disable-mnt private-bin cointop private-cache private-dev -private-etc @tls-ca,host.conf,rpc,services +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl private-lib private-tmp diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile index 50f8f67f3d0..442d50259c3 100644 --- a/etc/profile-a-l/colorful.profile +++ b/etc/profile-a-l/colorful.profile @@ -44,7 +44,7 @@ disable-mnt private-bin colorful private-cache private-dev -private-etc +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse private-tmp dbus-user none diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile index 8b7d2317cd6..990b6bc5ade 100644 --- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile +++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile 
@@ -44,7 +44,7 @@ disable-mnt private-bin com.github.bleakgrey.tootle private-cache private-dev -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg private-tmp # Settings are immutable diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile index ab389d3ee87..5f2a1c3e69a 100644 --- a/etc/profile-a-l/com.github.dahenson.agenda.profile +++ b/etc/profile-a-l/com.github.dahenson.agenda.profile @@ -51,7 +51,7 @@ disable-mnt private-bin com.github.dahenson.agenda private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload private-tmp dbus-user filter diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile index f4533b53718..21f37494b36 100644 --- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile +++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile @@ -54,7 +54,7 @@ disable-mnt private-bin com.github.johnfactotum.Foliate,gjs private-cache private-dev -private-etc @x11,gconf +private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload private-tmp read-only ${HOME} diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile index 22a64cb3510..07a6a68135b 100644 --- a/etc/profile-a-l/com.github.phase1geo.minder.profile +++ b/etc/profile-a-l/com.github.phase1geo.minder.profile 
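Review bot: The new `private-etc` line in com.github.bleakgrey.tootle.profile has a space where a comma belongs, `ld.so.preload,machine-id mime.types,nsswitch.conf`. The list is comma-separated, so this is presumably read as a single entry named `machine-id mime.types`, and neither file would reach the sandbox. It should read `ld.so.preload,machine-id,mime.types,nsswitch.conf`. A profile lint step that rejects whitespace inside a `private-etc` list would catch this class of slip in a change that rewrites this many lines by hand.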
@@ -51,7 +51,7 @@ disable-mnt private-bin com.github.phase1geo.minder private-cache private-dev -private-etc @x11,mime.types +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,passwd,X11,xdg private-tmp dbus-user filter diff --git a/etc/profile-a-l/com.github.tchx84.Flatseal.profile b/etc/profile-a-l/com.github.tchx84.Flatseal.profile index eee98ba8df2..fd4494e92bd 100644 --- a/etc/profile-a-l/com.github.tchx84.Flatseal.profile +++ b/etc/profile-a-l/com.github.tchx84.Flatseal.profile @@ -51,7 +51,7 @@ disable-mnt private-bin com.github.tchx84.Flatseal,gjs private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload private-tmp dbus-user filter diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile index 21b576fb7da..793de8ab475 100644 --- a/etc/profile-a-l/coyim.profile +++ b/etc/profile-a-l/coyim.profile @@ -39,7 +39,7 @@ tracelog disable-mnt private-cache private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl private-tmp dbus-user none diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile index 601daacfa33..842191f3fb1 100644 --- a/etc/profile-a-l/crow.profile +++ b/etc/profile-a-l/crow.profile @@ -38,7 +38,7 @@ seccomp disable-mnt private-bin crow private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-opt none private-tmp private-srv none diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile index 7dd5ca2602d..63d89ec360b 100644 --- a/etc/profile-a-l/d-feet.profile +++ b/etc/profile-a-l/d-feet.profile 
@@ -49,7 +49,7 @@ disable-mnt private-bin d-feet,python* private-cache private-dev -private-etc dbus-1 +private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp #memory-deny-write-execute - breaks on Arch (see issue #1803) diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile index 80790bb0c42..b259c7e9322 100644 --- a/etc/profile-a-l/dbus-send.profile +++ b/etc/profile-a-l/dbus-send.profile @@ -50,7 +50,7 @@ private private-bin dbus-send private-cache private-dev -private-etc dbus-1 +private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload private-lib libpcre* private-tmp diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile index e2e2492bc85..876e637b270 100644 --- a/etc/profile-a-l/dconf-editor.profile +++ b/etc/profile-a-l/dconf-editor.profile @@ -42,7 +42,7 @@ disable-mnt private-bin dconf-editor private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id private-lib private-tmp diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile index 2b2ada742c9..5136445da60 100644 --- a/etc/profile-a-l/dconf.profile +++ b/etc/profile-a-l/dconf.profile @@ -45,7 +45,7 @@ disable-mnt private-bin dconf,gsettings private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,ld.so.cache,ld.so.preload private-lib private-tmp diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile index 9811c90d679..8ea5d178e68 100644 --- a/etc/profile-a-l/ddgtk.profile +++ b/etc/profile-a-l/ddgtk.profile @@ -44,7 +44,7 @@ tracelog disable-mnt private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr private-cache -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile index 066cdc8b0ba..ef31fc3eb1b 100644 --- a/etc/profile-a-l/devhelp.profile 
+++ b/etc/profile-a-l/devhelp.profile @@ -41,7 +41,7 @@ disable-mnt private-bin devhelp private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl private-tmp # makes settings immutable diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile index 4461c2a8225..0579547affe 100644 --- a/etc/profile-a-l/devilspie.profile +++ b/etc/profile-a-l/devilspie.profile @@ -47,7 +47,7 @@ disable-mnt private-bin devilspie private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-lib gconv private-tmp diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile index 7c0fee9c3cf..3ee58147abb 100644 --- a/etc/profile-a-l/dig.profile +++ b/etc/profile-a-l/dig.profile @@ -48,7 +48,7 @@ tracelog disable-mnt private-bin bash,dig,sh private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf # Add the next line to your dig.local on non Debian/Ubuntu OS (see issue #3038). #private-lib private-tmp diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index c5317012650..bf49c8d48d8 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile @@ -24,7 +24,7 @@ whitelist ${HOME}/.config/BetterDiscord whitelist ${HOME}/.local/share/betterdiscordctl private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl join-or-start discord diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile index bf77828beb7..15f6e441d31 100644 --- a/etc/profile-a-l/display.profile +++ b/etc/profile-a-l/display.profile 
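Review bot: The new list in discord-common.profile names `password` (`machine-id,password,pki`), where every other profile in this diff that exposes the account database names `passwd`. As written the entry presumably matches no file, so the sandbox gets no passwd file, although `group` and `login.defs` on the same line suggest user lookups were meant to work. I would change it to `machine-id,passwd,pki`.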
@@ -39,7 +39,7 @@ seccomp private-bin display,python* private-dev # On Debian-based systems, display is a symlink in /etc/alternatives -private-etc ImageMagick-6,ImageMagick-7 +private-etc alternatives,ImageMagick-6,ImageMagick-7,ld.so.cache,ld.so.preload private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,ImageMagick*,libfreetype.so.*,libltdl.so.*,libMagickWand-*.so.*,libXext.so.* private-tmp diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile index 9743ebfbd4b..acaf2e0212e 100644 --- a/etc/profile-a-l/dolphin-emu.profile +++ b/etc/profile-a-l/dolphin-emu.profile @@ -54,7 +54,7 @@ private-bin bash,dolphin-emu,dolphin-emu-x11,sh private-cache # Add the next line to your dolphin-emu.local if you do not need controller support. #private-dev -private-etc @tls-ca,@x11,bumblebee,gconf,glvnd,host.conf,mime.types,rpc,services +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg private-opt none private-tmp diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile index 79366b8ee52..9d9fa291b1c 100644 --- a/etc/profile-a-l/drawio.profile +++ b/etc/profile-a-l/drawio.profile @@ -44,7 +44,7 @@ seccomp !chroot private-bin drawio private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile index 40fd8be7c03..920eb7697b1 100644 --- a/etc/profile-a-l/easystroke.profile +++ b/etc/profile-a-l/easystroke.profile 
@@ -44,7 +44,7 @@ disable-mnt #private-bin bash,easystroke,sh private-cache private-dev -private-etc +private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd # breaks custom shell command functionality #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* private-tmp diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile index 4872223f116..d0d0f2168b2 100644 --- a/etc/profile-a-l/electron-mail.profile +++ b/etc/profile-a-l/electron-mail.profile @@ -29,7 +29,7 @@ read-only ${HOME}/.mozilla/firefox/profiles.ini machine-id nosound -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl private-opt ElectronMail dbus-user filter diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile index 48ce0aa22f4..78a996f7102 100644 --- a/etc/profile-a-l/electrum.profile +++ b/etc/profile-a-l/electrum.profile @@ -46,7 +46,7 @@ private-bin electrum,python* private-cache ?HAS_APPIMAGE: ignore private-dev private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl private-tmp # dbus-user none diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 86442d44128..0d5d18fe26d 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile @@ -69,7 +69,7 @@ tracelog # disable-mnt private-cache private-dev -private-etc @tls-ca,@x11,gnupg,hosts.conf,mailname,timezone +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,localtime,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,timezone,xdg private-tmp # encrypting and signing email writable-run-user 
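Review bot: The email-common.profile list still carries `hosts.conf`, copied over from the old line, while the other profiles in this diff (alienarena, alpine, cargo, cawbird, cointop) name the resolver file `host.conf`. Since this commit spells out every entry explicitly, it is a good moment to confirm which file is meant. If it is the resolver configuration, `hostname,hosts,hosts.conf,ld.so.cache` should become `hostname,hosts,host.conf,ld.so.cache`. This line also has the `groups` spelling noted on aria2c.profile.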
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile index 051c75fc1f8..37a6c088b68 100644 --- a/etc/profile-a-l/enchant.profile +++ b/etc/profile-a-l/enchant.profile @@ -47,7 +47,7 @@ x11 none private-bin enchant,enchant-* private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-lib private-tmp diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile index c487a5add4a..83abb551efd 100644 --- a/etc/profile-a-l/eo-common.profile +++ b/etc/profile-a-l/eo-common.profile @@ -46,7 +46,7 @@ tracelog private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* private-tmp diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile index 8b32d08b137..adda53660e8 100644 --- a/etc/profile-a-l/ephemeral.profile +++ b/etc/profile-a-l/ephemeral.profile @@ -55,7 +55,7 @@ disable-mnt private-cache ?BROWSER_DISABLE_U2F: private-dev # private-etc below works fine on most distributions. There are some problems on CentOS. -#private-etc @tls-ca,@x11,mailcap,mime.types,os-release +#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp # breaks preferences diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile index 8cbdccbb564..2fe0a4af4a4 100644 --- a/etc/profile-a-l/equalx.profile +++ b/etc/profile-a-l/equalx.profile 
@@ -53,7 +53,7 @@ disable-mnt private-bin equalx,gs,pdflatex,pdftocairo private-cache private-dev -private-etc @x11,equalx,equalx.conf,latexmk.conf,papersize,texlive +private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf private-tmp dbus-user none diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index 75a3958ad01..95115d48499 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile @@ -54,7 +54,7 @@ tracelog private-bin evince,evince-previewer,evince-thumbnailer,sh private-cache private-dev -private-etc +private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd # private-lib might break two-page-view on some systems private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* private-tmp diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile index a8be4828f61..45331487c56 100644 --- a/etc/profile-a-l/exiftool.profile +++ b/etc/profile-a-l/exiftool.profile @@ -47,7 +47,7 @@ x11 none #private-bin exiftool,perl private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile index d805766eb1d..2daf1ff1589 100644 --- a/etc/profile-a-l/falkon.profile +++ b/etc/profile-a-l/falkon.profile 
@@ -47,7 +47,7 @@ disable-mnt # private-bin falkon private-cache private-dev -private-etc @tls-ca,@x11,adobe,mailcap,mime.types +private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg private-tmp # dbus-user filter diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile index 77e16a56b0f..248cb5b4950 100644 --- a/etc/profile-a-l/fdns.profile +++ b/etc/profile-a-l/fdns.profile @@ -42,7 +42,7 @@ private private-bin bash,fdns,sh private-cache #private-dev -private-etc @tls-ca,fdns +private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl # private-lib private-tmp diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile index 4b45cd19817..7293e89a8dd 100644 --- a/etc/profile-a-l/feh-network.inc.profile +++ b/etc/profile-a-l/feh-network.inc.profile @@ -5,4 +5,4 @@ include feh-network.inc.local ignore net none netfilter protocol unix,inet,inet6 -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index 82b3f76453d..be5ab8627a1 100644 --- a/etc/profile-a-l/feh.profile +++ b/etc/profile-a-l/feh.profile @@ -35,7 +35,7 @@ seccomp private-bin feh,jpegexiforient,jpegtran private-cache private-dev -private-etc feh +private-etc alternatives,feh,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile index b7d54f05d7d..160f26f7841 100644 --- a/etc/profile-a-l/ffmpeg.profile +++ b/etc/profile-a-l/ffmpeg.profile 
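Review bot: The new `private-etc` list in falkon.profile includes `machine-id` alongside `resolv.conf`, `hosts` and the CA directories, so a networked browser can read the host's stable identifier from inside the sandbox. Whether the removed `@tls-ca`/`@x11` groups already exposed it is not visible in this hunk, so this may not be a regression, but an explicit list is the right place to decide it per profile. Drop `machine-id` where the application starts without it, or pair it with the profile-level `machine-id` option so the sandbox sees a generated value (how that option interacts with `private-etc` should be confirmed). The same combination of `machine-id` and resolver/CA files appears in the flameshot, gajim, geary, goldendict, gradio and homebank hunks of this commit.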
@@ -47,7 +47,7 @@ tracelog private-bin ffmpeg private-cache private-dev -private-etc @tls-ca,pkcs11 +private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile index 5cffd4980f1..52abb99d4f7 100644 --- a/etc/profile-a-l/ffplay.profile +++ b/etc/profile-a-l/ffplay.profile @@ -14,7 +14,7 @@ ignore nogroups ignore nosound private-bin ffplay -private-etc +private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload # Redirect include ffmpeg.profile diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile index 4f39bec55e4..ef4e0e117f9 100644 --- a/etc/profile-a-l/file-roller.profile +++ b/etc/profile-a-l/file-roller.profile @@ -42,7 +42,7 @@ tracelog private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg # private-tmp dbus-system none diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 42d12c5d9e3..57c9b5dfb85 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile 
@@ -57,7 +57,9 @@ seccomp !chroot disable-mnt ?BROWSER_DISABLE_U2F: private-dev -# private-etc below works fine on most distributions. There could be some problems on CentOS. +# private-etc below works fine on most distributions. There are some problems on CentOS. +# Add it to your firefox-common.local if you want to enable it. +#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-etc @tls-ca,@x11,mailcap,mime.types,os-release private-tmp diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile index 3f4432857b6..0984055a3df 100644 --- a/etc/profile-a-l/flameshot.profile +++ b/etc/profile-a-l/flameshot.profile @@ -51,7 +51,7 @@ tracelog disable-mnt private-bin flameshot private-cache -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl private-dev #private-tmp diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile index fe0bc8756a6..a614d7d9f2f 100644 --- a/etc/profile-a-l/fractal.profile +++ b/etc/profile-a-l/fractal.profile @@ -46,7 +46,7 @@ disable-mnt private-bin fractal private-cache private-dev -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp dbus-user filter diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile index 9bf5a14be87..ae5843f7fac 100644 --- a/etc/profile-a-l/freemind.profile +++ b/etc/profile-a-l/freemind.profile 
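Review bot: In firefox-common.profile the active line `private-etc @tls-ca,@x11,mailcap,mime.types,os-release` is left in place as context, directly below the added comment `# Add it to your firefox-common.local if you want to enable it.` and the new commented-out explicit list. The comment and the file now disagree: private-etc is described as opt-in but is still enabled, and it is enabled with the `@group` tokens that the other hunks of this commit replace with explicit file names. If group expansion is removed together with this change (the parser is not part of this hunk, so that is inferred), `@tls-ca` and `@x11` would be read as literal names and Firefox would get an /etc without CA or resolver files. Either delete the active `private-etc @tls-ca,...` line so the comment is true, or replace it with the explicit list from the new `#private-etc` line.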
@@ -43,7 +43,7 @@ disable-mnt private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which private-cache private-dev -#private-etc alternatives,fonts,java* +#private-etc alternatives,fonts,java private-tmp private-opt none private-srv none diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile index bdc5fa55786..bcde18b362b 100644 --- a/etc/profile-a-l/freetube.profile +++ b/etc/profile-a-l/freetube.profile @@ -18,7 +18,7 @@ mkdir ${HOME}/.config/FreeTube whitelist ${HOME}/.config/FreeTube private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg dbus-user filter dbus-user.own org.mpris.MediaPlayer2.chromium.* diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile index d9ee054ab0f..067fe3caa87 100644 --- a/etc/profile-a-l/frogatto.profile +++ b/etc/profile-a-l/frogatto.profile @@ -44,7 +44,7 @@ disable-mnt private-bin frogatto,sh private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index ed7b32f6e9c..d4d578dd43c 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile @@ -58,7 +58,7 @@ disable-mnt private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg private-tmp writable-run-user 
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile index 96ded592d5a..0fba8ac07c7 100644 --- a/etc/profile-a-l/galculator.profile +++ b/etc/profile-a-l/galculator.profile @@ -42,7 +42,7 @@ tracelog private-bin galculator private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-lib private-tmp diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile index 9c8200dc4ec..2947873ef07 100644 --- a/etc/profile-a-l/gallery-dl.profile +++ b/etc/profile-a-l/gallery-dl.profile @@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl noblacklist ${HOME}/.gallery-dl.conf private-bin gallery-dl -private-etc gallery-dl.conf +private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload # Redirect include youtube-dl.profile diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index baf8f614e77..106e0eda672 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile @@ -48,7 +48,7 @@ private private-bin gapplication private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp # Add the next line to your gapplication.local to filter D-Bus names. diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile index ad37312a873..313b34a5359 100644 --- a/etc/profile-a-l/gcloud.profile +++ b/etc/profile-a-l/gcloud.profile @@ -35,7 +35,7 @@ tracelog disable-mnt private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile index ead78d98384..5b434342b52 100644 --- a/etc/profile-a-l/gconf.profile +++ b/etc/profile-a-l/gconf.profile 
@@ -53,7 +53,7 @@ disable-mnt private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* private-cache private-dev -private-etc gconf +private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload private-lib GConf,libpython*,python2* private-tmp diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index a19a20ba72c..6aaf1ab050f 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile @@ -75,7 +75,7 @@ tracelog #private-bin geary,sh private-cache private-dev -private-etc @tls-ca,@x11,mailcap,mime.types +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mailcap,mime.types,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg private-tmp dbus-user filter diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile index 3a929774a5a..cda47a7e905 100644 --- a/etc/profile-a-l/geekbench.profile +++ b/etc/profile-a-l/geekbench.profile @@ -47,7 +47,7 @@ disable-mnt #private-bin bash,geekbench*,sh -- #4576 private-cache private-dev -private-etc lsb-release +private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd private-tmp dbus-user none diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile index 1c97ad21c99..d3d49433b22 100644 --- a/etc/profile-a-l/gfeeds.profile +++ b/etc/profile-a-l/gfeeds.profile @@ -60,7 +60,7 @@ disable-mnt private-bin gfeeds,python3* # private-cache -- feeds are stored in ~/.cache private-dev -private-etc @tls-ca,@x11,dbus-1,gconf,host.conf,mime.types,rpc,services +private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg private-tmp dbus-user filter 
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile index 11d5f620ccb..02c4f950941 100644 --- a/etc/profile-a-l/gget.profile +++ b/etc/profile-a-l/gget.profile @@ -48,7 +48,7 @@ disable-mnt private-bin gget private-cache private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-lib private-tmp diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile index dabf0dd7fc2..9c719ddb14f 100644 --- a/etc/profile-a-l/ghostwriter.profile +++ b/etc/profile-a-l/ghostwriter.profile @@ -51,7 +51,7 @@ private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,p private-cache private-dev # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed -private-etc @tls-ca,@x11,dbus-1,firejail,gconf,host.conf,mime.types,rpc,services,texlive +private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg private-tmp dbus-user filter diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index 717519112e5..f29929a724f 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile @@ -59,7 +59,7 @@ seccomp !mbind tracelog private-dev -private-etc @tls-ca,@x11,python* +private-etc @x11,gcrypt,python* private-tmp dbus-user none diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile index 6eea076f750..d315619b779 100644 --- a/etc/profile-a-l/gist.profile +++ b/etc/profile-a-l/gist.profile @@ -51,7 +51,7 @@ tracelog disable-mnt private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none 
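Review bot: The new ghostwriter.profile list contains `groups`, which looks like a typo for `group`; the evince, gajim and geary hunks in this commit all list `group`. A name that does not exist under /etc is presumably skipped without an error, so /etc/group would be silently absent from the sandbox and lookups by group name would fail. Change the entry to `group`, i.e. `...,gconf,group,gtk-2.0,...`.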
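Review bot: gimp.profile still carries a group token after this change: the new line is `private-etc @x11,gcrypt,python*`, while every neighbouring hunk spells its files out. If groups are no longer expanded once this commit lands (inferred, the parser is not shown), `@x11` would match nothing and GIMP would lose fonts and GTK settings. The line also drops `@tls-ca` without adding `ca-certificates`, `pki`, `ssl` or `resolv.conf`; if the profile permits network access, which this hunk does not show, TLS verification inside the sandbox would have no trust store. Write the list explicitly in the style of the other profiles, for example starting from `private-etc alternatives,fonts,gcrypt,gtk-2.0,ld.so.cache,ld.so.preload,python*` and checking it against what GIMP actually reads.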
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index 49568ba238d..2f7068d6835 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile @@ -69,7 +69,7 @@ tracelog private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed private-cache private-dev -private-etc @tls-ca,@x11,gitconfig,host.conf,mime.types,ssh +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg private-tmp writable-run-user diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile index e3cf87c8757..0f9ed95920c 100644 --- a/etc/profile-a-l/gitter.profile +++ b/etc/profile-a-l/gitter.profile @@ -36,7 +36,7 @@ seccomp disable-mnt private-bin bash,env,gitter -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl private-opt Gitter private-dev private-tmp diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile index fbfbdd20425..92ba7011349 100644 --- a/etc/profile-a-l/gl-117.profile +++ b/etc/profile-a-l/gl-117.profile @@ -43,7 +43,7 @@ disable-mnt private-bin gl-117 private-cache private-dev -private-etc @x11,bumblebee,glvnd +private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse private-tmp dbus-user none diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile index 5aa69f7145e..d61b566d85a 100644 --- a/etc/profile-a-l/glaxium.profile +++ b/etc/profile-a-l/glaxium.profile 
@@ -43,7 +43,7 @@ disable-mnt private-bin glaxium private-cache private-dev -private-etc @x11,bumblebee,glvnd +private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse private-tmp dbus-user none diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile index f3e04500083..b337dc4d55c 100644 --- a/etc/profile-a-l/gmpc.profile +++ b/etc/profile-a-l/gmpc.profile @@ -43,7 +43,7 @@ tracelog disable-mnt #private-bin gmpc private-cache -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,resolv.conf private-tmp writable-run-user diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index 70a302138a7..b0d3f1d3464 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile @@ -44,7 +44,7 @@ private private-bin gnome-calendar private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user filter diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile index 9e9730e53db..2e11f335b79 100644 --- a/etc/profile-a-l/gnome-characters.profile +++ b/etc/profile-a-l/gnome-characters.profile @@ -48,7 +48,7 @@ disable-mnt private-bin gjs,gnome-characters private-cache private-dev -private-etc @x11,gconf,mime.types +private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg private-tmp # Add the next lines to your gnome-characters.local if you don't need access to recently used chars. diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile index 9f5174b9edb..78bd54b642b 100644 --- a/etc/profile-a-l/gnome-chess.profile +++ b/etc/profile-a-l/gnome-chess.profile 
@@ -49,7 +49,7 @@ disable-mnt private-bin fairymax,gnome-chess,gnuchess,hoichess private-cache private-dev -private-etc @x11,gnome-chess +private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload private-tmp restrict-namespaces diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile index f290b26deec..5563afcbd15 100644 --- a/etc/profile-a-l/gnome-clocks.profile +++ b/etc/profile-a-l/gnome-clocks.profile @@ -41,7 +41,7 @@ disable-mnt private-bin gnome-clocks,gsound-play private-cache private-dev -private-etc @tls-ca,@x11,pkcs11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,resolv.conf,ssl private-tmp restrict-namespaces diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile index 4f436202c89..f0493c645f5 100644 --- a/etc/profile-a-l/gnome-hexgl.profile +++ b/etc/profile-a-l/gnome-hexgl.profile @@ -41,7 +41,7 @@ private private-bin gnome-hexgl private-cache private-dev -private-etc +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse private-tmp dbus-user none diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile index b15439aeeef..43e0a1ec18d 100644 --- a/etc/profile-a-l/gnome-latex.profile +++ b/etc/profile-a-l/gnome-latex.profile @@ -47,7 +47,7 @@ tracelog private-cache private-dev # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed -private-etc @x11,latexmk.conf,texlive +private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive dbus-system none diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile index 61f4f41071b..b619b0f272d 100644 --- a/etc/profile-a-l/gnome-logs.profile +++ b/etc/profile-a-l/gnome-logs.profile 
@@ -39,7 +39,7 @@ disable-mnt private-bin gnome-logs private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* private-tmp writable-var-log diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile index 17f52e58855..d14b2a5a13a 100644 --- a/etc/profile-a-l/gnome-maps.profile +++ b/etc/profile-a-l/gnome-maps.profile @@ -63,7 +63,7 @@ disable-mnt private-bin gjs,gnome-maps # private-cache -- gnome-maps cache all maps/satelite-images private-dev -private-etc @tls-ca,@x11,clutter-1.0,gconf,host.conf,mime.types,pkcs11,rpc,services +private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg private-tmp dbus-user filter diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile index 22d5f87eaf2..ec033dbf02a 100644 --- a/etc/profile-a-l/gnome-music.profile +++ b/etc/profile-a-l/gnome-music.profile @@ -41,7 +41,7 @@ tracelog # private-bin calls a file manager - whatever is installed! #private-bin env,gio-launch-desktop,gnome-music,python*,yelp private-dev -private-etc @x11 +private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg private-tmp restrict-namespaces diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile index 450e76082be..0d7fb2de800 100644 --- a/etc/profile-a-l/gnome-passwordsafe.profile +++ b/etc/profile-a-l/gnome-passwordsafe.profile 
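Review bot: `fonts` is listed twice in the new gnome-music.profile line (`...,dconf,fonts,fonts,gtk-3.0,...`). It is most likely harmless at run time, but it shows the list was not deduplicated like the others, and a duplicate is easy to mistake for a missing neighbour such as `gtk-2.0` during later review. Drop the repeat: `private-etc alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg`.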
@@ -52,7 +52,7 @@ disable-mnt private-bin gnome-passwordsafe,python3* private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd private-tmp dbus-user filter diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile index ac0fb555d27..6d90773aa2d 100644 --- a/etc/profile-a-l/gnome-pie.profile +++ b/etc/profile-a-l/gnome-pie.profile @@ -33,7 +33,7 @@ seccomp disable-mnt private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* private-tmp diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile index 9906b15d90a..fb019227f56 100644 --- a/etc/profile-a-l/gnome-pomodoro.profile +++ b/etc/profile-a-l/gnome-pomodoro.profile @@ -43,7 +43,7 @@ disable-mnt private-bin gnome-pomodoro private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id private-tmp dbus-user filter diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile index aa1ded51627..75f3199e291 100644 --- a/etc/profile-a-l/gnome-recipes.profile +++ b/etc/profile-a-l/gnome-recipes.profile @@ -46,7 +46,7 @@ seccomp disable-mnt private-bin gnome-recipes,tar private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,ssl private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* private-tmp diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile index 25be407b5d0..74238a109be 100644 --- a/etc/profile-a-l/gnome-screenshot.profile +++ b/etc/profile-a-l/gnome-screenshot.profile 
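Review bot: The gnome-recipes.profile list keeps the TLS trust files (`ca-certificates`, `crypto-policies`, `pki`, `ssl`) but has no `resolv.conf`, `hosts` or `nsswitch.conf`, unlike the gget and gpredict hunks in this commit, which at least add `resolv.conf` next to the same CA entries. If the profile allows network access (not visible in this hunk; `private-lib` does list `libgnutls.so.*` and `libproxy.so.*`), name resolution inside the sandbox would fail before TLS is ever used. Either add the resolver file, `private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl`, or remove the CA entries if the application is meant to be offline.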
@@ -41,7 +41,7 @@ tracelog disable-mnt private-bin gnome-screenshot private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,machine-id private-tmp dbus-user filter diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile index f278b332b6c..d07bd80a758 100644 --- a/etc/profile-a-l/gnome-sound-recorder.profile +++ b/etc/profile-a-l/gnome-sound-recorder.profile @@ -39,7 +39,7 @@ tracelog disable-mnt private-cache private-dev -private-etc @games,@x11 +private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg private-tmp restrict-namespaces diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile index f4e98534271..4c74c0a61f5 100644 --- a/etc/profile-a-l/gnome-system-log.profile +++ b/etc/profile-a-l/gnome-system-log.profile @@ -42,7 +42,7 @@ disable-mnt private-bin gnome-system-log private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id private-lib private-tmp writable-var-log diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile index 5c375de2db8..ae7ea83d80e 100644 --- a/etc/profile-a-l/gnome-todo.profile +++ b/etc/profile-a-l/gnome-todo.profile @@ -45,7 +45,7 @@ disable-mnt private-bin gnome-todo private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,passwd,xdg private-tmp dbus-user filter diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile index c03d41f06e4..c9145d78e83 100644 --- a/etc/profile-a-l/gnome_games-common.profile +++ b/etc/profile-a-l/gnome_games-common.profile 
@@ -40,7 +40,7 @@ tracelog disable-mnt private-cache private-dev -private-etc @x11,gconf +private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pango,passwd,X11 private-tmp dbus-user filter diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile index c6ce0c2c00b..d7944ae249e 100644 --- a/etc/profile-a-l/gnote.profile +++ b/etc/profile-a-l/gnote.profile @@ -50,7 +50,7 @@ disable-mnt private-bin gnote private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pango,X11 private-tmp dbus-user filter diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile index 025cb74b633..bdbcf9baf8b 100644 --- a/etc/profile-a-l/gnubik.profile +++ b/etc/profile-a-l/gnubik.profile @@ -42,7 +42,7 @@ private private-bin gnubik private-cache private-dev -private-etc @x11 +private-etc alternatives,drirc,fonts,gtk-2.0,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile index 5e41384abb4..36a2cae07f6 100644 --- a/etc/profile-a-l/godot.profile +++ b/etc/profile-a-l/godot.profile @@ -37,7 +37,7 @@ tracelog # private-bin godot private-cache private-dev -private-etc @games,@tls-ca,@x11,mono +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.cache,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile index 822e5ffc2dd..327648cd18f 100644 --- a/etc/profile-a-l/goldendict.profile +++ b/etc/profile-a-l/goldendict.profile @@ -50,7 +50,7 @@ disable-mnt private-bin goldendict private-cache private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user none 
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile index 58769643a43..da7c24581a3 100644 --- a/etc/profile-a-l/googler-common.profile +++ b/etc/profile-a-l/googler-common.profile @@ -53,7 +53,7 @@ disable-mnt private-bin env,python3*,sh,w3m private-cache private-dev -private-etc @tls-ca,host.conf,rpc,services +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl private-tmp dbus-user none diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile index 0525995c368..1012f5774d1 100644 --- a/etc/profile-a-l/gpicview.profile +++ b/etc/profile-a-l/gpicview.profile @@ -40,7 +40,7 @@ tracelog private-bin gpicview private-cache private-dev -private-etc +private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd private-lib private-tmp diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile index 99c840a27fb..53a6f94e2f4 100644 --- a/etc/profile-a-l/gpredict.profile +++ b/etc/profile-a-l/gpredict.profile @@ -35,7 +35,7 @@ tracelog private-bin gpredict private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-tmp restrict-namespaces diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile index a0d2247e089..368482fa329 100644 --- a/etc/profile-a-l/gradio.profile +++ b/etc/profile-a-l/gradio.profile @@ -44,7 +44,7 @@ disable-mnt private-bin gradio private-cache private-dev -private-etc @tls-ca,@x11,host.conf +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp dbus-user filter 
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile index 19af7c0b963..02a49134c18 100644 --- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile +++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile @@ -39,7 +39,7 @@ private private-bin gravity-beams-and-evaporating-stars private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile index eb09fe38194..5fd92fd4f7d 100644 --- a/etc/profile-a-l/gtk-update-icon-cache.profile +++ b/etc/profile-a-l/gtk-update-icon-cache.profile @@ -45,7 +45,7 @@ disable-mnt private-bin gtk-update-icon-cache private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-lib private-tmp diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile index ef4aad4dac5..68b78ec6232 100644 --- a/etc/profile-a-l/gucharmap.profile +++ b/etc/profile-a-l/gucharmap.profile @@ -42,7 +42,7 @@ disable-mnt private-bin gnome-character-map,gucharmap private-cache private-dev -private-etc @x11,dbus-1,gconf,mime.types +private-etc alternatives,dbus-1,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,X11,xdg private-lib private-tmp diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile index 467bee3a0c0..db307e9401b 100644 --- a/etc/profile-a-l/guvcview.profile +++ b/etc/profile-a-l/guvcview.profile 
@@ -47,7 +47,7 @@ disable-mnt private-bin guvcview private-cache private-dev -private-etc @x11,bumblebee,glvnd +private-etc alsa,alternatives,asound.conf,bumblebee,dconf,drirc,fonts,glvnd,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pango,pulse,X11 private-tmp dbus-user none diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile index 4be71f6d38f..8f7f74e0de6 100644 --- a/etc/profile-a-l/gwenview.profile +++ b/etc/profile-a-l/gwenview.profile @@ -46,7 +46,7 @@ seccomp private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 private-dev -private-etc @x11,gimp +private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg # dbus-user none # dbus-system none diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile index ccbb6633360..91b73e8e9dc 100644 --- a/etc/profile-a-l/homebank.profile +++ b/etc/profile-a-l/homebank.profile @@ -49,7 +49,7 @@ disable-mnt private-bin homebank private-cache private-dev -private-etc @tls-ca,@x11,mime.types +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11 private-tmp dbus-user none diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile index 3f7901d3f42..b33709ef0dc 100644 --- a/etc/profile-a-l/host.profile +++ b/etc/profile-a-l/host.profile @@ -42,7 +42,7 @@ tracelog disable-mnt private private-bin bash,host,sh -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf private-dev private-tmp diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile index 72d28ed08cf..13dc06eccce 100644 --- a/etc/profile-a-l/hyperrogue.profile +++ b/etc/profile-a-l/hyperrogue.profile 
@@ -43,7 +43,7 @@ private-bin hyperrogue private-cache private-cwd private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile index 6ee92e98663..757af67b068 100644 --- a/etc/profile-a-l/i2prouter.profile +++ b/etc/profile-a-l/i2prouter.profile @@ -67,7 +67,7 @@ seccomp disable-mnt private-cache private-dev -private-etc @tls-ca,@x11,i2p,java* +private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl private-tmp restrict-namespaces diff --git a/etc/profile-a-l/io.github.lainsce.Notejot.profile b/etc/profile-a-l/io.github.lainsce.Notejot.profile index 4730802a23c..cb2f30350a7 100644 --- a/etc/profile-a-l/io.github.lainsce.Notejot.profile +++ b/etc/profile-a-l/io.github.lainsce.Notejot.profile @@ -50,7 +50,7 @@ disable-mnt private-bin io.github.lainsce.Notejot private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 private-tmp dbus-user filter diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile index 7eabbca8480..983c31bcb95 100644 --- a/etc/profile-a-l/ipcalc.profile +++ b/etc/profile-a-l/ipcalc.profile @@ -49,7 +49,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh # private-cache private-dev # empty etc directory -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-lib private-opt none private-tmp diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile index 0cdfa2ace8a..3136b412efe 100644 --- a/etc/profile-a-l/jerry.profile +++ b/etc/profile-a-l/jerry.profile 
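Review bot: The i2prouter.profile hunk replaces the `java*` pattern with a fixed enumeration, `java-8-openjdk` through `java-13-openjdk` plus `java-openjdk`, so a host whose JDK directory has a newer version number will start the router without its Java configuration under /etc. That failure would not point at the profile, and the list has to be edited for every JDK release. Patterns still seem to be accepted elsewhere in this commit (gimp.profile keeps `python*`), so keeping `java*` here looks possible; if it is not, add a comment above the line such as `# extend the java-N-openjdk entries when a newer JDK is packaged`.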
@@ -33,7 +33,7 @@ tracelog private-bin bash,jerry,sh,stockfish private-dev -private-etc @x11 +private-etc alternatives,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile index 8c85d104396..edb7ed84038 100644 --- a/etc/profile-a-l/jitsi-meet-desktop.profile +++ b/etc/profile-a-l/jitsi-meet-desktop.profile @@ -21,7 +21,7 @@ mkdir ${HOME}/.config/Jitsi Meet whitelist ${HOME}/.config/Jitsi Meet private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh -private-etc @tls-ca,@x11,bumblebee,glvnd,host.conf,mime.types,rpc,services +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg # Redirect include electron.profile diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile index cefceefed53..66d63283a89 100644 --- a/etc/profile-a-l/jumpnbump.profile +++ b/etc/profile-a-l/jumpnbump.profile @@ -40,7 +40,7 @@ disable-mnt private-bin jumpnbump private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile index a4e67cf6be9..bde52f30e57 100644 --- a/etc/profile-a-l/kalgebra.profile +++ b/etc/profile-a-l/kalgebra.profile @@ -41,7 +41,7 @@ disable-mnt private-bin kalgebra,kalgebramobile private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile index 70414eeea9f..c01000af166 100644 --- a/etc/profile-a-l/kazam.profile 
+++ b/etc/profile-a-l/kazam.profile @@ -48,7 +48,7 @@ disable-mnt # private-bin kazam,python* private-cache private-dev -private-etc @x11 +private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,X11,xdg private-tmp dbus-system none diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile index cfb756c4373..ea56f2d3969 100644 --- a/etc/profile-a-l/kcalc.profile +++ b/etc/profile-a-l/kcalc.profile @@ -59,7 +59,7 @@ disable-mnt private-bin kcalc private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf # private-lib - problems on Arch private-tmp diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile index 4644d598d94..935fe3933d2 100644 --- a/etc/profile-a-l/keepassx.profile +++ b/etc/profile-a-l/keepassx.profile @@ -40,7 +40,7 @@ tracelog private-bin keepassx,keepassx2 private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index f7959ca81f0..80374690c82 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile @@ -89,7 +89,7 @@ private-bin keepassxc,keepassxc-cli,keepassxc-proxy # hardware keys) on /dev after it has already started; add "ignore private-dev" # to keepassxc.local if this is an issue (see #4883). private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user filter diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile index 651571fd9e2..424fb006eff 100644 --- a/etc/profile-a-l/kid3.profile +++ b/etc/profile-a-l/kid3.profile 
@@ -36,7 +36,7 @@ tracelog private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl private-tmp private-opt none private-srv none diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile index 2e369b94571..5a028aeea96 100644 --- a/etc/profile-a-l/kiwix-desktop.profile +++ b/etc/profile-a-l/kiwix-desktop.profile @@ -43,7 +43,7 @@ seccomp !chroot disable-mnt private-cache private-dev -private-etc @tls-ca +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile index faf6a2d08fa..0785b904deb 100644 --- a/etc/profile-a-l/klavaro.profile +++ b/etc/profile-a-l/klavaro.profile @@ -44,7 +44,7 @@ disable-mnt private-bin bash,klavaro,sh,tclsh,tclsh* private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp private-opt none private-srv none diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile index b5ce96e7013..68ef6111a91 100644 --- a/etc/profile-a-l/ktouch.profile +++ b/etc/profile-a-l/ktouch.profile @@ -45,7 +45,7 @@ disable-mnt private-bin ktouch private-cache private-dev -private-etc @x11 +private-etc alternatives,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index 5183a932750..0cdfe4f1041 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile 
@@ -67,7 +67,7 @@ tracelog private-bin kube,sink_synchronizer private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg private-tmp writable-run-user diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile index 58981164364..7ecf26d8e4b 100644 --- a/etc/profile-a-l/kwin_x11.profile +++ b/etc/profile-a-l/kwin_x11.profile @@ -42,7 +42,7 @@ tracelog disable-mnt private-bin kwin_x11 private-dev -private-etc @x11 +private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg private-tmp restrict-namespaces diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile index 34fe2ace66b..18a024c7ee3 100644 --- a/etc/profile-a-l/kwrite.profile +++ b/etc/profile-a-l/kwrite.profile @@ -46,7 +46,7 @@ tracelog private-bin kbuildsycoca4,kdeinit4,kwrite private-dev -private-etc @x11 +private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg private-tmp # dbus-user none diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile index 4440757ad14..025156d2dc4 100644 --- a/etc/profile-a-l/lifeograph.profile +++ b/etc/profile-a-l/lifeograph.profile @@ -48,7 +48,7 @@ disable-mnt private-bin lifeograph private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 private-tmp dbus-user filter diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile index 838d619b76b..22a4a2a2adf 100644 --- a/etc/profile-a-l/links-common.profile +++ b/etc/profile-a-l/links-common.profile 
@@ -50,7 +50,7 @@ disable-mnt private-bin sh private-cache private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl # Add the next line to your links-common.local to allow external media players. # private-etc alsa,asound.conf,machine-id,openal,pulse private-tmp diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile index 83f3d11d372..8855f09f59d 100644 --- a/etc/profile-a-l/linuxqq.profile +++ b/etc/profile-a-l/linuxqq.profile @@ -23,7 +23,7 @@ noprinters # If you don't need/want to save anything to disk you can add `private` to your linuxqq.local. #private -private-etc @tls-ca,@x11,host.conf,os-release +private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg private-opt QQ dbus-user filter diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile index bb13e03014e..78b78662b81 100644 --- a/etc/profile-a-l/lollypop.profile +++ b/etc/profile-a-l/lollypop.profile @@ -36,7 +36,7 @@ protocol unix,inet,inet6 seccomp private-dev -private-etc @tls-ca,@x11,host.conf +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp restrict-namespaces diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile index c3366acef62..ae2f2d4341c 100644 --- a/etc/profile-a-l/lyx.profile +++ b/etc/profile-a-l/lyx.profile 
@@ -32,7 +32,7 @@ apparmor machine-id # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex -private-etc @x11,lyx,mime.types,texmf +private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg # Redirect include latex-common.profile diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile index e75de80ac07..902fc9a6a57 100644 --- a/etc/profile-m-z/PCSX2.profile +++ b/etc/profile-m-z/PCSX2.profile @@ -47,7 +47,7 @@ private-bin PCSX2 private-cache # Add the next line to your PCSX2.local if you do not need controller support. #private-dev -private-etc @tls-ca,@x11,bumblebee,gconf,glvnd,host.conf,mime.types,rpc,services +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg private-opt none private-tmp diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile index f8b5cec1332..22c4c4631ec 100644 --- a/etc/profile-m-z/QMediathekView.profile +++ b/etc/profile-m-z/QMediathekView.profile @@ -71,7 +71,7 @@ disable-mnt private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer private-cache private-dev -private-etc @tls-ca +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,login.defs,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index eed839041ad..6140de60fa3 100644 --- a/etc/profile-m-z/QOwnNotes.profile 
+++ b/etc/profile-m-z/QOwnNotes.profile @@ -49,7 +49,7 @@ tracelog disable-mnt private-bin gio,QOwnNotes private-dev -private-etc @tls-ca,host.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-tmp restrict-namespaces diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile index 34d500bb1ff..2ea185ec036 100644 --- a/etc/profile-m-z/Viber.profile +++ b/etc/profile-m-z/Viber.profile @@ -32,7 +32,7 @@ seccomp !chroot disable-mnt private-bin awk,bash,dig,sh,Viber -private-etc @tls-ca,@x11,mailcap,proxychains.conf +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 private-tmp # restrict-namespaces diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile index ee19fa3b0c2..8bf79f554f9 100644 --- a/etc/profile-m-z/Xvfb.profile +++ b/etc/profile-m-z/Xvfb.profile @@ -42,7 +42,7 @@ private # private-bin sh,xkbcomp,Xvfb # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb private-dev -private-etc gai.conf,host.conf +private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf private-tmp restrict-namespaces diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile index d9990825a72..e5d994b57b0 100644 --- a/etc/profile-m-z/magicor.profile +++ b/etc/profile-m-z/magicor.profile @@ -44,7 +44,7 @@ disable-mnt private-bin magicor,python2* private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile index cdf1d807f3e..0e3f9e6e2c1 100644 --- a/etc/profile-m-z/man.profile +++ b/etc/profile-m-z/man.profile 
@@ -56,7 +56,7 @@ disable-mnt #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim private-cache private-dev -private-etc @x11,groff,man_db.conf,manpath.config,sysless +private-etc alternatives,fonts,groff,group,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,login.defs,man_db.conf,manpath.config,passwd,selinux,sysless,xdg #private-tmp dbus-user none diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile index 2fb527ad5d7..7066f422929 100644 --- a/etc/profile-m-z/marker.profile +++ b/etc/profile-m-z/marker.profile @@ -53,7 +53,7 @@ tracelog private-bin marker,python3* private-cache private-dev -private-etc @x11 +private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11 private-tmp dbus-user filter diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile index 95a16cbb83a..176506ff228 100644 --- a/etc/profile-m-z/masterpdfeditor.profile +++ b/etc/profile-m-z/masterpdfeditor.profile @@ -35,7 +35,7 @@ tracelog private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp restrict-namespaces diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile index ee780333dec..e3a5c6ab658 100644 --- a/etc/profile-m-z/mate-calc.profile +++ b/etc/profile-m-z/mate-calc.profile @@ -41,7 +41,7 @@ seccomp disable-mnt private-bin mate-calc,mate-calculator -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload private-dev private-opt none private-tmp diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile index 37cae5c70df..337c2d6e50b 100644 --- a/etc/profile-m-z/mate-color-select.profile +++ b/etc/profile-m-z/mate-color-select.profile 
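Review bot: The new list in etc/profile-m-z/marker.profile contains `dconfgtk-3.0`, which reads as `dconf` and `gtk-3.0` with the separating comma lost. As written it names a single entry that matches neither directory, so both are left out of the sandbox's /etc. The line should start `private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,...`, matching the sibling GTK profiles in this diff (lifeograph, io.github.lainsce.Notejot), which list the two entries separately.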
@@ -32,7 +32,7 @@ seccomp disable-mnt private-bin mate-color-select -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-dev private-lib private-tmp diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile index b563170378e..e80b220b761 100644 --- a/etc/profile-m-z/mate-dictionary.profile +++ b/etc/profile-m-z/mate-dictionary.profile @@ -36,7 +36,7 @@ seccomp disable-mnt private-bin mate-dictionary -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-opt mate-dictionary private-dev private-tmp diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile index f4eb6d40495..3c2bf4fa390 100644 --- a/etc/profile-m-z/mattermost-desktop.profile +++ b/etc/profile-m-z/mattermost-desktop.profile @@ -17,7 +17,7 @@ include disable-shell.inc mkdir ${HOME}/.config/Mattermost whitelist ${HOME}/.config/Mattermost -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl # Not tested #dbus-user filter diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile index d880228dea0..1ebe9aabad5 100644 --- a/etc/profile-m-z/mcabber.profile +++ b/etc/profile-m-z/mcabber.profile @@ -30,6 +30,6 @@ seccomp private-bin mcabber private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl restrict-namespaces diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile index a288f1972cc..a3ff768b71d 100644 --- a/etc/profile-m-z/mcomix.profile +++ b/etc/profile-m-z/mcomix.profile 
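Review bot: The new `private-etc` line in etc/profile-m-z/mcabber.profile keeps the CA stores (`ca-certificates,crypto-policies,pki,ssl`) but no `resolv.conf`, while other TLS-only expansions in this diff such as mate-dictionary and ms-office do include it. etc/profile-m-z/musixmatch.profile has the same gap. If name resolution inside the sandbox depends on that file being listed, which the hunk does not show, these programs would presumably fail to resolve hosts. Either add `resolv.conf` to both lists or leave a comment explaining why it is not needed.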
@@ -57,7 +57,7 @@ private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip private-cache private-dev # mcomix <= 1.2 uses gtk-2.0 -private-etc @x11,gconf,mime.types +private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile index d3b3c6d487b..e1025a1fb5d 100644 --- a/etc/profile-m-z/mdr.profile +++ b/etc/profile-m-z/mdr.profile @@ -44,7 +44,7 @@ disable-mnt private-bin mdr private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-lib private-tmp diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile index 01edd23abc3..12d692b7256 100644 --- a/etc/profile-m-z/mediainfo.profile +++ b/etc/profile-m-z/mediainfo.profile @@ -42,7 +42,7 @@ x11 none private-bin mediainfo private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile index fcac70fb377..cd4938ec698 100644 --- a/etc/profile-m-z/menulibre.profile +++ b/etc/profile-m-z/menulibre.profile @@ -51,7 +51,7 @@ tracelog disable-mnt private-cache private-dev -private-etc @tls-ca,@x11,mime.types +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile index 48ac0ec694c..a26896b1957 100644 --- a/etc/profile-m-z/mindless.profile +++ b/etc/profile-m-z/mindless.profile @@ -41,7 +41,7 @@ private private-bin mindless private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp dbus-user none 
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile index 4f2c89b2752..e6bf8680235 100644 --- a/etc/profile-m-z/minecraft-launcher.profile +++ b/etc/profile-m-z/minecraft-launcher.profile @@ -50,7 +50,7 @@ private-cache private-dev # If multiplayer or realms break, add 'private-etc ' # or 'ignore private-etc' to your minecraft-launcher.local. -private-etc @tls-ca,@x11,host.conf,java*,mime.types,services,timezone +private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg private-opt minecraft-launcher private-tmp diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile index 9e72f9996af..ce938c8673f 100644 --- a/etc/profile-m-z/minitube.profile +++ b/etc/profile-m-z/minitube.profile @@ -53,7 +53,7 @@ disable-mnt private-bin minitube private-cache private-dev -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile index 665b32ecfdf..d36c0fc8101 100644 --- a/etc/profile-m-z/mirage.profile +++ b/etc/profile-m-z/mirage.profile 
@@ -53,7 +53,7 @@ disable-mnt private-bin ldconfig,mirage private-cache private-dev -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile index 4943a80aff8..34721b4a3b7 100644 --- a/etc/profile-m-z/mirrormagic.profile +++ b/etc/profile-m-z/mirrormagic.profile @@ -43,7 +43,7 @@ private private-bin mirrormagic private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile index 2ba03ec974c..46320f8eaca 100644 --- a/etc/profile-m-z/mocp.profile +++ b/etc/profile-m-z/mocp.profile @@ -41,7 +41,7 @@ tracelog private-bin mocp private-cache private-dev -private-etc @tls-ca +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile index ed344ba3fb7..89cee657d2d 100644 --- a/etc/profile-m-z/mp3splt-gtk.profile +++ b/etc/profile-m-z/mp3splt-gtk.profile @@ -36,7 +36,7 @@ tracelog private-bin mp3splt-gtk private-cache private-dev -private-etc @games,@x11 +private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pulse private-tmp dbus-user none diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile index ef463507538..77ad30d0c4c 100644 --- a/etc/profile-m-z/mp3splt.profile +++ b/etc/profile-m-z/mp3splt.profile 
@@ -43,7 +43,7 @@ disable-mnt private-bin flacsplt,mp3splt,mp3wrap,oggsplt private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile index a9631733cb6..94b34286561 100644 --- a/etc/profile-m-z/mpDris2.profile +++ b/etc/profile-m-z/mpDris2.profile @@ -48,7 +48,7 @@ seccomp private-bin mpDris2,notify-send,python* private-cache private-dev -private-etc +private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,resolv.conf private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* private-tmp diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile index fd79e2a8038..4f7ae09b9ff 100644 --- a/etc/profile-m-z/mrrescue.profile +++ b/etc/profile-m-z/mrrescue.profile @@ -51,7 +51,7 @@ disable-mnt private-bin love,mrrescue,sh private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile index 91e990cf66a..d979e7401ce 100644 --- a/etc/profile-m-z/ms-office.profile +++ b/etc/profile-m-z/ms-office.profile @@ -34,7 +34,7 @@ tracelog disable-mnt private-bin bash,env,fonts,jak,ms-office,python*,sh -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-dev private-tmp diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile index f8dec6e7d87..006f64ba83c 100644 --- a/etc/profile-m-z/mupdf-x11-curl.profile +++ b/etc/profile-m-z/mupdf-x11-curl.profile @@ -12,7 +12,7 @@ ignore net none netfilter protocol unix,inet,inet6 -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl # Redirect include mupdf.profile 
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile index 1e92b07bf42..954016c2cd6 100644 --- a/etc/profile-m-z/mupdf.profile +++ b/etc/profile-m-z/mupdf.profile @@ -36,7 +36,7 @@ seccomp tracelog private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile index 3387ed5dedb..01b8d20b3f2 100644 --- a/etc/profile-m-z/musictube.profile +++ b/etc/profile-m-z/musictube.profile @@ -49,7 +49,7 @@ disable-mnt private-bin musictube private-cache private-dev -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile index 7ce7fbd19e5..d2032dcf643 100644 --- a/etc/profile-m-z/musixmatch.profile +++ b/etc/profile-m-z/musixmatch.profile @@ -33,6 +33,6 @@ seccomp !chroot disable-mnt private-dev -private-etc @tls-ca +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl # restrict-namespaces diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index 288ffedf1fa..904b0cd7cc7 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile 
@@ -124,7 +124,7 @@ tracelog # disable-mnt private-cache private-dev -private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo +private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg private-tmp writable-run-user writable-var diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile index 774865a38e6..18117965e9d 100644 --- a/etc/profile-m-z/mypaint.profile +++ b/etc/profile-m-z/mypaint.profile @@ -42,7 +42,7 @@ tracelog private-cache private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile index 6b4074dfb41..74403c3353c 100644 --- a/etc/profile-m-z/nano.profile +++ b/etc/profile-m-z/nano.profile @@ -48,7 +48,7 @@ private-dev # Add the next lines to your nano.local if you want to edit files in /etc directly. #ignore private-etc #writable-etc -private-etc nanorc +private-etc alternatives,ld.so.cache,ld.so.preload,nanorc # Add the next line to your nano.local if you want to edit files in /var directly. #writable-var diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile index 80e28a5e506..fde1d4d2c5e 100644 --- a/etc/profile-m-z/neochat.profile +++ b/etc/profile-m-z/neochat.profile 
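Review bot: `hosts.conf` in the new `private-etc` list of etc/profile-m-z/mutt.profile looks like a misspelling of `host.conf`, the name other profiles in this diff use (QOwnNotes, lollypop, nextcloud). The removed line had the same entry, so the rewrite carries it over rather than introducing it. The same entry is in etc/profile-m-z/neomutt.profile. If the resolver configuration file is meant, change it to `host.conf` in both. If a file named hosts.conf really is intended, a one-line comment saying so would prevent the question from coming up again.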
@@ -53,7 +53,7 @@ tracelog disable-mnt private-bin neochat private-dev -private-etc @tls-ca,@x11,dbus-1,host.conf,mime.types,rpc,services +private-etc alternatives,ca-certificates,crypto-policies,dbus-1,fonts,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg private-tmp dbus-user filter diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index 5bd1e7cbabe..f343226ae9c 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile @@ -116,7 +116,7 @@ tracelog # disable-mnt private-cache private-dev -private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg private-tmp writable-run-user writable-var diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile index b0828cd76f1..1ede4240531 100644 --- a/etc/profile-m-z/netactview.profile +++ b/etc/profile-m-z/netactview.profile @@ -44,7 +44,7 @@ disable-mnt private-bin netactview,netactview_polkit private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,resolv.conf private-lib private-tmp diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile index a7c4042018e..68b0ce2ea78 100644 --- a/etc/profile-m-z/neverball.profile +++ b/etc/profile-m-z/neverball.profile @@ -43,7 +43,7 @@ disable-mnt private-bin neverball private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id private-tmp dbus-user none 
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile index a08fbad36e5..b80a0a1516f 100644 --- a/etc/profile-m-z/newsboat.profile +++ b/etc/profile-m-z/newsboat.profile @@ -52,7 +52,7 @@ disable-mnt private-bin gzip,lynx,newsboat,sh,w3m private-cache private-dev -private-etc @tls-ca,lynx.cfg,lynx.lss,terminfo +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo private-tmp dbus-user none diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile index c7c8abc0b0b..59f16bb10c9 100644 --- a/etc/profile-m-z/newsflash.profile +++ b/etc/profile-m-z/newsflash.profile @@ -50,7 +50,7 @@ disable-mnt private-bin com.gitlab.newsflash,newsflash private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11 private-tmp dbus-user none diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index d4bad2f6700..c26942c81f2 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile @@ -61,7 +61,7 @@ tracelog disable-mnt private-bin nextcloud,nextcloud-desktop private-cache -private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release +private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg private-dev private-tmp diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile index cdd2ffc3f27..4e4c7bfe742 100644 --- a/etc/profile-m-z/nheko.profile +++ b/etc/profile-m-z/nheko.profile 
@@ -47,7 +47,7 @@ disable-mnt private-bin nheko private-cache private-dev -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp dbus-user filter diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile index 7a97ca8258d..cefe9fa79aa 100644 --- a/etc/profile-m-z/nitroshare.profile +++ b/etc/profile-m-z/nitroshare.profile @@ -41,7 +41,7 @@ disable-mnt private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare private-tmp diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index f3b0c8a49e0..f185a04ee63 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile @@ -92,7 +92,7 @@ seccomp.block-secondary disable-mnt private-dev -private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services +private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg #private-tmp dbus-user none diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile index 87373a02b4b..ac83363315c 100644 --- a/etc/profile-m-z/nomacs.profile +++ b/etc/profile-m-z/nomacs.profile 
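Review bot: The replacement for `@tls-ca,@x11` in etc/profile-m-z/nitroshare.profile lists `ca-certificates` and `ssl` but not `crypto-policies` or `pki`, which sibling lists in this diff such as nheko and nomacs include. `resolv.conf` is also absent, although `hosts` and `nsswitch.conf` are kept. On distributions that keep the trust store under /etc/pki this would presumably leave the sandboxed program without CA certificates to validate peers against. Either add the missing entries (`...,ca-certificates,crypto-policies,...,pki,resolv.conf,ssl`) or note in a comment why this profile is deliberately narrower.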
@@ -40,7 +40,7 @@ tracelog #private-bin nomacs private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl private-tmp restrict-namespaces diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile index f0f2cca2e58..11d6bd79592 100644 --- a/etc/profile-m-z/notify-send.profile +++ b/etc/profile-m-z/notify-send.profile @@ -48,7 +48,7 @@ private private-bin notify-send private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user filter diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile index dcd76f2ad1a..5866cda47cc 100644 --- a/etc/profile-m-z/nslookup.profile +++ b/etc/profile-m-z/nslookup.profile @@ -45,7 +45,7 @@ tracelog disable-mnt private-bin bash,nslookup,sh -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf private-dev private-tmp diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile index 6ab21af5bc5..9f4a6ec4608 100644 --- a/etc/profile-m-z/nuclear.profile +++ b/etc/profile-m-z/nuclear.profile @@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear no3d # private-bin nuclear -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt nuclear # Redirect diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile index 4355fd0c7f8..4f767f046dc 100644 --- a/etc/profile-m-z/nyx.profile +++ b/etc/profile-m-z/nyx.profile 
@@ -44,7 +44,7 @@ disable-mnt private-bin nyx,python* private-cache private-dev -private-etc tor +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,passwd,tor private-opt none private-srv none private-tmp diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile index 830483bd490..87c665cbafe 100644 --- a/etc/profile-m-z/ocenaudio.profile +++ b/etc/profile-m-z/ocenaudio.profile @@ -53,7 +53,7 @@ tracelog private-bin ocenaudio,ocenvst private-cache private-dev -private-etc @tls-ca,@x11,mime.types +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg private-opt ocenaudio private-tmp diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile index 73b72efc24e..25da2139fdd 100644 --- a/etc/profile-m-z/odt2txt.profile +++ b/etc/profile-m-z/odt2txt.profile @@ -37,7 +37,7 @@ x11 none private-bin odt2txt private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile index 8e0758c376c..568b6566e82 100644 --- a/etc/profile-m-z/okular.profile +++ b/etc/profile-m-z/okular.profile @@ -61,7 +61,7 @@ tracelog private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar private-dev -private-etc @x11,cups +private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients # dbus-user none diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile index f8be5819b09..913b499d31b 100644 --- a/etc/profile-m-z/onboard.profile +++ b/etc/profile-m-z/onboard.profile 
@@ -49,7 +49,7 @@ disable-mnt private-cache private-bin onboard,python*,tput private-dev -private-etc @x11,dbus-1,mime.types +private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg private-tmp dbus-system none diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index 46d0bb86b96..053f54b48cd 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile @@ -42,7 +42,7 @@ disable-mnt private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity private-cache private-dev -private-etc @games,@x11,udev +private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile index 721b061173e..be97552ab7d 100644 --- a/etc/profile-m-z/openmw.profile +++ b/etc/profile-m-z/openmw.profile @@ -52,7 +52,7 @@ tracelog private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard private-cache private-dev -private-etc @x11,bumblebee,glvnd,mime.types,openmw +private-etc alsa,alternatives,asound.conf,bumblebee,drirc,fonts,glvnd,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nvidia,openmw,pango,passwd,pulse,Trolltech.conf,X11,xdg private-opt none private-tmp diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile index a1c0462ba78..028c6fe906c 100644 --- a/etc/profile-m-z/otter-browser.profile +++ b/etc/profile-m-z/otter-browser.profile 
@@ -52,7 +52,7 @@ disable-mnt private-bin bash,otter-browser,sh,which private-cache ?BROWSER_DISABLE_U2F: private-dev -private-etc @tls-ca,@x11,mailcap,mime.types +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp dbus-system none diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile index 0a906718a67..2610ae67a9d 100644 --- a/etc/profile-m-z/pandoc.profile +++ b/etc/profile-m-z/pandoc.profile @@ -49,7 +49,7 @@ x11 none disable-mnt private-cache private-dev -private-etc texlive,texmf +private-etc alternatives,ld.so.cache,ld.so.preload,texlive,texmf private-tmp dbus-user none diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile index 66289653081..fb629669aa9 100644 --- a/etc/profile-m-z/parole.profile +++ b/etc/profile-m-z/parole.profile @@ -26,6 +26,6 @@ seccomp private-bin dbus-launch,parole private-cache -private-etc @tls-ca +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl restrict-namespaces diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile index 196ce424dfe..1780f982c77 100644 --- a/etc/profile-m-z/pavucontrol.profile +++ b/etc/profile-m-z/pavucontrol.profile @@ -44,7 +44,7 @@ disable-mnt private-bin pavucontrol private-cache private-dev -private-etc avahi +private-etc alternatives,asound.conf,avahi,fonts,ld.so.cache,ld.so.preload,machine-id,pulse,resolv.conf private-lib private-tmp diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile index 5b3cf0fef5d..784d8273643 100644 --- a/etc/profile-m-z/pcsxr.profile +++ b/etc/profile-m-z/pcsxr.profile 
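Review bot: The new list for otter-browser.profile makes the host's `machine-id`, `passwd`, `group` and `hostname` visible inside a browser sandbox, and `machine-id` and `passwd` also appear in the qutebrowser.profile and surf.profile lists later in the patch. These files carry a stable host identifier and the local account names, so each one is worth justifying for an application that renders untrusted web content. Whether the removed `@tls-ca`/`@x11` groups already exposed them cannot be told from this diff. I would add a comment above the line recording why each is needed, e.g. `# machine-id: <consumer>; passwd,group: <consumer>`, and drop any entry for which no consumer is known.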
@@ -47,7 +47,7 @@ private-bin pcsxr private-cache # Add the next line to your pcsxr.local if you do not need controller support. #private-dev -private-etc @tls-ca,@x11,bumblebee,gconf,glvnd,host.conf,mime.types,rpc,services +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg private-opt none private-tmp diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile index 0ab006084d7..2e38dde3bac 100644 --- a/etc/profile-m-z/pdfchain.profile +++ b/etc/profile-m-z/pdfchain.profile @@ -33,7 +33,7 @@ seccomp private-bin pdfchain,pdftk,sh private-dev -private-etc @x11 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile index cb7e0809fd3..7ece10835bd 100644 --- a/etc/profile-m-z/pdftotext.profile +++ b/etc/profile-m-z/pdftotext.profile @@ -48,7 +48,7 @@ x11 none private-bin pdftotext private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile index 96744e01980..24a1bc97936 100644 --- a/etc/profile-m-z/peek.profile +++ b/etc/profile-m-z/peek.profile @@ -47,7 +47,7 @@ tracelog disable-mnt private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh private-dev -private-etc @x11,firejail +private-etc alternatives,dconf,firejail,fonts,gtk-3.0,ld.so.cache,ld.so.preload,login.defs,pango,passwd,X11 private-tmp dbus-user filter diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile index 5261093d203..dcb52c846ec 100644 --- a/etc/profile-m-z/photoflare.profile 
+++ b/etc/profile-m-z/photoflare.profile @@ -42,7 +42,7 @@ disable-mnt private-bin photoflare private-cache private-dev -private-etc @x11,mime.types +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11 private-tmp dbus-user none diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile index 08aa67bf7ac..3664e1469da 100644 --- a/etc/profile-m-z/pinball.profile +++ b/etc/profile-m-z/pinball.profile @@ -47,7 +47,7 @@ disable-mnt private-bin pinball private-cache private-dev -private-etc +private-etc alsa,alternatives,asound.conf,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id,pulse private-tmp dbus-user none diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile index dbb333afb0c..ddb8ff86792 100644 --- a/etc/profile-m-z/ping.profile +++ b/etc/profile-m-z/ping.profile @@ -56,7 +56,7 @@ private #private-bin ping - has mammoth problems with execvp: "No such file or directory" private-cache private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,login.defs,passwd,pki,resolv.conf,ssl private-lib private-tmp diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile index 3ff033e0b97..a86b6da0406 100644 --- a/etc/profile-m-z/pingus.profile +++ b/etc/profile-m-z/pingus.profile @@ -50,7 +50,7 @@ disable-mnt private-bin pingus,pingus.bin,sh private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile index 799c8f60799..88173edca89 100644 --- a/etc/profile-m-z/pkglog.profile +++ b/etc/profile-m-z/pkglog.profile @@ -43,7 +43,7 @@ private private-bin pkglog,python* private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-opt none private-tmp writable-var-log 
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile index 34e18cbd701..62927f9f701 100644 --- a/etc/profile-m-z/plv.profile +++ b/etc/profile-m-z/plv.profile @@ -45,7 +45,7 @@ disable-mnt private-bin plv private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-opt none private-tmp writable-var-log diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile index 34199a08d79..8e2c39b83b4 100644 --- a/etc/profile-m-z/pngquant.profile +++ b/etc/profile-m-z/pngquant.profile @@ -46,7 +46,7 @@ x11 none private-bin pngquant private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile index da16ae91211..58528c37204 100644 --- a/etc/profile-m-z/ppsspp.profile +++ b/etc/profile-m-z/ppsspp.profile @@ -42,7 +42,7 @@ seccomp private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL # Add the next line to your ppsspp.local if you do not need controller support. #private-dev -private-etc @tls-ca,@x11,host.conf +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-opt ppsspp private-tmp diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile index 6d766b212c7..73b37771244 100644 --- a/etc/profile-m-z/pragha.profile +++ b/etc/profile-m-z/pragha.profile @@ -32,7 +32,7 @@ protocol unix,inet,inet6 seccomp private-dev -private-etc @tls-ca,@x11,host.conf +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp restrict-namespaces diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile index c866c3d1613..279536bb9c9 100644 
--- a/etc/profile-m-z/profanity.profile +++ b/etc/profile-m-z/profanity.profile @@ -43,7 +43,7 @@ seccomp private-bin profanity private-cache private-dev -private-etc @tls-ca,mime.types +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user filter diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile index a1a0606b94f..be06c5d8967 100644 --- a/etc/profile-m-z/psi.profile +++ b/etc/profile-m-z/psi.profile @@ -70,7 +70,7 @@ disable-mnt private-bin getopt,psi private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile index 0789450cb6c..ba71ab29d29 100644 --- a/etc/profile-m-z/pybitmessage.profile +++ b/etc/profile-m-z/pybitmessage.profile @@ -40,7 +40,7 @@ seccomp disable-mnt private-bin bash,env,ldconfig,pybitmessage,python*,sh,stat private-dev -private-etc @tls-ca,@x11,PyBitmessage,PyBitmessage.conf,sni-qt.conf,system-fips +private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg private-tmp restrict-namespaces diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile index 19ef7a4640b..71374a8c865 100644 --- a/etc/profile-m-z/qcomicbook.profile +++ b/etc/profile-m-z/qcomicbook.profile 
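Review bot: `pki` is listed twice in the new pybitmessage.profile line (`...,localtime,pki,pki,PyBitmessage,...`). The duplicate is probably harmless at run time, though how the list parser treats a repeated entry is not visible here. It also breaks the one-entry-per-name, sorted convention the other lists in this patch follow. The line should read `private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg`.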
@@ -52,7 +52,7 @@ tracelog private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip private-cache private-dev -private-etc @x11,mime.types +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile index 1f378e00434..d4b71f9723a 100644 --- a/etc/profile-m-z/qgis.profile +++ b/etc/profile-m-z/qgis.profile @@ -51,7 +51,7 @@ tracelog disable-mnt private-cache private-dev -private-etc @tls-ca,@x11,QGIS,QGIS.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf private-tmp dbus-user none diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile index 1cfbaee6a14..cafdb98e927 100644 --- a/etc/profile-m-z/qnapi.profile +++ b/etc/profile-m-z/qnapi.profile @@ -46,7 +46,7 @@ tracelog private-bin 7z,qnapi private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,resolv.conf private-opt none private-tmp diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile index 42c098487a7..09b70756b63 100644 --- a/etc/profile-m-z/qrencode.profile +++ b/etc/profile-m-z/qrencode.profile @@ -46,7 +46,7 @@ disable-mnt private-bin qrencode private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-lib libpcre* private-tmp diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile index ab0f9425a8e..f95720d71c4 100644 --- a/etc/profile-m-z/qtox.profile +++ b/etc/profile-m-z/qtox.profile @@ -42,7 +42,7 @@ disable-mnt private-bin qtox private-cache private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user none 
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile index fbc003d6553..ad45a26d566 100644 --- a/etc/profile-m-z/quaternion.profile +++ b/etc/profile-m-z/quaternion.profile @@ -46,7 +46,7 @@ disable-mnt private-bin quaternion private-cache private-dev -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile index 56bfaa9171f..ea49684e394 100644 --- a/etc/profile-m-z/quodlibet.profile +++ b/etc/profile-m-z/quodlibet.profile @@ -59,7 +59,7 @@ tracelog private-bin exfalso,operon,python*,quodlibet,sh private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,passwd,pki,pulse,resolv.conf,ssl private-tmp dbus-system none diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile index e83484ae58c..ea0e2afa789 100644 --- a/etc/profile-m-z/qutebrowser.profile +++ b/etc/profile-m-z/qutebrowser.profile @@ -56,7 +56,7 @@ seccomp !chroot,!name_to_handle_at disable-mnt private-cache private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl private-tmp dbus-user filter diff --git a/etc/profile-m-z/raincat.profile b/etc/profile-m-z/raincat.profile index 72c5f397989..e320d82f7eb 100644 --- a/etc/profile-m-z/raincat.profile +++ b/etc/profile-m-z/raincat.profile 
@@ -39,7 +39,7 @@ private private-bin raincat private-cache private-dev -private-etc @games,@x11 +private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,timidity,timidity.cfg #private-lib private-tmp diff --git a/etc/profile-m-z/rednotebook.profile b/etc/profile-m-z/rednotebook.profile index e0dea194a0e..1295ce00d98 100644 --- a/etc/profile-m-z/rednotebook.profile +++ b/etc/profile-m-z/rednotebook.profile @@ -58,7 +58,7 @@ disable-mnt private-bin python3*,rednotebook private-cache private-dev -private-etc @x11 +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 private-tmp dbus-user none diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile index 2e962b1ea41..571381f57f8 100644 --- a/etc/profile-m-z/regextester.profile +++ b/etc/profile-m-z/regextester.profile @@ -42,7 +42,7 @@ disable-mnt private-bin regextester private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-lib libgranite.so.* private-tmp diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile index c908319cae6..91b18678ffa 100644 --- a/etc/profile-m-z/rsync-download_only.profile +++ b/etc/profile-m-z/rsync-download_only.profile @@ -48,7 +48,7 @@ disable-mnt private-bin rsync private-cache private-dev -private-etc @tls-ca,host.conf,rpc,services +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile index 0d57e691611..565925e7a29 100644 --- a/etc/profile-m-z/rtv.profile +++ b/etc/profile-m-z/rtv.profile 
@@ -58,7 +58,7 @@ disable-mnt private-bin less,python*,rtv,sh,xdg-settings private-cache private-dev -private-etc @tls-ca,@x11,host.conf,mailcap,mime.types,rpc,services,terminfo +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg dbus-user none dbus-system none diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile index fb432526490..6dfb50c5a49 100644 --- a/etc/profile-m-z/scorchwentbonkers.profile +++ b/etc/profile-m-z/scorchwentbonkers.profile @@ -42,7 +42,7 @@ disable-mnt private-bin scorchwentbonkers private-cache private-dev -private-etc +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse private-tmp dbus-user none diff --git a/etc/profile-m-z/seafile-applet.profile b/etc/profile-m-z/seafile-applet.profile index bbf46fe1949..184a0695836 100644 --- a/etc/profile-m-z/seafile-applet.profile +++ b/etc/profile-m-z/seafile-applet.profile @@ -53,7 +53,7 @@ disable-mnt private-bin seaf-cli,seaf-daemon,seafile-applet private-cache private-dev -private-etc @tls-ca,host.conf,rpc,services +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl #private-opt none private-tmp diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile index 5985e0da345..7ff252ec7cd 100644 --- a/etc/profile-m-z/seahorse-adventures.profile +++ b/etc/profile-m-z/seahorse-adventures.profile @@ -47,7 +47,7 @@ private private-bin bash,dash,python*,seahorse-adventures,sh private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none 
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 19008246145..e6f51bff9a9 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile @@ -57,7 +57,7 @@ tracelog disable-mnt private-cache private-dev -private-etc @tls-ca,@x11,gconf,host.conf,pkcs11,rpc,services,ssh +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,login.defs,nsswitch.conf,pango,passwd,pkcs11,pki,protocols,resolv.conf,rpc,services,ssh,ssl,xdg private-tmp writable-run-user diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile index 87621de698c..cd2a9f13e89 100644 --- a/etc/profile-m-z/shortwave.profile +++ b/etc/profile-m-z/shortwave.profile @@ -45,7 +45,7 @@ disable-mnt private-bin shortwave private-cache private-dev -private-etc @tls-ca,@x11,gconf,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg private-tmp restrict-namespaces diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile index 387d45cdcbd..d33a97ffc2c 100644 --- a/etc/profile-m-z/shotwell.profile +++ b/etc/profile-m-z/shotwell.profile @@ -48,7 +48,7 @@ tracelog private-bin shotwell private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-opt none private-tmp diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile index d881db714e7..d2b604df5b3 100644 --- a/etc/profile-m-z/signal-cli.profile +++ b/etc/profile-m-z/signal-cli.profile 
@@ -46,7 +46,7 @@ private-bin java,sh,signal-cli private-cache private-dev # Does not work with all Java configurations. You will notice immediately, so you might want to give it a try -#private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java*,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl +#private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl private-tmp restrict-namespaces diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index 4a57bf38c5b..2c4bdecd8a7 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile @@ -19,7 +19,7 @@ read-only ${HOME}/.mozilla/firefox/profiles.ini mkdir ${HOME}/.config/Signal whitelist ${HOME}/.config/Signal -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl dbus-user filter diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile index a94176bf7d0..a511ebb1cb8 100644 --- a/etc/profile-m-z/slack.profile +++ b/etc/profile-m-z/slack.profile @@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Slack whitelist ${HOME}/.config/Slack private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack -private-etc @tls-ca,debian_version,fedora-release,os-release,redhat-release,system-release,system-release-cpe +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe # Redirect include electron.profile 
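Review bot: The commented-out `#private-etc` hint in signal-cli.profile now names `java-7-openjdk` through `java-10-openjdk` and `java.conf` where the removed line had the `java*` pattern. A user who uncomments it on a system with a different JDK directory gets a sandbox without that JDK's /etc configuration. Since the line is an opt-in suggestion, the comment above it should say so: `# Adjust the java-*-openjdk entries to match the JDK installed on your system.` If pattern matching in `private-etc` is still available after this change, keeping `java*` would avoid the problem altogether, but that cannot be determined from this hunk.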
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile index 89342aad86b..ffed9d44c22 100644 --- a/etc/profile-m-z/smuxi-frontend-gnome.profile +++ b/etc/profile-m-z/smuxi-frontend-gnome.profile @@ -47,7 +47,7 @@ disable-mnt private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome private-cache private-dev -private-etc @tls-ca,@x11,mono +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index f130176c1b3..b4658b7af11 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile @@ -42,7 +42,7 @@ tracelog private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free private-cache private-dev -private-etc @tls-ca,SoftMaker +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile index cf64076e3ae..5a131431558 100644 --- a/etc/profile-m-z/spectacle.profile +++ b/etc/profile-m-z/spectacle.profile @@ -55,7 +55,7 @@ disable-mnt private-bin spectacle private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload private-tmp dbus-user filter diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile index 41b1f650795..4bc23fc041f 100644 --- a/etc/profile-m-z/spectral.profile +++ b/etc/profile-m-z/spectral.profile 
@@ -45,7 +45,7 @@ disable-mnt private-cache private-bin spectral private-dev -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp dbus-user filter diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile index f07b1031904..721e39cd4c7 100644 --- a/etc/profile-m-z/spotify.profile +++ b/etc/profile-m-z/spotify.profile @@ -45,7 +45,7 @@ disable-mnt private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity private-dev # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. -private-etc @tls-ca,host.conf,spotify-adblock +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,spotify-adblock,ssl private-opt spotify private-srv none private-tmp diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile index 4e28958e44b..00df625c0ce 100644 --- a/etc/profile-m-z/sqlitebrowser.profile +++ b/etc/profile-m-z/sqlitebrowser.profile @@ -41,7 +41,7 @@ seccomp.block-secondary private-bin sqlitebrowser private-cache private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl private-tmp # breaks proxy creation diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile index 95dc3574153..868c724d25c 100644 --- a/etc/profile-m-z/standardnotes-desktop.profile +++ b/etc/profile-m-z/standardnotes-desktop.profile 
@@ -38,7 +38,7 @@ seccomp !chroot disable-mnt private-dev private-tmp -private-etc @tls-ca,@x11,host.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg dbus-user none dbus-system none diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index a5b4d5d87d2..f807afdc79a 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile @@ -175,7 +175,7 @@ seccomp.32 !process_vm_readv private-dev # private-etc breaks a small selection of games on some systems. Add 'ignore private-etc' # to your steam.local to support those. -private-etc @games,@tls-ca,@x11,bumblebee,dbus-1,host.conf,lsb-release,mime.types,os-release,services +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan private-tmp #dbus-user none diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile index b6b2c63d371..e9d2ca4305b 100644 --- a/etc/profile-m-z/strawberry.profile +++ b/etc/profile-m-z/strawberry.profile @@ -42,7 +42,7 @@ disable-mnt private-bin strawberry,strawberry-tagreader private-cache private-dev -private-etc @tls-ca,host.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-system none diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile index 6de288c46c8..896d4bc3e84 100644 --- a/etc/profile-m-z/subdownloader.profile +++ b/etc/profile-m-z/subdownloader.profile @@ -43,7 +43,7 @@ tracelog private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp dbus-user none 
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile index 2ad107f1a16..1f532d76c81 100644 --- a/etc/profile-m-z/supertux2.profile +++ b/etc/profile-m-z/supertux2.profile @@ -43,7 +43,7 @@ tracelog disable-mnt # private-bin supertux2 private-cache -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload,machine-id private-dev private-tmp diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile index 0a436b22f94..b4eb70fcb7d 100644 --- a/etc/profile-m-z/supertuxkart.profile +++ b/etc/profile-m-z/supertuxkart.profile @@ -53,7 +53,7 @@ private-bin supertuxkart private-cache # Add the next line to your supertuxkart.local if you do not need controller support. #private-dev -private-etc @games,@tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.cache,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl private-tmp private-opt none private-srv none diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile index 9be7aaf3c5a..3508e11b056 100644 --- a/etc/profile-m-z/surf.profile +++ b/etc/profile-m-z/surf.profile @@ -33,7 +33,7 @@ tracelog disable-mnt private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl private-tmp restrict-namespaces diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile index 726baf336e7..cef0294016a 100644 --- a/etc/profile-m-z/sysprof.profile +++ b/etc/profile-m-z/sysprof.profile 
@@ -62,7 +62,7 @@ disable-mnt #private-bin sysprof - breaks help menu private-cache private-dev -private-etc @tls-ca +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl # private-lib - breaks help menu #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so private-tmp diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile index da3b4f78232..a9d0a60d1f8 100644 --- a/etc/profile-m-z/tar.profile +++ b/etc/profile-m-z/tar.profile @@ -17,7 +17,7 @@ ignore include disable-shell.inc # all capabilities this is automatically read-only. noblacklist /var/lib/pacman -private-etc +private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,login.defs,passwd #private-lib libfakeroot,liblzma.so.*,libreadline.so.* # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) writable-var diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile index fd55daa4a1a..5711c1b3603 100644 --- a/etc/profile-m-z/teams-for-linux.profile +++ b/etc/profile-m-z/teams-for-linux.profile @@ -22,7 +22,7 @@ mkdir ${HOME}/.config/teams-for-linux whitelist ${HOME}/.config/teams-for-linux private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl # Redirect include electron.profile diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index ba915c2d442..886d303c833 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile 
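Review bot: The new `private-etc` line in sysprof.profile keeps `ssl` but none of the other entries that the TLS-using profiles in this change list with it (`ca-certificates,crypto-policies,pki,resolv.conf`), so the list is neither a working TLS set nor a minimal one. If sysprof makes no TLS connections, drop `ssl` so the sandbox exposes less of /etc. If it does, use `private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl`. The yelp.profile hunk has the same shape: it previously used `@tls-ca` and now keeps only `crypto-policies`. A one-line comment above each list saying whether network access is intended would make the choice reviewable.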
@@ -46,7 +46,7 @@ disable-mnt private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open private-cache private-dev -private-etc @tls-ca,@x11,os-release +private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg private-tmp dbus-user filter diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile index ced3aaa8aca..9249e33c831 100644 --- a/etc/profile-m-z/terasology.profile +++ b/etc/profile-m-z/terasology.profile @@ -40,7 +40,7 @@ seccomp disable-mnt private-dev -private-etc @tls-ca,@x11,dbus-1,host.conf,java*,lsb-release,mime.types +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-7-openjdk,java-8-openjdk,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pki,pulse,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile index 54568b7d3e0..11a21c471c5 100644 --- a/etc/profile-m-z/tesseract.profile +++ b/etc/profile-m-z/tesseract.profile @@ -54,7 +54,7 @@ x11 none private-bin ambiguous_words,classifier_tester,cntraining,combine_lang_model,combine_tessdata,dawg2wordlist,lstmeval,lstmtraining,merge_unicharsets,mftraining,set_unicharset_properties,shapeclustering,tesseract,text2image,unicharset_extractor,wordlist2dawg private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload #private-lib libtesseract.so.* private-tmp diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile index ed8cd7369c4..f49738f2b1b 100644 --- a/etc/profile-m-z/tilp.profile +++ b/etc/profile-m-z/tilp.profile @@ -29,7 +29,7 @@ tracelog disable-mnt private-bin tilp private-cache -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp restrict-namespaces 
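Review bot: In terasology.profile the `java*` entry is replaced by the two fixed names `java-7-openjdk,java-8-openjdk`, so a host whose JDK configuration sits in a differently versioned directory under /etc would presumably start the sandbox without it. If the `private-etc` parser on this side of the change accepts globs, keep `java*`. Otherwise add a comment above the line such as `# private-etc takes no globs; add your java-N-openjdk directory in terasology.local`. The hunk shows only this one line of the profile, so whether a Java version is pinned elsewhere cannot be seen from here.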
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile index a03a6caa0c2..3cbf90660a0 100644 --- a/etc/profile-m-z/tin.profile +++ b/etc/profile-m-z/tin.profile @@ -57,7 +57,7 @@ disable-mnt private-bin rtin,tin private-cache private-dev -private-etc terminfo,tin +private-etc alternatives,ld.so.cache,ld.so.preload,passwd,resolv.conf,terminfo,tin private-lib terminfo private-tmp diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile index b58aec9260d..275b170ff2a 100644 --- a/etc/profile-m-z/tor.profile +++ b/etc/profile-m-z/tor.profile @@ -45,7 +45,7 @@ private private-bin bash,tor private-cache private-dev -private-etc @tls-ca,tor +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor private-tmp writable-var diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile index 41ac6f7a7b0..fab79282648 100644 --- a/etc/profile-m-z/torbrowser-launcher.profile +++ b/etc/profile-m-z/torbrowser-launcher.profile @@ -58,7 +58,7 @@ seccomp !chroot disable-mnt private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity private-dev -private-etc @tls-ca +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile index 645c55c3b02..6069be500c9 100644 --- a/etc/profile-m-z/transgui.profile +++ b/etc/profile-m-z/transgui.profile 
@@ -44,7 +44,7 @@ tracelog private-bin geoiplookup,geoiplookup6,transgui private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,resolv.conf private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.* private-tmp diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile index edb4db8aa74..8a1711e97e0 100644 --- a/etc/profile-m-z/transmission-cli.profile +++ b/etc/profile-m-z/transmission-cli.profile @@ -8,7 +8,7 @@ include transmission-cli.local include globals.local private-bin transmission-cli -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl # Redirect include transmission-common.profile diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile index 4fc5a3aa742..5d28f2f10e6 100644 --- a/etc/profile-m-z/transmission-daemon.profile +++ b/etc/profile-m-z/transmission-daemon.profile @@ -17,7 +17,7 @@ caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot protocol packet private-bin transmission-daemon -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl read-write /var/lib/transmission writable-var-log diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile index a8dd960019b..f93c4229cea 100644 --- a/etc/profile-m-z/transmission-remote-gtk.profile +++ b/etc/profile-m-z/transmission-remote-gtk.profile @@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk mkdir ${HOME}/.config/transmission-remote-gtk whitelist ${HOME}/.config/transmission-remote-gtk -private-etc +private-etc alternatives,fonts,hostname,hosts,ld.so.cache,ld.so.preload,resolv.conf ignore memory-deny-write-execute 
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile index a431164f68d..565433d992b 100644 --- a/etc/profile-m-z/transmission-remote.profile +++ b/etc/profile-m-z/transmission-remote.profile @@ -8,7 +8,7 @@ include transmission-remote.local include globals.local private-bin transmission-remote -private-etc +private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf # Redirect include transmission-common.profile diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile index dc667ae0511..0a5826ec4b2 100644 --- a/etc/profile-m-z/transmission-show.profile +++ b/etc/profile-m-z/transmission-show.profile @@ -8,7 +8,7 @@ include transmission-show.local include globals.local private-bin transmission-show -private-etc +private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf # Redirect include transmission-common.profile diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index 378c8a1b70b..63e964355c4 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile @@ -53,7 +53,7 @@ tracelog private-bin trojita private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg private-tmp dbus-user filter diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile index 56eacf33824..d2cb0cc8ac5 100644 --- a/etc/profile-m-z/tutanota-desktop.profile +++ b/etc/profile-m-z/tutanota-desktop.profile @@ -24,7 +24,7 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini read-only ${HOME}/.mozilla/firefox/profiles.ini ?HAS_APPIMAGE: ignore private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl private-opt tutanota-desktop # Redirect 
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile index 1f548a92dd6..987a2b71951 100644 --- a/etc/profile-m-z/twitch.profile +++ b/etc/profile-m-z/twitch.profile @@ -18,7 +18,7 @@ mkdir ${HOME}/.config/Twitch whitelist ${HOME}/.config/Twitch private-bin electron,electron[0-9],electron[0-9][0-9],twitch -private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt Twitch # Redirect diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile index c182326bb8f..7e3c7ac5aab 100644 --- a/etc/profile-m-z/udiskie.profile +++ b/etc/profile-m-z/udiskie.profile @@ -40,7 +40,7 @@ private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udisk # private-bin thunar private-cache private-dev -private-etc @x11,mime.types +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg private-tmp restrict-namespaces diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile index aac99aed56a..6ec6ea609db 100644 --- a/etc/profile-m-z/unf.profile +++ b/etc/profile-m-z/unf.profile @@ -48,7 +48,7 @@ private-bin unf private-cache ?HAS_APPIMAGE: ignore private-dev private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-lib gcc/*/*/libgcc_s.so.* private-tmp diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile index 43d5dae5eb6..443d1f41542 100644 --- a/etc/profile-m-z/unrar.profile +++ b/etc/profile-m-z/unrar.profile @@ -8,7 +8,7 @@ include unrar.local include globals.local private-bin unrar -private-etc +private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd private-tmp # Redirect 
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile index 9fefe6ad341..97df693ba76 100644 --- a/etc/profile-m-z/unzip.profile +++ b/etc/profile-m-z/unzip.profile @@ -10,7 +10,7 @@ include globals.local # GNOME Shell integration (chrome-gnome-shell) noblacklist ${HOME}/.local/share/gnome-shell -private-etc +private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd # Redirect include archiver-common.profile diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile index 046b75a87f3..f85e522736e 100644 --- a/etc/profile-m-z/utox.profile +++ b/etc/profile-m-z/utox.profile @@ -42,7 +42,7 @@ disable-mnt private-bin utox private-cache private-dev -private-etc @games,@tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl private-tmp memory-deny-write-execute diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile index a6d2a65e9a4..29d88832c72 100644 --- a/etc/profile-m-z/uudeview.profile +++ b/etc/profile-m-z/uudeview.profile @@ -40,7 +40,7 @@ x11 none private-bin uudeview private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload dbus-user none dbus-system none diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile index aa81994429f..cdf615a02d1 100644 --- a/etc/profile-m-z/viewnior.profile +++ b/etc/profile-m-z/viewnior.profile @@ -43,7 +43,7 @@ tracelog private-bin viewnior private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index 37e96286717..b9a5c08e8dd 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile 
@@ -44,7 +44,7 @@ tracelog #disable-mnt #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami private-cache -private-etc @tls-ca,@x11,conf.d +private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile index c2fd14811df..ba413641334 100644 --- a/etc/profile-m-z/vmware-view.profile +++ b/etc/profile-m-z/vmware-view.profile @@ -48,7 +48,7 @@ tracelog disable-mnt private-cache private-dev -private-etc @tls-ca,@x11,bumblebee,gai.conf,gconf,glvnd,host.conf,magic,magic.mgc,mime.types,proxychains.conf,rpc,services,terminfo,vmware,vmware-tools,vmware-vix +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gai.conf,gconf,glvnd,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,proxychains.conf,pulse,resolv.conf,rpc,services,ssl,terminfo,vmware,vmware-tools,vmware-vix,X11,xdg # Logs are kept in /tmp. Add 'ignore private-tmp' to your vmware-view.local if you need them without joining the sandbox. private-tmp diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile index 7619ef47b9a..74c951fe642 100644 --- a/etc/profile-m-z/vmware.profile +++ b/etc/profile-m-z/vmware.profile 
@@ -38,6 +38,6 @@ tracelog #disable-mnt # Add the next line to your vmware.local to enable private-bin. #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* -private-etc @tls-ca,@x11,conf.d,mtab,vmware,vmware-installer,vmware-vix +private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix dbus-user none dbus-system none diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile index edc08ca443d..1e111f83ec3 100644 --- a/etc/profile-m-z/w3m.profile +++ b/etc/profile-m-z/w3m.profile @@ -61,7 +61,7 @@ disable-mnt private-bin perl,sh,w3m private-cache private-dev -private-etc @tls-ca,mailcap +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile index 5765613d4fe..37a8f78bbd4 100644 --- a/etc/profile-m-z/warmux.profile +++ b/etc/profile-m-z/warmux.profile @@ -48,7 +48,7 @@ disable-mnt private-bin warmux private-cache private-dev -private-etc @tls-ca,host.conf,rpc,services +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile index 62d667d574e..8a9614fb07f 100644 --- a/etc/profile-m-z/whalebird.profile +++ b/etc/profile-m-z/whalebird.profile 
@@ -22,7 +22,7 @@ whitelist ${HOME}/.config/Whalebird no3d private-bin electron,electron[0-9],electron[0-9][0-9],whalebird -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl # Redirect include electron.profile diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile index 8958564ef2a..d8c72ac8bb6 100644 --- a/etc/profile-m-z/whois.profile +++ b/etc/profile-m-z/whois.profile @@ -46,7 +46,7 @@ private private-bin bash,sh,whois private-cache private-dev -private-etc jwhois.conf,services,whois.conf +private-etc alternatives,hosts,jwhois.conf,ld.so.cache,ld.so.preload,resolv.conf,services,whois.conf private-lib gconv private-tmp diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile index fc4fa24350f..d8742cd7190 100644 --- a/etc/profile-m-z/wire-desktop.profile +++ b/etc/profile-m-z/wire-desktop.profile @@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Wire whitelist ${HOME}/.config/Wire private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl # Redirect include electron.profile diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile index 310e8b47000..ccc2e8dd036 100644 --- a/etc/profile-m-z/wordwarvi.profile +++ b/etc/profile-m-z/wordwarvi.profile @@ -44,7 +44,7 @@ private private-bin wordwarvi private-cache private-dev -private-etc +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse private-tmp dbus-user none diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile index e85bb9f1893..1b44b63e0d9 100644 --- a/etc/profile-m-z/xbill.profile +++ b/etc/profile-m-z/xbill.profile 
@@ -43,7 +43,7 @@ private private-bin xbill private-cache private-dev -private-etc +private-etc alternatives,ld.so.cache,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile index 9c4fa829322..95eb2046e39 100644 --- a/etc/profile-m-z/xfce4-mixer.profile +++ b/etc/profile-m-z/xfce4-mixer.profile @@ -45,7 +45,7 @@ disable-mnt private-bin xfce4-mixer,xfconf-query private-cache private-dev -private-etc +private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id,pulse private-tmp dbus-user filter diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile index 4d841b35cdf..575acc9b286 100644 --- a/etc/profile-m-z/xfce4-screenshooter.profile +++ b/etc/profile-m-z/xfce4-screenshooter.profile @@ -41,7 +41,7 @@ tracelog disable-mnt private-bin xfce4-screenshooter,xfconf-query private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile index 76e58aff3d7..371db722c1d 100644 --- a/etc/profile-m-z/xiphos.profile +++ b/etc/profile-m-z/xiphos.profile @@ -46,7 +46,7 @@ disable-mnt private-bin xiphos private-cache private-dev -private-etc @tls-ca,sword,sword.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf private-tmp restrict-namespaces diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile index b597dc7a2c2..404baf6073a 100644 --- a/etc/profile-m-z/xlinks.profile +++ b/etc/profile-m-z/xlinks.profile 
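Review bot: The new `private-etc` line in xiphos.profile lists `ssli`, which looks like a typo for `ssl`; every other profile in this change that carries `ca-certificates,crypto-policies,...,pki,resolv.conf` ends that run with `ssl`. With the misspelled name, /etc/ssl is presumably left out of the sandbox's /etc, so certificate lookup may fail or behave differently between distributions. The tail of the line should read `pki,resolv.conf,ssl,sword,sword.conf`.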
@@ -14,7 +14,7 @@ include whitelist-common.inc # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line private-bin xlinks -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload # Redirect include links.profile diff --git a/etc/profile-m-z/xlinks2.profile b/etc/profile-m-z/xlinks2.profile index 83356fb7b04..d7edd3543f1 100644 --- a/etc/profile-m-z/xlinks2.profile +++ b/etc/profile-m-z/xlinks2.profile @@ -14,7 +14,7 @@ include whitelist-common.inc # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line private-bin xlinks2 -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload # Redirect include links2.profile diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile index b8bf0ae96db..ad1ba8ca3f0 100644 --- a/etc/profile-m-z/xmr-stak.profile +++ b/etc/profile-m-z/xmr-stak.profile @@ -37,7 +37,7 @@ disable-mnt private ${HOME}/.xmr-stak private-bin xmr-stak private-dev -private-etc @tls-ca +private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend private-opt cuda private-tmp diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile index 87e75986d56..9128c330b87 100644 --- a/etc/profile-m-z/xonotic.profile +++ b/etc/profile-m-z/xonotic.profile @@ -45,7 +45,7 @@ disable-mnt private-cache private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic* private-dev -private-etc @tls-ca,@x11,host.conf +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-tmp dbus-user none 
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile index e2e97f0286d..a17464a2a3c 100644 --- a/etc/profile-m-z/xournal.profile +++ b/etc/profile-m-z/xournal.profile @@ -42,7 +42,7 @@ tracelog private-bin xournal private-cache private-dev -private-etc +private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd # TODO should use private-lib private-tmp diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile index e1c9c03e8fe..a23ad68df53 100644 --- a/etc/profile-m-z/xournalpp.profile +++ b/etc/profile-m-z/xournalpp.profile @@ -28,7 +28,7 @@ include whitelist-runuser-common.inc #include whitelist-common.inc private-bin kpsewhich,pdflatex,xournalpp -private-etc latexmk.conf,texlive +private-etc alternatives,latexmk.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,texlive # Redirect include xournal.profile diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile index 6edbf935705..ff5dc619bed 100644 --- a/etc/profile-m-z/xreader.profile +++ b/etc/profile-m-z/xreader.profile @@ -38,7 +38,7 @@ tracelog private-bin xreader,xreader-previewer,xreader-thumbnailer private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp memory-deny-write-execute diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index f5dd0c309b2..6ea7fdfbdf7 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile @@ -55,7 +55,7 @@ disable-mnt private-bin groff,man,tbl,troff,yelp private-cache private-dev -private-etc @games,@tls-ca,@x11,cups,groff,man_db.conf,os-release,sgml,xml +private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml private-tmp dbus-user filter diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile index b706bec4e68..c846893ef9e 100644 
--- a/etc/profile-m-z/youtube-dl-gui.profile +++ b/etc/profile-m-z/youtube-dl-gui.profile @@ -48,7 +48,7 @@ disable-mnt private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui private-cache private-dev -private-etc @tls-ca,@x11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile index 8376b4989c1..4f2cc95239b 100644 --- a/etc/profile-m-z/youtube-dl.profile +++ b/etc/profile-m-z/youtube-dl.profile @@ -57,7 +57,7 @@ tracelog private-bin env,ffmpeg,python*,youtube-dl private-cache private-dev -private-etc @tls-ca,mime.types,youtube-dl.conf +private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf private-tmp dbus-user none diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile index 9ef90eb92fc..f66e2938b06 100644 --- a/etc/profile-m-z/youtube-viewers-common.profile +++ b/etc/profile-m-z/youtube-viewers-common.profile @@ -59,7 +59,7 @@ disable-mnt private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp private-cache private-dev -private-etc @tls-ca,@x11,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg private-tmp dbus-user filter diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile index 9bb1991c230..5c4d697da5e 100644 --- a/etc/profile-m-z/youtube.profile +++ b/etc/profile-m-z/youtube.profile 
@@ -17,7 +17,7 @@ mkdir ${HOME}/.config/Youtube whitelist ${HOME}/.config/Youtube private-bin electron,electron[0-9],electron[0-9][0-9],youtube -private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt Youtube # Redirect diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile index 09a8a446fa2..2b5ffeaaf4b 100644 --- a/etc/profile-m-z/youtubemusic-nativefier.profile +++ b/etc/profile-m-z/youtubemusic-nativefier.profile @@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164 whitelist ${HOME}/.config/youtubemusic-nativefier-040164 private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier -private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt youtubemusic-nativefier # Redirect diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile index 49d4b3b56bf..6e835b03f0e 100644 --- a/etc/profile-m-z/yt-dlp.profile +++ b/etc/profile-m-z/yt-dlp.profile @@ -15,7 +15,7 @@ noblacklist ${HOME}/yt-dlp.conf noblacklist ${HOME}/yt-dlp.conf.txt private-bin ffprobe,yt-dlp -private-etc yt-dlp.conf +private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf # Redirect include youtube-dl.profile diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile index 43b624705bd..aa466871cb8 100644 --- a/etc/profile-m-z/ytmdesktop.profile +++ b/etc/profile-m-z/ytmdesktop.profile 
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app whitelist ${HOME}/.config/youtube-music-desktop-app # private-bin env,ytmdesktop -private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg # private-opt # Redirect diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile index 35c3f13006b..1daf89c8473 100644 --- a/etc/profile-m-z/zathura.profile +++ b/etc/profile-m-z/zathura.profile @@ -48,7 +48,7 @@ tracelog private-bin zathura private-cache private-dev -private-etc +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id # private-lib has problems on Debian 10 #private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura private-tmp diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile index caf9eab632f..453f40e73fd 100644 --- a/etc/profile-m-z/zeal.profile +++ b/etc/profile-m-z/zeal.profile @@ -60,7 +60,7 @@ disable-mnt private-bin zeal private-cache private-dev -private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services +private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg private-tmp dbus-user filter diff --git a/etc/profile-m-z/zim.profile b/etc/profile-m-z/zim.profile index 69ec3a706d9..a9e5aa5c3ac 100644 --- a/etc/profile-m-z/zim.profile +++ b/etc/profile-m-z/zim.profile 
@@ -63,7 +63,7 @@ disable-mnt private-bin python*,zim private-cache private-dev -private-etc @x11,gconf +private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 private-tmp dbus-user none diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile index 1622b388637..b69de3be11c 100644 --- a/etc/profile-m-z/zulip.profile +++ b/etc/profile-m-z/zulip.profile @@ -43,7 +43,7 @@ disable-mnt private-bin locale,zulip private-cache private-dev -private-etc +private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp restrict-namespaces diff --git a/src/etc-cleanup/Makefile b/src/etc-cleanup/Makefile deleted file mode 100644 index 349da882153..00000000000 --- a/src/etc-cleanup/Makefile +++ /dev/null @@ -1,9 +0,0 @@ -ROOT = ../.. --include $(ROOT)/config.mk - -PROG = etc-cleanup -TARGET = $(PROG) - -MOD_HDRS = ../include/etc-groups.h - -include $(ROOT)/src/prog.mk diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h index dd9d94ffd60..e3f8bcc7e9f 100644 --- a/src/include/etc_groups.h +++ b/src/include/etc_groups.h @@ -20,7 +20,6 @@ #ifndef ETC_GROUPS_H #define ETC_GROUPS_H -#include #define ETC_MAX 256 @@ -40,7 +39,6 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer "login.defs", // firejail reading UID/GID MIN and MAX at startup "nsswitch.conf", "passwd", - "selinux", NULL }; @@ -49,7 +47,6 @@ static char *etc_group_games[] = { "openal", // 3D sound "timidity", // MIDI "timidity.cfg", - "vulkan", // next generation OpenGL stack NULL }; @@ -92,7 +89,6 @@ static char *etc_group_x11[] = { "kde5rc", "nvidia", // 3D "pango", // text rendering/internationalization - "Trolltech.conf", // old QT config file "X11", "xdg", NULL diff --git a/src/etc-cleanup/main.c b/src/tools/cleanup_etc.c similarity index 65% rename from src/etc-cleanup/main.c rename to src/tools/cleanup_etc.c index 47fe1556ba5..5c926a8c646 100644 
--- a/src/etc-cleanup/main.c +++ b/src/tools/cleanup_etc.c @@ -18,9 +18,15 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "../include/etc_groups.h" -#include "../include/common.h" +#include +#include +#include #include +#include +#include "../include/etc_groups.h" +#define errExit(msg) do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0) + + #define MAX_BUF 4098 #define MAX_ARR 1024 @@ -32,8 +38,6 @@ static int arr_x11 = 0; static int arr_games = 0; static char outbuf[256 * 1024]; static char *outptr; -static int arg_replace = 0; -static int arg_debug = 0; void outprintf(char* fmt, ...) { va_list args; @@ -74,17 +78,6 @@ static void arr_add(const char *fname) { arr_cnt++; } -int arr_cmp(const void *p1, const void *p2) { - char **ptr1 = (char **) p1; - char **ptr2 = (char **) p2; - - return strcmp(*ptr1, *ptr2); -} - -static void arr_sort(void) { - qsort(&arr[0], arr_cnt, sizeof(char *), arr_cmp); -} - static void arr_clean(void) { int i; for (i = 0; i < arr_cnt; i++) { @@ -98,27 +91,29 @@ static void arr_clean(void) { arr_x11 = 0; } -static char *arr_print(void) { - char *last_line = outptr; +static void arr_print(void) { + printf("private-etc "); outprintf("private-etc "); - if (arr_games) + if (arr_games) { + printf("@games,"); outprintf("@games,"); - if (arr_tls_ca) + } + if (arr_tls_ca) { + printf("@tls-ca,"); outprintf("@tls-ca,"); - if (arr_x11) + } + if (arr_x11) { + printf("@x11,"); outprintf("@x11,"); - + } int i; - for (i = 0; i < arr_cnt; i++) + for (i = 0; i < arr_cnt; i++) { + printf("%s,", arr[i]); outprintf("%s,", arr[i]); - if (*(outptr - 1) == ' ' || *(outptr - 1) == ',') { - outptr--; - *outptr = '\0'; } + printf("\n"); outprintf("\n"); - - return last_line; } static void process_file(const char *fname) { 
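Review bot: The `errExit` macro added in the include hunk formats into `char msgout[500]` with an unbounded `sprintf`, so a long `msg` would write past the buffer. Bound the write instead: `snprintf(msgout, sizeof(msgout), "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__);`. The macro presumably stands in for a definition that came with the dropped `../include/common.h`. No use of `errExit` is visible in these hunks, so it may be possible to leave it out altogether.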
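Review bot: `arr_print()` now emits every entry as `"%s,"` and goes straight to the newline, so the line stored in `outbuf` ends in a trailing comma, or in a bare `private-etc ` with a trailing space when nothing was collected. `process_file()` later writes that text back into the profile. The removed trim should stay ahead of the final `outprintf("\n")`: `if (*(outptr - 1) == ' ' || *(outptr - 1) == ',') *--outptr = '\0';`. How the profile parser treats an empty trailing list item is not visible here, so this is worth checking before any profile is rewritten with the tool. The paired `printf`/`outprintf` calls also repeat each format string and could be folded into one helper that writes to both.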
@@ -126,13 +121,12 @@ static void process_file(const char *fname) { FILE *fp = fopen(fname, "r"); if (!fp) { - fprintf(stderr, "Error: cannot open %s file\n", fname); + fprintf(stderr, "Error: cannot open profile file\n"); exit(1); } outptr = outbuf; *outptr = '\0'; - arr_clean(); char line[MAX_BUF]; char orig_line[MAX_BUF]; @@ -140,16 +134,18 @@ static void process_file(const char *fname) { int print = 0; while (fgets(line, MAX_BUF, fp)) { cnt++; - if (strncmp(line, "private-etc", 11) != 0) { - outprintf("%s", line); + if (strncmp(line, "private-etc ", 12) != 0) { + sprintf(outptr, "%s", line); + outptr += strlen(outptr); continue; } - - strcpy(orig_line,line); char *ptr = strchr(line, '\n'); if (ptr) *ptr = '\0'; + print = 1; + strcpy(orig_line,line); + ptr = line + 12; while (*ptr == ' ' || *ptr == '\t') ptr++; @@ -158,7 +154,7 @@ static void process_file(const char *fname) { char *ptr2 = ptr; while (*ptr2 != '\0') { if (*ptr2 == ' ' || *ptr2 == '\t') { - fprintf(stderr, "Error: invalid private-etc line %s:%d\n", fname, cnt); + fprintf(stderr, "Error: invlid private-etc line %s:%d\n", fname, cnt); exit(1); } ptr2++; @@ -166,8 +162,6 @@ static void process_file(const char *fname) { ptr = strtok(ptr, ","); while (ptr) { - if (arg_debug) - printf("%s\n", ptr); if (arr_check(ptr, &etc_list[0])); else if (arr_check(ptr, &etc_group_sound[0])); else if (arr_check(ptr, &etc_group_network[0])); 
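Review bot: The open-failure message at the top of `process_file()` no longer names the file, reading only `"Error: cannot open profile file\n"`. `main()` calls this function for every argument, so with several profiles on the command line the user cannot tell which one failed. Keep the path in the message: `fprintf(stderr, "Error: cannot open %s file\n", fname);`. The function body continues past this hunk.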
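Review bot: In the read loop of `process_file()`, non-matching lines are now copied with `sprintf(outptr, "%s", line); outptr += strlen(outptr);`. That never checks how much of the 256 KiB static `outbuf` is left, so a profile larger than the buffer is written past its end. Check the remaining space before copying, for example `size_t left = sizeof(outbuf) - (size_t)(outptr - outbuf);` followed by `if (strlen(line) >= left) { fprintf(stderr, "Error: %s is too large\n", fname); exit(1); }`. Alternatively, route the copy through `outprintf()` if that helper enforces the bound; its body is outside these hunks. The prefix test also became `strncmp(line, "private-etc ", 12)`, so a bare `private-etc` line is passed through untouched, which deserves a comment if intended.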
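Review bot: The error string in the whitespace check of `process_file()` is misspelled on the new side as `invlid`. It should read `fprintf(stderr, "Error: invalid private-etc line %s:%d\n", fname, cnt);`. Anyone searching logs or scripts for the message text will miss the misspelled form.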
@@ -189,36 +183,30 @@ static void process_file(const char *fname) { ptr = strtok(NULL, ","); } - arr_sort(); - char *last_line = arr_print(); - if (strcmp(last_line, orig_line) == 0) { - fclose(fp); - return; - } - printf("\n********************\nfile: %s\n\nold: %s\nnew: %s\n", fname, orig_line, last_line); - print = 1; + printf("\n%s: %s\n%s: ", fname, orig_line, fname); + arr_print(); + arr_clean(); } fclose(fp); - if (print && arg_replace) { - fp = fopen(fname, "w"); - if (!fp) { - fprintf(stderr, "Error: cannot open profile file\n"); - exit(1); + if (print) { + printf("Replace %s file? (Y/N): ", fname); + fgets(line, MAX_BUF, stdin); + if (*line == 'y' || *line == 'Y') { + fp = fopen(fname, "w"); + if (!fp) { + fprintf(stderr, "Error: cannot open profile file\n"); + exit(1); + } + fprintf(fp, "%s", outbuf); + fclose(fp); } - fprintf(fp, "%s", outbuf); - fclose(fp); } } static void usage(void) { - printf("usage: cleanup-etc [options] file.profile [file.profile]\n"); - printf("Group and clean private-etc entries in one or more profile files.\n"); - printf("Options:\n"); - printf(" --debug - print debug messages\n"); - printf(" -h, -?, --help - this help screen\n"); - printf(" --replace - replace profile file\n"); + printf("usage: cleanup-etc file.profile\n"); } int main(int argc, char **argv) { @@ -230,25 +218,13 @@ int main(int argc, char **argv) { int i; for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "-h") == 0 || - strcmp(argv[i], "-?") == 0 || - strcmp(argv[i], "--help") == 0) { + if (strcmp(argv[i], "-h") == 0) { usage(); return 0; } - else if (strcmp(argv[i], "--debug") == 0) - arg_debug = 1; - else if (strcmp(argv[i], "--replace") == 0) - arg_replace = 1; - else if (*argv[i] == '-') { - fprintf(stderr, "Error: invalid program option %s\n", argv[i]); - return 1; - } - else - break; } - for (; i < argc; i++) + for (i = 1; i < argc; i++) process_file(argv[i]); return 0;
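Review bot: The result of `fgets(line, MAX_BUF, stdin)` in the new confirmation prompt is not checked. When stdin is closed or at end of file, `line` still holds whatever the profile read loop left in it, and if that text begins with `y` or `Y` the profile is rewritten without any answer having been given. Test the call first: `if (fgets(line, MAX_BUF, stdin) && (*line == 'y' || *line == 'Y')) {`. The rewrite also opens the profile with `"w"` and ignores the results of `fprintf` and `fclose`, so a failed write leaves a truncated sandbox profile behind. Checking both and reporting the error would make that visible.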
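Review bot: After this change `main()` recognises only `-h` and then hands every argument, including anything that starts with `-`, to `process_file()` as a file name. A leftover `--replace` or `--debug` from the old interface is therefore treated as a profile path and fails with the generic open error. Keep the rejection branch in the first loop: `else if (*argv[i] == '-') { fprintf(stderr, "Error: invalid program option %s\n", argv[i]); return 1; }`. `main()` starts before and ends after this hunk.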