From b2fc81dd161b9ee93c0f288558fb9d46293ea885 Mon Sep 17 00:00:00 2001
From: kortewegdevries
Date: Sun, 9 Aug 2020 20:24:10 +0530
Subject: [PATCH 1/6] Add profile for twitch,youtube wrappers

---
 etc/inc/disable-programs.inc | 2 ++
 etc/profile-a-l/git-cola.profile | 2 +-
 etc/profile-m-z/twitch.profile | 38 ++++++++++++++++++++++++++++++++
 etc/profile-m-z/youtube.profile | 38 ++++++++++++++++++++++++++++++++
 src/firecfg/firecfg.config | 2 ++
 5 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 etc/profile-m-z/twitch.profile
 create mode 100644 etc/profile-m-z/youtube.profile

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e911be93a84..4636f546456 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -131,9 +131,11 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Standard Notes
 blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/Youtube
 blacklist ${HOME}/.config/Zeal
 blacklist ${HOME}/.config/ZeGrapher Project
 blacklist ${HOME}/.config/abiword
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 30e80f51988..c9530c63fcf 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -62,5 +62,5 @@ dbus-user filter
 dbus-system none
 
 read-only ${HOME}/.ssh
-read-only ${HOME}/.gnupg
+# read-only ${HOME}/.gnupg
 read-only ${HOME}/.git-credentials
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
new file mode 100644
index 00000000000..f99bd8b4844
--- /dev/null
+++ b/etc/profile-m-z/twitch.profile
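Review bot: In the git-cola hunk, commenting out `read-only ${HOME}/.gnupg` leaves the whole GnuPG home writable from inside the sandbox, so a compromised git-cola process could alter keyrings or the trust database, and the hunk gives no reason for the change. The `noblacklist ${HOME}/.gnupg` that makes the directory visible presumably lives earlier in the profile, outside this hunk, so the guard being dropped here is the only write protection left. Keep a comment on the disabled line that states when it should be re-enabled, e.g. `# Comment if you sign commits with GPG` directly above `read-only ${HOME}/.gnupg`, so users who do not sign can keep the read-only mount.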
@@ -0,0 +1,38 @@
+# Firejail profile for twitch
+# Description: Unofficial electron based desktop warpper for Twitch
+# This file is overwritten after every install/update
+# Persistent local customizations
+include twitch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Twitch
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Twitch
+whitelist ${HOME}/.config/Twitch
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+nou2f
+novideo
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin twitch
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt Twitch
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
new file mode 100644
index 00000000000..c7e9ce70976
--- /dev/null
+++ b/etc/profile-m-z/youtube.profile
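Review bot: The Description line of the new twitch.profile misspells `wrapper` as `warpper`; the same misspelling is copied into youtube.profile, youtubemusic-nativefier.profile and ytmdesktop.profile later in this series. Suggested line: `# Description: Unofficial electron based desktop wrapper for Twitch`, with the matching fix in the three sibling profiles. The Description comment is what users see when looking up the profile, so it is worth getting right before the copies multiply.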
@@ -0,0 +1,38 @@
+# Firejail profile for youtube
+# Description: Unofficial electron based desktop warpper for YouTube
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Youtube
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Youtube
+whitelist ${HOME}/.config/Youtube
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+nou2f
+novideo
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin youtube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt Youtube
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 05c5681d507..a746ce6fb83 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -738,6 +738,7 @@ truecraft
 tshark
 tuxguitar
 tvbrowser
+twitch
 udiskie
 uefitool
 uget-gtk
@@ -815,6 +816,7 @@ xreader-thumbnailer
 xviewer
 yandex-browser
 yelp
+youtube
 youtube-dl
 zaproxy
 zart

From 6909aab4ba6e840c01c0817c0866c92569f6206f Mon Sep 17 00:00:00 2001
From: kortewegdevries
Date: Wed, 12 Aug 2020 19:43:53 +0530
Subject: [PATCH 2/6] Fix git-cola, add Youtube music wrapper profiles

---
 etc/inc/disable-programs.inc | 3 ++
 etc/profile-a-l/git-cola.profile | 18 +++++++--
 .../youtubemusic-nativefier.profile | 38 ++++++++++++++++++
 etc/profile-m-z/ytmdesktop.profile | 39 +++++++++++++++++++
 src/firecfg/firecfg.config | 6 +++
 5 files changed, 100 insertions(+), 4 deletions(-)
 create mode 100644 etc/profile-m-z/youtubemusic-nativefier.profile
 create mode 100644 etc/profile-m-z/ytmdesktop.profile

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 4636f546456..d08c2a102b7 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -398,6 +398,9 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtubemusic-nativefier-040164
+blacklist ${HOME}/.config/youtube-music-desktop-app
+blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.config/Zulip
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index c9530c63fcf..e707c87a7ed 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -28,7 +28,15 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+# Put your editor,diff viewer,gnupg path below
+whitelist /usr/share/git
+whitelist /usr/share/git-cola
+whitelist /usr/share/git-core
+whitelist /usr/share/git-gui
+whitelist /usr/share/gitk
+whitelist /usr/share/gitweb
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -49,11 +57,11 @@ seccomp
 shell none
 tracelog
 
-# private-bin atom,bash,colordiff,emacs,fldiff,geany,gedit,git,git gui,git-cola,git-dag,gitk,gpg,gvim,leafpad,meld,mousepad,nano,notepadqq,python*,sh,ssh,vim,vimdiff,which,xed
+# private-bin atom,bash,colordiff,emacs,fldiff,geany,gedit,git,git gui,git-cola,git-dag,gitk,gpg,gpg-agent,gvim,leafpad,meld,mousepad,nano,notepadqq,pinentry,python*,sh,ssh,,ssh-agent,vim,vimdiff,which,xed
 private-cache
 private-dev
 # Comment if you sign commits with GPG
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
 private-tmp
 
 dbus-user filter
@@ -61,6 +69,8 @@ dbus-user filter
 # dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.ssh
-# read-only ${HOME}/.gnupg
 read-only ${HOME}/.git-credentials
+# Comment if you sign commits with GPG
+read-only ${HOME}/.gnupg
+# Comment if you need to allow hosts
+read-only ${HOME}/.ssh
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
new file mode 100644
index 00000000000..3a94a57079f
--- /dev/null
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
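Review bot: The rewritten `# private-bin` line in the first git-cola hunk contains `ssh,,ssh-agent`, an empty list element, and still carries `git gui` with a space even though private-bin is a comma-separated list of binary names, so that entry can never match an executable. Both are harmless only because the line is commented out; anyone who uncomments it as the comment invites will inherit both mistakes. Suggested fragment: `...,sh,ssh,ssh-agent,...` and `git-gui` in place of `git gui`.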
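Review bot: In the second git-cola hunk the new comment `# Comment if you need to allow hosts` above `read-only ${HOME}/.ssh` does not say what "allow hosts" means; presumably it refers to ssh being unable to append new entries to `~/.ssh/known_hosts` while the directory is read-only — confirm. Suggested wording: `# Comment if ssh must write to ~/.ssh (e.g. to update known_hosts)`. The same comment is carried unchanged into the later patches of this series, so fixing it here avoids repeating the edit.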
@@ -0,0 +1,38 @@
+# Firejail profile for youtubemusic-nativefier
+# Description: Unofficial electron based desktop warpper for YouTube Music
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/youtubemusic-nativefier-040164
+whitelist ${HOME}/.config/youtubemusic-nativefier-040164
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+nou2f
+novideo
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin youtubemusic-nativefier
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt youtubemusic-nativefier
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
new file mode 100644
index 00000000000..5c37b838b8d
--- /dev/null
+++ b/etc/profile-m-z/ytmdesktop.profile
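Review bot: Under `# Persistent local customizations` the new youtubemusic-nativefier.profile does `include youtube.local`, which is the youtube wrapper's override file, not this profile's own; any local customization written for the YouTube profile would silently apply here, and there is no `youtubemusic-nativefier.local` hook at all. Change the line to `include youtubemusic-nativefier.local`. The ytmdesktop.profile hunk that follows has the same copy-paste (`include youtube.local` where `include ytmdesktop.local` is meant).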
@@ -0,0 +1,39 @@
+# Firejail profile for ytmdesktop
+# Description: Unofficial electron based desktop warpper for YouTube Music
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+ignore dbus-user none
+
+noblacklist ${HOME}/.config/youtube-music-desktop-app
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/youtube-music-desktop-app
+whitelist ${HOME}/.config/youtube-music-desktop-app
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+nou2f
+novideo
+seccomp !chroot
+shell none
+
+disable-mnt
+# private-bin env,ytmdesktop
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+# private-opt
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index a746ce6fb83..4a535ceb986 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -327,6 +327,9 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
+gtk-youtube-viewer
+gtk2-youtube-viewer
+gtk3-youtube-viewer
 guayadeque
 gucharmap
 gummi
@@ -818,6 +821,9 @@ yandex-browser
 yelp
 youtube
 youtube-dl
+youtube-viewer
+youtubemusic-nativefier
+ytmdesktop
 zaproxy
 zart
 zathura

From 5b504909e0ad1f740dcd91394fab7c4cd362acc6 Mon Sep 17 00:00:00 2001
From: kortewegdevries
Date: Fri, 14 Aug 2020 16:27:13 +0530
Subject: [PATCH 3/6] Fixes for git-cola again

---
 etc/inc/disable-programs.inc | 3 ---
 etc/profile-a-l/git-cola.profile | 19 ++++++++++++-------
 src/firecfg/firecfg.config | 3 ---
 3 files changed, 12 insertions(+), 13 deletions(-)
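Review bot: `ignore dbus-user none` in the new ytmdesktop.profile cancels the session-bus lockdown that the redirected electron.profile presumably sets (the include is the last line of this file; confirm), and nothing in the hunk says which bus names the application actually needs, so the sandboxed process ends up with unrestricted D-Bus session access. Also, unlike the sibling twitch/youtube profiles, `include disable-shell.inc` is absent here and `private-bin` is commented out, without a comment explaining the difference. Prefer a comment stating the reason above the ignore line, e.g. `# ytmdesktop needs the session bus for <feature — TODO confirm>`, and if the need is a specific service, replace the ignore with `dbus-user filter` plus a `dbus-user.own <bus-name>` or `dbus-user.talk <bus-name>` rule for that name only.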
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 8cb18f98bd4..d08c2a102b7 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -398,11 +398,8 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
-<<<<<<< HEAD
 blacklist ${HOME}/.config/youtubemusic-nativefier-040164
 blacklist ${HOME}/.config/youtube-music-desktop-app
-=======
->>>>>>> 35ec6b6ce6c2bcf1abb81f9682a1921466cf1f6d
 blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index e707c87a7ed..565771ea234 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -8,12 +8,13 @@ include globals.local
 
 ignore noexec ${HOME}
 
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.config/git-cola
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.ssh
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.config/git-cola
+noblacklist ${HOME}/.subversion
 
 # Put your editor,diff viewer config path below and uncomment to load settings
 # noblacklist ${HOME}/
@@ -28,6 +29,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+# Uncomment to allow ssh,gpg
+# whitelist ${RUNUSER}/gnupg
+# whitelist ${RUNUSER}/keyring
 # Put your editor,diff viewer,gnupg path below
 whitelist /usr/share/git
 whitelist /usr/share/git-cola
@@ -35,6 +39,7 @@ whitelist /usr/share/git-core
 whitelist /usr/share/git-gui
 whitelist /usr/share/gitk
 whitelist /usr/share/gitweb
+whitelist /usr/share/gnupg
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
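Review bot: The new `noblacklist ${HOME}/.subversion` in the first git-cola hunk re-exposes the Subversion configuration directory, whose `auth/` subtree can hold cached repository credentials, and unlike `.gitconfig` or `.ssh` it gets no comment and no matching `read-only` line later in the profile. If the intent is git-svn support (inferred from the surrounding git entries; confirm), say so and limit the exposure: `# Needed for git-svn` above the line, and `read-only ${HOME}/.subversion` next to the other read-only entries near the end of the profile, which lie outside this hunk.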
@@ -57,20 +62,20 @@ seccomp
 shell none
 tracelog
 
-# private-bin atom,bash,colordiff,emacs,fldiff,geany,gedit,git,git gui,git-cola,git-dag,gitk,gpg,gpg-agent,gvim,leafpad,meld,mousepad,nano,notepadqq,pinentry,python*,sh,ssh,,ssh-agent,vim,vimdiff,which,xed
+private-bin atom,basename,bash,colordiff,diff,emacs,envsubst,fldiff,geany,gedit,gettext,git,git gui,git-cola,git-dag,gitk,gpg,gpg-agent,gvim,leafpad,meld,mousepad,nano,notepadqq,nvim,pinentry,pinentry-gtk-2,ps,python*,sh,ssh,ssh-agent,tclsh,tr,vim,vimdiff,wc,which,xed
 private-cache
 private-dev
-# Comment if you sign commits with GPG
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
 private-tmp
 
-dbus-user filter
+# Breaks meld as diff viewer
+# dbus-user filter
 # Uncomment if you need keyring access
 # dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
 read-only ${HOME}/.git-credentials
 # Comment if you sign commits with GPG
-read-only ${HOME}/.gnupg
+# read-only ${HOME}/.gnupg
 # Comment if you need to allow hosts
 read-only ${HOME}/.ssh
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e81f6401300..4a535ceb986 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -822,11 +822,8 @@ yelp
 youtube
 youtube-dl
 youtube-viewer
-<<<<<<< HEAD
 youtubemusic-nativefier
 ytmdesktop
-=======
->>>>>>> 35ec6b6ce6c2bcf1abb81f9682a1921466cf1f6d
 zaproxy
 zart
 zathura

From fe12a99c2a13210d7c652e62efe98393c2eb145d Mon Sep 17 00:00:00 2001
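Review bot: Commenting out `dbus-user filter` with the note `# Breaks meld as diff viewer` removes session-bus filtering for git-cola entirely; no replacement `dbus-user` directive appears in the hunk, so unless one exists elsewhere in the profile (not visible here) the sandbox now talks to every session service, including the secrets service that the profile deliberately keeps behind a commented `dbus-user.talk org.freedesktop.secrets`. The narrower fix is to keep `dbus-user filter` and add the one `dbus-user.talk <meld bus name>` or `dbus-user.own <meld bus name>` rule meld needs, documented with the same comment. Separately, the now-active `private-bin` line still contains `git gui` as a single entry with a space, so that binary will not be found; the name is `git-gui`, and the inverted `# Comment if you sign commits with GPG` now sits above an already-commented `# read-only ${HOME}/.gnupg`, which no longer matches the instruction.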
From: kortewegdevries
Date: Thu, 20 Aug 2020 20:32:17 +0530
Subject: [PATCH 4/6] Add profile for alternative name for git-cola

---
 etc/profile-a-l/cola.profile | 11 +++++++++++
 src/firecfg/firecfg.config | 1 +
 2 files changed, 12 insertions(+)
 create mode 100644 etc/profile-a-l/cola.profile

diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile
new file mode 100644
index 00000000000..dc55b7d1756
--- /dev/null
+++ b/etc/profile-a-l/cola.profile
@@ -0,0 +1,11 @@
+# Firejail profile for cola
+# Description: Linux native frontend for Git,alternative call for git-cola
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cola.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+
+include git-cola.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 4a535ceb986..aa6d7e2029b 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -135,6 +135,7 @@ clocks
 cmus
 code
 code-oss
+cola
 com.github.dahenson.agenda
 com.github.johnfactotum.Foliate
 com.gitlab.newsflash

From 218dbc9744150b23af733a0f947c233e38ff2718 Mon Sep 17 00:00:00 2001
From: kortewegdevries
Date: Tue, 25 Aug 2020 08:43:30 +0000
Subject: [PATCH 5/6] Fixes

---
 etc/profile-a-l/git-cola.profile | 5 +++--
 etc/profile-m-z/twitch.profile | 2 --
 etc/profile-m-z/youtube.profile | 1 -
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 565771ea234..585eb817967 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -62,7 +62,8 @@ seccomp
 shell none
 tracelog
 
-private-bin atom,basename,bash,colordiff,diff,emacs,envsubst,fldiff,geany,gedit,gettext,git,git gui,git-cola,git-dag,gitk,gpg,gpg-agent,gvim,leafpad,meld,mousepad,nano,notepadqq,nvim,pinentry,pinentry-gtk-2,ps,python*,sh,ssh,ssh-agent,tclsh,tr,vim,vimdiff,wc,which,xed
+# Add your own diff viewer,editor,pinentry program
+private-bin basename,bash,cola,envsubst,gettext,git,git-gui,git-cola,git-dag,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
@@ -75,7 +76,7 @@ private-tmp
 dbus-system none
 
 read-only ${HOME}/.git-credentials
-# Comment if you sign commits with GPG
+# Uncomment if you sign commits with GPG
 # read-only ${HOME}/.gnupg
 # Comment if you need to allow hosts
 read-only ${HOME}/.ssh
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index f99bd8b4844..3c50344f131 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -21,8 +21,6 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-nou2f
-novideo
 seccomp !chroot
 shell none
 
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index c7e9ce70976..a6c7750a96c 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -21,7 +21,6 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-nou2f
 novideo
 seccomp !chroot
 shell none

From 1a812cd434b602d9e16ff8defcccbaa71cebcc66 Mon Sep 17 00:00:00 2001
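Review bot: The second git-cola hunk rewrites the comment to `# Uncomment if you sign commits with GPG` above `# read-only ${HOME}/.gnupg`, which says the opposite of what the earlier patches in this series intended: the read-only mount was what had to be removed for signing, because gpg presumably needs to write under `~/.gnupg` (confirm). As written, a user who follows the instruction would mount the directory read-only exactly when they need it writable. Either restore the original sense, e.g. `# Uncomment if you do NOT sign commits with GPG`, or drop the pair and document the trade-off in one line.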
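Review bot: `novideo` is removed from twitch.profile in this hunk but kept in youtube.profile in the next one, and neither hunk explains the difference; `novideo` is what keeps video capture devices out of the sandbox, so if the Twitch wrapper only plays streams (inferred from the Description; confirm) the removal grants camera access for no benefit. Keep `novideo` unless the application really captures video, or add a comment such as `# novideo omitted: <reason — TODO confirm>` above `seccomp !chroot`. The `nou2f` removal in both hunks is likewise undocumented and is worth a one-line reason too.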
From: kortewegdevries
Date: Wed, 2 Sep 2020 16:47:35 +0000
Subject: [PATCH 6/6] Fix

---
 etc/profile-a-l/cola.profile | 3 +--
 etc/profile-a-l/git-cola.profile | 19 ++++++++++---------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile
index dc55b7d1756..e5debfd8280 100644
--- a/etc/profile-a-l/cola.profile
+++ b/etc/profile-a-l/cola.profile
@@ -7,5 +7,4 @@ include cola.local
 include globals.local
 
 # Redirect
-
-include git-cola.profile
+include git-cola.profile
\ No newline at end of file
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 585eb817967..4708078dd18 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -8,13 +8,13 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.config/git-cola
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.config/git-cola
 
 # Put your editor,diff viewer config path below and uncomment to load settings
 # noblacklist ${HOME}/
@@ -29,10 +29,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-# Uncomment to allow ssh,gpg
-# whitelist ${RUNUSER}/gnupg
-# whitelist ${RUNUSER}/keyring
-# Put your editor,diff viewer,gnupg path below
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+# Whitelist your editor, diff viewer, gnupg path below in /usr/share/
 whitelist /usr/share/git
 whitelist /usr/share/git-cola
 whitelist /usr/share/git-core
@@ -40,6 +39,7 @@ whitelist /usr/share/git-gui
 whitelist /usr/share/gitk
 whitelist /usr/share/gitweb
 whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
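Review bot: The cola.profile hunk commits its last line `include git-cola.profile` without a trailing newline (`\ No newline at end of file`), whereas the version it replaces ended properly; this is a regression in the file's formatting and will show up as noise in every future diff of the file. Re-add the terminating newline after `include git-cola.profile`.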
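Review bot: The second git-cola hunk turns the opt-in `# whitelist ${RUNUSER}/gnupg` and `# whitelist ${RUNUSER}/keyring` into unconditional whitelists, so every git-cola session now sees the gpg-agent and keyring sockets under `${RUNUSER}`, including for users who never sign or use a keyring; the removed `# Uncomment to allow ssh,gpg` comment was the only explanation of what these lines are for. Either keep them opt-in, or retain a comment above `whitelist ${RUNUSER}/gnupg` stating why they are always on, e.g. `# gpg-agent and keyring sockets, needed for commit signing and credential helpers`. Note that `writable-run-user` added in the next hunk makes these sockets writable as well, which widens the same exposure.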
@@ -63,11 +63,13 @@ shell none
 tracelog
 
 # Add your own diff viewer,editor,pinentry program
-private-bin basename,bash,cola,envsubst,gettext,git,git-gui,git-cola,git-dag,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
+# pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
 private-tmp
+writable-run-user
 
 # Breaks meld as diff viewer
 # dbus-user filter
@@ -76,7 +78,6 @@ private-tmp
 dbus-system none
 
 read-only ${HOME}/.git-credentials
-# Uncomment if you sign commits with GPG
-# read-only ${HOME}/.gnupg
+
 # Comment if you need to allow hosts
 read-only ${HOME}/.ssh
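Review bot: The new comment line listing pinentry variants ends with a stray `"` (`pinentry-kwallet" for gpg`) and does not say what the reader is meant to do with the list; it reads like a pasted fragment. Suggested wording: `# For gpg add one of: pinentry-curses, pinentry-emacs, ..., pinentry-kwallet to private-bin`. The added `writable-run-user` line also deserves a one-line reason next to it, since it makes `${RUNUSER}` writable for the sandbox (presumably for the gpg-agent and keyring sockets whitelisted earlier in the profile, outside this hunk — confirm).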
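Review bot: The last hunk deletes `# Uncomment if you sign commits with GPG` and `# read-only ${HOME}/.gnupg` and replaces them with a blank line, so the final profile leaves `${HOME}/.gnupg` writable with no trace of why, and a reader can no longer tell that a read-only mount was considered and rejected. Keep a single comment in that spot, e.g. `# ${HOME}/.gnupg is left writable because gpg needs to update its state when signing — TODO confirm`, in place of the empty added line.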