From 5ec7c2292cac3846b78e30027d615df58922439b Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 22 Mar 2024 14:08:37 -0300
Subject: [PATCH 1/2] sstmp.profile: sort disable includes

Move disable-X11.inc before disable-xdg.inc for consistency with other profiles.

Added on commit 73a6fced2 ("New profile: ssmtp (#5544)", 2022-12-21).
---
 etc/profile-m-z/ssmtp.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile
index b87f514f995..356a732e76a 100644
--- a/etc/profile-m-z/ssmtp.profile
+++ b/etc/profile-m-z/ssmtp.profile
@@ -24,8 +24,8 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 include disable-X11.inc
+include disable-xdg.inc
 
 mkfile ${HOME}/dead.letter
 whitelist ${HOME}/dead.letter

From 04efbb27631e2f4abb5f1c0a915612e8cc98397c Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 22 Mar 2024 13:44:53 -0300
Subject: [PATCH 2/2] profiles: replace x11 socket blacklist with disable-X11.inc

Replace all occurrences of `blacklist /tmp/.X11-unix` with `include disable-X11.inc`, which blacklists more X11-related files.

Commands used to search and replace:

$ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'

Note: The following files were also edited manually:

* etc/profile-a-l/erd.profile
* etc/profile-a-l/links-common.profile
* etc/profile-m-z/termshark.profile
* etc/profile-m-z/tmux.profile
* etc/profile-m-z/tshark.profile

Relates to #4462 #4854.
---
 etc/profile-a-l/agetpkg.profile | 2 +-
 etc/profile-a-l/alpine.profile | 2 +-
 etc/profile-a-l/aria2c.profile | 2 +-
 etc/profile-a-l/bpftop.profile | 2 +-
 etc/profile-a-l/cloneit.profile | 2 +-
 etc/profile-a-l/curl.profile | 2 +-
 etc/profile-a-l/dbus-send.profile | 2 +-
 etc/profile-a-l/deadlink.profile | 2 +-
 etc/profile-a-l/dexios.profile | 2 +-
 etc/profile-a-l/dig.profile | 2 +-
 etc/profile-a-l/dnscrypt-proxy.profile | 2 +-
 etc/profile-a-l/dnsmasq.profile | 2 +-
 etc/profile-a-l/drill.profile | 2 +-
 etc/profile-a-l/editorconfiger.profile | 2 +-
 etc/profile-a-l/erd.profile | 3 +--
 etc/profile-a-l/fdns.profile | 2 +-
 etc/profile-a-l/gget.profile | 2 +-
 etc/profile-a-l/gist.profile | 2 +-
 etc/profile-a-l/git.profile | 2 +-
 etc/profile-a-l/gnome-keyring-daemon.profile | 2 +-
 etc/profile-a-l/googler-common.profile | 2 +-
 etc/profile-a-l/gpg-agent.profile | 2 +-
 etc/profile-a-l/gpg.profile | 2 +-
 etc/profile-a-l/links-common.profile | 2 +-
 etc/profile-a-l/lynx.profile | 2 +-
 etc/profile-m-z/makepkg.profile | 2 +-
 etc/profile-m-z/mimetype.profile | 2 +-
 etc/profile-m-z/mocp.profile | 2 +-
 etc/profile-m-z/mutt.profile | 2 +-
 etc/profile-m-z/neomutt.profile | 2 +-
 etc/profile-m-z/nslookup.profile | 2 +-
 etc/profile-m-z/rsync-download_only.profile | 2 +-
 etc/profile-m-z/rtv.profile | 2 +-
 etc/profile-m-z/server.profile | 2 +-
 etc/profile-m-z/signal-cli.profile | 2 +-
 etc/profile-m-z/ssh-agent.profile | 2 +-
 etc/profile-m-z/statusof.profile | 2 +-
 etc/profile-m-z/termshark.profile | 3 ++-
 etc/profile-m-z/tin.profile | 2 +-
 etc/profile-m-z/tmux.profile | 2 +-
 etc/profile-m-z/tracker.profile | 2 +-
 etc/profile-m-z/tshark.profile | 3 ++-
 etc/profile-m-z/tvnamer.profile | 2 +-
 etc/profile-m-z/unbound.profile | 2 +-
 etc/profile-m-z/w3m.profile | 2 +-
 etc/profile-m-z/wget.profile | 2 +-
 etc/profile-m-z/whois.profile | 2 +-
 etc/profile-m-z/yt-dlp.profile | 2 +-
 48 files changed, 50 insertions(+), 49 deletions(-)

diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index 9ebbf1cb053..e455a17dbcb 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -7,7 +7,6 @@ include agetpkg.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -20,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
index 5ccb9896f04..2ded329592e 100644
--- a/etc/profile-a-l/alpine.profile
+++ b/etc/profile-a-l/alpine.profile
@@ -30,7 +30,6 @@ noblacklist ${HOME}/.pinercex
 noblacklist ${HOME}/.signature
 noblacklist ${HOME}/mail
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -39,6 +38,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 #whitelist ${DOCUMENTS}
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 65ffdfa1be0..0d70cf3811c 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.cache/winetricks # XXX: See #5238
 noblacklist ${HOME}/.config/aria2
 noblacklist ${HOME}/.netrc
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -19,6 +18,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/bpftop.profile b/etc/profile-a-l/bpftop.profile
index 1bcfce06ca1..8c64a77c678 100644
--- a/etc/profile-a-l/bpftop.profile
+++ b/etc/profile-a-l/bpftop.profile
@@ -7,7 +7,6 @@ include bpftop.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist /usr/libexec
 blacklist ${RUNUSER}
 
@@ -18,6 +17,7 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
diff --git a/etc/profile-a-l/cloneit.profile b/etc/profile-a-l/cloneit.profile
index b5328a807be..445ef4890e9 100644
--- a/etc/profile-a-l/cloneit.profile
+++ b/etc/profile-a-l/cloneit.profile
@@ -7,7 +7,6 @@ include cloneit.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist /usr/libexec
 blacklist ${RUNUSER}
 
@@ -18,6 +17,7 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-run-common.inc
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 417abcc910d..1d9ec5fa458 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -16,7 +16,6 @@ noblacklist ${HOME}/.config/curlrc # since curl 7.73.0
 noblacklist ${HOME}/.curl-hsts
 noblacklist ${HOME}/.curlrc
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 # If you use nvm, add the below lines to your curl.local
@@ -26,6 +25,7 @@ blacklist ${RUNUSER}
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
+include disable-X11.inc
 # Depending on workflow you can add 'include disable-xdg.inc' to your curl.local.
 #include disable-xdg.inc
 
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 70bd7370d5e..3a552b92956 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -7,7 +7,6 @@ include dbus-send.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -17,6 +16,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-write-mnt.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 #include whitelist-common.inc # see #903
diff --git a/etc/profile-a-l/deadlink.profile b/etc/profile-a-l/deadlink.profile
index 2e3fe9e0cc4..f7535c5977d 100644
--- a/etc/profile-a-l/deadlink.profile
+++ b/etc/profile-a-l/deadlink.profile
@@ -6,7 +6,6 @@ include deadlink.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist /usr/libexec
 blacklist ${RUNUSER}
 
@@ -23,6 +22,7 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-run-common.inc
diff --git a/etc/profile-a-l/dexios.profile b/etc/profile-a-l/dexios.profile
index 4dfccd685e6..55d6c83cea5 100644
--- a/etc/profile-a-l/dexios.profile
+++ b/etc/profile-a-l/dexios.profile
@@ -7,7 +7,6 @@ include dexios.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist /usr/libexec
 blacklist ${RUNUSER}
 
@@ -18,6 +17,7 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 781dfdcbca6..80eef569c8f 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -10,7 +10,6 @@ include globals.local
 noblacklist ${HOME}/.digrc
 noblacklist ${PATH}/dig
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -18,6 +17,7 @@ include disable-common.inc
 include disable-exec.inc
 #include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 #mkfile ${HOME}/.digrc # see #903
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
index 50b56fb2d14..e27fa202ba9 100644
--- a/etc/profile-a-l/dnscrypt-proxy.profile
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -7,7 +7,6 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 noblacklist /sbin
@@ -18,6 +17,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist /usr/share/dnscrypt-proxy
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
index 40ccab8c7df..b41eff3aebc 100644
--- a/etc/profile-a-l/dnsmasq.profile
+++ b/etc/profile-a-l/dnsmasq.profile
@@ -11,13 +11,13 @@ noblacklist /sbin
 noblacklist /usr/sbin
 noblacklist /var/lib/libvirt
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist /var/lib/libvirt/dnsmasq
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index 63dfd6c0d29..95e86e5b95f 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -9,7 +9,6 @@ include globals.local
 
 noblacklist ${PATH}/drill
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -17,6 +16,7 @@ include disable-common.inc
 include disable-exec.inc
 #include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 #include whitelist-common.inc # see #903
diff --git a/etc/profile-a-l/editorconfiger.profile b/etc/profile-a-l/editorconfiger.profile
index 452ca7e6e1b..a921ae2d560 100644
--- a/etc/profile-a-l/editorconfiger.profile
+++ b/etc/profile-a-l/editorconfiger.profile
@@ -6,7 +6,6 @@ include editorconfiger.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist /usr/libexec
 blacklist ${RUNUSER}
 
@@ -17,6 +16,7 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 apparmor
diff --git a/etc/profile-a-l/erd.profile b/etc/profile-a-l/erd.profile
index 8ab1450169d..d821f5882e8 100644
--- a/etc/profile-a-l/erd.profile
+++ b/etc/profile-a-l/erd.profile
@@ -7,9 +7,8 @@ include erd.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 include disable-exec.inc
+#include disable-X11.inc # x11 none
 
 apparmor
 caps.drop all
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index e9d5709ecaa..cacd7025db0 100644
--- a/etc/profile-a-l/fdns.profile
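Review bot: In erd.profile the active `blacklist /tmp/.X11-unix` is replaced by a commented-out `#include disable-X11.inc # x11 none`, so this is the one hunk in the series that removes a blacklist instead of widening it, and the `x11 none` the comment refers to is not inside the hunk. If the profile sets `x11 none` further down, that option presumably already blocks the socket and the commented form matches the convention seen in gnome-keyring-daemon.profile; if it does not, erd silently loses its X11 socket block. Please confirm `x11 none` is present in erd.profile (the diffstat's `3 +--` is consistent with the manual edit the description mentions), or keep the include active as `include disable-X11.inc`, and call out the erd exception in the commit message since every other file gets a live include.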
+++ b/etc/profile-a-l/fdns.profile
@@ -8,7 +8,6 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -16,6 +15,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 #include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index 11d5f620ccb..e0268a68c91 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -7,7 +7,6 @@ include gget.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -16,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index 6eea076f750..c7be8dcc5db 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -7,7 +7,6 @@ include gist.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 noblacklist ${HOME}/.gist
@@ -20,6 +19,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gist
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
index 78d6cb2a1c5..a900e10f31d 100644
--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -28,12 +28,12 @@ ignore rmenv GITHUB_ENTERPRISE_TOKEN
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
+include disable-X11.inc
 
 whitelist /usr/share/git
 whitelist /usr/share/git-core
diff --git a/etc/profile-a-l/gnome-keyring-daemon.profile b/etc/profile-a-l/gnome-keyring-daemon.profile
index 41ea136a69a..0370b04728a 100644
--- a/etc/profile-a-l/gnome-keyring-daemon.profile
+++ b/etc/profile-a-l/gnome-keyring-daemon.profile
@@ -7,7 +7,6 @@ include gnome-keyring-daemon.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -16,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 #include disable-X11.inc # x11 none
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist ${RUNUSER}/gnupg
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
index 58769643a43..e1ec5f4b97e 100644
--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -7,7 +7,6 @@ include googler-common.local
 # added by caller profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 noblacklist ${HOME}/.w3m
@@ -23,6 +22,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist ${HOME}/.w3m
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index 3b623a33805..29249cf2107 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
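Review bot: In gnome-keyring-daemon.profile the new `include disable-X11.inc` lands directly under the pre-existing `#include disable-X11.inc # x11 none`, leaving a live include next to a commented copy whose annotation says the include is already covered by `x11 none`. The two lines contradict each other: either `x11 none` is set somewhere outside the hunk, in which case the new include is redundant and the file should be handled the way erd.profile is in this same series, or it is not set and the stale comment should go. The perl substitution quoted in the description inserts before `include disable-xdg.inc` without checking for an existing commented line, so this looks like the one hit where the automated edit produced a duplicate; suggest removing `#include disable-X11.inc # x11 none` if the include is meant to stay active, or keeping only the commented line if `x11 none` applies.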
@@ -9,13 +9,13 @@ include globals.local
 
 noblacklist ${HOME}/.gnupg
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index bf4a1c60bf4..02dd3b07642 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -9,13 +9,13 @@ include globals.local
 
 noblacklist ${HOME}/.gnupg
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 
 whitelist ${RUNUSER}/gnupg
 whitelist ${RUNUSER}/keyring
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index 63656078913..4bab6b0cc45 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -4,7 +4,6 @@ include links-common.local
 
 # common profile for links browsers
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -14,6 +13,7 @@ include disable-interpreters.inc
 # Additional noblacklist files/directories (blacklisted in disable-programs.inc)
 # used as associated programs can be added in your links-common.local.
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index 248061b3fa6..2c61147ec56 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -7,13 +7,13 @@ include lynx.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 49e84dedb50..3bda47fad1e 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -7,7 +7,6 @@ include makepkg.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 # Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
@@ -33,6 +32,7 @@ noblacklist /var/lib/pacman
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
+include disable-X11.inc
 
 caps.drop all
 ipc-namespace
diff --git a/etc/profile-m-z/mimetype.profile b/etc/profile-m-z/mimetype.profile
index 9902da882af..4b62624bbbe 100644
--- a/etc/profile-m-z/mimetype.profile
+++ b/etc/profile-m-z/mimetype.profile
@@ -7,11 +7,11 @@ include mimetype.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-exec.inc
 include disable-proc.inc
+include disable-X11.inc
 
 apparmor
 caps.drop all
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index 0a5e4255a8c..d80e263b6e4 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -10,7 +10,6 @@ include globals.local
 noblacklist ${HOME}/.moc
 noblacklist ${MUSIC}
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -19,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.moc
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 097ce6e835a..447301d4611 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -38,7 +38,6 @@ noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
 noblacklist /etc/msmtprc
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 # Add the next lines to your mutt.local for oauth.py,S/MIME support.
@@ -51,6 +50,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 51e2e43bfe0..22720422be9 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -39,7 +39,6 @@ noblacklist /etc/msmtprc
 noblacklist /var/mail
 noblacklist /var/spool/mail
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include allow-lua.inc
@@ -49,6 +48,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
index dcd76f2ad1a..aae506b0b25 100644
--- a/etc/profile-m-z/nslookup.profile
+++ b/etc/profile-m-z/nslookup.profile
@@ -7,7 +7,6 @@ include nslookup.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 noblacklist ${PATH}/nslookup
@@ -17,6 +16,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist ${HOME}/.nslookuprc
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index ce90012e360..52ccb4309a1 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -11,7 +11,6 @@ include globals.local
 # not as a daemon (rsync --daemon) nor to create backups.
 # Usage: firejail --profile=rsync-download_only rsync
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -20,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 # Add the next line to your rsync-download_only.local to enable extra hardening.
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
index 0d57e691611..e719b0d0de2 100644
--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -6,7 +6,6 @@ include rtv.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 noblacklist ${HOME}/.config/rtv
@@ -28,6 +27,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/rtv
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 74587c99201..a77cf7e0b7d 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -36,7 +36,6 @@ noblacklist /usr/sbin
 noblacklist /etc/init.d
 #noblacklist /var/opt
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -45,6 +44,7 @@ include disable-common.inc
 #include disable-interpreters.inc
 include disable-programs.inc
 include disable-write-mnt.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 #include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
index d881db714e7..979d71b3339 100644
--- a/etc/profile-m-z/signal-cli.profile
+++ b/etc/profile-m-z/signal-cli.profile
@@ -6,7 +6,6 @@ include signal-cli.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 noblacklist ${HOME}/.local/share/signal-cli
@@ -18,6 +17,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/signal-cli
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 76755def4c1..6630244becd 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -9,11 +9,11 @@ include globals.local
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-programs.inc
+include disable-X11.inc
 
 include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-m-z/statusof.profile b/etc/profile-m-z/statusof.profile
index 7463b90f5a8..25c8df6800d 100644
--- a/etc/profile-m-z/statusof.profile
+++ b/etc/profile-m-z/statusof.profile
@@ -7,7 +7,6 @@ include statusof.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist /usr/libexec
 blacklist ${RUNUSER}
 
@@ -21,6 +20,7 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
diff --git a/etc/profile-m-z/termshark.profile b/etc/profile-m-z/termshark.profile
index 630d5dda6e5..bdee14e6401 100644
--- a/etc/profile-m-z/termshark.profile
+++ b/etc/profile-m-z/termshark.profile
@@ -8,8 +8,9 @@ include termshark.local
 # added by included profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
+include disable-X11.inc
+
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index 35ff14e88da..7c1d534e9e0 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -9,7 +9,6 @@ include globals.local
 noblacklist ${HOME}/.newsrc
 noblacklist ${HOME}/.tin
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 blacklist /usr/libexec
 
@@ -19,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.tin
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index ddd2aa85f8e..55d84a61827 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -7,7 +7,6 @@ include tmux.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 noblacklist /tmp/tmux-*
@@ -16,6 +15,7 @@ noblacklist /tmp/tmux-*
 #include disable-devel.inc
 #include disable-exec.inc
 #include disable-programs.inc
+include disable-X11.inc
 
 caps.drop all
 ipc-namespace
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index c46b00fc960..8a34644966d 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -8,7 +8,6 @@ include globals.local
 
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -16,6 +15,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
index f2273e6a7ff..fab45a334d5 100644
--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -7,8 +7,9 @@ include tshark.local
 # added by included profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
+include disable-X11.inc
+
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/tvnamer.profile b/etc/profile-m-z/tvnamer.profile
index ccfd07e4081..24439672a4c 100644
--- a/etc/profile-m-z/tvnamer.profile
+++ b/etc/profile-m-z/tvnamer.profile
@@ -6,7 +6,6 @@ include tvnamer.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist /usr/libexec
 blacklist ${RUNUSER}
 
@@ -24,6 +23,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-proc.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/tvnamer
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
index 63d84688c43..dfce92e2d77 100644
--- a/etc/profile-m-z/unbound.profile
+++ b/etc/profile-m-z/unbound.profile
@@ -9,7 +9,6 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -17,6 +16,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 whitelist /usr/share/dns
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index edc08ca443d..4e2f1bb3e44 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -14,7 +14,6 @@ include globals.local
 
 noblacklist ${HOME}/.w3m
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
@@ -29,6 +28,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.w3m
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 5e18235938c..90a1d3d7a72 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -15,7 +15,6 @@ noblacklist ${HOME}/.wgetrc
 #ignore read-only ${HOME}/.nvm
 #noblacklist ${HOME}/.nvm
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -24,6 +23,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 # Depending on workflow you can add the next line to your wget.local.
 #include disable-xdg.inc
 
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 8265e1ff805..e7f66cf760f 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -7,7 +7,6 @@ include whois.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -15,6 +14,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index 97f9e620a94..6dd9d03a385 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -29,7 +29,6 @@ noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
@@ -38,6 +37,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-usr-share-common.inc