Add blacklists of common dangerous directories

chiraag-nataraj · Oct 2, 2016 · 5aa9387 · 5aa9387
1 parent 0ce9650
commit 5aa9387
Show file tree

Hide file tree

Showing 16 changed files with 80 additions and 7 deletions.
diff --git a/brackets.profile b/brackets.profile
@@ -7,6 +7,10 @@ whitelist ${HOME}/Documents
 whitelist /opt/brackets/
 whitelist /opt/google/
 
+blacklist /boot
+blacklist /media
+blacklist /mnt
+
 private-bin bash,brackets,readlink,dirname,google-chrome,cat
 private-dev
 whitelist /tmp/.X11-unix

diff --git a/cin.profile b/cin.profile
@@ -7,6 +7,11 @@ private-bin cin
 private-dev
 private-etc fonts,pulse
 
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 whitelist /tmp/.X11-unix
 
 noexec /home

diff --git a/fetchmail.profile b/fetchmail.profile
@@ -5,6 +5,11 @@ whitelist ${HOME}/Mail
 whitelist ${HOME}/.procmailrc.gmail
 whitelist ${HOME}/.procmailrc.brown
 
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 noroot
 private-dev
 caps.drop all

diff --git a/gimp.profile b/gimp.profile
@@ -5,6 +5,11 @@ whitelist ${HOME}/.themes
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/Pictures
 
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 private-bin gimp,gimp-2.8,gimp-console,gimp-console-2.8,python2.7
 private-dev
 private-etc gimp,fonts

diff --git a/inkscape.profile b/inkscape.profile
@@ -5,6 +5,11 @@ whitelist ${HOME}/.themes
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/Pictures
 
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 private-bin inkscape
 private-dev
 private-etc fonts

diff --git a/libreoffice.profile b/libreoffice.profile
@@ -4,11 +4,11 @@ whitelist ${HOME}/.config/libreoffice
 whitelist ${HOME}/.config/gtk-3.0
 whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.gtkrc.mine
-blacklist /opt
+
 blacklist /boot
 blacklist /media
 blacklist /mnt
-blacklist /ae108
+blacklist /opt
 
 private-dev
 private-bin sh,libreoffice,dirname,grep,uname,ls,sed,pwd,basename,dbus-launch,dbus-send,fcitx-dbus-watcher,fcitx-remote

diff --git a/linphone.profile b/linphone.profile
@@ -3,6 +3,12 @@ whitelist ${HOME}/.linphone-history.db
 whitelist ${HOME}/Downloads
 whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.gtkrc.mine
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 caps.drop all
 noroot
 seccomp
diff --git a/lmms.profile b/lmms.profile
@@ -3,6 +3,11 @@ whitelist ${HOME}/Music
 whitelist ${HOME}/.lmmsrc.xml
 whitelist ${HOME}/lmms
 
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 whitelist /tmp/.X11-unix
 
 private-dev

diff --git a/luminance-hdr.profile b/luminance-hdr.profile
@@ -1,13 +1,18 @@
-private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
-private-dev
-private-etc fonts,X11,alternatives
-whitelist /tmp/.X11-unix
-
 whitelist ${HOME}/Pictures
 whitelist ${HOME}/Downloads
 whitelist ${HOME}/.LuminanceHDR
 whitelist ${HOME}/.config/Luminance
 
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
+private-dev
+private-etc fonts,X11,alternatives
+whitelist /tmp/.X11-unix
+
 noexec ${HOME}
 noexec /tmp
 

diff --git a/mpd.profile b/mpd.profile
@@ -4,6 +4,12 @@ whitelist ${HOME}/.mpdconf
 whitelist ${HOME}/.config/pulse/
 whitelist ${HOME}/.pulse/
 read-only ${HOME}/Music/
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 private-dev
 private-bin mpd,bash
 caps.drop all

diff --git a/mutt.profile b/mutt.profile
@@ -9,6 +9,11 @@ whitelist ${HOME}/.mutt_cache
 whitelist ${HOME}/Mail
 whitelist ${HOME}/.gnupg
 
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 # To store files
 whitelist ${HOME}/Downloads
 

diff --git a/openshot.profile b/openshot.profile
@@ -5,6 +5,7 @@ blacklist /usr/local/sbin
 blacklist /media
 blacklist /mnt
 blacklist /boot
+blacklist /opt
 
 # I use Downloads as my data transfer directory
 whitelist ${HOME}/Downloads/

diff --git a/qpdfview.profile b/qpdfview.profile
@@ -9,6 +9,11 @@ whitelist ${HOME}/Documents
 
 whitelist ${HOME}/.config/qpdfview
 
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 private-dev
 private-etc fonts,X11,alternatives
 private-bin qpdfview

diff --git a/skype.profile b/skype.profile
@@ -1,5 +1,11 @@
 whitelist ${HOME}/.Skype
 whitelist ${HOME}/Downloads
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 noexec ${HOME}/
 noexec /tmp/
 caps.drop all

diff --git a/synfigstudio.profile b/synfigstudio.profile
@@ -1,6 +1,11 @@
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.synfig
 
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 private-bin synfigstudio
 private-etc fonts,X11,synfig,synfig_modules.cfg
 private-dev

diff --git a/virtualbox.profile b/virtualbox.profile
@@ -7,6 +7,11 @@ whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.gtkrc.mine
 whitelist ${HOME}/.config/Trolltech.conf
 
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
 whitelist /dev/vboxdrv
 whitelist /dev/vboxdrvu
 whitelist /dev/vboxnetctl