Merge pull request netblue30#5763 from kmk3/profiles-mv-readonly

profiles: move read-only config entries to disable-common.inc

etc/inc/disable-common.inc

@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc
 blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
+read-only ${HOME}/.config/awesome/autorun.sh
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
 
 # Session manager
 # see #3358
@@ -329,6 +332,7 @@ read-only ${HOME}/.ssh/config.d
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
+read-only ${HOME}/.config/mpv
 read-only ${HOME}/.config/nano
 read-only ${HOME}/.config/nvim
 read-only ${HOME}/.config/pkcs11
@@ -337,6 +341,7 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
+read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
@@ -345,6 +350,7 @@ read-only ${HOME}/.local/share/cool-retro-term
 read-only ${HOME}/.local/share/nvim
 read-only ${HOME}/.local/state/nvim
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
@@ -366,6 +372,10 @@ read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 
+# System package managers and AUR helpers
+blacklist ${HOME}/.config/cower
+read-only ${HOME}/.config/cower/config
+
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.bin
 read-only ${HOME}/.cargo/bin
@@ -391,6 +401,11 @@ read-only ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.local/share/mime
 
+# Configuration files that do not allow arbitrary command execution but that
+# are intended to be modified manually (in a text editor and/or by a program
+# dedicated to managing them)
+read-only ${HOME}/.config/MangoHud
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 

etc/inc/disable-programs.inc

@@ -402,7 +402,6 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
-blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/d-feet
 blacklist ${HOME}/.config/darktable

etc/inc/whitelist-common.inc

@@ -10,16 +10,12 @@ whitelist ${HOME}/.asoundrc
 whitelist ${HOME}/.config/ibus
 whitelist ${HOME}/.config/mimeapps.list
 whitelist ${HOME}/.config/pkcs11
-read-only ${HOME}/.config/pkcs11
 whitelist ${HOME}/.config/user-dirs.dirs
-read-only ${HOME}/.config/user-dirs.dirs
 whitelist ${HOME}/.config/user-dirs.locale
-read-only ${HOME}/.config/user-dirs.locale
 whitelist ${HOME}/.drirc
 whitelist ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
 whitelist ${HOME}/.local/share/applications
-read-only ${HOME}/.local/share/applications
 whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types

etc/profile-a-l/ani-cli.profile

@@ -35,7 +35,5 @@ private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohu
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile

etc/profile-a-l/awesome.profile

@@ -16,5 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/awesome/autorun.sh
 #restrict-namespaces

etc/profile-a-l/cower.profile

@@ -45,5 +45,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-read-only ${HOME}/.config/cower/config
 restrict-namespaces

etc/profile-a-l/electron-mail.profile

@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound

etc/profile-a-l/email-common.profile

@@ -85,6 +85,5 @@ dbus-user.talk org.gnome.seahorse.*
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
 restrict-namespaces

etc/profile-a-l/firefox.profile

@@ -14,6 +14,9 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
+# (Ignore entry from disable-common.inc)
+ignore read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${RUNUSER}/*firefox*

etc/profile-a-l/geary.profile

@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces

etc/profile-a-l/kube.profile

@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces

etc/profile-a-l/linuxqq.profile

@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 # Redirect
 include electron-common.profile

etc/profile-a-l/lobster.profile

@@ -35,7 +35,5 @@ private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile

etc/profile-m-z/makepkg.profile

@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-*
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
 blacklist ${HOME}/.gnupg/random_seed

etc/profile-m-z/mov-cli.profile

@@ -25,7 +25,5 @@ private-bin ffmpeg,fzf,mov-cli
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile

etc/profile-m-z/openbox.profile

@@ -16,6 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/openbox/autostart
-read-only ${HOME}/.config/openbox/environment
 #restrict-namespaces

etc/profile-m-z/signal-desktop.profile

@@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/Signal
 # These lines are needed to allow Firefox to open links
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.config/Signal
 whitelist ${HOME}/.config/Signal

etc/profile-m-z/steam.profile

@@ -181,5 +181,4 @@ private-tmp
 #dbus-user none
 #dbus-system none
 
-read-only ${HOME}/.config/MangoHud
 #restrict-namespaces

etc/profile-m-z/thunderbird.profile

@@ -24,7 +24,6 @@ writable-run-user
 # These lines are needed to allow Firefox to load your profile when clicking a link in an email
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg

etc/profile-m-z/trojita.profile

@@ -60,5 +60,4 @@ dbus-user filter
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces

etc/profile-m-z/tutanota-desktop.profile

@@ -28,7 +28,6 @@ whitelist ${HOME}/.config/tutanota-desktop
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound

etc/profile-m-z/youtube-viewers-common.profile

@@ -24,7 +24,6 @@ include allow-python3.inc
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 include disable-common.inc
 include disable-devel.inc

etc/profile-m-z/zeal.profile

@@ -23,7 +23,6 @@ include disable-xdg.inc
 # This also requires dbus-user filtering (see below).
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.cache/Zeal
 mkdir ${HOME}/.config/Zeal

etc/templates/profile.template

@@ -221,6 +221,8 @@ include globals.local
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
 
+# Note: read-only entries should usually go in disable-common.inc (especially
+# entries for configuration files that allow arbitrary command execution).
 ##deterministic-shutdown
 ##env VAR=VALUE
 ##join-or-start NAME