profiles: hexchat: allow lua/downloads and harden (#6331)

* profiles: hexchat: hardenings

* profiles: hexchat: allow lua/downloads and harden

Allow more paths and add some extra options to harden the profile.

We allow Perl but keep it out of private-bin. Do the same for Lua and
clarify in the private-bin comment how to enable these interpreters.

Consulted resources:

- https://github.com/hexchat/hexchat/
- https://hexchat.readthedocs.io/

etc/profile-a-l/hexchat.profile

@@ -11,24 +11,34 @@ noblacklist ${HOME}/.config/hexchat
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/hexchat
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/hexchat
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
@@ -45,14 +55,20 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 
 disable-mnt
-# debug note: private-bin requires perl, python, etc on some systems
+# If you need Lua and/or Perl support, add the relevant binaries from
+# allow-lua.inc/allow-perl.inc to private-bin in your hexchat.local.
 private-bin hexchat,python*,sh
 private-dev
 #private-lib # python problems
 private-tmp
 
+dbus-user filter
+dbus-user.own org.hexchat.service
+dbus-system none
+
 #memory-deny-write-execute # breaks python
 restrict-namespaces