add restrict-namespaces to (almost) all profiles

netblue30 · Dec 20, 2022 · e4f0f91 · e4f0f91
1 parent 372f39d
commit e4f0f91
Show file tree

Hide file tree

Showing 628 changed files with 967 additions and 13 deletions.
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
@@ -54,3 +54,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
@@ -40,3 +40,5 @@ seccomp
 disable-mnt
 private-dev
 private-tmp
+
+restrict-namespaces
diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
@@ -28,3 +28,5 @@ seccomp
 private-cache
 private-dev
 private-tmp
+
+restrict-namespaces
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
@@ -36,3 +36,4 @@ seccomp
 private-dev
 private-tmp
 
+restrict-namespaces
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
@@ -45,3 +45,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
@@ -46,3 +46,5 @@ private-tmp
 
 # dbus-user none
 # dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
@@ -55,3 +55,4 @@ tracelog
 private-dev
 # private-tmp - breaks programs that depend on akonadi
 
+# restrict-namespaces
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
@@ -49,3 +49,4 @@ private-dev
 private-tmp
 
 deterministic-shutdown
+# restrict-namespaces
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
@@ -62,3 +62,4 @@ read-write ${HOME}/.config/menus
 read-write ${HOME}/.gnome/apps
 read-write ${HOME}/.local/share/applications
 read-write ${HOME}/.local/share/flatpak/exports
+restrict-namespaces
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
@@ -48,3 +48,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
@@ -100,3 +100,4 @@ dbus-system none
 
 memory-deny-write-execute
 read-only ${HOME}/.signature
+restrict-namespaces
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
@@ -44,3 +44,5 @@ dbus-user.talk org.freedesktop.Notifications
 #dbus-user.own org.kde.klauncher
 #dbus-user.talk org.kde.knotify
 dbus-system none
+
+# restrict-namespaces
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
@@ -40,3 +40,4 @@ private-bin amule
 private-dev
 private-tmp
 
+restrict-namespaces
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
@@ -40,3 +40,4 @@ private-cache
 
 # noexec /tmp breaks 'Android Profiler'
 #noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
@@ -54,3 +54,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+# restrict-namespaces
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile
@@ -33,3 +33,5 @@ disable-mnt
 private-bin anydesk
 private-dev
 private-tmp
+
+restrict-namespaces
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile
@@ -40,3 +40,5 @@ protocol unix,inet,inet6
 #seccomp
 
 private-tmp
+
+#restrict-namespaces
diff --git a/etc/profile-a-l/apktool.profile b/etc/profile-a-l/apktool.profile
@@ -35,3 +35,5 @@ private-dev
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
@@ -69,3 +69,5 @@ dbus-user filter
 dbus-user.own org.gnome.gitlab.somas.Apostrophe
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
@@ -49,3 +49,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile
@@ -36,3 +36,4 @@ private-bin arch-audit,archaudit-report,bash,cat,comm,cut,date,fold,grep,pacman,
 private-tmp
 
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
@@ -49,3 +49,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile
@@ -40,3 +40,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
@@ -33,3 +33,4 @@ seccomp
 private-cache
 private-tmp
 
+restrict-namespaces
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
@@ -53,3 +53,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
@@ -44,3 +44,5 @@ private-tmp
 
 # dbus-user none
 # dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
@@ -45,3 +45,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
 
+restrict-namespaces
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
@@ -65,3 +65,4 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile
@@ -51,3 +51,4 @@ dbus-system none
 
 memory-deny-write-execute
 read-write ${HOME}/.local/share/mime
+restrict-namespaces
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
@@ -45,3 +45,4 @@ dbus-system none
 
 # mdwe is disabled due to breaking hardware accelerated decoding
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
@@ -49,3 +49,4 @@ private-tmp
 
 # webkit gtk killed by memory-deny-write-execute
 #memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
@@ -42,3 +42,5 @@ private-tmp
 # dbus needed for MPRIS
 # dbus-user none
 # dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
@@ -44,3 +44,5 @@ private-tmp
 # problems on Fedora 27
 # dbus-user none
 # dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
@@ -51,3 +51,4 @@ dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
@@ -52,3 +52,5 @@ private-tmp
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
@@ -46,3 +46,4 @@ private-tmp
 # dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
@@ -39,3 +39,4 @@ private-dev
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile
@@ -55,3 +55,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile
@@ -37,3 +37,5 @@ tracelog
 private-bin aweather
 private-dev
 private-tmp
+
+restrict-namespaces
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
@@ -17,3 +17,4 @@ protocol unix,inet,inet6
 seccomp
 
 read-only ${HOME}/.config/awesome/autorun.sh
+restrict-namespaces
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile
@@ -49,3 +49,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
@@ -52,3 +52,5 @@ private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kb
 private-cache
 private-dev
 private-tmp
+
+restrict-namespaces
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
@@ -79,3 +79,4 @@ dbus-user.talk org.gnome.keyring.SystemPrompter
 dbus-system none
 
 read-only ${HOME}/.mozilla/firefox/profiles.ini
+restrict-namespaces
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
@@ -41,3 +41,4 @@ private-tmp
 # dbus-system none
 
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile
@@ -42,3 +42,4 @@ private-cache
 private-tmp
 
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
@@ -22,5 +22,8 @@ ignore seccomp
 #private-etc basilisk
 #private-opt basilisk
 
+restrict-namespaces
+ignore restrict-namespaces
+
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
@@ -44,3 +44,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
@@ -56,3 +56,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+# restrict-namespaces
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
@@ -60,3 +60,4 @@ dbus-user.talk org.freedesktop.Tracker1
 dbus-system none
 
 env WEBKIT_FORCE_SANDBOX=0
+restrict-namespaces
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
@@ -47,3 +47,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
@@ -38,3 +38,4 @@ private-dev
 private-tmp
 
 read-write /var/lib/bitlbee
+restrict-namespaces
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
@@ -16,3 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp
 
+restrict-namespaces
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
@@ -40,3 +40,4 @@ dbus-system none
 
 # memory-deny-write-execute breaks some systems, see issue #1850
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile
@@ -37,3 +37,5 @@ protocol unix,inet,inet6,netlink
 seccomp !mbind
 
 private-dev
+
+restrict-namespaces
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
@@ -39,3 +39,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
@@ -48,3 +48,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
@@ -47,3 +47,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile
@@ -37,3 +37,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
@@ -31,3 +31,5 @@ seccomp !chroot,!ioperm
 
 private-cache
 private-dev
+
+# restrict-namespaces
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
@@ -33,3 +33,5 @@ tracelog
 private-cache
 # private-dev
 # private-tmp
+
+restrict-namespaces
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
@@ -63,3 +63,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile
@@ -44,3 +44,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
@@ -35,3 +35,5 @@ seccomp !chroot
 
 private-dev
 private-tmp
+
+# restrict-namespaces
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
@@ -37,3 +37,4 @@ private-dev
 
 # noexec ${HOME}
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
@@ -52,3 +52,4 @@ private-tmp
 # dbus-system none
 
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
@@ -37,3 +37,5 @@ seccomp
 # private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev
+
+restrict-namespaces
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
@@ -46,3 +46,5 @@ tracelog
 
 dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
@@ -43,3 +43,5 @@ private-tmp
 
 # dbus-user none
 dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
@@ -64,3 +64,4 @@ dbus-system none
 
 read-only ${HOME}
 read-write ${HOME}/.config/celluloid
+restrict-namespaces
diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile
@@ -53,3 +53,4 @@ dbus-user none
 dbus-system none
 
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
+restrict-namespaces