Use whitelisting for video players (netblue30#3472)

* Use whitelisting for video players

See netblue30#3469

* Update media player whitelists

See reviews at netblue30#3472

Block $DOCUMENTS

Make $DESKTOP read-only

* Review fixes: include read-only Desktop in whitelist

etc/profile-a-l/celluloid.profile

@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.config/celluloid
 noblacklist ${HOME}/.config/gnome-mpv
 noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +20,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/celluloid
+mkdir ${HOME}/.config/gnome-mpv
+mkdir ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/celluloid
+whitelist ${HOME}/.config/gnome-mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

etc/profile-m-z/mplayer.profile

@@ -7,17 +7,23 @@ include mplayer.local
 include globals.local
 
 noblacklist ${HOME}/.mplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.mplayer
+whitelist ${HOME}/.mplayer
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -36,4 +42,3 @@ shell none
 private-bin mplayer
 private-dev
 private-tmp
-

etc/profile-m-z/mpv.profile

@@ -7,6 +7,10 @@ include mpv.local
 # Persistent global definitions
 include globals.local
 
+# In order to save screenshots to a persistent location,
+# edit ~/.config/mpv/foobar.conf:
+#    screenshot-directory=~/Pictures
+
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
@@ -17,19 +21,27 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/youtube-dl
+mkdir ${HOME}/.netrc
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.netrc
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
 whitelist /usr/share/vulkan

etc/profile-m-z/totem.profile

@@ -14,9 +14,6 @@ include allow-python3.inc
 
 noblacklist ${HOME}/.config/totem
 noblacklist ${HOME}/.local/share/totem
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -25,8 +22,18 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/totem
+mkdir ${HOME}/.local/share/totem
+whitelist ${HOME}/.config/totem
+whitelist ${HOME}/.local/share/totem
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable

etc/profile-m-z/vlc.profile

@@ -9,17 +9,27 @@ include globals.local
 noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/vlc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.cache/vlc
+mkdir ${HOME}/.config/vlc
+mkdir ${HOME}/.local/share/vlc
+whitelist ${HOME}/.cache/vlc
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.local/share/vlc
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access

etc/profile-m-z/xplayer.profile

@@ -7,8 +7,6 @@ include globals.local
 
 noblacklist ${HOME}/.config/xplayer
 noblacklist ${HOME}/.local/share/xplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,8 +18,18 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/xplayer
+mkdir ${HOME}/.local/share/xplayer
+whitelist ${HOME}/.config/xplayer
+whitelist ${HOME}/.local/share/xplayer
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable