From a8ad436d7e6f4464bdcc7464aa7df6cb4d0177af Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 9 Dec 2020 23:14:33 +0000
Subject: [PATCH] harden sysprof (#3802)

---
 etc/profile-m-z/sysprof.profile | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index ad334628500..9e9d2a448ec 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -6,6 +6,7 @@ include sysprof.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -14,6 +15,19 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+# help menu functionality (yelp) - comment or add this block prepended with 'ignore'
+# to your sysprof.local if you don't need the help functionality
+noblacklist ${HOME}/.config/yelp
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+whitelist /usr/share/help/C/sysprof
+whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
+whitelist /usr/share/yelp-xsl
+
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
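Review bot: `noblacklist ${HOME}/.config/yelp` in the second hunk is placed after `include disable-programs.inc`, whereas `noblacklist ${DOCUMENTS}` in the first hunk is placed before the disable-*.inc includes; a noblacklist only suppresses blacklist lines parsed after it, so if disable-programs.inc blacklists ~/.config/yelp (it appears to — verify against that file) this exception would be ineffective and the help directory would stay hidden despite the whitelist. Moving the line up next to `noblacklist ${DOCUMENTS}` keeps both exceptions in the conventional spot, and the yelp block below then holds only the mkdir/whitelist lines that the 'ignore' advice in its comment refers to. The `mkdir ${HOME}/.config/yelp` also creates that directory on every launch even when help is never opened, presumably so the whitelist has a mount target; a short comment such as `# mkdir so the whitelist has a target on first run` would make that intent explicit.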
@@ -26,27 +40,30 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that
-#noroot
+# Ubuntu 16.04 version needs root privileges - comment or put 'ignore noroot' in sysprof.local if you run Xenial
+noroot
 nosound
 notv
 nou2f
 novideo
 protocol unix,netlink
+seccomp
 shell none
 tracelog
 
 disable-mnt
-#private-bin sysprof - breaks GUI help menu
+#private-bin sysprof - breaks help menu
 private-cache
 private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
-# private-lib breaks GUI help menu
+# private-lib breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.gnome.Shell
+dbus-user.own org.gnome.Yelp
+dbus-user.own org.gnome.Sysprof3
+dbus-user.talk ca.desrt.dconf
 
-# memory-deny-write-execute - Breaks GUI on Arch
+# memory-deny-write-execute - breaks on Arch
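Review bot: `dbus-user.own org.gnome.Shell` lets the sandboxed sysprof claim the GNOME Shell name on the session bus, which is broader than it needs if it only calls into the shell's profiler interface; `dbus-user.talk org.gnome.Shell` is the narrower grant, and `own` should stay only if testing shows the name must actually be claimed. The system bus is left unfiltered: the old `# dbus-system none` placeholder is removed but no `dbus-system` rule replaces it, so a `dbus-system filter` line plus a `dbus-system.talk` entry for the name sysprofd exposes (presumably org.gnome.Sysprof3 — verify) would complete the D-Bus hardening this commit starts. Since the new `seccomp` line follows `noroot` in the same hunk, a note in the Xenial comment that `ignore seccomp` may also be needed there would save users the same override hunt.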