Refactor archivers

etc/inc/archiver-common.inc

@@ -0,0 +1,44 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include archiver-common.local
+
+# common profile for archiver/compression tools
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+
+apparmor
+caps.drop all
+hostname archiver
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute

etc/profile-a-l/7z.profile

@@ -7,41 +7,8 @@ include 7z.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname 7z
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-#nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
+ignore include disable-shell.inc
+ignore nogroups
+include archiver-common.inc
 
 #private-bin 7z,7z*,p7zip
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute

etc/profile-a-l/ar.profile

@@ -7,42 +7,6 @@ include ar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-
-apparmor
-caps.drop all
-hostname ar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
+include archiver-common.inc
 
 private-bin ar
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute

etc/profile-a-l/atool.profile

@@ -7,47 +7,15 @@ include atool.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
+ignore include disable-devel.inc
+ignore include disable-shell.inc
+include archiver-common.inc
 
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname atool
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
 noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
 
 # private-bin atool,perl
-private-cache
-private-dev
 # without login.defs atool complains and uses UID/GID 1000 by default
 private-etc alternatives,group,login.defs,passwd
 private-tmp
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute

etc/profile-a-l/bsdtar.profile

@@ -6,43 +6,10 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname bsdtar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-# noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
+ignore include disable-devel.inc
+ignore include disable-shell.inc
+include archiver-common.inc
 
 # support compressed archives
 private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz
-private-cache
-private-dev
 private-etc alternatives,group,localtime,passwd
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute

etc/profile-a-l/cpio.profile

@@ -7,40 +7,10 @@ include cpio.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname cpio
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-nosound
-notv
-nou2f
-novideo
-seccomp
-shell none
-tracelog
-x11 none
-
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+ignore include disable-devel.inc
+ignore include disable-interpreters.inc
+ignore include disable-shell.inc
+include archiver-common.inc

etc/profile-a-l/gzip.profile

@@ -7,43 +7,8 @@ include gzip.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname gzip
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+ignore include disable-shell.inc
+include archiver-common.inc

etc/profile-m-z/tar.profile

@@ -7,49 +7,15 @@ include tar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname tar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
+ignore include disable-shell.inc
+include archiver-common.inc
 
 # support compressed archives
 private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
-private-cache
-private-dev
 private-etc alternatives,group,localtime,login.defs,passwd
 private-lib libfakeroot
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute