profiles: move blacklist of /etc/profile.d & blacklist /etc/profile

[kmk3]

disable-common.inc: move blacklist of /etc/profile.d

To disable-shell.inc.

Interactive shells can be executed from certain development-related
programs (such as IDEs) and the shells themselves are not blocked by
default, but this shell startup directory currently is. To avoid
running a shell without access to potentially needed startup files, only
blacklist /etc/profile.d when interactive shells are also blocked.

Note that /etc/profile.d should only be of concern to interactive
shells, so a profile that includes both disable-shell.inc and
allow-bin-sh.inc (which likely means that it needs access to only
non-interactive shells) should not be affected by the blacklisting.

Relates to #3411 #5159.

Cc: @hknaack (from #5159).

[glitsj16]

LGTM

[rusty-snake]

LGTM

• Does anyone know why we blacklist them?
• Should we add more shell startup files like /etc/bashrc, /etc/zpfoile, ...?

[kmk3]

@rusty-snake left a comment:

LGTM

• Does anyone know why we blacklist them?

Not exactly sure; it was added on commit 5db7520 ("profile work", 2015-09-22)
by @netblue30.

Maybe it's done as an extra layer of defense, as a program overwriting these
files is potentially as bad as it overwriting ~/.bashrc.

• Should we add more shell startup files like /etc/bashrc, /etc/zpfoile,
  ...?

I think that would make sense.

Note that /etc/profile is listed on etc/ids.config, along with other such
paths:

• firejail/etc/ids.config

  Line 61 in 7cf7108

  ### shells global ###

### shells global ###
# all
/etc/dircolors
/etc/environment
/etc/profile
/etc/profile.d
/etc/shells
/etc/skel
# bash
/etc/bash_completion*
/etc/bash.bashrc
/etc/bashrc
# fish
/etc/fish
# ksh
/etc/ksh.kshrc
# tcsh
/etc/complete.tcsh
/etc/csh.cshrc
/etc/csh.login
/etc/csh.logout
# zsh
/etc/zlogin
/etc/zlogout
/etc/zprofile
/etc/zshenv
/etc/zshrc

[netblue30]

Short attention span here, doesn't go as far back as 2015! So let's move them!