merges, disable sort.py in profile checks temporarely, two more private-etc profiles

netblue30 · netblue30 · commit df6ea884f1d6 · 2023-02-14T09:17:00.000-05:00
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
@@ -34,8 +34,8 @@ jobs:
           github.com:443
 
     - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
-    - name: sort.py
-      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+#   - name: sort.py
+#      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
 # Currently broken (see #5610)
 #    - name: private-etc-always-required.sh
 #      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
diff --git a/README b/README
@@ -774,6 +774,8 @@ Neo00001 (https://github.com/Neo00001)
 	- update telegram profile
 	- add spectacle profile
 	- add kdiff3 profile
+netcarver (https://github.com/netcarver)
+	- prevent access to LUKS keyfile
 NetSysFire (https://github.com/NetSysFire)
 	- update weechat profile
 	- update megaglest profile
@@ -996,6 +998,7 @@ slowpeek (https://github.com/slowpeek)
 	- allow access to avahi-daemon in apparmor/firejail-default
 	- make appimage examples consistent with --appimage option short description
 	- blacklist google-drive-ocamlfuse config
+	- blacklist sendgmail config
 smitsohu (https://github.com/smitsohu)
 	- read-only kde4 services directory
 	- enhanced mediathekview profile
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
@@ -37,6 +37,7 @@ tracelog
 
 private-bin dosbox
 private-dev
+private-etc @games
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
@@ -49,6 +49,7 @@ private-bin etr
 private-cache
 private-dev
 # private-etc alternatives,drirc,machine-id,openal,passwd
+private-etc @games,@x11
 private-tmp
 
 dbus-user none
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
@@ -75,7 +75,8 @@ static char *etc_group_sound[] = {
 static char *etc_group_tls_ca[] = {
 	"ca-certificates",
 	"crypto-policies",
-	"gcrypt", // GNU crypto library (GPG)
+	"gcrypt", // GNU crypto library - contains hardware config for various encryption schemes
+		// and random number generators. The file is not installed by Debian.
 	"pki",
 	"ssl",
 	NULL
