profiles: split commands that increase/reduce access (profiles)

Command used to search for the relevant profiles:

    git grep -El 'allow-debuggers|allusers|keep-|writable-' -- etc

Author: kmk3

etc/profile-a-l/alpine.profile

@@ -66,6 +66,9 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-run-user
+writable-var
+
 apparmor
 caps.drop all
 ipc-namespace
@@ -92,8 +95,6 @@ private-cache
 private-dev
 private-etc @tls-ca,@x11,c-client.cf,host.conf,krb5.keytab,mailcap,mime.types,pine.conf,pinerc.fixed,rpc,services,terminfo
 private-tmp
-writable-run-user
-writable-var
 
 dbus-user none
 dbus-system none

etc/profile-a-l/audacity.profile

@@ -30,6 +30,7 @@ include whitelist-var-common.inc
 
 # Silence blacklist violation. See #5539.
 allow-debuggers
+
 ## Enabling App Armor appears to break some Fedora / Arch installs
 #apparmor
 caps.drop all

etc/profile-a-l/dnsmasq.profile

@@ -23,6 +23,8 @@ include disable-xdg.inc
 whitelist /var/lib/libvirt/dnsmasq
 whitelist /var/run
 
+writable-var
+
 caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
 no3d
 nodvd
@@ -39,6 +41,5 @@ disable-mnt
 private
 private-dev
 private-tmp
-writable-var
 
 restrict-namespaces

etc/profile-a-l/email-common.profile

@@ -61,6 +61,10 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+# encrypting and signing email
+writable-run-user
+writable-var
+
 apparmor
 caps.drop all
 machine-id
@@ -85,9 +89,6 @@ private-cache
 private-dev
 private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,clamav,gnupg,hosts.conf,mailname,timezone
 private-tmp
-# encrypting and signing email
-writable-run-user
-writable-var
 
 dbus-user filter
 dbus-user.talk ca.desrt.dconf

etc/profile-a-l/evolution.profile

@@ -25,6 +25,8 @@ include disable-programs.inc
 
 include whitelist-runuser-common.inc
 
+writable-var
+
 caps.drop all
 netfilter
 # no3d breaks under wayland
@@ -43,6 +45,5 @@ seccomp
 
 private-dev
 #private-tmp
-writable-var
 
 restrict-namespaces

etc/profile-a-l/file-manager-common.profile

@@ -29,6 +29,7 @@ include disable-interpreters.inc
 #include disable-programs.inc
 
 allusers
+
 #apparmor
 caps.drop all
 #net none

etc/profile-a-l/freshclam.profile

@@ -8,6 +8,9 @@ include globals.local
 
 include disable-exec.inc
 
+writable-var
+writable-var-log
+
 caps.keep setgid,setuid
 ipc-namespace
 netfilter
@@ -29,8 +32,6 @@ private
 private-cache
 private-dev
 private-tmp
-writable-var
-writable-var-log
 
 memory-deny-write-execute
 restrict-namespaces

etc/profile-a-l/gajim.profile

@@ -41,6 +41,8 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-run-user
+
 apparmor
 caps.drop all
 netfilter
@@ -61,7 +63,6 @@ private-cache
 private-dev
 private-etc @tls-ca,@x11
 private-tmp
-writable-run-user
 
 dbus-user filter
 dbus-user.own org.gajim.Gajim

etc/profile-a-l/geki2.profile

@@ -18,6 +18,8 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-var # game scores are stored under /var/games
+
 apparmor
 caps.drop all
 ipc-namespace
@@ -40,7 +42,6 @@ private-bin geki2
 private-dev
 private-etc @games,@sound,@x11
 private-tmp
-writable-var # game scores are stored under /var/games
 
 dbus-user none
 dbus-system none

etc/profile-a-l/geki3.profile

@@ -18,6 +18,8 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-var # game scores are stored under /var/games
+
 apparmor
 caps.drop all
 ipc-namespace
@@ -40,7 +42,6 @@ private-bin geki3
 private-dev
 private-etc @games,@sound,@x11
 private-tmp
-writable-var # game scores are stored under /var/games
 
 dbus-user none
 dbus-system none

etc/profile-a-l/git-cola.profile

@@ -46,6 +46,8 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-run-user
+
 apparmor
 caps.drop all
 machine-id
@@ -71,7 +73,6 @@ private-cache
 private-dev
 private-etc @tls-ca,@x11,gitconfig,host.conf,mime.types,ssh
 private-tmp
-writable-run-user
 
 # dbus-user filtering breaks meld as diff viewer
 # Add the next line to your git-cola.local if you don't use meld.

etc/profile-a-l/gmpc.profile

@@ -24,6 +24,8 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-run-user
+
 apparmor
 caps.drop all
 ipc-namespace
@@ -45,7 +47,6 @@ disable-mnt
 private-cache
 private-etc
 private-tmp
-writable-run-user
 
 dbus-user filter
 dbus-user.talk org.mpris.MediaPlayer2.mpd

etc/profile-a-l/gnome-schedule.profile

@@ -42,6 +42,8 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-var
+
 apparmor
 caps.keep chown,dac_override,setgid,setuid
 ipc-namespace
@@ -60,4 +62,3 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-writable-var

etc/profile-a-l/kmail.profile

@@ -41,6 +41,9 @@ include disable-programs.inc
 include whitelist-run-common.inc
 include whitelist-var-common.inc
 
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
+
 #apparmor
 caps.drop all
 netfilter
@@ -59,8 +62,6 @@ seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 
 private-dev
 #private-tmp # interrupts connection to akonadi, breaks opening of email attachments
-# writable-run-user is needed for signing and encrypting emails
-writable-run-user
 
 # To harden kmail.profile, add the following lines to kmail.local:
 #dbus-user filter

etc/profile-a-l/kopete.profile

@@ -21,6 +21,8 @@ include disable-programs.inc
 whitelist /var/lib/winpopup
 include whitelist-var-common.inc
 
+writable-var
+
 caps.drop all
 netfilter
 nodvd
@@ -35,6 +37,5 @@ seccomp
 
 private-dev
 private-tmp
-writable-var
 
 restrict-namespaces

etc/profile-a-l/kube.profile

@@ -51,6 +51,8 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-run-user
+
 apparmor
 caps.drop all
 netfilter
@@ -75,7 +77,6 @@ private-cache
 private-dev
 private-etc @tls-ca,@x11
 private-tmp
-writable-run-user
 
 dbus-user filter
 dbus-user.talk ca.desrt.dconf

etc/profile-a-l/lbreakouthd.profile

@@ -28,6 +28,8 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-var # game scores are stored under /var/games
+
 apparmor
 caps.drop all
 ipc-namespace
@@ -49,7 +51,6 @@ private-bin lbreakouthd
 private-dev
 private-etc @games,@sound,@x11
 private-tmp
-writable-var # game scores are stored under /var/games
 
 dbus-user none
 dbus-system none

etc/profile-a-l/less.profile

@@ -15,6 +15,8 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 
+writable-var-log
+
 apparmor
 caps.drop all
 ipc-namespace
@@ -40,7 +42,6 @@ x11 none
 #private-lib
 private-cache
 private-dev
-writable-var-log
 
 dbus-user none
 dbus-system none

etc/profile-a-l/lutris.profile

@@ -63,6 +63,8 @@ include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 #allow-debuggers
+keep-dev-ntsync
+
 #apparmor
 caps.drop all
 ipc-namespace
@@ -79,7 +81,6 @@ protocol unix,inet,inet6,netlink
 seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace
 seccomp.32 !modify_ldt
 
-keep-dev-ntsync
 # Add the next line to your lutris.local if you do not need controller support.
 #private-dev
 private-tmp

etc/profile-m-z/mutt.profile

@@ -104,6 +104,9 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-run-user
+writable-var
+
 apparmor
 caps.drop all
 ipc-namespace
@@ -129,8 +132,6 @@ private-cache
 private-dev
 private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,hosts.conf,mail,mailname,msmtprc,nntpserver,terminfo
 private-tmp
-writable-run-user
-writable-var
 
 dbus-user none
 dbus-system none

etc/profile-m-z/nano.profile

@@ -21,6 +21,12 @@ include disable-programs.inc
 whitelist /usr/share/nano
 include whitelist-usr-share-common.inc
 
+# Add the next lines to your nano.local if you want to edit files in /etc directly.
+#ignore private-etc
+#writable-etc
+# Add the next line to your nano.local if you want to edit files in /var directly.
+#writable-var
+
 apparmor
 caps.drop all
 ipc-namespace
@@ -45,12 +51,7 @@ x11 none
 private-bin nano,rnano
 private-cache
 private-dev
-# Add the next lines to your nano.local if you want to edit files in /etc directly.
-#ignore private-etc
-#writable-etc
 private-etc nanorc
-# Add the next line to your nano.local if you want to edit files in /var directly.
-#writable-var
 
 dbus-user none
 dbus-system none

etc/profile-m-z/ncmpcpp.profile

@@ -39,6 +39,8 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-var
+
 apparmor
 caps.drop all
 ipc-namespace
@@ -66,7 +68,6 @@ private-cache
 private-dev
 private-etc terminfo
 private-tmp
-writable-var
 
 dbus-user none
 dbus-system none

etc/profile-m-z/neomutt.profile

@@ -96,6 +96,9 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+writable-run-user
+writable-var
+
 apparmor
 caps.drop all
 ipc-namespace
@@ -121,8 +124,6 @@ private-cache
 private-dev
 private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,msmtprc,neomuttrc,neomuttrc.d,nntpserver
 private-tmp
-writable-run-user
-writable-var
 
 dbus-user none
 dbus-system none