Added profiles

fetchmail.profile

@@ -0,0 +1,13 @@
+whitelist ${HOME}/scripts/fetchmail-real.sh
+# whitelist ${HOME}/.fetchmailrc.gpg
+whitelist /tmp/fetchmailrc
+whitelist ${HOME}/Mail
+whitelist ${HOME}/.procmailrc.gmail
+whitelist ${HOME}/.procmailrc.brown
+
+noroot
+private-dev
+caps.drop all
+seccomp
+nogroups
+nosound

firefox.profile

@@ -0,0 +1,49 @@
+# Blacklist/Whitelist
+
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+blacklist /media
+blacklist /mnt
+blacklist /boot
+blacklist /ae108
+
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/Downloads/
+whitelist ${HOME}/.pulse/
+whitelist ${HOME}/.config/pulse/
+whitelist ${HOME}/.config/gtk-3.0/
+whitelist ${HOME}/.config/google-googletalkplugin/
+whitelist ${HOME}/.config/fcitx/
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.Xauthority
+whitelist ${HOME}/PDF/
+
+# Private directories
+
+private-bin iceweasel,firefox,which,sh,dbus-launch,dbus-send,fcitx-dbus-watcher,fcitx-remote,fcitx,env
+private-etc hosts,passwd,mime.types,fonts/,mailcap,iceweasel/,xdg/,gtk-3.0/,resolv.conf,X11/,pulse/,alternatives/,localtime,nsswitch.conf
+whitelist /dev/dri
+whitelist /dev/full
+whitelist /dev/null
+whitelist /dev/ptmx
+whitelist /dev/pts
+whitelist /dev/random
+whitelist /dev/shm
+whitelist /dev/snd
+whitelist /dev/tty
+whitelist /dev/urandom
+whitelist /dev/video0
+whitelist /dev/zero
+whitelist /tmp/.X11-unix
+
+noexec ${HOME}
+noexec /tmp
+
+# Miscellaneous options
+
+shell none
+seccomp
+noroot
+caps.drop all
+# protocol unix,inet,inet6

libreoffice.profile

@@ -0,0 +1,29 @@
+whitelist ${HOME}/Downloads
+whitelist ${HOME}/Documents
+whitelist ${HOME}/.config/libreoffice
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+blacklist /opt
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /ae108
+
+private-dev
+private-bin sh,libreoffice,dirname,grep,uname,ls,sed,pwd,basename,dbus-launch,dbus-send,fcitx-dbus-watcher,fcitx-remote
+private-etc libreoffice,fonts,passwd,alternatives,X11
+whitelist /tmp/.X11-unix
+
+noexec ${HOME}/
+noexec /tmp/
+
+caps.drop all
+noroot
+nogroups
+nosound
+ipc-namespace
+shell none
+net none
+protocol unix
+seccomp

linphone.profile

@@ -0,0 +1,8 @@
+whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/Downloads
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+caps.drop all
+noroot
+seccomp

mpd.profile

@@ -0,0 +1,11 @@
+whitelist ${HOME}/Music
+whitelist ${HOME}/mpd
+whitelist ${HOME}/.mpdconf
+whitelist ${HOME}/.config/pulse/
+whitelist ${HOME}/.pulse/
+read-only ${HOME}/Music/
+private-dev
+private-bin mpd,bash
+caps.drop all
+noroot
+seccomp

mutt.profile

@@ -0,0 +1,30 @@
+# Necessary to get Mutt working
+whitelist ${HOME}/.mutt
+whitelist ${HOME}/.muttrc
+whitelist ${HOME}/.mutt_certificates
+whitelist ${HOME}/.signatures
+whitelist ${HOME}/.mailcap
+whitelist ${HOME}/sent
+whitelist ${HOME}/.mutt_cache
+whitelist ${HOME}/Mail
+whitelist ${HOME}/.gnupg
+
+# To store files
+whitelist ${HOME}/Downloads
+
+whitelist /tmp/user/1000/emacs1000/
+whitelist /tmp/user/1000/mutt1000/
+
+noexec ${HOME}/
+noexec /tmp/
+
+# Enhance security
+
+private-bin sh,mutt,mutt_dotlock,bash,emacsclient,elinks,gpg,gpg-agent,pinentry
+# private-dev
+
+private-etc Muttrc.d/,Muttrc,alternatives/,resolv.conf,ssl/,mime.types
+noroot
+caps.drop all
+seccomp.keep open,access,prctl,fstat,mmap,write,read,close,munmap,chown,unshare,fcntl,execve,brk,mprotect,arch_prctl,getpid,getuid,getgid,geteuid,getegid,rt_sigprocmask,rt_sigaction,uname,stat,getppid,getpgrp,getrlimit,getpeername,set_tid_address,set_robust_list,futex,getrusage,umask,ioctl,socket,connect,lseek,getsid,pipe,clone,dup2,wait4,openat,rt_sigreturn,getdents,exit_group,faccessat,lstat,pread64,pwrite64,ftruncate,select,unlink,mkdir,link,rmdir,alarm,readlink,sendto,fdatasync,recvfrom,chmod,getcwd,setrlimit,utime,mlock,clock_gettime,setresgid,chdir,fsync,nanosleep,poll,sendmmsg,bind,getsockname,recvmsg,writev,mremap,rename,truncate,sched_yield,sysinfo,kill,sendmsg,setresuid,setsid,listen,pselect6,accept,getsockopt,tgkill,madvise,exit,statfs,getrandom,fchmod,fchown,gettid
+nogroups

openshot.profile

@@ -0,0 +1,26 @@
+# Blacklist/Whitelist
+
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+blacklist /media
+blacklist /mnt
+blacklist /boot
+
+# I use Downloads as my data transfer directory
+whitelist ${HOME}/Downloads/
+whitelist ${HOME}/Videos/
+
+# Config files
+whitelist ${HOME}/.openshot/
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+
+private-bin openshot,python,dbus-launch
+private-dev
+whitelist /tmp/.X11-unix
+
+noroot
+protocol unix
+shell none
+seccomp
+caps.drop all

scribus.profile

@@ -0,0 +1,27 @@
+# Blacklist/Whitelist
+
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+blacklist /media
+blacklist /mnt
+blacklist /boot
+
+# I use Downloads as my data transfer directory
+whitelist ${HOME}/Downloads/
+whitelist ${HOME}/Documents/
+
+# Config files
+whitelist ${HOME}/.scribus/
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.config/Trolltech.conf
+
+private-bin scribus,dbus-launch,gs
+private-dev
+whitelist /tmp/.X11-unix
+
+noroot
+protocol unix
+shell none
+seccomp
+caps.drop all

skype.profile

@@ -0,0 +1,12 @@
+whitelist ${HOME}/.Skype
+whitelist ${HOME}/Downloads
+noexec ${HOME}/
+noexec /tmp/
+caps.drop all
+protocol inet,inet6,unix
+seccomp
+noroot
+private-etc resolv.conf,hosts,fonts,pulse
+private-bin skype,bash
+whitelist /tmp/.X11-unix
+ipc-namespace

virtualbox.profile

@@ -0,0 +1,13 @@
+caps.drop all
+
+whitelist ${HOME}/Downloads
+whitelist ${HOME}/VirtualBox_VMs
+whitelist ${HOME}/.config/VirtualBox
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.config/Trolltech.conf
+
+whitelist /dev/vboxdrv
+whitelist /dev/vboxdrvu
+whitelist /dev/vboxnetctl
+whitelist /dev/null

x-terminal-emulator.profile

@@ -0,0 +1,11 @@
+caps.drop all
+seccomp
+netfilter
+private-dev
+noroot
+net none
+protocol unix
+whitelist /tmp/user/1000/
+whitelist /tmp/.X11-unix/
+
+noexec /tmp