many profile cleanup (4)

containing:
 - files forgotten in 4beaf8f
 - workarounds for #903
 - commented useless private-etc lines removed
 - remove commented seccomp.keep lines
 - much more

etc/QMediathekView.profile

@@ -48,8 +48,6 @@ disable-mnt
 private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
-# private-etc alternatives
-# private-lib
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)

etc/amarok.profile

@@ -31,5 +31,5 @@ shell none
 
 # private-bin amarok
 private-dev
-# private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
 private-tmp

etc/arch-audit.profile

@@ -7,7 +7,6 @@ include arch-audit.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist /var/lib/pacman
 
 include disable-common.inc

etc/archaudit-report.profile

@@ -6,7 +6,6 @@ include archaudit-report.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist /var/lib/pacman
 
 include disable-common.inc
@@ -17,8 +16,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
-
 caps.drop all
 ipc-namespace
 netfilter

etc/asunder.profile

@@ -34,7 +34,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-#private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 

etc/bitlbee.profile

@@ -6,12 +6,15 @@ include bitlbee.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -34,5 +37,4 @@ private-cache
 private-dev
 private-tmp
 
-noexec /tmp
 read-write /var/lib/bitlbee

etc/brasero.profile

@@ -31,7 +31,6 @@ tracelog
 # private-bin brasero
 private-cache
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute

etc/caja.profile

@@ -39,5 +39,4 @@ tracelog
 # caja needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin caja
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp

etc/catfish.profile

@@ -15,11 +15,11 @@ noblacklist ${HOME}/.config/catfish
 include allow-python2.inc
 include allow-python3.inc
 
-include disable-common.inc
+# include disable-common.inc
 # include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
+# include disable-programs.inc
 
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc

etc/dig.profile

@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.digrc
+#mkfile ${HOME}/.digrc -- see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -45,7 +45,6 @@ private
 private-bin bash,dig,sh
 private-cache
 private-dev
-# private-etc alternatives,resolv.conf
 private-lib
 private-tmp
 

etc/digikam.profile

@@ -33,11 +33,8 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
-# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
 
-# private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
-

etc/engrampa.profile

@@ -35,7 +35,6 @@ tracelog
 
 # private-bin engrampa
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute

etc/ffmpeg.profile

@@ -36,7 +36,6 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
-# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
 shell none
 tracelog
 

etc/file-roller.profile

@@ -39,7 +39,6 @@ tracelog
 
 # private-bin file-roller
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 # memory-deny-write-execute

etc/frozen-bubble.profile

@@ -38,5 +38,4 @@ shell none
 disable-mnt
 # private-bin frozen-bubble
 private-dev
-# private-etc alternatives
 private-tmp

etc/gedit.profile

@@ -44,7 +44,6 @@ tracelog
 
 # private-bin gedit
 private-dev
-# private-etc alternatives,fonts
 private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 

etc/geeqie.profile

@@ -31,4 +31,3 @@ shell none
 
 # private-bin geeqie
 private-dev
-# private-etc alternatives,X11

etc/github-desktop.profile

@@ -42,7 +42,6 @@ disable-mnt
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-# private-etc alternatives
 # private-lib
 private-tmp
 

etc/gnome-books.profile

@@ -36,8 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs gnome-books
+# private-bin gjs,gnome-books
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 

etc/gnome-nettool.profile

@@ -14,7 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc -- see #903
 include whitelist-var-common.inc
 
 caps.keep net_raw

etc/gnome-photos.profile

@@ -33,8 +33,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs gnome-photos
+# private-bin gjs,gnome-photos
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 

etc/gnome-schedule.profile

@@ -69,6 +69,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-# private-etc alternatives
 writable-var
 

etc/highlight.profile

@@ -34,5 +34,4 @@ tracelog
 private-bin highlight
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp

etc/img2txt.profile

@@ -38,7 +38,6 @@ tracelog
 # private-bin img2txt
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp
 
 memory-deny-write-execute

etc/nautilus.profile

@@ -40,5 +40,4 @@ tracelog
 # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin nautilus
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp

etc/open-invaders.profile

@@ -33,5 +33,4 @@ shell none
 
 # private-bin open-invaders
 private-dev
-# private-etc alternatives
 private-tmp

etc/openarena.profile

@@ -21,16 +21,12 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 # ipc-namespace
-# machine-id
-# net none
 # netfilter
-# no3d
 # nodbus
 # nodvd
 # nogroups
 nonewprivs
 noroot
-# nosound
 notv
 # nou2f
 novideo
@@ -40,12 +36,8 @@ shell none
 # tracelog
 
 # disable-mnt
-# private
 # private-bin openarena
 private-cache
 private-dev
-# private-etc machine-id,xdg,openal,udev,drirc,passwd,selinux
-# private-lib
+# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
-
-# memory-deny-write-execute

etc/ping.profile

@@ -30,10 +30,8 @@ nosound
 notv
 nou2f
 novideo
-
 # protocol command is built using seccomp; nonewprivs will kill it
 #protocol unix,inet,inet6,netlink,packet
-
 # killed by no-new-privs
 #seccomp
 
@@ -42,7 +40,7 @@ private
 #private-bin has mammoth problems with execvp: "No such file or directory"
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
-#private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies
+#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it

etc/pingus.profile

@@ -33,5 +33,4 @@ shell none
 
 # private-bin pingus
 private-dev
-# private-etc alternatives
 private-tmp

etc/pluma.profile

@@ -39,7 +39,6 @@ tracelog
 
 private-bin pluma
 private-dev
-# private-etc alternatives,fonts
 private-lib pluma
 private-tmp
 

etc/remmina.profile

@@ -31,7 +31,6 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
 shell none
 
 private-cache

etc/shotcut.profile

@@ -5,10 +5,13 @@ include shotcut.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/Meltytech
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -26,9 +29,6 @@ protocol unix
 seccomp
 shell none
 
-#private-bin shotcut,melt,qmelt,nice
+#private-bin melt,nice,qmelt,shotcut
 private-cache
 private-dev
-
-#noexec ${HOME}
-noexec /tmp

etc/simplescreenrecorder.profile

@@ -31,7 +31,6 @@ tracelog
 
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp
 
 memory-deny-write-execute

etc/simutrans.profile

@@ -33,5 +33,4 @@ shell none
 
 # private-bin simutrans
 private-dev
-# private-etc alternatives
 private-tmp

etc/skanlite.profile

@@ -16,7 +16,6 @@ include disable-programs.inc
 include disable-xdg.inc
 
 caps.drop all
-# net none
 netfilter
 # nodbus
 nodvd
@@ -31,6 +30,6 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
-# private-bin skanlite,kbuildsycoca4,kdeinit4
+# private-bin kbuildsycoca4,kdeinit4,skanlite
 # private-dev
 # private-tmp

etc/supertux2.profile

@@ -34,5 +34,4 @@ shell none
 disable-mnt
 # private-bin supertux2
 private-dev
-# private-etc alternatives
 private-tmp

etc/tor.profile

@@ -49,4 +49,3 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
 private-tmp
-

etc/tracker.profile

@@ -33,5 +33,4 @@ tracelog
 
 # private-bin tracker
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp

etc/xed.profile

@@ -42,7 +42,6 @@ tracelog
 
 private-bin xed
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 
 # xed uses python plugins, memory-deny-write-execute breaks python