authorjc_gargma <jc_gargma@iserlohn-fortress.net>2020-04-12 20:29:15 -0700
committerjc_gargma <jc_gargma@iserlohn-fortress.net>2020-04-12 20:29:15 -0700
commitdc3a1afb419977b5504f60a8ea60c9f5c85a3f0a (patch)
treef18950f69481630ab63120f2cffb7bf61c341b5b /profiles/poi.profile
parentFix keepassxc whitelisting (diff)
downloadfirejail-profiles-dc3a1afb419977b5504f60a8ea60c9f5c85a3f0a.tar.xz
Add calcurse profile
Update smolbote profile
Diffstat (limited to 'profiles/poi.profile')
-rw-r--r--profiles/poi.profile111
1 files changed, 111 insertions, 0 deletions
diff --git a/profiles/poi.profile b/profiles/poi.profile
new file mode 100644
index 0000000..43e3739
--- /dev/null
+++ b/profiles/poi.profile
@@ -0,0 +1,111 @@
+# Firejail profile for poi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/poi.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# noblacklist: exclude from blacklist
+noblacklist ${HOME}/.cache/smolbote
+noblacklist ${HOME}/.config/smolbote
+noblacklist ${HOME}/.local/share/smolbote
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+mkdir ${HOME}/.cache/smolbote
+mkdir ${HOME}/.config/smolbote
+mkdir ${HOME}/.local/share/smolbote
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/smolbote
+whitelist ${HOME}/.config/smolbote
+whitelist ${HOME}/.local/share/smolbote
+include /etc/firejail/whitelist-common.inc
+
+
+## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
+caps.drop all
+
+## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user.
+# Breaks audio
+# ipc-namespace
+
+## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
+# Breaks audio
+# machine-id
+
+## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
+netfilter
+
+## nodbus - Disable access to dbus.
+nodbus
+
+## nodvd - Disable access to optical disk drives.
+nodvd
+
+## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
+nogroups
+
+## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
+nonewprivs
+
+## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
+noroot
+
+## notv - Disable access to DVB TV devices.
+notv
+
+## nou2f - Disable access to U2F devices.
+nou2f
+
+# novideo - Disable access to video devices.
+novideo
+
+## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
+protocol unix,inet,inet6,netlink
+
+## seccomp - Blacklists a large swath of syscalls from being accessible.
+# QtWebEngine require chroot syscall on AMD CPUS and/or ATI Graphics for some bizarre reason
+seccomp !name_to_handle_at,!chroot
+
+## shell - Run the program directly, without a user shell.
+# breaks secondary instances when using join-or-start after shell=none
+shell none
+
+## tracelog - Log all viloations to syslog.
+# tracelog segfaults QtWebEngine on AMD CPUS and/or ATI Graphics for some bizarre reason
+#tracelog
+
+## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
+disable-mnt
+
+## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
+# bash required to launch from kde kickoff menu
+# breaks if installed to /usr/local
+private-bin bash,poi
+
+## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
+private-dev
+
+## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
+# Experimental support for only fonts, alsa audio, and dns resolution.
+private-etc fonts,group,machine-id,resolv.conf
+
+## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
+# breaks SingleApplication without join-or-start set
+private-tmp
+
+
+## noexec - Prevent execution of files in the specified locations
+noexec ${HOME}
+noexec /tmp
+
+
+# join-or-start - Join the sandbox identified by name or start a new one
+join-or-start poi
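Review bot: The `noblacklist`, `mkdir` and `whitelist` entries (the three groups starting at `noblacklist ${HOME}/.cache/smolbote`, `mkdir ${HOME}/.cache/smolbote` and `whitelist ${HOME}/.cache/smolbote`) name smolbote's directories although this is the poi profile, which looks like a carry-over from the smolbote profile this commit also touches. Because `whitelist-common.inc` is included, the effect is that poi's own config/cache directories are presumably not visible or writable inside the sandbox while another application's data is exposed to it; each of the nine paths should be replaced with poi's real directory, e.g. `noblacklist ${HOME}/.config/<poi-config-dir>` (placeholder — take the path from what poi actually writes). The `seccomp !name_to_handle_at,!chroot` and commented `tracelog` lines are justified by QtWebEngine comments that may likewise be inherited; if poi does not need `chroot`, the default seccomp list should be kept rather than widened. Minor: "priviledges" and "viloations" in the `nonewprivs` and `tracelog` comments.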
+