path: root/profiles/poi.profile
blob: 355f5c87fc0702eefb45e1641a83e87d567e7411 (plain)
# Firejail profile for poi
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/poi.local
# Persistent global definitions
include /etc/firejail/globals.local

# noblacklist: exclude from blacklist
# Listed before the disable-*.inc includes below so the blacklists they
# contain do not cover the browser's own cache/config/data directories
noblacklist ${HOME}/.cache/smolbote
noblacklist ${HOME}/.config/smolbote
noblacklist ${HOME}/.local/share/smolbote

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-shell.inc
include /etc/firejail/disable-write-mnt.inc
include /etc/firejail/disable-xdg.inc

# Create the directories ahead of the whitelist lines so the paths exist
# when they are whitelisted
mkdir ${HOME}/.cache/smolbote
mkdir ${HOME}/.config/smolbote
mkdir ${HOME}/.local/share/smolbote

# Only these paths (plus whitelist-common.inc) remain visible under ${HOME}
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/smolbote
whitelist ${HOME}/.config/smolbote
whitelist ${HOME}/.local/share/smolbote
include /etc/firejail/whitelist-common.inc


## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
caps.drop all

## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user.
# Breaks audio
# ipc-namespace

## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
# Breaks audio
# machine-id

## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
netfilter

## dbus-user/system none - Disable access to dbus.
dbus-user none
dbus-system none

## nodvd - Disable access to optical disk drives.
nodvd

## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
nogroups

## noinput - Disable access to /dev/input devices. ie, accelerometers, controllers, joysticks, infrared receivers, etc.
noinput

## nonewprivs - Prevents child processes from requesting additional privileges. If --seccomp is enabled, --nonewprivs is redundant.
nonewprivs

## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
noroot

## notv - Disable access to DVB TV devices.
notv

## nou2f - Disable access to U2F devices.
nou2f

## novideo - Disable access to video devices.
novideo

## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
protocol unix,inet,inet6,netlink

## restrict-namespaces - Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces.
restrict-namespaces

## seccomp - Blacklists a large swath of syscalls from being accessible.
# QtWebEngine requires the chroot syscall on AMD CPUs and/or ATI graphics for some bizarre reason
# NOTE(review): name_to_handle_at is re-allowed here as well; the reason is not recorded in this profile
seccomp !name_to_handle_at,!chroot

## tracelog - Log all violations to syslog.
# tracelog segfaults QtWebEngine on AMD CPUs and/or ATI graphics for some bizarre reason
#tracelog

## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
disable-mnt

## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
# bash required to launch from kde kickoff menu
# breaks if installed to /usr/local
private-bin bash,poi

## private-dev - Create a virtual /dev directory. Only dri, full, log, input, null, ptmx, pts, random, shm, snd, tty, urandom, video, and zero devices are available.
private-dev

## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
# Experimental support for only fonts, alsa audio, and dns resolution.
# NOTE(review): the list below carries no alsa entry — confirm audio still works, or add it if needed
private-etc fonts,group,machine-id,resolv.conf

## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
# breaks SingleApplication without join-or-start set
# now it breaks SingleApplication even with join-or-start
#private-tmp


## noexec - Prevent execution of files in the specified locations
noexec ${HOME}
noexec /tmp


## join-or-start - Join the sandbox identified by name or start a new one
join-or-start poi