1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
# Firejail profile for poi
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/poi.local
# Persistent global definitions
include /etc/firejail/globals.local
# noblacklist: exclude from blacklist
noblacklist ${HOME}/.cache/smolbote
noblacklist ${HOME}/.config/smolbote
noblacklist ${HOME}/.local/share/smolbote
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-shell.inc
include /etc/firejail/disable-write-mnt.inc
include /etc/firejail/disable-xdg.inc
mkdir ${HOME}/.cache/smolbote
mkdir ${HOME}/.config/smolbote
mkdir ${HOME}/.local/share/smolbote
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/smolbote
whitelist ${HOME}/.config/smolbote
whitelist ${HOME}/.local/share/smolbote
include /etc/firejail/whitelist-common.inc
## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
caps.drop all
## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user.
# Breaks audio
# ipc-namespace
## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
# Breaks audio
# machine-id
## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
netfilter
## dbus-user/system none - Disable access to dbus.
dbus-user none
dbus-system none
## nodvd - Disable access to optical disk drives.
nodvd
## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
nogroups
## noinput - Disable access to /dev/input devices. ie, accelerometers, controllers, joysticks, infrared receivers, etc.
noinput
## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
nonewprivs
## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
noroot
## notv - Disable access to DVB TV devices.
notv
## nou2f - Disable access to U2F devices.
nou2f
# novideo - Disable access to video devices.
novideo
## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
protocol unix,inet,inet6,netlink
## seccomp - Blacklists a large swath of syscalls from being accessible.
# QtWebEngine require chroot syscall on AMD CPUS and/or ATI Graphics for some bizarre reason
seccomp !name_to_handle_at,!chroot
## shell - Run the program directly, without a user shell.
# breaks secondary instances when using join-or-start after shell=none
shell none
## tracelog - Log all viloations to syslog.
# tracelog segfaults QtWebEngine on AMD CPUS and/or ATI Graphics for some bizarre reason
#tracelog
## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
disable-mnt
## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
# bash required to launch from kde kickoff menu
# breaks if installed to /usr/local
private-bin bash,poi
## private-dev - Create a virtual /dev directory. Only dri, full, log, input, null, ptmx, pts, random, shm, snd, tty, urandom, video, and zero devices are available.
private-dev
## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
# Experimental support for only fonts, alsa audio, and dns resolution.
private-etc fonts,group,machine-id,resolv.conf
## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
# breaks SingleApplication without join-or-start set
private-tmp
## noexec - Prevent execution of files in the specified locations
noexec ${HOME}
noexec /tmp
# join-or-start - Join the sandbox identified by name or start a new one
join-or-start poi
|