author | netblue30 <netblue30@yahoo.com> | 2020-04-07 19:52:56 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2020-04-07 19:52:56 -0400 |
commit | 7373cf31d4ba6638c0477a254f62552556921521 (patch) | |
tree | 5c63852fb86899be8483e99ad11e530f15329b3f | |
parent | Update support/EOL information (diff) | |
fdns profile
-rw-r--r-- | README.md | 10 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/fdns.profile | 52 | ||||
-rw-r--r-- | etc/server.profile | 25 |
4 files changed, 85 insertions, 4 deletions
@@ -180,5 +180,11 @@ Run ./profstats -h for help. | |||
180 | 180 | ||
181 | ### New profiles: | 181 | ### New profiles: |
182 | 182 | ||
183 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, | 183 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, |
184 | gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer, penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop | 184 | multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, |
185 | muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, | ||
186 | gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer, | ||
187 | penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, | ||
188 | four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, | ||
189 | hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, | ||
190 | seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop,,fdns | ||
@@ -27,7 +27,7 @@ firejail (0.9.63) baseline; urgency=low | |||
27 | * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless | 27 | * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless |
28 | * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers | 28 | * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers |
29 | * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more | 29 | * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more |
30 | * new profiles: swell-foop | 30 | * new profiles: swell-foop, fdns |
31 | 31 | ||
32 | firejail (0.9.62) baseline; urgency=low | 32 | firejail (0.9.62) baseline; urgency=low |
33 | * added file-copy-limit in /etc/firejail/firejail.config | 33 | * added file-copy-limit in /etc/firejail/firejail.config |
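--- /dev/null
+++ b/etc/fdns.profile
@@ -0,0 +1,52 @@
+# Firejail profile for server
+# This file is overwritten after every install/update
+# Persistent local customizations
+include server.local
+# Persistent global definitions
+include globals.local
+
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+#
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.keep chown,kill,setgid,setuid,net_bind_service,net_admin,sys_chroot,sys_admin,syslog
+
+ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+#seccomp
+#shell none
+
+disable-mnt
+private
+private-bin fdns,bash,sh
+# private-cache
+private-dev
+# private-etc alternatives
+# private-lib
+private-tmp
+
+protocol unix,inet,inet6
+memory-deny-write-execute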
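Review bot: The header on line 1 and the `include server.local` on line 4 were carried over from server.profile, so persistent local customizations for this profile would be read from server.local instead of an fdns-specific file, unlike server.profile in the next section which pairs with its own .local; change them to `# Firejail profile for fdns` and `include fdns.local`. The "generic server profile" comment block on lines 8-11 likewise no longer describes this file and could be dropped or reworded for fdns. On line 26, `caps.keep` retains sys_admin and net_admin, which leave the sandboxed root process close to fully privileged, while `seccomp` on line 39 stays commented out; if fdns only needs net_bind_service, setuid/setgid and sys_chroot to bind port 53 and drop privileges, the capability set could be narrowed and seccomp enabled, but that should be confirmed against what fdns actually requires rather than assumed. A short comment next to `caps.keep` stating why each retained capability is needed would make later tightening safer.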
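--- a/etc/server.profile
+++ b/etc/server.profile
@@ -1,4 +1,27 @@
-# Firejail profile for server
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+# $ sudo firejail
+# [sudo] password for netblue:
+# Reading profile /etc/firejail/server.profile
+# Reading profile /etc/firejail/disable-common.inc
+# Reading profile /etc/firejail/disable-passwdmgr.inc
+# Reading profile /etc/firejail/disable-programs.inc
+#
+# ** Note: you can use --noprofile to disable server.profile **
+#
+# Parent pid 5347, child pid 5348
+# The new log directory is /proc/5348/root/var/log
+# Child process initialized in 64.43 ms
+# root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
+
 # This file is overwritten after every install/update
 # Persistent local customizations
 include server.local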
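Review bot: The example transcript on lines 6-18 carries machine-specific details (the sudo prompt for user netblue, pids 5347/5348, the 64.43 ms timing and the root@debian prompt) that will not match a reader's system and will drift as firejail's startup output changes; keeping only the `$ sudo firejail` line, the "Reading profile" lines and the `--noprofile` note would make the header shorter and stay accurate longer. The closing sentence on lines 22-23 would also read more naturally as `# ... and the firecfg tool. The redirection is disabled by default for the root user.` The rest of the profile continues outside this hunk.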