author | glitsj16 <glitsj16@users.noreply.github.com> | 2019-02-13 22:48:33 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-02-13 22:48:33 +0000 |
commit | fadaac29530845119e957d995c8d7e6470023c8c (patch) | |
tree | d5375b1c0bb4763462823c32930ddb0222259048 | |
parent | Merge pull request #2398 from glitsj16/snap (diff) | |
Refactor snap.profile
-rw-r--r-- | etc/snap.profile | 55 |
1 files changed, 50 insertions, 5 deletions
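diff --git a/etc/snap.profile b/etc/snap.profile
index 6d95e719a..ef4f3d3a6 100644
--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -1,17 +1,62 @@
 # Firejail profile for snap
-# Description: generic Ubuntu snap application profile
+# Description: Install, configure, refresh and remove snap packages
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include snap.local
 # Persistent global definitions
 include globals.local
 
-# Generic Ubuntu snap application profile
+# Note: Snap packages have their own confinement mechanism relying on snapd and apparmor.
+# As such firejail is not able to deliver any additional sandboxing for snaps. This profile does sandbox
+# the snap tool which is used to interact with snap packages.
+# See https://docs.snapcraft.io/ for more detailed info.
+
+noblacklist ${HOME}/.snap
+noblacklist ${HOME}/snap
+noblacklist ${DOWNLOADS}
+
+noblacklist /var/cache/snapd
+noblacklist /var/lib/snapd
+noblacklist /var/snap
+
+mkdir ${HOME}/.snap
+mkdir ${HOME}/snap
+whitelist ${HOME}/.snap
+whitelist ${HOME}/snap
 
 include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/snap
-include whitelist-common.inc
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin snap
+private-dev
+private-etc group,passwd
+private-lib snapd
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp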
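Review bot: `noblacklist ${DOWNLOADS}` on the new side has no matching whitelist, because the old `whitelist ${DOWNLOADS}` is removed while `whitelist ${HOME}/.snap` and `whitelist ${HOME}/snap` remain; once any ${HOME} path is whitelisted the rest of the home directory is hidden, so that noblacklist line is either dead or the intended line `whitelist ${DOWNLOADS}` is missing. Dropping `include whitelist-common.inc` while keeping ${HOME} whitelists is presumably deliberate, but it departs from the usual pairing in whitelisting profiles and would be worth a one-line comment above the whitelist block. `protocol unix,inet,inet6` together with `netfilter` grants network access, yet `private-etc group,passwd` exposes neither resolver files nor a CA store; if the snap client only needs the local snapd socket, `protocol unix` would be the tighter choice, and otherwise `resolv.conf`, `hosts`, `nsswitch.conf` and the certificate directories belong in the private-etc list.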