diff options
| author |  glitsj16 <glitsj16@users.noreply.github.com> | 2019-06-30 20:51:17 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2019-06-30 20:51:17 +0000 |
| commit | 1dea9cfc5d10002c773a0efc5234cbc24fe1fe9f (patch) | |
| tree | fc90b1f2d350b7d7aaffabfa77abe64054c16904 | |
| parent | Change include/redirect logic in autokey profiles (#2814) (diff) | |
| download | firejail-1dea9cf.tar.gz firejail-1dea9cf.tar.zst firejail-1dea9cf.zip | |
Update wording in templates (#2815)
* Change wording in redirect_alias-profile.template
* Change wording in profile.template
* Update wording in redirect_alias-profile.template
| -rw-r--r-- | etc/templates/profile.template | 18 | ||||
| -rw-r--r-- | etc/templates/redirect_alias-profile.template | 25 |
2 files changed, 22 insertions, 21 deletions
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 7ea2853c1..2fc5c3ef1 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
| @@ -3,16 +3,16 @@ | |||
| 3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 4 | # --- CUT HERE --- | 4 | # --- CUT HERE --- |
| 5 | # This is a generic template to help you with creation of profiles | 5 | # This is a generic template to help you with creation of profiles |
| 6 | # for new programs. PRs welcome at https://github.com/netblue30/firejail/ | 6 | # for new programs. PRs welcome at https://github.com/netblue30/firejail/. |
| 7 | # | 7 | # |
| 8 | # Rules to follow: | 8 | # Rules to follow: |
| 9 | # - lines with one # are often used in profiles | 9 | # - lines with one # are often used in profiles |
| 10 | # - lines with two ## are only needed in special situations | 10 | # - lines with two ## are only needed in special situations |
| 11 | # - make the profile as restrictive as possible while still keeping the program useful | 11 | # - make the profile as restrictive as possible while still keeping the program useful |
| 12 | # (e. g. a program that is unable to save user's work is considered a bad practice) | 12 | # (e. g. a program that is unable to save user's work is considered bad practice) |
| 13 | # - dedicate some time (based on how complex the application is) to profile testing before raising | 13 | # - dedicate some time (based on the complexity of the application) to profile testing before raising |
| 14 | # a pull request | 14 | # a pull request |
| 15 | # - keep the sections structure, use a single empty line as a separator | 15 | # - keep the sections structure, use a single empty line as separator |
| 16 | # - entries within sections are alphabetically sorted | 16 | # - entries within sections are alphabetically sorted |
| 17 | # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware | 17 | # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware |
| 18 | # to not do this for essential utilities as this may *break* your OS! (related discussion: | 18 | # to not do this for essential utilities as this may *break* your OS! (related discussion: |
| @@ -66,8 +66,8 @@ include globals.local | |||
| 66 | # One way to retrieve the files a program uses is: | 66 | # One way to retrieve the files a program uses is: |
| 67 | # - launch binary with --private naming a sandbox | 67 | # - launch binary with --private naming a sandbox |
| 68 | # `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY` | 68 | # `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY` |
| 69 | # - work with the program, do some configuration changes and save them, open new documents, | 69 | # - work with the program, make some configuration changes and save them, open new documents, |
| 70 | # install plugins if they exists, etc | 70 | # install plugins if they exists, etc. |
| 71 | # - join the sandbox with bash: | 71 | # - join the sandbox with bash: |
| 72 | # `firejail --join=test bash` | 72 | # `firejail --join=test bash` |
| 73 | # - look what has changed and use that information to populate blacklist and whitelist sections | 73 | # - look what has changed and use that information to populate blacklist and whitelist sections |
| @@ -128,14 +128,14 @@ include globals.local | |||
| 128 | #notv | 128 | #notv |
| 129 | #nou2f | 129 | #nou2f |
| 130 | #novideo | 130 | #novideo |
| 131 | # Remove every not needed protocol | 131 | # Remove each unneeded protocol: |
| 132 | # - unix is usually needed | 132 | # - unix is usually needed |
| 133 | # - inet,inet6 only if internet access is requiered (see 'net none'/'netfilter' above) | 133 | # - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above) |
| 134 | # - netlink is rarely needed | 134 | # - netlink is rarely needed |
| 135 | # - packet almost never | 135 | # - packet almost never |
| 136 | #protocol unix,inet,inet6,netlink,packet | 136 | #protocol unix,inet,inet6,netlink,packet |
| 137 | #seccomp | 137 | #seccomp |
| 138 | ##seccomp.drop SYSCALLS (see also syscalls.txt) | 138 | ##seccomp.drop SYSCALLS (see syscalls.txt) |
| 139 | #shell none | 139 | #shell none |
| 140 | #tracelog | 140 | #tracelog |
| 141 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set | 141 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set |
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template index 02df1776f..0c7ba0b72 100644 --- a/etc/templates/redirect_alias-profile.template +++ b/etc/templates/redirect_alias-profile.template | |||
| @@ -6,38 +6,39 @@ include PROFILE.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | # added by included profile | 7 | # added by included profile |
| 8 | #include globals.local | 8 | #include globals.local |
| 9 | #NOTE: let include globals.local commented, except redirecting to a -common.profile | 9 | #NOTE: keep include globals.local commented, except when redirecting to a *-common.profile |
| 10 | 10 | ||
| 11 | # For more informations see profile.template | 11 | # For more information, see profile.template |
| 12 | 12 | ||
| 13 | # Ignore something that is in the included profile | 13 | # Ignoring option(s) from the included profile |
| 14 | #ignore net none | 14 | #ignore net none |
| 15 | #ignore private-bin | 15 | #ignore private-bin |
| 16 | #ignore seccomp | 16 | #ignore seccomp |
| 17 | #... | 17 | #... |
| 18 | 18 | ||
| 19 | # Additional noblacklisting (if needed) | 19 | # Additional noblacklisting (when needed) |
| 20 | #noblacklist PATH | 20 | #noblacklist PATH |
| 21 | 21 | ||
| 22 | # Additional allow includes (if needed) | 22 | # Additional allow includes (when needed) |
| 23 | 23 | ||
| 24 | # Additional blacklisting (if needed) | 24 | # Additional blacklisting (when needed) |
| 25 | #blacklist PATH | 25 | #blacklist PATH |
| 26 | 26 | ||
| 27 | # Additional whitelisting (if needed) | 27 | # Additional whitelisting (when needed) |
| 28 | #NOTE: never use mkdir/mkfile when 'private' is set (see https://github.com/netblue30/firejail/issues/903) | ||
| 28 | #mkdir PATH | 29 | #mkdir PATH |
| 29 | ##mkfile PATH | 30 | ##mkfile PATH |
| 30 | #whitelist PATH | 31 | #whitelist PATH |
| 31 | 32 | ||
| 32 | # Additional options (if needed) | 33 | # Additional options (when needed) |
| 33 | 34 | ||
| 34 | # Additional private-options (if needed) | 35 | # Additional private-options (when needed) |
| 35 | # Add programs to private-bin (if needed) | 36 | # Add programs to private-bin (when needed) |
| 36 | #private-bin PROGRAMS | 37 | #private-bin PROGRAMS |
| 37 | # Add files to private-etc (if needed) | 38 | # Add files to private-etc (when needed) |
| 38 | #private-etc FILES | 39 | #private-etc FILES |
| 39 | 40 | ||
| 40 | # Additional special options (if needed) | 41 | # Additional special options (when needed) |
| 41 | 42 | ||
| 42 | # Redirect | 43 | # Redirect |
| 43 | include PROFILE.profile | 44 | include PROFILE.profile |