author | Tad <tad@spotco.us> | 2017-08-07 14:24:51 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2017-08-07 14:29:40 -0400 |
commit | 39dc3c893b5d895ed9db9071dd47b3de7b28f2fd (patch) | |
tree | b76dbe39efe41bded67e3fe95d030b277d4a0236 /etc/Xephyr.profile | |
parent | Fix comments in 88 profiles (diff) | |
Unify last 8 profiles
Diffstat (limited to 'etc/Xephyr.profile')
-rw-r--r-- | etc/Xephyr.profile | 32 |
1 files changed, 16 insertions, 16 deletions
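--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -1,9 +1,9 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for Xephyr
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/Xephyr.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 
 #
 # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
@@ -15,26 +15,26 @@ include /etc/firejail/Xephyr.local
 #
 
 
-# using a private home directory
-private
+blacklist /media
 
+whitelist /var/lib/xkb
+include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.
 nogroups
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
-#noroot
+# noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
 
+# using a private home directory
+private
+# private-bin Xephyr,sh,xkbcomp
+# private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
 private-dev
+# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
 private-tmp
-#private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
-#private-bin Xephyr,sh,xkbcomp
-#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
-
-blacklist /media
-whitelist /var/lib/xkb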
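Review bot: The new `include /etc/firejail/whitelist-common.inc` at new line 21 is the only directive in the second hunk that is neither moved nor a comment reformat, so a commit titled as a unification also changes the filesystem view of the Xephyr sandbox. The profile still sets `private` further down, and how the whitelist entries pulled in by that include combine with a private home cannot be seen from this page. I would record the intent next to the line, for example `# NOTE: whitelist-common.inc is newly included here; verify its interaction with 'private' below`, and mention the addition in the commit description. The first hunk also swaps the order of `Xephyr.local` and `globals.local`, which may change which file's settings win if precedence depends on include order.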