author | netblue30 <netblue30@yahoo.com> | 2017-05-06 13:03:15 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-05-06 13:03:15 -0400 |
commit | 4515f44e59001c13122f9e9976f420c230806737 (patch) | |
tree | 42dd67e9279f1bbfc715271fcb420bfa8f664dda /etc/Xephyr.profile | |
parent | Merge pull request #1266 from SYN-cook/patch-2 (diff) | |
merge #1100 from zackw: added support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started with firejail --x11
Diffstat (limited to 'etc/Xephyr.profile')
-rw-r--r-- | etc/Xephyr.profile | 40 |
1 files changed, 40 insertions, 0 deletions
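--- /dev/null
+++ b/etc/Xephyr.profile
@@ -0,0 +1,40 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Xephyr.local
+
+#
+# This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-Xephyr symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+
+# using a private home directory
+private
+
+
+caps.drop all
+# Xephyr needs to be allowed access to the abstract Unix socket namespace.
+#net none
+nogroups
+nonewprivs
+# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+private-dev
+private-tmp
+#private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
+#private-bin Xephyr,sh,xkbcomp
+#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+
+blacklist /media
+whitelist /var/lib/xkb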
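Review bot: With `net none` commented out on profile line 23, the Xephyr sandbox appears to stay in the host's network namespace, so `protocol unix` limits the socket address family but does not separate the sandbox from the other abstract Unix sockets that exist there. The comment on line 22 says why `net none` is off but not what remains shared; I would extend it to something like `# net none is off: the abstract Unix socket namespace is shared with the host; protocol unix only restricts the address family`. The header comment also tells the reader to create a `firejail-Xephyr` symlink while the command on line 10 creates one named `Xephyr`, so the two should be made to agree. The commented-out `private-bin` line listing `strace,bash,cat,ls` looks like leftover debugging next to the shorter variant below it and could be dropped, and both `private-bin` and `private-etc` deserve a short note on why they are disabled.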