diff options
| author |  Tad <tad@spotco.us> | 2017-08-07 14:24:51 -0400 |
|---|---|---|
| committer | Tad <tad@spotco.us> | 2017-08-07 14:29:40 -0400 |
| commit | 39dc3c893b5d895ed9db9071dd47b3de7b28f2fd (patch) | |
| tree | b76dbe39efe41bded67e3fe95d030b277d4a0236 /etc/Xephyr.profile | |
| parent | Fix comments in 88 profiles (diff) | |
| download | firejail-39dc3c893b5d895ed9db9071dd47b3de7b28f2fd.tar.gz firejail-39dc3c893b5d895ed9db9071dd47b3de7b28f2fd.tar.zst firejail-39dc3c893b5d895ed9db9071dd47b3de7b28f2fd.zip | |
Unify last 8 profiles
Diffstat (limited to 'etc/Xephyr.profile')
| -rw-r--r-- | etc/Xephyr.profile | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile index 22c0202ee..db3b3858c 100644 --- a/etc/Xephyr.profile +++ b/etc/Xephyr.profile | |||
| @@ -1,9 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for Xephyr |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/Xephyr.local | 4 | include /etc/firejail/Xephyr.local |
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | 7 | ||
| 8 | # | 8 | # |
| 9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. | 9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. |
| @@ -15,26 +15,26 @@ include /etc/firejail/Xephyr.local | |||
| 15 | # | 15 | # |
| 16 | 16 | ||
| 17 | 17 | ||
| 18 | # using a private home directory | 18 | blacklist /media |
| 19 | private | ||
| 20 | 19 | ||
| 20 | whitelist /var/lib/xkb | ||
| 21 | include /etc/firejail/whitelist-common.inc | ||
| 21 | 22 | ||
| 22 | caps.drop all | 23 | caps.drop all |
| 23 | # Xephyr needs to be allowed access to the abstract Unix socket namespace. | 24 | # Xephyr needs to be allowed access to the abstract Unix socket namespace. |
| 24 | nogroups | 25 | nogroups |
| 25 | nonewprivs | 26 | nonewprivs |
| 26 | # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. | 27 | # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. |
| 27 | #noroot | 28 | # noroot |
| 28 | nosound | 29 | nosound |
| 29 | shell none | ||
| 30 | seccomp | ||
| 31 | protocol unix | 30 | protocol unix |
| 31 | seccomp | ||
| 32 | shell none | ||
| 32 | 33 | ||
| 34 | # using a private home directory | ||
| 35 | private | ||
| 36 | # private-bin Xephyr,sh,xkbcomp | ||
| 37 | # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls | ||
| 33 | private-dev | 38 | private-dev |
| 39 | # private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | ||
| 34 | private-tmp | 40 | private-tmp |
| 35 | #private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls | ||
| 36 | #private-bin Xephyr,sh,xkbcomp | ||
| 37 | #private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | ||
| 38 | |||
| 39 | blacklist /media | ||
| 40 | whitelist /var/lib/xkb | ||