author | Tad <tad@spotco.us> | 2017-08-07 14:24:51 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2017-08-07 14:29:40 -0400 |
commit | 39dc3c893b5d895ed9db9071dd47b3de7b28f2fd (patch) | |
tree | b76dbe39efe41bded67e3fe95d030b277d4a0236 /etc/Xvfb.profile | |
parent | Fix comments in 88 profiles (diff) | |
Unify last 8 profiles
Diffstat (limited to 'etc/Xvfb.profile')
-rw-r--r-- | etc/Xvfb.profile | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile index 8eba82db1..ce17a9732 100644 --- a/etc/Xvfb.profile +++ b/etc/Xvfb.profile | |||
@@ -1,10 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for Xvfb |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/Xvfb.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xvfb.local | ||
7 | |||
8 | # | 8 | # |
9 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. | 9 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. |
10 | # The target program is sandboxed with its own profile. By default the this functionality | 10 | # The target program is sandboxed with its own profile. By default the this functionality |
@@ -16,9 +16,10 @@ include /etc/firejail/xvfb.local | |||
16 | # some Linux distributions. Also, older versions of Xpra use Xvfb. | 16 | # some Linux distributions. Also, older versions of Xpra use Xvfb. |
17 | # | 17 | # |
18 | 18 | ||
19 | blacklist /media | ||
19 | 20 | ||
20 | # using a private home directory | 21 | whitelist /var/lib/xkb |
21 | private | 22 | include /etc/firejail/whitelist-common.inc |
22 | 23 | ||
23 | caps.drop all | 24 | caps.drop all |
24 | # Xvfb needs to be allowed access to the abstract Unix socket namespace. | 25 | # Xvfb needs to be allowed access to the abstract Unix socket namespace. |
@@ -27,15 +28,14 @@ nonewprivs | |||
27 | # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. | 28 | # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. |
28 | #noroot | 29 | #noroot |
29 | nosound | 30 | nosound |
30 | shell none | ||
31 | seccomp | ||
32 | protocol unix | 31 | protocol unix |
32 | seccomp | ||
33 | shell none | ||
33 | 34 | ||
35 | # using a private home directory | ||
36 | private | ||
37 | # private-bin Xvfb,sh,xkbcomp | ||
38 | # private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls | ||
34 | private-dev | 39 | private-dev |
35 | private-tmp | ||
36 | private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | 40 | private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname |
37 | #private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls | 41 | private-tmp |
38 | #private-bin Xvfb,sh,xkbcomp | ||
39 | |||
40 | blacklist /media | ||
41 | whitelist /var/lib/xkb | ||
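Review bot: The per-profile override include is renamed from `/etc/firejail/xvfb.local` to `/etc/firejail/Xvfb.local` in the first hunk, and because the path is case-sensitive an administrator's existing `xvfb.local` would stop being read after the update. If a missing `.local` include is skipped without an error, as seems intended for optional overrides, any site hardening kept in the old file is dropped silently. I would mention the rename in the release notes, or keep the old name readable for a transition period by adding `include /etc/firejail/xvfb.local` directly under the new include. The second hunk also adds `include /etc/firejail/whitelist-common.inc` while `private` is kept further down; a one-line comment above that include saying how the two are meant to combine would help the next reader, since the page does not show what the included file whitelists.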