adding noprofile.profile from rusty-snake

author: netblue30 <netblue30@protonmail.com> 2021-10-30 08:35:09 -0400
committer: netblue30 <netblue30@protonmail.com> 2021-10-30 08:35:09 -0400
commit: 41427b8f62358344d45197fb674786d1a4dd11bf (patch)
tree: 62bf87ce050b99bb76d53c1972cf092a8b3b93a0 /etc/profile-m-z/noprofile.profile
parent: Merge pull request #4643 from rusty-snake/profile-checks (diff)
download: firejail-41427b8f62358344d45197fb674786d1a4dd11bf.tar.gz
firejail-41427b8f62358344d45197fb674786d1a4dd11bf.tar.zst
firejail-41427b8f62358344d45197fb674786d1a4dd11bf.zip
1 files changed, 28 insertions, 0 deletions
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
new file mode 100644
index 000000000..560ee9db3
--- /dev/null
+++ b/etc/profile-m-z/noprofile.profile
@@ -0,0 +1,28 @@
+# This is the weakest possible firejail profile.
+# If a program still fail with this profile, it is incompatible with firejail.
+# (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
+#
+# Usage:
+#   1. download
+#   2. firejail --profile=noprofile.profile /path/to/program
+# Keep in mind that even with this profile some things are done
+# which can break the program.
+# - some env-vars are cleared
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
+# - a new private pid-namespace is created
+# - a minimal hardcoded blacklist is applied
+# - ...
+noblacklist /sys/fs
+noblacklist /sys/module
+allow-debuggers
+allusers
+keep-config-pulse
+keep-dev-shm
+keep-var-tmp
+writable-etc
+writable-run-user
+writable-var
+writable-var-log
author	netblue30 <netblue30@protonmail.com>	2021-10-30 08:35:09 -0400
committer	netblue30 <netblue30@protonmail.com>	2021-10-30 08:35:09 -0400
commit	41427b8f62358344d45197fb674786d1a4dd11bf (patch)
tree	62bf87ce050b99bb76d53c1972cf092a8b3b93a0 /etc/profile-m-z/noprofile.profile
parent	Merge pull request #4643 from rusty-snake/profile-checks (diff)
download	firejail-41427b8f62358344d45197fb674786d1a4dd11bf.tar.gz firejail-41427b8f62358344d45197fb674786d1a4dd11bf.tar.zst firejail-41427b8f62358344d45197fb674786d1a4dd11bf.zip

diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile new file mode 100644 index 000000000..560ee9db3 --- /dev/null +++ b/etc/profile-m-z/noprofile.profile
@@ -0,0 +1,28 @@
	1	# This is the weakest possible firejail profile.
	2	# If a program still fail with this profile, it is incompatible with firejail.
	3	# (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
	4	#
	5	# Usage:
	6	# 1. download
	7	# 2. firejail --profile=noprofile.profile /path/to/program
	8
	9	# Keep in mind that even with this profile some things are done
	10	# which can break the program.
	11	# - some env-vars are cleared
	12	# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
	13	# - a new private pid-namespace is created
	14	# - a minimal hardcoded blacklist is applied
	15	# - ...
	16
	17	noblacklist /sys/fs
	18	noblacklist /sys/module
	19
	20	allow-debuggers
	21	allusers
	22	keep-config-pulse
	23	keep-dev-shm
	24	keep-var-tmp
	25	writable-etc
	26	writable-run-user
	27	writable-var
	28	writable-var-log