author | netblue30 <netblue30@yahoo.com> | 2020-04-21 08:24:28 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2020-04-21 08:24:28 -0400 |
commit | 018d75775eab4a0f045949a9d069c57686ca2686 (patch) | |
tree | aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/profile-m-z/server.profile | |
parent | small fixes (diff) | |
reorganize github etc directory
Diffstat (limited to 'etc/profile-m-z/server.profile')
-rw-r--r-- | etc/profile-m-z/server.profile | 77 |
1 files changed, 77 insertions, 0 deletions
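diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
new file mode 100644
index 000000000..5bc4735ae
--- /dev/null
+++ b/etc/profile-m-z/server.profile
@@ -0,0 +1,77 @@
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+# $ sudo firejail
+# [sudo] password for netblue:
+# Reading profile /etc/firejail/server.profile
+# Reading profile /etc/firejail/disable-common.inc
+# Reading profile /etc/firejail/disable-passwdmgr.inc
+# Reading profile /etc/firejail/disable-programs.inc
+#
+# ** Note: you can use --noprofile to disable server.profile **
+#
+# Parent pid 5347, child pid 5348
+# The new log directory is /proc/5348/root/var/log
+# Child process initialized in 64.43 ms
+# root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include server.local
+# Persistent global definitions
+include globals.local
+
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+
+noblacklist /sbin
+noblacklist /usr/sbin
+# noblacklist /var/opt
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+# include disable-devel.inc
+# include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+
+caps
+# ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+# nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+# shell none
+
+# disable-mnt
+private
+# private-bin program
+# private-cache
+private-dev
+# private-etc alternatives
+# private-lib
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute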
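Review bot: Line 50 enables `caps` with no comment on what that leaves available to a root-started service. As far as I know, the default capabilities filter only drops a fixed list and keeps everything else, so this fallback profile is likely broader than the service-specific profiles the header points to (unbound.profile, fdns.profile). Because the header says this file is the default for every sandbox started as root, a short comment above line 50 would help administrators tighten it, for example `# default capabilities filter only; for a specific daemon prefer an explicit caps.keep list in its own profile`. The same block could state in one line that the commented-out entries at lines 51–63 are optional hardening to enable per service, since line 33 only says "some of the commands below" without indicating which are safe for a root daemon.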