authorLibravatar netblue30 <netblue30@yahoo.com>2020-04-21 08:24:28 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2020-04-21 08:24:28 -0400
commit018d75775eab4a0f045949a9d069c57686ca2686 (patch)
treeaac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/profile-m-z/server.profile
parentsmall fixes (diff)
reorganize github etc directory
Diffstat (limited to 'etc/profile-m-z/server.profile')
-rw-r--r--etc/profile-m-z/server.profile77
1 files changed, 77 insertions, 0 deletions
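diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
new file mode 100644
index 000000000..5bc4735ae
--- /dev/null
+++ b/etc/profile-m-z/server.profile
@@ -0,0 +1,77 @@
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+# $ sudo firejail
+# [sudo] password for netblue:
+# Reading profile /etc/firejail/server.profile
+# Reading profile /etc/firejail/disable-common.inc
+# Reading profile /etc/firejail/disable-passwdmgr.inc
+# Reading profile /etc/firejail/disable-programs.inc
+#
+# ** Note: you can use --noprofile to disable server.profile **
+#
+# Parent pid 5347, child pid 5348
+# The new log directory is /proc/5348/root/var/log
+# Child process initialized in 64.43 ms
+# root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include server.local
+# Persistent global definitions
+include globals.local
+
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+
+noblacklist /sbin
+noblacklist /usr/sbin
+# noblacklist /var/opt
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+# include disable-devel.inc
+# include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+
+caps
+# ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+# nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+# shell none
+
+# disable-mnt
+private
+# private-bin program
+# private-cache
+private-dev
+# private-etc alternatives
+# private-lib
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
+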
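+Review bot: The bare `caps` directive at line 50 of the new file has no comment explaining its scope. As documented for Firejail, it applies only the default capability filter, which drops a fixed set and leaves the remaining capabilities available to a process running as root. Since this profile is the default for anything started as root, a comment beside it would help, for example `# default filter only; per-server profiles should prefer caps.keep with the minimal list`. The commented-out `# nonewprivs` at line 56 would likewise benefit from a one-line note on when it is safe to enable, so users can tell why it is off by default. The commit appears to relocate the file as part of the directory reorganisation, so this is a follow-up documentation suggestion rather than a change to the move itself.
+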