reorganize github etc directory

author: netblue30 <netblue30@yahoo.com> 2020-04-21 08:24:28 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-04-21 08:24:28 -0400
commit: 018d75775eab4a0f045949a9d069c57686ca2686 (patch)
tree: aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/profile-m-z/server.profile
parent: small fixes (diff)
download: firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.gz
firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.zst
firejail-018d75775eab4a0f045949a9d069c57686ca2686.zip
1 files changed, 77 insertions, 0 deletions
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
new file mode 100644
index 000000000..5bc4735ae
--- /dev/null
+++ b/etc/profile-m-z/server.profile
@@ -0,0 +1,77 @@
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+#       $ sudo firejail
+#       [sudo] password for netblue:
+#       Reading profile /etc/firejail/server.profile
+#       Reading profile /etc/firejail/disable-common.inc
+#       Reading profile /etc/firejail/disable-passwdmgr.inc
+#       Reading profile /etc/firejail/disable-programs.inc
+#
+#       ** Note: you can use --noprofile to disable server.profile **
+#
+#       Parent pid 5347, child pid 5348
+#       The new log directory is /proc/5348/root/var/log
+#       Child process initialized in 64.43 ms
+#       root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include server.local
+# Persistent global definitions
+include globals.local
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+noblacklist /sbin
+noblacklist /usr/sbin
+# noblacklist /var/opt
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+# include disable-devel.inc
+# include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+caps
+# ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+# nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+# shell none
+# disable-mnt
+private
+# private-bin program
+# private-cache
+private-dev
+# private-etc alternatives
+# private-lib
+private-tmp
+# dbus-user none
+# dbus-system none
+# memory-deny-write-execute
author	netblue30 <netblue30@yahoo.com>	2020-04-21 08:24:28 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-04-21 08:24:28 -0400
commit	018d75775eab4a0f045949a9d069c57686ca2686 (patch)
tree	aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/profile-m-z/server.profile
parent	small fixes (diff)
download	firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.gz firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.zst firejail-018d75775eab4a0f045949a9d069c57686ca2686.zip

diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile new file mode 100644 index 000000000..5bc4735ae --- /dev/null +++ b/etc/profile-m-z/server.profile
@@ -0,0 +1,77 @@
	1	# Generic Firejail profile for servers started as root
	2	#
	3	# This profile is used as a default when starting the sandbox as root.
	4	# Example:
	5	#
	6	# $ sudo firejail
	7	# [sudo] password for netblue:
	8	# Reading profile /etc/firejail/server.profile
	9	# Reading profile /etc/firejail/disable-common.inc
	10	# Reading profile /etc/firejail/disable-passwdmgr.inc
	11	# Reading profile /etc/firejail/disable-programs.inc
	12	#
	13	# Note: you can use --noprofile to disable server.profile
	14	#
	15	# Parent pid 5347, child pid 5348
	16	# The new log directory is /proc/5348/root/var/log
	17	# Child process initialized in 64.43 ms
	18	# root@debian:~#
	19	#
	20	# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
	21	# All the rules for regular user profiles apply with the exception of
	22	# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
	23	# by default for root user.
	24
	25	# This file is overwritten after every install/update
	26	# Persistent local customizations
	27	include server.local
	28	# Persistent global definitions
	29	include globals.local
	30
	31	# generic server profile
	32	# it allows /sbin and /usr/sbin directories - this is where servers are installed
	33	# depending on your usage, you can enable some of the commands below:
	34
	35	noblacklist /sbin
	36	noblacklist /usr/sbin
	37	# noblacklist /var/opt
	38
	39	blacklist /tmp/.X11-unix
	40	blacklist ${RUNUSER}/wayland-*
	41
	42	include disable-common.inc
	43	# include disable-devel.inc
	44	# include disable-exec.inc
	45	# include disable-interpreters.inc
	46	include disable-passwdmgr.inc
	47	include disable-programs.inc
	48	# include disable-xdg.inc
	49
	50	caps
	51	# ipc-namespace
	52	# netfilter /etc/firejail/webserver.net
	53	no3d
	54	nodvd
	55	# nogroups
	56	# nonewprivs
	57	# noroot
	58	nosound
	59	notv
	60	nou2f
	61	novideo
	62	seccomp
	63	# shell none
	64
	65	# disable-mnt
	66	private
	67	# private-bin program
	68	# private-cache
	69	private-dev
	70	# private-etc alternatives
	71	# private-lib
	72	private-tmp
	73
	74	# dbus-user none
	75	# dbus-system none
	76
	77	# memory-deny-write-execute