author | Tad <tad@spotco.us> | 2018-09-22 01:44:35 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2018-09-22 01:44:35 -0400 |
commit | 4642e8a3017864f74620a7f2917a99c02539fa52 (patch) | |
tree | be826e5383e95369b48541d851728187a77d1fe8 /etc/spectre-meltdown-checker.profile | |
parent | tests: skip more tests if capabilities/seccomp of host differs (diff) | |
Add profile for spectre-meltdown-checker
Will need to support allow-debuggers in profiles before it can be enabled in firecfg
Diffstat (limited to 'etc/spectre-meltdown-checker.profile')
-rw-r--r-- | etc/spectre-meltdown-checker.profile | 53 |
1 files changed, 53 insertions, 0 deletions
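diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile
new file mode 100644
index 000000000..18d3a0575
--- /dev/null
+++ b/etc/spectre-meltdown-checker.profile
@@ -0,0 +1,53 @@
+# Firejail profile for spectre-meltdown-checker
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/spectre-meltdown-checker.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# sudo firejail --allow-debuggers spectre-meltdown-checker
+
+noblacklist ${PATH}/mount
+noblacklist ${PATH}/umount
+
+# Allow access to perl
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.keep sys_rawio
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix
+seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap
+shell none
+
+disable-mnt
+private
+private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
+private-cache
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp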
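Review bot: Three of the `private-bin` entries on line 47 are Debian package names rather than executables — `liblz4-tool`, `xz-utils` and `gz` — and since a private-bin entry that does not exist on disk is simply not copied into the sandbox, the checker's decompression of lz4/xz-compressed kernel images will presumably fail silently inside the jail; replace them with the binaries those packages actually ship, `lz4`, `xz` and `unxz`, and drop `gz`, which `gzip`/`gunzip` already cover. Two other entries look inconsistent with the restrictions below them: `seccomp.drop @module` removes init_module/finit_module, so the listed `modprobe` and `kldload` cannot load the msr/cpuid modules and the profile effectively requires them to be loaded before launch, and `caps.keep sys_rawio` drops CAP_SYS_ADMIN, so the `mount`/`umount` binaries and the two `noblacklist` lines for them will not let the script mount debugfs even though they are deliberately allowed. If those helpers are meant to work the profile would need `caps.keep sys_admin,sys_rawio` and `@module` removed from the seccomp list, but CAP_SYS_ADMIN materially widens what a compromised checker could do, so the safer option is to keep the current restrictions and state the precondition, e.g. a comment above line 11 such as `# msr/cpuid kernel modules must already be loaded; modprobe and mount are not usable under this profile (no CAP_SYS_ADMIN, @module dropped)`. Either way, the mount/umount lines should match whichever choice is made rather than advertise a capability the sandbox does not grant.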