author | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-05-30 17:31:25 +0200 |
---|---|---|
committer | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-05-30 17:31:25 +0200 |
commit | cb98aea61bf97c8125c2d2df6cb08b9f05355e3a (patch) | |
tree | 493a2a6c030f323a1966cb04d406df7b140d9593 /etc/templates | |
parent | profile housekeeping (diff) | |
Add profile templates
Create etc/templates
* profile.template
* redirect_alias-profile.template
* syscalls.txt
* Notes
Diffstat (limited to 'etc/templates')
-rw-r--r-- | etc/templates/Notes | 7 | ||||
-rw-r--r-- | etc/templates/profile.template | 82 | ||||
-rw-r--r-- | etc/templates/redirect_alias-profile.template | 36 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 43 |
4 files changed, 168 insertions, 0 deletions
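--- /dev/null
+++ b/etc/templates/Notes
@@ -0,0 +1,7 @@
+Notes
+=====
+
+* Lines with one # are often used
+* Lines with two ## are only in special situation needed
+* Add programs specific paths like .config/program to disable-programs.inc
+* Add the name of the profile/program to src/firecfg/firecfg.config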
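--- /dev/null
+++ b/etc/templates/profile.template
@@ -0,0 +1,82 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+##quiet
+# Persistent local customizations
+#include PROFILE.local
+# Persistent global definitions
+#include globals.local
+
+##ignore noexec ${HOME}
+
+##blacklist PATH
+
+#noblacklist PATH
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
+#noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+#noblacklist /usr/local/lib/python2*
+#noblacklist /usr/local/lib/python3*
+
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
+#include disable-passwdmgr.inc
+#include disable-programs.inc
+#include disable-xdg.inc
+
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+#include whitelist-common.inc
+#include whitelist-var-common.inc
+
+#apparmor
+#caps.drop all
+# CLI only
+##ipc-namespace
+#machine-id
+# 'net none' or 'netfilter'
+#net none
+#netfilter
+#no3d
+#nodbus
+#nodvd
+#nogroups
+#nonewprivs
+#noroot
+#nosound
+#notv
+#nou2f
+#novideo
+#protocol unix,inet,inet6,netlink
+#seccomp
+##seccomp.drop SYSCALLS
+#shell none
+#tracelog
+
+#disable-mnt
+##private
+#private-bin PROGRAMS
+#private-cache
+#private-dev
+#private-etc FILES
+# private-etc templates (see also #1734)
+# Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Sound: alsa,asound.conf,machine-id,openal,pulse
+# GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
+# KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
+# GUIs: fonts
+# Alternatives: alternatives
+##private-lib LIBS
+##private-opt NAME
+#private-tmp
+
+##env VAR=VALUE
+#memory-deny-write-execute
+##read-only ${HOME}
+##join-or-start NAME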
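Review bot: The `#` versus `##` convention the template depends on (`##quiet`, `##ignore noexec ${HOME}`, `##seccomp.drop SYSCALLS`, `##private`) is explained only in the separate etc/templates/Notes file, so anyone who copies profile.template on its own cannot tell which lines are meant to be enabled in a typical profile and which are hardening options that need a case-by-case decision. A short comment near the top would make the template self-describing, e.g. `# Lines with a single # are usually uncommented; lines with ## are only needed in special situations`. The same applies to the two `#include PROFILE.local` / `#include globals.local` lines, which a reader may otherwise take for a deliberately disabled include rather than a placeholder to activate; a comment such as `# uncomment and replace PROFILE with the profile name` beside the first one would remove the ambiguity. The per-program placeholders (PATH, PROGRAMS, FILES, SYSCALLS) are capitalised consistently, which is good; keeping them in one agreed form across both templates will make them easy to grep for before a profile is committed.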
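--- /dev/null
+++ b/etc/templates/redirect_alias-profile.template
@@ -0,0 +1,36 @@
+# Firejail profile for PRGOGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PROFILE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+#NOTE: let include globals.local commented
+
+# Additional blacklisting (if needed)
+#blacklist PATH
+
+# Additional noblacklisting (if needed)
+#noblacklist PATH
+
+# Additional whitelisting (if needed)
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+
+# Additional options if needed (see firejail-profile.example)
+
+# Add programs to private-bin (if needed)
+#private-bin PROGRAMS
+# Add files to private-etc (if needed)
+#private-etc FILES
+
+# Ignore something that is in the included profile
+#ignore net none
+#ignore private-bin
+#ignore seccomp
+#...
+
+# Redirect
+include PROFILE.profile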
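Review bot: The placeholder on the first line is misspelled as `PRGOGRAM_NAME`, while profile.template in the same commit uses `PROGRAM_NAME`; a profile author searching for the placeholder to replace will miss it, so it should read `# Firejail profile for PROGRAM_NAME`. The three comment lines around the globals include are also hard to parse (`# added by included profile` followed by `#NOTE: let include globals.local commented`); one line such as `# NOTE: keep 'include globals.local' commented out, the redirected profile already includes it` says the same thing more clearly and explains why. Since `ignore` directives only affect directives that come after them, it would help to state that explicitly next to the `# Ignore something that is in the included profile` block, e.g. `# ignore lines must come before the redirect include below`, so the block is not moved below `include PROFILE.profile` by a later edit; that ordering is implied by the template layout but not spelled out.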
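--- /dev/null
+++ b/etc/templates/syscalls.txt
@@ -0,0 +1,43 @@
+Hints for writing seccomp.drop lines
+====================================
+
+@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
+@module=delete_module,finit_module,init_module
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@reboot=kexec_load,kexec_file_load,reboot,
+@swap=swapon,swapoff
+
+@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+
+@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
+@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@resources=set_mempolicy,migrate_pages,move_pages,mbind
+
+@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+
+@default-nodebuggers=@default,ptrace,personality,process_vm_readv
+
+@default-keep=execve,prctl
+
+
++---------+----------------+---------------+
+| @clock | @cpu-emulation | @default-keep |
+| @module | @debug | |
+| @raw-io | @obsolete | |
+| @reboot | @resources | |
+| @swap | | |
++---------+----------------+---------------+
+: :
++-------------+ :
+| @privileged | :
++-------------+ :
+: :
++----------+ :
+| @default |........:
++----------+
+:
++----------------------+
+| @default-nodebuggers |
++----------------------+
+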