author | startx2017 <vradu.startx@yandex.com> | 2018-09-04 07:29:09 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2018-09-04 07:29:09 -0400 |
commit | d8c567ea0c6dc7d6d4722c1c7d0067113303948d (patch) | |
tree | abe4a87ca7ca89b7c137417abae8381e250d1220 /etc | |
parent | merge from mainline (diff) | |
mainline merge
Diffstat (limited to 'etc')
-rw-r--r-- | etc/0ad.profile | 1 | ||||
-rw-r--r-- | etc/JDownloader.profile | 51 | ||||
-rw-r--r-- | etc/awesome.profile | 19 | ||||
-rw-r--r-- | etc/blackbox.profile | 18 | ||||
-rw-r--r-- | etc/dig.profile | 47 | ||||
-rw-r--r-- | etc/disable-common.inc | 5 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/evince.profile | 2 | ||||
-rw-r--r-- | etc/firejail-default | 103 | ||||
-rw-r--r-- | etc/fluxbox.profile | 18 | ||||
-rw-r--r-- | etc/i3.profile | 18 | ||||
-rw-r--r-- | etc/jdownloader.profile | 10 | ||||
-rw-r--r-- | etc/spotify.profile | 2 | ||||
-rw-r--r-- | etc/whois.profile | 45 |
14 files changed, 271 insertions, 69 deletions
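--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -39,6 +39,7 @@ shell none
 tracelog
 
 disable-mnt
+private-bin 0ad,pyrogenesis,sh,which
 private-dev
 private-tmp
 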
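--- /dev/null
+++ b/etc/JDownloader.profile
@@ -0,0 +1,51 @@
+# Firejail profile for JDownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/JDownloader.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.jd
+
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+mkdir ${HOME}/.jd
+whitelist ${HOME}/.jd
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp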
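--- /dev/null
+++ b/etc/awesome.profile
@@ -0,0 +1,19 @@
+# Firejail profile for awesome
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/awesome.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.config/awesome
+include /etc/firejail/disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
+read-only ${HOME}/.config/awesome/autorun.sh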
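Review bot: `read-only ${HOME}/.config/awesome/autorun.sh` protects only the autorun script, while `rc.lua` in the same directory — the file awesome executes at startup and from which it can spawn programs — stays writable, because line 10 noblacklists the whole directory; since, as line 9 says, every application started from the window manager runs in this profile, any of them can still edit that autostart path. Unless awesome needs to write into its config directory at runtime, `read-only ${HOME}/.config/awesome` would close the gap in one line. The same gap, with no read-only rule at all, exists in blackbox.profile (`${HOME}/.blackbox`), fluxbox.profile (`${HOME}/.fluxbox`, whose `startup` script disable-common.inc previously blacklisted on its own) and i3.profile (`${HOME}/.config/i3`, whose `config` carries `exec` lines).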
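--- /dev/null
+++ b/etc/blackbox.profile
@@ -0,0 +1,18 @@
+# Firejail profile for blackbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/blackbox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.blackbox
+include /etc/firejail/disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+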
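Review bot: The `# Description:` line and the comment on line 9 were copied from awesome.profile without being adapted: blackbox is described with awesome's tagline, and the comment says applications "started in awesome" run in this profile. fluxbox.profile and i3.profile carry the identical copy-paste. Each file should name its own window manager, e.g. `# all applications started in blackbox will run in this profile`, and either describe blackbox itself or drop the description line.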
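--- /dev/null
+++ b/etc/dig.profile
@@ -0,0 +1,47 @@
+quiet
+# Firejail profile for dig
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/dig.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+# include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-xdg.inc
+
+whitelist ~/.digrc
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin sh,bash,dig
+private-cache
+private-dev
+# private-etc resolv.conf
+private-lib
+private-tmp
+
+memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp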
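Review bot: `whitelist ~/.digrc` on line 16 and `private` on line 37 work against each other: `private` replaces the home directory with an empty temporary one, so the user's `.digrc` will most likely not be visible in the sandbox at all (and firejail may refuse the combination — confirm against the targeted version). If honouring `~/.digrc` is the intent, drop `private` and keep the whitelist (with the whitelist-common include on line 17 doing the rest); otherwise drop the whitelist line, as whois.profile already does with the same `private` layout. The rest of the profile spells home as `${HOME}`, so `whitelist ${HOME}/.digrc` would match house style, and the commented-out includes on lines 10–14 mix `# include` and `#include` (the same in whois.profile) and are worth normalising.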
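--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -17,14 +17,17 @@ blacklist-nolog /tmp/clipmenu*
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
 blacklist ${HOME}/.Xsession
+blacklist ${HOME}/.blackbox
 blacklist ${HOME}/.config/autostart
 blacklist ${HOME}/.config/autostart-scripts
+blacklist ${HOME}/.config/awesome
+blacklist ${HOME}/.config/i3
 blacklist ${HOME}/.config/lxsession/LXDE/autostart
 blacklist ${HOME}/.config/openbox
 blacklist ${HOME}/.config/plasma-workspace
 blacklist ${HOME}/.config/startupconfig
 blacklist ${HOME}/.config/startupconfigkeys
-blacklist ${HOME}/.fluxbox/startup
+blacklist ${HOME}/.fluxbox
 blacklist ${HOME}/.gnomerc
 blacklist ${HOME}/.kde/Autostart
 blacklist ${HOME}/.kde/env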
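--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -287,6 +287,7 @@ blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.jack-server
 blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.java
+blacklist ${HOME}/.jd
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/digikam
 blacklist ${HOME}/.kde/share/apps/gwenview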
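--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -23,7 +23,7 @@ machine-id
 # net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-# nodbus
+nodbus
 nodvd
 nogroups
 nonewprivs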
diff --git a/etc/firejail-default b/etc/firejail-default index 09dc896e6..c4107270c 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
@@ -22,42 +22,30 @@ dbus, | |||
22 | 22 | ||
23 | ########## | 23 | ########## |
24 | # With ptrace it is possible to inspect and hijack running programs. Usually this | 24 | # With ptrace it is possible to inspect and hijack running programs. Usually this |
25 | # is needed only for debugging. To allow ptrace, uncomment the following line | 25 | # is needed only for debugging. To allow ptrace, uncomment the following line. |
26 | ########## | 26 | ########## |
27 | #ptrace, | 27 | #ptrace, |
28 | 28 | ||
29 | ########## | 29 | ########## |
30 | # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes | 30 | # Allow read access to whole filesystem and control it from firejail. |
31 | ########## | 31 | ########## |
32 | / r, | 32 | /{,**} rklm, |
33 | /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk, | ||
34 | /run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk, | ||
35 | 33 | ||
36 | /{,var/}run/ r, | 34 | ########## |
37 | /{,var/}run/** r, | 35 | # Allow write access to paths writable in firejail which aren't used for |
38 | /run/firejail/mnt/oroot/{,var/}run/ r, | 36 | # executing programs. /run, /proc and /sys are handled separately. |
39 | /run/firejail/mnt/oroot/{,var/}run/** r, | 37 | # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes. |
40 | 38 | ########## | |
41 | owner /{,var/}run/user/[0-9]*/** rw, | 39 | /{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w, |
42 | owner /{,var/}run/user/[0-9]*/*.slave-socket rwl, | ||
43 | owner /{,var/}run/user/[0-9]*/orcexec.* rwkm, | ||
44 | owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/** rw, | ||
45 | owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/*.slave-socket rwl, | ||
46 | owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/orcexec.* rwkm, | ||
47 | 40 | ||
48 | /{,var/}run/firejail/mnt/fslogger r, | 41 | ########## |
49 | /{,var/}run/firejail/appimage r, | 42 | # Whitelist writable paths under /run, /proc and /sys. |
50 | /{,var/}run/firejail/appimage/** r, | 43 | ########## |
51 | /{,var/}run/firejail/appimage/** ix, | 44 | owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w, |
52 | /run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r, | 45 | owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w, |
53 | /run/firejail/mnt/oroot/{,var/}run/firejail/appimage r, | 46 | owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w, |
54 | /run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r, | ||
55 | /run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix, | ||
56 | 47 | ||
57 | /{run,dev}/shm/ r, | 48 | owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w, |
58 | owner /{run,dev}/shm/** rmwk, | ||
59 | /run/firejail/mnt/oroot/{run,dev}/shm/ r, | ||
60 | owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | ||
61 | 49 | ||
62 | # Allow logging Firejail blacklist violations to journal | 50 | # Allow logging Firejail blacklist violations to journal |
63 | /{,var/}run/systemd/journal/socket w, | 51 | /{,var/}run/systemd/journal/socket w, |
@@ -66,58 +54,41 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | |||
66 | # Needed for wine | 54 | # Needed for wine |
67 | /{,var/}run/firejail/profile/@{PID} w, | 55 | /{,var/}run/firejail/profile/@{PID} w, |
68 | 56 | ||
69 | ########## | 57 | # Allow access to cups printing socket. |
70 | # Allow /proc and /sys read-only access. | 58 | /{,var/}run/cups/cups.sock w, |
71 | # Blacklisting is controlled from userspace Firejail. | 59 | |
72 | ########## | 60 | # Needed for firefox sandbox |
73 | /proc/ r, | ||
74 | /proc/** r, | ||
75 | /proc/[0-9]*/{uid_map,gid_map,setgroups} w, | 61 | /proc/[0-9]*/{uid_map,gid_map,setgroups} w, |
76 | # Uncomment to silence all denied write warnings | 62 | |
77 | #deny /proc/** w, | 63 | # Silence noise |
78 | deny /proc/@{PID}/oom_adj w, | 64 | deny /proc/@{PID}/oom_adj w, |
79 | deny /proc/@{PID}/oom_score_adj w, | 65 | deny /proc/@{PID}/oom_score_adj w, |
80 | 66 | ||
81 | /sys/ r, | ||
82 | /sys/** r, | ||
83 | # Uncomment to silence all denied write warnings | 67 | # Uncomment to silence all denied write warnings |
84 | #deny /sys/** w, | 68 | #deny /proc/** w, |
85 | 69 | ||
86 | # Blacklist snapshots | 70 | # Uncomment to silence all denied write warnings |
87 | deny /**/.snapshots/ rwx, | 71 | #deny /sys/** w, |
88 | 72 | ||
89 | ########## | 73 | ########## |
90 | # Allow running programs only from well-known system directories. If you need | 74 | # Allow running programs only from well-known system directories. If you need |
91 | # to run programs from your home directory, uncomment /home line. | 75 | # to run programs from your home directory, uncomment /home line. |
92 | ########## | 76 | ########## |
93 | /lib/** ix, | 77 | /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix, |
94 | /lib64/** ix, | 78 | /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix, |
95 | /bin/** ix, | 79 | /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix, |
96 | /sbin/** ix, | 80 | /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix, |
97 | /usr/bin/** ix, | 81 | /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix, |
98 | /usr/sbin/** ix, | 82 | #/{,run/firejail/mnt/oroot/}home/** ix, |
99 | /usr/local/** ix, | 83 | |
100 | /usr/lib/** ix, | 84 | # Appimage support |
101 | /usr/lib64/** ix, | 85 | /{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix, |
102 | /usr/games/** ix, | ||
103 | /opt/** ix, | ||
104 | #/home/** ix, | ||
105 | /run/firejail/mnt/oroot/lib/** ix, | ||
106 | /run/firejail/mnt/oroot/lib64/** ix, | ||
107 | /run/firejail/mnt/oroot/bin/** ix, | ||
108 | /run/firejail/mnt/oroot/sbin/** ix, | ||
109 | /run/firejail/mnt/oroot/usr/bin/** ix, | ||
110 | /run/firejail/mnt/oroot/usr/sbin/** ix, | ||
111 | /run/firejail/mnt/oroot/usr/local/** ix, | ||
112 | /run/firejail/mnt/oroot/usr/lib/** ix, | ||
113 | /run/firejail/mnt/oroot/usr/lib64/** ix, | ||
114 | /run/firejail/mnt/oroot/usr/games/** ix, | ||
115 | /run/firejail/mnt/oroot/opt/** ix, | ||
116 | 86 | ||
117 | ########## | 87 | ########## |
118 | # Allow access to cups printing socket. | 88 | # Blacklist specific sensitive paths. |
119 | ########## | 89 | ########## |
120 | /run/cups/cups.sock w, | 90 | # Common backup directory |
91 | deny /**/.snapshots/ rwx, | ||
121 | 92 | ||
122 | ########## | 93 | ########## |
123 | # Allow all networking functionality, and control it from Firejail. | 94 | # Allow all networking functionality, and control it from Firejail. |
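Review bot: `/{,**} rklm,` now grants `m` (mmap with PROT_EXEC) and `k` on every readable path, including /proc, /sys and /run, where the previous rules allowed only `r`; the one place under /run that needed `m` was `orcexec.*` under /run/user, whose rule has been reduced to `w` on the assumption the global line covers it. If widening `m` to the whole tree is deliberate, the "Allow read access to whole filesystem" block should say so; otherwise `/{,**} rkl,` plus an explicit `m` entry for the orcexec files keeps the earlier exposure. Separately, `/proc/[0-9]*/{uid_map,gid_map,setgroups} w,` (carried over, now labelled "Needed for firefox sandbox") permits writing those maps for any pid rather than the sandboxed process's own children; an `owner` qualifier would likely suffice, since writer and target share a uid, but confirm against the firefox sandbox before tightening.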
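--- /dev/null
+++ b/etc/fluxbox.profile
@@ -0,0 +1,18 @@
+# Firejail profile for fluxbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/fluxbox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.fluxbox
+include /etc/firejail/disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+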
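--- /dev/null
+++ b/etc/i3.profile
@@ -0,0 +1,18 @@
+# Firejail profile for i3
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/i3.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.config/i3
+include /etc/firejail/disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+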
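--- /dev/null
+++ b/etc/jdownloader.profile
@@ -0,0 +1,10 @@
+# Firejail profile for jdownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/jdownloader.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/JDownloader.profile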
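--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -45,7 +45,7 @@ tracelog
 disable-mnt
 private-bin spotify,bash,sh,zenity
 private-dev
-private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt spotify
 private-tmp
 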
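--- /dev/null
+++ b/etc/whois.profile
@@ -0,0 +1,45 @@
+quiet
+# Firejail profile for whois
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/whois.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+# include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-xdg.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin sh,bash,whois
+private-cache
+private-dev
+# private-etc hosts,services,whois.conf
+private-lib
+private-tmp
+
+memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp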