author | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-06-20 12:46:24 +0200 |
---|---|---|
committer | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-06-20 12:46:24 +0200 |
commit | 4429e6fcafb2558661faad9a787281cb5ce6540e (patch) | |
tree | a21f6cb0092e3c3e3d8d30991e6a5b4e4facfae8 /etc | |
parent | add 'x11 none' to more profiles with 'net none' (diff) | |
Improve profile.template
* uncomment .local includes
* add options
* ##ignore noexec /tmp
* ##caps.keep CAPS
* ##hostname NAME
* ##writable-etc
* ##writable-run-user
* ##writable-var
* ##writable-var-log
* add disable x11
* x11 none
* blacklist /tmp/.X11-unix
* comment on when each of the two options should be used
* sort private-etc template Common
* add comments
* machine-id: breaks sound and sometime dbus related functions
* private-bin: python should be added by 'python*'
* protocol: auxiliary comment for protocol line
* add 'packet' to protocol list
* Sections structure: OPTIONS: now has seccomp* instead of seccomp
Diffstat (limited to 'etc')
-rw-r--r-- | etc/templates/profile.template | 28 |
1 files changed, 23 insertions, 5 deletions
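--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -30,7 +30,7 @@
 # MKDIRS
 # WHITELISTS
 # WHITELIST INCLUDES
-# OPTIONS (caps*, net*, no*, protocol, seccomp, shell none, tracelog)
+# OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
 # PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
 # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
 # REDIRECT INCLUDES
@@ -49,13 +49,16 @@
 # --- CUT HERE ---
 ##quiet
 # Persistent local customizations
-#include PROFILE.local
+include PROFILE.local
 # Persistent global definitions
-#include globals.local
+include globals.local
 
 ##ignore noexec ${HOME}
+##ignore noexec /tmp
 
 ##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix
 
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@@ -105,8 +108,11 @@
 
 #apparmor
 #caps.drop all
+##caps.keep CAPS
+##hostname NAME
 # CLI only
 ##ipc-namespace
+# breaks sound and sometime dbus related functions
 #machine-id
 # 'net none' or 'netfilter'
 #net none
@@ -121,20 +127,28 @@
 #notv
 #nou2f
 #novideo
-#protocol unix,inet,inet6,netlink
+# Remove every not needed protocol
+# - unix is usually needed
+# - inet,inet6 only if internet access is requiered (see 'net none'/'netfilter' above)
+# - netlink is rarely needed
+# - packet almost never
+#protocol unix,inet,inet6,netlink,packet
 #seccomp
 ##seccomp.drop SYSCALLS (see also syscalls.txt)
 #shell none
 #tracelog
+# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+##x11 none
 
 #disable-mnt
 ##private
+# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
 #private-bin PROGRAMS
 #private-cache
 #private-dev
 #private-etc FILES
 # private-etc templates (see also #1734, #2093)
-# Common: ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,alternatives,mime.types,xdg
+# Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
 # Extra: magic,magic.mgc,passwd,group
 # Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
 # Extra: proxychains.conf,gai.conf
@@ -148,6 +162,10 @@
 ##private-lib LIBS
 ##private-opt NAME
 #private-tmp
+##writable-etc
+##writable-run-user
+##writable-var
+##writable-var-log
 
 ##env VAR=VALUE
 #memory-deny-write-execute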
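Review bot: The new comment above `#blacklist /tmp/.X11-unix` (new line 60) should say why this is the weaker of the two X11 options, since profile authors copy this template as-is: blacklisting the socket directory hides only the filesystem socket, while the X server's abstract Unix socket stays reachable unless the sandbox also gets its own network namespace, which is presumably why the later comment (new line 140) ties 'x11 none' to 'net none'. Consider `# Disable X11 (CLI only): hides only the socket file; combine with 'net none' (or use 'x11 none' below) to also cut the abstract socket`. In the same section, the 'caps.drop all' / '##caps.keep CAPS' pair (new lines 110-111) would benefit from an either/or note in the style of the existing `# 'net none' or 'netfilter'` line, e.g. `# 'caps.drop all' or 'caps.keep CAPS'`, as both directives are alternatives rather than a stack. The protocol comment at new line 132 has a typo, 'requiered'.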