author | netblue30 <netblue30@yahoo.com> | 2016-11-20 11:19:25 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-11-20 11:19:25 -0500 |
commit | aaa9bcb02fae1eb9ffb765080d6b466f52918285 (patch) | |
tree | 9cca4deb274e5d4270bb2782cd4b69e740ae90f1 /etc | |
parent | Merge pull request #924 from valoq/master (diff) | |
profiles
Diffstat (limited to 'etc')
-rw-r--r-- | etc/default.profile | 7 | ||||
-rw-r--r-- | etc/mupdf.profile | 8 |
2 files changed, 10 insertions, 5 deletions
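--- a/etc/default.profile
+++ b/etc/default.profile
@@ -7,13 +7,16 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
-shell none
 
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# nogroups
+# shell none
 # private-bin program
 # private-etc none
 # private-dev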
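Review bot: `nogroups` and `shell none` move from active directives into the commented-out optional list, so every program that falls back to the default profile now keeps the user's supplementary groups and is launched through a shell, and neither the commit message nor the new comment block records why. I would put the trade-off next to the list, for example `# nogroups and shell none are off by default for compatibility; enable them when the program runs without supplementary groups and without a shell`, adjusted to whatever the actual reason was. The added comment line also has a typo and should read `# depending on your usage, you can enable some of the commands below:`.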
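--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -16,9 +16,6 @@ net none
 shell none
 tracelog
 
-#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
-
-private-bin mupdf,sh,tempfile,rm
 private-tmp
 private-dev
 private-etc fonts
@@ -26,3 +23,8 @@ private-etc fonts
 # mupdf will never write anything
 read-only ${HOME}
 
+#
+# Experimental:
+#
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# private-bin mupdf,sh,tempfile,rm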
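Review bot: `private-bin mupdf,sh,tempfile,rm` was the only active directive among the two lines moved under `# Experimental:` (the `seccomp.keep` list was already commented out), so this commit stops restricting which executables are visible inside the mupdf sandbox, and nothing records what failed with the restricted set. A short comment on that line, such as `# private-bin disabled: REASON (what broke, on which system)`, would let someone re-enable it once the cause is fixed. The two commented directives also differ in style (`#seccomp.keep` against `# private-bin`), which makes it harder to uncomment them mechanically. If the `seccomp.keep` list is revisited, it looks worth checking whether `execve`, `unshare` and `setresuid`/`setresgid` still need to be allowed with `shell none` set in the first hunk's context.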