fdns profile

author: netblue30 <netblue30@yahoo.com> 2020-04-07 19:52:56 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-04-07 19:52:56 -0400
commit: 7373cf31d4ba6638c0477a254f62552556921521 (patch)
tree: 5c63852fb86899be8483e99ad11e530f15329b3f /etc
parent: Update support/EOL information (diff)
download: firejail-7373cf31d4ba6638c0477a254f62552556921521.tar.gz
firejail-7373cf31d4ba6638c0477a254f62552556921521.tar.zst
firejail-7373cf31d4ba6638c0477a254f62552556921521.zip
2 files changed, 76 insertions, 1 deletions
diff --git a/etc/fdns.profile b/etc/fdns.profile
new file mode 100644
index 000000000..2ab69cd5b
--- /dev/null
+++ b/etc/fdns.profile
@@ -0,0 +1,52 @@
+# Firejail profile for server
+# This file is overwritten after every install/update
+# Persistent local customizations
+include server.local
+# Persistent global definitions
+include globals.local
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+#
+noblacklist /sbin
+noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.keep chown,kill,setgid,setuid,net_bind_service,net_admin,sys_chroot,sys_admin,syslog
+ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+#seccomp
+#shell none
+disable-mnt
+private
+private-bin fdns,bash,sh
+# private-cache
+private-dev
+# private-etc alternatives
+# private-lib
+private-tmp
+protocol unix,inet,inet6
+memory-deny-write-execute
diff --git a/etc/server.profile b/etc/server.profile
index bee8df932..5bc4735ae 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -1,4 +1,27 @@
-# Firejail profile for server
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+#       $ sudo firejail
+#       [sudo] password for netblue:
+#       Reading profile /etc/firejail/server.profile
+#       Reading profile /etc/firejail/disable-common.inc
+#       Reading profile /etc/firejail/disable-passwdmgr.inc
+#       Reading profile /etc/firejail/disable-programs.inc
+#
+#       ** Note: you can use --noprofile to disable server.profile **
+#
+#       Parent pid 5347, child pid 5348
+#       The new log directory is /proc/5348/root/var/log
+#       Child process initialized in 64.43 ms
+#       root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
 # This file is overwritten after every install/update
 # Persistent local customizations
 include server.local
author	netblue30 <netblue30@yahoo.com>	2020-04-07 19:52:56 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-04-07 19:52:56 -0400
commit	7373cf31d4ba6638c0477a254f62552556921521 (patch)
tree	5c63852fb86899be8483e99ad11e530f15329b3f /etc
parent	Update support/EOL information (diff)
download	firejail-7373cf31d4ba6638c0477a254f62552556921521.tar.gz firejail-7373cf31d4ba6638c0477a254f62552556921521.tar.zst firejail-7373cf31d4ba6638c0477a254f62552556921521.zip

diff --git a/etc/fdns.profile b/etc/fdns.profile new file mode 100644 index 000000000..2ab69cd5b --- /dev/null +++ b/etc/fdns.profile
@@ -0,0 +1,52 @@
		1	# Firejail profile for server
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include server.local
		5	# Persistent global definitions
		6	include globals.local
		7
		8	# generic server profile
		9	# it allows /sbin and /usr/sbin directories - this is where servers are installed
		10	# depending on your usage, you can enable some of the commands below:
		11	#
		12	noblacklist /sbin
		13	noblacklist /usr/sbin
		14
		15	blacklist /tmp/.X11-unix
		16	blacklist ${RUNUSER}/wayland-*
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-exec.inc
		21	include disable-interpreters.inc
		22	include disable-passwdmgr.inc
		23	include disable-programs.inc
		24	include disable-xdg.inc
		25
		26	caps.keep chown,kill,setgid,setuid,net_bind_service,net_admin,sys_chroot,sys_admin,syslog
		27
		28	ipc-namespace
		29	# netfilter /etc/firejail/webserver.net
		30	no3d
		31	nodvd
		32	nogroups
		33	nonewprivs
		34	# noroot
		35	nosound
		36	notv
		37	nou2f
		38	novideo
		39	#seccomp
		40	#shell none
		41
		42	disable-mnt
		43	private
		44	private-bin fdns,bash,sh
		45	# private-cache
		46	private-dev
		47	# private-etc alternatives
		48	# private-lib
		49	private-tmp
		50
		51	protocol unix,inet,inet6
		52	memory-deny-write-execute


diff --git a/etc/server.profile b/etc/server.profile index bee8df932..5bc4735ae 100644 --- a/etc/server.profile +++ b/etc/server.profile
@@ -1,4 +1,27 @@
1	# Firejail profile for server	1	# Generic Firejail profile for servers started as root
		2	#
		3	# This profile is used as a default when starting the sandbox as root.
		4	# Example:
		5	#
		6	# $ sudo firejail
		7	# [sudo] password for netblue:
		8	# Reading profile /etc/firejail/server.profile
		9	# Reading profile /etc/firejail/disable-common.inc
		10	# Reading profile /etc/firejail/disable-passwdmgr.inc
		11	# Reading profile /etc/firejail/disable-programs.inc
		12	#
		13	# Note: you can use --noprofile to disable server.profile
		14	#
		15	# Parent pid 5347, child pid 5348
		16	# The new log directory is /proc/5348/root/var/log
		17	# Child process initialized in 64.43 ms
		18	# root@debian:~#
		19	#
		20	# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
		21	# All the rules for regular user profiles apply with the exception of
		22	# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
		23	# by default for root user.
		24
2	# This file is overwritten after every install/update	25	# This file is overwritten after every install/update
3	# Persistent local customizations	26	# Persistent local customizations
4	include server.local	27	include server.local