authorLibravatar netblue30 <netblue30@protonmail.com>2021-05-12 15:59:31 -0400
committerLibravatar netblue30 <netblue30@protonmail.com>2021-05-12 15:59:31 -0400
commit13e699fe26cc0eda1d7cd1f214d2909e08a1dc58 (patch)
treed45983d62b3286f10391c062fa7df7c68ca66986 /src/fbuilder/build_profile.c
parentUpdate dino.profile (diff)
more --build
Diffstat (limited to 'src/fbuilder/build_profile.c')
-rw-r--r--src/fbuilder/build_profile.c44
1 files changed, 28 insertions, 16 deletions
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index fb53f70a6..1726b4dbb 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -145,9 +145,9 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
145 fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); 145 fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
146 fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); 146 fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
147 fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n"); 147 fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n");
148 fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n"); 148 fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n");
149 149
150 fprintf(fp, "\n# Firejail profile for %s\n", argv[index]); 150 fprintf(fp, "# Firejail profile for %s\n", argv[index]);
151 fprintf(fp, "# Persistent local customizations\n"); 151 fprintf(fp, "# Persistent local customizations\n");
152 fprintf(fp, "#include %s.local\n", argv[index]); 152 fprintf(fp, "#include %s.local\n", argv[index]);
153 fprintf(fp, "# Persistent global definitions\n"); 153 fprintf(fp, "# Persistent global definitions\n");
@@ -164,6 +164,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
164 fprintf(fp, "#include disable-interpreters.inc\n"); 164 fprintf(fp, "#include disable-interpreters.inc\n");
165 fprintf(fp, "include disable-passwdmgr.inc\n"); 165 fprintf(fp, "include disable-passwdmgr.inc\n");
166 fprintf(fp, "include disable-programs.inc\n"); 166 fprintf(fp, "include disable-programs.inc\n");
167 fprintf(fp, "#include disable-shell.inc\n");
167 fprintf(fp, "#include disable-xdg.inc\n"); 168 fprintf(fp, "#include disable-xdg.inc\n");
168 fprintf(fp, "\n"); 169 fprintf(fp, "\n");
169 170
@@ -171,29 +172,27 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
171 fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n"); 172 fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n");
172 fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n"); 173 fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n");
173 build_home(trace_output, fp); 174 build_home(trace_output, fp);
175 fprintf(fp, "\n");
174 176
175 fprintf(fp, "\n### The Rest of the Filesystem ###\n"); 177 fprintf(fp, "### Filesystem Whitelisting ###\n");
176 build_share(trace_output, fp); 178 build_share(trace_output, fp);
179 //todo: include whitelist-runuser-common.inc
177 build_var(trace_output, fp); 180 build_var(trace_output, fp);
178 build_bin(trace_output, fp); 181 fprintf(fp, "\n");
179 build_dev(trace_output, fp);
180 fprintf(fp, "#nodvd\n");
181 fprintf(fp, "#noinput\n");
182 fprintf(fp, "#notv\n");
183 fprintf(fp, "#nou2f\n");
184 fprintf(fp, "#novideo\n");
185 build_etc(trace_output, fp);
186 build_tmp(trace_output, fp);
187 182
188 fprintf(fp, "\n### Security Filters ###\n");
189 fprintf(fp, "#apparmor\n"); 183 fprintf(fp, "#apparmor\n");
190 fprintf(fp, "caps.drop all\n"); 184 fprintf(fp, "caps.drop all\n");
185 fprintf(fp, "ipc-namespace\n");
191 fprintf(fp, "netfilter\n"); 186 fprintf(fp, "netfilter\n");
187 fprintf(fp, "#nodvd\n");
192 fprintf(fp, "#nogroups\n"); 188 fprintf(fp, "#nogroups\n");
193 fprintf(fp, "#noroot\n"); 189 fprintf(fp, "#noinput\n");
194 fprintf(fp, "nonewprivs\n"); 190 fprintf(fp, "nonewprivs\n");
191 fprintf(fp, "noroot\n");
192 fprintf(fp, "#notv\n");
193 fprintf(fp, "#nou2f\n");
194 fprintf(fp, "#novideo\n");
195 build_protocol(trace_output, fp); 195 build_protocol(trace_output, fp);
196
197 fprintf(fp, "seccomp\n"); 196 fprintf(fp, "seccomp\n");
198 if (!have_strace) { 197 if (!have_strace) {
199 fprintf(fp, "### If you install strace on your system, Firejail will also create a\n"); 198 fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
@@ -203,8 +202,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
203 fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n"); 202 fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
204 else 203 else
205 build_seccomp(strace_output, fp); 204 build_seccomp(strace_output, fp);
206 fprintf(fp, "#shell none\n"); 205 fprintf(fp, "shell none\n");
207 fprintf(fp, "#tracelog\n"); 206 fprintf(fp, "#tracelog\n");
207 fprintf(fp, "\n");
208
209 fprintf(fp, "#disable-mnt\n");
210 build_bin(trace_output, fp);
211 fprintf(fp, "#private-lib\n");
212 build_dev(trace_output, fp);
213 build_etc(trace_output, fp);
214 build_tmp(trace_output, fp);
215 fprintf(fp, "\n");
216
217 fprintf(fp, "#dbus-user none\n");
218 fprintf(fp, "#dbus-system none\n");
219 fprintf(fp, "#memory-deny-write-execute\n");
208 220
209 if (!arg_debug) { 221 if (!arg_debug) {
210 unlink(trace_output); 222 unlink(trace_output);
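Review bot: The `### Security Filters ###` header emitted at old line 188 is dropped without a replacement, so in the generated profile the `#apparmor`/`caps.drop all`/`ipc-namespace`/`noroot` run at new lines 183-196 and the `#disable-mnt`/`#private-lib` run at new lines 209-214 follow the `### Filesystem Whitelisting ###` block with no label, unlike every other section this function writes; restoring `fprintf(fp, "### Security Filters ###\n");` before `#apparmor` and adding `fprintf(fp, "### Private Directories ###\n");` before `#disable-mnt` keeps the template consistent. `ipc-namespace`, `noroot` and `shell none` are now written uncommented (new lines 185, 191, 205) where the old template left them opt-in, so a profile built for an application that presumably relies on System V IPC, a setuid helper or a shell wrapper will fail at first run with no pointer to the cause; a generated comment such as `# If the application fails to start, comment out ipc-namespace, noroot and shell none first` beside them would match the "If something goes wrong" guidance this template already gives for the home section. The `//todo: include whitelist-runuser-common.inc` at new line 179 is a note inside the generator that users of `--build` never see; if that include is appropriate here, emitting it as `fprintf(fp, "#include whitelist-runuser-common.inc\n");` puts the same hint into the profile in the commented-out form the other optional includes use. The dropped `#nodvd`/`#noinput`/`#notv`/`#nou2f`/`#novideo` lines reappear at new lines 187-194, so that part is a pure reorder.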