-rw-r--r-- | etc/k3b.profile | 13 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 |
3 files changed, 13 insertions, 7 deletions
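--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -20,17 +20,18 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-caps.drop all
+caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource
+# net none
 netfilter
 no3d
-nonewprivs
-noroot
+# nonewprivs - breaks privileged helpers
+# noroot - breaks privileged helpers
 nosound
 notv
 novideo
-protocol unix
-seccomp
+# protocol unix - breaks privileged helpers
+# seccomp - breaks privileged helpers
 shell none
-tracelog
 
+private-dev
 # private-tmp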
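Review bot: The new caps.keep line together with the disabled noroot, nonewprivs, seccomp and protocol lines widens this sandbox considerably, and the four `# … - breaks privileged helpers` comments do not say which helper needs which option, so the next maintainer cannot tell whether any of them can be re-enabled. I would name the helpers once above the block, e.g. `# The options below are disabled because k3b's privileged helpers fail under them (see <issue-placeholder>); re-test each before re-enabling`, and keep the per-line comments short. sys_rawio in the kept set grants raw device I/O, so a note on which helper requires it would help a later review tighten the list. The added `# net none` line also arrives commented out with no reason given; either state why it is off or drop it.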
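--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -143,6 +143,10 @@ static int check_appimage(void) {
 	return arg_appimage != 0;
 }
 
+static int check_netoptions(void) {
+	return (arg_nonetwork || any_bridge_configured());
+}
+
 static int check_nodbus(void) {
 	return arg_nodbus != 0;
 }
@@ -161,6 +165,7 @@ static int check_allow_drm(void) {
 
 Cond conditionals[] = {
 	{"HAS_APPIMAGE", check_appimage},
+	{"HAS_NET", check_netoptions},
 	{"HAS_NODBUS", check_nodbus},
 	{"HAS_X11", check_x11},
 	{"BROWSER_DISABLE_U2F", check_disable_u2f},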
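Review bot: The name HAS_NET reads as "the sandbox has networking", but check_netoptions also returns true for `arg_nonetwork`, i.e. when networking is disabled with --net=none; the conditional actually means "some network option was given", and a profile author relying on the intuitive reading would apply lines in exactly the wrong case. A comment on the function should pin that down before profiles depend on it: `// HAS_NET: true when any network option is active (--net=none or a configured bridge), not when the sandbox is connected`. The man page hunk in this commit only lists the name, so the same one-line meaning belongs there too. The neighbouring check_* helpers return `arg_x != 0`; `return arg_nonetwork != 0 || any_bridge_configured();` would match that style and drop the redundant parentheses.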
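--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -103,7 +103,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NODBUS and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.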