-rw-r--r-- | etc/disable-interpreters.inc | 3 | ||||
-rw-r--r-- | etc/fdns.profile | 14 | ||||
-rw-r--r-- | etc/scorched3d-wrapper.profile | 2 |
3 files changed, 11 insertions, 8 deletions
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc index 495a75a54..59e9c7de3 100644 --- a/etc/disable-interpreters.inc +++ b/etc/disable-interpreters.inc | |||
@@ -17,6 +17,9 @@ blacklist /usr/lib/liblua* | |||
17 | blacklist /usr/lib/lua | 17 | blacklist /usr/lib/lua |
18 | blacklist /usr/share/lua* | 18 | blacklist /usr/share/lua* |
19 | 19 | ||
20 | # mozjs | ||
21 | blacklist /usr/lib64/libmozjs-* | ||
22 | |||
20 | # Node.js | 23 | # Node.js |
21 | blacklist ${PATH}/node | 24 | blacklist ${PATH}/node |
22 | blacklist /usr/include/node | 25 | blacklist /usr/include/node |
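Review bot: The new mozjs entry on line 21 blacklists only `/usr/lib64/libmozjs-*`, while the neighbouring Lua entries (`blacklist /usr/lib/liblua*`, `blacklist /usr/lib/lua`) cover the `/usr/lib` layout, so on distributions that ship the library under `/usr/lib` or a multiarch directory the new rule matches nothing and SpiderMonkey stays reachable inside the sandbox. Unless the lib64-only path is deliberate, add `blacklist /usr/lib/libmozjs-*` next to it (plus a multiarch pattern if the rest of this file uses one — the visible hunk does not show that). A blacklist is a path-hiding measure rather than a hard block, so this is defence in depth, but a rule that silently never matches on most systems gives a false sense of coverage.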
diff --git a/etc/fdns.profile b/etc/fdns.profile index 4b266f7f8..179540806 100644 --- a/etc/fdns.profile +++ b/etc/fdns.profile | |||
@@ -1,14 +1,10 @@ | |||
1 | # Firejail profile for server | 1 | # Firejail profile for server |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include server.local | 4 | include fdns.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # generic server profile | ||
9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed | ||
10 | # depending on your usage, you can enable some of the commands below: | ||
11 | # | ||
12 | noblacklist /sbin | 8 | noblacklist /sbin |
13 | noblacklist /usr/sbin | 9 | noblacklist /usr/sbin |
14 | 10 | ||
@@ -23,8 +19,10 @@ include disable-passwdmgr.inc | |||
23 | include disable-programs.inc | 19 | include disable-programs.inc |
24 | include disable-xdg.inc | 20 | include disable-xdg.inc |
25 | 21 | ||
26 | caps.keep chown,kill,net_admin,net_bind_service,setgid,setuid,sys_admin,sys_chroot,syslog | 22 | #include whitelist-usr-share-common.inc |
23 | #include whitelist-var-common.inc | ||
27 | 24 | ||
25 | caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot | ||
28 | ipc-namespace | 26 | ipc-namespace |
29 | # netfilter /etc/firejail/webserver.net | 27 | # netfilter /etc/firejail/webserver.net |
30 | no3d | 28 | no3d |
@@ -36,6 +34,7 @@ nosound | |||
36 | notv | 34 | notv |
37 | nou2f | 35 | nou2f |
38 | novideo | 36 | novideo |
37 | protocol unix,inet,inet6 | ||
39 | #seccomp | 38 | #seccomp |
40 | #shell none | 39 | #shell none |
41 | 40 | ||
@@ -44,9 +43,8 @@ private | |||
44 | private-bin bash,fdns,sh | 43 | private-bin bash,fdns,sh |
45 | # private-cache | 44 | # private-cache |
46 | private-dev | 45 | private-dev |
47 | # private-etc alternatives | 46 | private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl |
48 | # private-lib | 47 | # private-lib |
49 | private-tmp | 48 | private-tmp |
50 | 49 | ||
51 | protocol unix,inet,inet6 | ||
52 | memory-deny-write-execute | 50 | memory-deny-write-execute |
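Review bot: `caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot` on new line 25 still retains sys_admin, which is broad enough to undo most of what dropping chown, net_admin and syslog gains, and `#seccomp` on line 38 stays commented out, so no syscall filter backs the capability set. If fdns only needs sys_admin for its chroot or namespace setup, it is worth checking whether sys_chroot alone suffices and, if not, recording the reason beside the line with a comment such as `# sys_admin required for <operation> — verify against fdns source`; I cannot tell from the hunk what fdns actually requires. Enabling `seccomp` (or a `seccomp !...` form that keeps only the syscalls fdns needs) would bound what a compromised process can do with the capabilities that remain. The populated `private-etc` list on line 46 is a clear improvement over the previous commented-out placeholder.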
diff --git a/etc/scorched3d-wrapper.profile b/etc/scorched3d-wrapper.profile index 3eed8842b..9cbb19bff 100644 --- a/etc/scorched3d-wrapper.profile +++ b/etc/scorched3d-wrapper.profile | |||
@@ -1,5 +1,7 @@ | |||
1 | # Firejail profile for scorched3d | 1 | # Firejail profile for scorched3d |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include scorched3d-wrapper.local | ||
3 | 5 | ||
4 | # Redirect | 6 | # Redirect |
5 | include scorched3d.profile | 7 | include scorched3d.profile |