4 files changed, 85 insertions, 4 deletions
diff --git a/README.md b/README.md
index 1f4fafe45..eb576d5f3 100644
--- a/README.md
+++ b/README.md
@@ -180,5 +180,11 @@ Run ./profstats -h for help.
 ### New profiles:
-gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal,
+gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et,
-gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer, penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop
+multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl,
+muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal,
+gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer,
+penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
+four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
+hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
+seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop,,fdns
diff --git a/RELNOTES b/RELNOTES
index 0d1f435f9..7cad9c257 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -27,7 +27,7 @@ firejail (0.9.63) baseline; urgency=low
  * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
  * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
  * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more
-  * new profiles: swell-foop
+  * new profiles: swell-foop, fdns
 firejail (0.9.62) baseline; urgency=low
  * added file-copy-limit in /etc/firejail/firejail.config
diff --git a/etc/fdns.profile b/etc/fdns.profile
new file mode 100644
index 000000000..2ab69cd5b
--- /dev/null
+++ b/etc/fdns.profile
@@ -0,0 +1,52 @@
+# Firejail profile for server
+# This file is overwritten after every install/update
+# Persistent local customizations
+include server.local
+# Persistent global definitions
+include globals.local
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+#
+noblacklist /sbin
+noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.keep chown,kill,setgid,setuid,net_bind_service,net_admin,sys_chroot,sys_admin,syslog
+ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+#seccomp
+#shell none
+disable-mnt
+private
+private-bin fdns,bash,sh
+# private-cache
+private-dev
+# private-etc alternatives
+# private-lib
+private-tmp
+protocol unix,inet,inet6
+memory-deny-write-execute
diff --git a/etc/server.profile b/etc/server.profile
index bee8df932..5bc4735ae 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -1,4 +1,27 @@
-# Firejail profile for server
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+#       $ sudo firejail
+#       [sudo] password for netblue:
+#       Reading profile /etc/firejail/server.profile
+#       Reading profile /etc/firejail/disable-common.inc
+#       Reading profile /etc/firejail/disable-passwdmgr.inc
+#       Reading profile /etc/firejail/disable-programs.inc
+#
+#       ** Note: you can use --noprofile to disable server.profile **
+#
+#       Parent pid 5347, child pid 5348
+#       The new log directory is /proc/5348/root/var/log
+#       Child process initialized in 64.43 ms
+#       root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
 # This file is overwritten after every install/update
 # Persistent local customizations
 include server.local

diff --git a/README.md b/README.md index 1f4fafe45..eb576d5f3 100644 --- a/README.md +++ b/README.md
@@ -180,5 +180,11 @@ Run ./profstats -h for help.
180		180
181	### New profiles:	181	### New profiles:
182		182
183	gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal,	183	gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et,
184	gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer, penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop	184	multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl,
		185	muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal,
		186	gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer,
		187	penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
		188	four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
		189	hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
		190	seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop,,fdns


diff --git a/RELNOTES b/RELNOTES index 0d1f435f9..7cad9c257 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -27,7 +27,7 @@ firejail (0.9.63) baseline; urgency=low
27	* new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless	27	* new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
28	* new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers	28	* new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
29	* new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more	29	* new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more
30	* new profiles: swell-foop	30	* new profiles: swell-foop, fdns
31		31
32	firejail (0.9.62) baseline; urgency=low	32	firejail (0.9.62) baseline; urgency=low
33	* added file-copy-limit in /etc/firejail/firejail.config	33	* added file-copy-limit in /etc/firejail/firejail.config


diff --git a/etc/fdns.profile b/etc/fdns.profile new file mode 100644 index 000000000..2ab69cd5b --- /dev/null +++ b/etc/fdns.profile
@@ -0,0 +1,52 @@
		1	# Firejail profile for server
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include server.local
		5	# Persistent global definitions
		6	include globals.local
		7
		8	# generic server profile
		9	# it allows /sbin and /usr/sbin directories - this is where servers are installed
		10	# depending on your usage, you can enable some of the commands below:
		11	#
		12	noblacklist /sbin
		13	noblacklist /usr/sbin
		14
		15	blacklist /tmp/.X11-unix
		16	blacklist ${RUNUSER}/wayland-*
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-exec.inc
		21	include disable-interpreters.inc
		22	include disable-passwdmgr.inc
		23	include disable-programs.inc
		24	include disable-xdg.inc
		25
		26	caps.keep chown,kill,setgid,setuid,net_bind_service,net_admin,sys_chroot,sys_admin,syslog
		27
		28	ipc-namespace
		29	# netfilter /etc/firejail/webserver.net
		30	no3d
		31	nodvd
		32	nogroups
		33	nonewprivs
		34	# noroot
		35	nosound
		36	notv
		37	nou2f
		38	novideo
		39	#seccomp
		40	#shell none
		41
		42	disable-mnt
		43	private
		44	private-bin fdns,bash,sh
		45	# private-cache
		46	private-dev
		47	# private-etc alternatives
		48	# private-lib
		49	private-tmp
		50
		51	protocol unix,inet,inet6
		52	memory-deny-write-execute


diff --git a/etc/server.profile b/etc/server.profile index bee8df932..5bc4735ae 100644 --- a/etc/server.profile +++ b/etc/server.profile
@@ -1,4 +1,27 @@
1	# Firejail profile for server	1	# Generic Firejail profile for servers started as root
		2	#
		3	# This profile is used as a default when starting the sandbox as root.
		4	# Example:
		5	#
		6	# $ sudo firejail
		7	# [sudo] password for netblue:
		8	# Reading profile /etc/firejail/server.profile
		9	# Reading profile /etc/firejail/disable-common.inc
		10	# Reading profile /etc/firejail/disable-passwdmgr.inc
		11	# Reading profile /etc/firejail/disable-programs.inc
		12	#
		13	# Note: you can use --noprofile to disable server.profile
		14	#
		15	# Parent pid 5347, child pid 5348
		16	# The new log directory is /proc/5348/root/var/log
		17	# Child process initialized in 64.43 ms
		18	# root@debian:~#
		19	#
		20	# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
		21	# All the rules for regular user profiles apply with the exception of
		22	# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
		23	# by default for root user.
		24
2	# This file is overwritten after every install/update	25	# This file is overwritten after every install/update
3	# Persistent local customizations	26	# Persistent local customizations
4	include server.local	27	include server.local