diff options
| -rw-r--r-- | etc/k3b.profile | 13 | ||||
| -rw-r--r-- | src/firejail/profile.c | 5 | ||||
| -rw-r--r-- | src/man/firejail-profile.txt | 2 |
3 files changed, 13 insertions, 7 deletions
diff --git a/etc/k3b.profile b/etc/k3b.profile index 60da458ab..0c1da7ae1 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile | |||
| @@ -20,17 +20,18 @@ include disable-xdg.inc | |||
| 20 | 20 | ||
| 21 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
| 22 | 22 | ||
| 23 | caps.drop all | 23 | caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource |
| 24 | # net none | ||
| 24 | netfilter | 25 | netfilter |
| 25 | no3d | 26 | no3d |
| 26 | nonewprivs | 27 | # nonewprivs - breaks privileged helpers |
| 27 | noroot | 28 | # noroot - breaks privileged helpers |
| 28 | nosound | 29 | nosound |
| 29 | notv | 30 | notv |
| 30 | novideo | 31 | novideo |
| 31 | protocol unix | 32 | # protocol unix - breaks privileged helpers |
| 32 | seccomp | 33 | # seccomp - breaks privileged helpers |
| 33 | shell none | 34 | shell none |
| 34 | tracelog | ||
| 35 | 35 | ||
| 36 | private-dev | ||
| 36 | # private-tmp | 37 | # private-tmp |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 03cd9dadb..9a724331b 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -143,6 +143,10 @@ static int check_appimage(void) { | |||
| 143 | return arg_appimage != 0; | 143 | return arg_appimage != 0; |
| 144 | } | 144 | } |
| 145 | 145 | ||
| 146 | static int check_netoptions(void) { | ||
| 147 | return (arg_nonetwork || any_bridge_configured()); | ||
| 148 | } | ||
| 149 | |||
| 146 | static int check_nodbus(void) { | 150 | static int check_nodbus(void) { |
| 147 | return arg_nodbus != 0; | 151 | return arg_nodbus != 0; |
| 148 | } | 152 | } |
| @@ -161,6 +165,7 @@ static int check_allow_drm(void) { | |||
| 161 | 165 | ||
| 162 | Cond conditionals[] = { | 166 | Cond conditionals[] = { |
| 163 | {"HAS_APPIMAGE", check_appimage}, | 167 | {"HAS_APPIMAGE", check_appimage}, |
| 168 | {"HAS_NET", check_netoptions}, | ||
| 164 | {"HAS_NODBUS", check_nodbus}, | 169 | {"HAS_NODBUS", check_nodbus}, |
| 165 | {"HAS_X11", check_x11}, | 170 | {"HAS_X11", check_x11}, |
| 166 | {"BROWSER_DISABLE_U2F", check_disable_u2f}, | 171 | {"BROWSER_DISABLE_U2F", check_disable_u2f}, |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 4a84cc828..719a80c2c 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -103,7 +103,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" | |||
| 103 | 103 | ||
| 104 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. | 104 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. |
| 105 | 105 | ||
| 106 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NODBUS and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM | 106 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM |
| 107 | can be enabled or disabled globally in Firejail's configuration file. | 107 | can be enabled or disabled globally in Firejail's configuration file. |
| 108 | 108 | ||
| 109 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. | 109 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. |