Diffstat (limited to 'etc/Xvfb.profile')
-rw-r--r-- | etc/Xvfb.profile | 39 |
1 files changed, 39 insertions, 0 deletions
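--- /dev/null
+++ b/etc/Xvfb.profile
@@ -0,0 +1,39 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xvfb.local
+
+#
+# This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+
+# using a private home directory
+private
+
+caps.drop all
+# Xvfb needs to be allowed access to the abstract Unix socket namespace.
+#net none
+nogroups
+nonewprivs
+# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+private-dev
+private-tmp
+private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+#private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
+#private-bin Xvfb,sh,xkbcomp
+
+blacklist /media
+whitelist /var/lib/xkb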
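Review bot: The header comment disagrees with itself about the symlink name — line 8 of the new file says to create a `firejail-Xvfb` symlink, while the command on line 10 creates `/usr/local/bin/Xvfb`; since the redirect only works when the symlink carries the program's name, line 8 should read `# is disabled. To enable it, create a symlink named Xvfb in /usr/local/bin:`. Line 7 also has a stray word, `By default the this functionality` → `By default this functionality`. The include on line 3 pulls in `/etc/firejail/xvfb.local` while the profile itself is `Xvfb.profile`; if the intended pairing is the usual `<profile>.local`, a user who creates `Xvfb.local` as the header suggests would silently get nothing on a case-sensitive filesystem, so the intended name should be confirmed and stated in the comment on line 2. The two commented-out `private-bin` lines (35–36) read as debugging leftovers (`strace`, `cat`, `ls`); either enable one chosen set or drop them, and add a one-line comment explaining why `private-bin` is not applied, so the history does not read as an active restriction.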