Diffstat (limited to 'etc/firejail-default')
-rw-r--r-- | etc/firejail-default | 129 |
1 files changed, 129 insertions, 0 deletions
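--- /dev/null
+++ b/etc/firejail-default
@@ -0,0 +1,129 @@
+#include <tunables/global>
+
+profile firejail-default {
+
+#####
+# D-Bus is a huge security hole, we disable it here. Uncomment this line if you
+# need D-Bus functionality.
+#
+#dbus,
+
+#####
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+#
+/ r,
+/[^proc,^sys]** mrwlk,
+
+/proc/ r,
+/proc/meminfo r,
+/proc/cpuinfo r,
+/proc/filesystems r,
+/proc/uptime r,
+/proc/loadavg r,
+/proc/stat r,
+/proc/@{pid}/ r,
+/proc/@{pid}/fd/ r,
+/proc/@{pid}/task/ r,
+/proc/@{pid}/cmdline r,
+/proc/@{pid}/comm r,
+/proc/@{pid}/stat r,
+/proc/@{pid}/statm r,
+/proc/@{pid}/status r,
+/proc/sys/kernel/pid_max r,
+/proc/sys/kernel/shmmax r,
+/sys/ r,
+/sys/bus/ r,
+/sys/bus/** r,
+/sys/class/ r,
+/sys/class/** r,
+/sys/devices/ r,
+/sys/devices/** r,
+
+/proc/@{pid}/maps r,
+/proc/@{pid}/mounts r,
+/proc/@{pid}/mountinfo r,
+/proc/@{pid}/oom_score_adj r,
+
+/{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/user/**/dconf/ r,
+/{,var/}run/user/**/dconf/user r,
+
+#####
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+#
+/lib/** ix,
+/lib64/** ix,
+/bin/** ix,
+/sbin/** ix,
+/usr/bin/** ix,
+/usr/sbin/** ix,
+/usr/local/** ix,
+/usr/lib/** ix,
+/usr/games/** ix,
+/opt/** ix,
+#/home/** ix,
+
+#####
+# Allow all networking functionality, and control it from Firejail.
+#
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+
+#####
+# There is no equivalent in Firejail for filtering signals.
+#
+signal,
+
+#####
+# Disable all capabilities. If you run your sandbox as root, you might need to
+# enable/uncomment some of them.
+#
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+capability audit_write,
+capability audit_control,
+capability setfcap,
+capability mac_override,
+capability mac_admin,
+
+#####
+# No mount/umount functionality when running as regular user.
+#
+mount,
+remount,
+umount,
+pivot_root,
+
+}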
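Review bot: The `capability` rules at file lines 86–119 contradict the header above them: in AppArmor a bare `capability chown,` is an allow rule, so as written every listed capability is granted to confined processes, and the same holds for `mount,`, `remount,`, `umount,` and `pivot_root,` under the `# No mount/umount functionality when running as regular user.` header. Either comment those rules out, as the header's "enable/uncomment some of them" implies, or reword both headers to state that these operations are permitted by this profile and restricted by Firejail's own capability and seccomp filtering — the hunk does not show which was intended. Separately, `/[^proc,^sys]** mrwlk,` (file line 16) is a character class that matches a single character outside the set, so it excludes every top-level path beginning with p, r, o, c, s or y (e.g. /root, /run, /opt, /srv) rather than only the /proc and /sys trees; AppArmor has no negative-path glob, so the mask has to be expressed with explicit per-directory allow rules, and the later `/{,var/}run/...` rules look like a workaround for /run being caught by it. At minimum the comment at file line 12 should state which top-level directories the rule actually grants `mrwlk` on.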