1 files changed, 54 insertions, 0 deletions
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
new file mode 100644
index 000000000..1033a7471
--- /dev/null
+++ b/etc/profile-m-z/xpra.profile
@@ -0,0 +1,54 @@
+# Firejail profile for xpra
+# Description: Tool to detach/reattach running X programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xpra.local
+# Persistent global definitions
+include globals.local
+#
+# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
+# To enable it, create a firejail-xpra symlink in /usr/local/bin:
+#
+#    $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
+#
+# or run "sudo firecfg"
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /var/lib/xkb
+# whitelisting home directory, or including whitelist-common.inc
+# will crash xpra on some platforms
+caps.drop all
+# xpra needs to be allowed access to the abstract Unix socket namespace.
+nodvd
+nogroups
+nonewprivs
+# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+# private home directory doesn't work on some distros, so we go for a regular home
+# private
+# older Xpra versions also use Xvfb
+# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
+private-dev
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
+private-tmp

diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile new file mode 100644 index 000000000..1033a7471 --- /dev/null +++ b/etc/profile-m-z/xpra.profile
@@ -0,0 +1,54 @@
	1	# Firejail profile for xpra
	2	# Description: Tool to detach/reattach running X programs
	3	# This file is overwritten after every install/update
	4	quiet
	5	# Persistent local customizations
	6	include xpra.local
	7	# Persistent global definitions
	8	include globals.local
	9
	10	#
	11	# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
	12	# To enable it, create a firejail-xpra symlink in /usr/local/bin:
	13	#
	14	# $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
	15	#
	16	# or run "sudo firecfg"
	17
	18	# Allow python (blacklisted by disable-interpreters.inc)
	19	include allow-python2.inc
	20	include allow-python3.inc
	21
	22	include disable-common.inc
	23	include disable-devel.inc
	24	include disable-interpreters.inc
	25	include disable-passwdmgr.inc
	26	include disable-programs.inc
	27
	28	whitelist /var/lib/xkb
	29	# whitelisting home directory, or including whitelist-common.inc
	30	# will crash xpra on some platforms
	31
	32	caps.drop all
	33	# xpra needs to be allowed access to the abstract Unix socket namespace.
	34	nodvd
	35	nogroups
	36	nonewprivs
	37	# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
	38	#noroot
	39	nosound
	40	notv
	41	nou2f
	42	novideo
	43	protocol unix
	44	seccomp
	45	shell none
	46
	47	disable-mnt
	48	# private home directory doesn't work on some distros, so we go for a regular home
	49	# private
	50	# older Xpra versions also use Xvfb
	51	# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
	52	private-dev
	53	# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
	54	private-tmp