Diffstat (limited to 'etc/templates/profile.template')
-rw-r--r-- | etc/templates/profile.template | 18 |
1 files changed, 9 insertions, 9 deletions
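--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -3,16 +3,16 @@
 # This file is overwritten after every install/update
 # --- CUT HERE ---
 # This is a generic template to help you with creation of profiles
-# for new programs. PRs welcome at https://github.com/netblue30/firejail/
+# for new programs. PRs welcome at https://github.com/netblue30/firejail/.
 #
 # Rules to follow:
 # - lines with one # are often used in profiles
 # - lines with two ## are only needed in special situations
 # - make the profile as restrictive as possible while still keeping the program useful
-# (e. g. a program that is unable to save user's work is considered a bad practice)
-# - dedicate some time (based on how complex the application is) to profile testing before raising
+# (e. g. a program that is unable to save user's work is considered bad practice)
+# - dedicate some time (based on the complexity of the application) to profile testing before raising
 # a pull request
-# - keep the sections structure, use a single empty line as a separator
+# - keep the sections structure, use a single empty line as separator
 # - entries within sections are alphabetically sorted
 # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
 # to not do this for essential utilities as this may *break* your OS! (related discussion:
@@ -66,8 +66,8 @@ include globals.local
 # One way to retrieve the files a program uses is:
 # - launch binary with --private naming a sandbox
 # `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
-# - work with the program, do some configuration changes and save them, open new documents,
-# install plugins if they exists, etc
+# - work with the program, make some configuration changes and save them, open new documents,
+# install plugins if they exists, etc.
 # - join the sandbox with bash:
 # `firejail --join=test bash`
 # - look what has changed and use that information to populate blacklist and whitelist sections
@@ -128,14 +128,14 @@ include globals.local
 #notv
 #nou2f
 #novideo
-# Remove every not needed protocol
+# Remove each unneeded protocol:
 # - unix is usually needed
-# - inet,inet6 only if internet access is requiered (see 'net none'/'netfilter' above)
+# - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above)
 # - netlink is rarely needed
 # - packet almost never
 #protocol unix,inet,inet6,netlink,packet
 #seccomp
-##seccomp.drop SYSCALLS (see also syscalls.txt)
+##seccomp.drop SYSCALLS (see syscalls.txt)
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set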