Diffstat (limited to 'etc/templates/profile.template')
-rw-r--r-- | etc/templates/profile.template | 128 |
1 files changed, 110 insertions, 18 deletions
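--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -1,25 +1,91 @@
 # Firejail profile for PROGRAM_NAME
 # Description: DESCRIPTION
 # This file is overwritten after every install/update
+# --- CUT HERE ---
+# This is a generic template to help you with creation of profiles
+# for new programs. PRs welcome at https://github.com/netblue30/firejail/
+#
+# Rules to follow:
+# - lines with one # are often used in profiles
+# - lines with two ## are only needed in special situations
+# - make the profile as restrictive as possible while still keeping the program useful
+# (e. g. a program that is unable to save user's work is considered a bad practice)
+# - dedicate some time (based on how complex the application is) to profile testing before raising
+# a pull request
+# - keep the sections structure, use a single empty line as a separator
+# - entries within sections are alphabetically sorted
+# - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
+# to not do this for essential utilities as this may *break* your OS! (related discussion:
+# https://github.com/netblue30/firejail/issues/2507)
+# - remove this comment section and any generic comment past 'Persistent global definitions'
+#
+# Sections structure
+# HEADER
+# COMMENTS
+# IGNORES
+# NOBLACKLISTS
+# ALLOW INCLUDES
+# BLACKLISTS
+# DISABLE INCLUDES
+# MKDIRS
+# WHITELISTS
+# WHITELIST INCLUDES
+# OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
+# PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
+# SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
+# REDIRECT INCLUDES
+#
+# The following macros may be used in path names to substitute common locations:
+# ${DESKTOP}
+# ${DOCUMENTS}
+# ${DOWNLOADS}
+# ${HOME} (user's home)
+# ${PATH} (contents of PATH envvar)
+# ${MUSIC}
+# ${VIDEOS}
+#
+# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
+#
+# --- CUT HERE ---
 ##quiet
 # Persistent local customizations
-#include PROFILE.local
+include PROFILE.local
 # Persistent global definitions
-#include globals.local
+include globals.local
 
 ##ignore noexec ${HOME}
+##ignore noexec /tmp
 
 ##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix
 
+# It is common practice to add files/dirs containing program-specific configuration
+# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
+# (keep list sorted) and then disable blacklisting below.
+# One way to retrieve the files a program uses is:
+# - launch binary with --private naming a sandbox
+# `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
+# - work with the program, do some configuration changes and save them, open new documents,
+# install plugins if they exists, etc
+# - join the sandbox with bash:
+# `firejail --join=test bash`
+# - look what has changed and use that information to populate blacklist and whitelist sections
+# `ls -aR`
 #noblacklist PATH
 
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
-#noblacklist ${PATH}/python3*
-#noblacklist /usr/lib/python2*
-#noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-#noblacklist /usr/local/lib/python3*
+#include allow-python2.inc
+#include allow-python3.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+#include allow-perl.inc
+
+# Allow java (blacklisted by disable-devel.inc)
+#include allow-java.inc
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+#include allow-lua.inc
 
 #include disable-common.inc
 #include disable-devel.inc
@@ -29,16 +95,24 @@
 #include disable-programs.inc
 #include disable-xdg.inc
 
+# This section often mirrors noblacklist section above. The idea is
+# that if a user feels too restricted (he's unable to save files into
+# home directory for instance) he/she may disable whitelist (nowhitelist)
+# in PROFILE.local but still be protected by BLACKLISTS section
+# (further explanation at https://github.com/netblue30/firejail/issues/1569)
 #mkdir PATH
-#mkfile PATH
+##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
 #include whitelist-var-common.inc
 
 #apparmor
 #caps.drop all
+##caps.keep CAPS
+##hostname NAME
 # CLI only
 ##ipc-namespace
+# breaks sound and sometime dbus related functions
 #machine-id
 # 'net none' or 'netfilter'
 #net none
@@ -53,30 +127,48 @@
 #notv
 #nou2f
 #novideo
-#protocol unix,inet,inet6,netlink
+# Remove every not needed protocol
+# - unix is usually needed
+# - inet,inet6 only if internet access is requiered (see 'net none'/'netfilter' above)
+# - netlink is rarely needed
+# - packet almost never
+#protocol unix,inet,inet6,netlink,packet
 #seccomp
-##seccomp.drop SYSCALLS
+##seccomp.drop SYSCALLS (see also syscalls.txt)
 #shell none
 #tracelog
+# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+##x11 none
 
 #disable-mnt
 ##private
+# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
 #private-bin PROGRAMS
 #private-cache
 #private-dev
 #private-etc FILES
-# private-etc templates (see also #1734)
-# Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-# Sound: alsa,asound.conf,machine-id,openal,pulse
-# GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
-# KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
-# GUIs: fonts
-# Alternatives: alternatives
+# private-etc templates (see also #1734, #2093)
+# Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
+# Extra: magic,magic.mgc,passwd,group
+# Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
+# Extra: proxychains.conf,gai.conf
+# Sound: alsa,asound.conf,pulse,machine-id
+# GUI: fonts,pango,X11
+# GTK: dconf,gconf,gtk-2.0,gtk-3.0
+# Qt: Trolltech.conf
+# KDE: kde4rc,kde5rc
+# 3D: drirc,glvnd,bumblebee,nvidia
+# D-Bus: dbus-1,machine-id
 ##private-lib LIBS
 ##private-opt NAME
 #private-tmp
+##writable-etc
+##writable-run-user
+##writable-var
+##writable-var-log
 
 ##env VAR=VALUE
 #memory-deny-write-execute
+##noexec PATH
 ##read-only ${HOME}
 ##join-or-start NAME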
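Review bot: The example line `#protocol unix,inet,inet6,netlink,packet` (new line 135 in the last hunk) now lists `packet`, which the comment added directly above it says is almost never needed, so an author who uncomments the template line as-is starts from the widest socket set instead of the restrictive default the comment argues for. I would keep the example at `#protocol unix,inet,inet6,netlink` and leave `packet` mentioned only in the comment, e.g. `# - packet almost never (add it explicitly if the program really needs raw sockets)`. The same hunk has the typo "requiered" on line 132, and the first hunk has "if they exists" on line 70; both are worth fixing while the template text is being reworked. In the first hunk, `include PROFILE.local` and `include globals.local` (lines 52 and 54) are now active rather than commented; if that is intended, a short comment noting that these are also the files a local override of `nowhitelist`/`ignore` lands in would help new profile authors understand why they are uncommented.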