Diffstat (limited to 'etc/templates/profile.template')
-rw-r--r--etc/templates/profile.template128
1 files changed, 110 insertions, 18 deletions
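--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -1,25 +1,91 @@
 # Firejail profile for PROGRAM_NAME
 # Description: DESCRIPTION
 # This file is overwritten after every install/update
+# --- CUT HERE ---
+# This is a generic template to help you with creation of profiles
+# for new programs. PRs welcome at https://github.com/netblue30/firejail/
+#
+# Rules to follow:
+# - lines with one # are often used in profiles
+# - lines with two ## are only needed in special situations
+# - make the profile as restrictive as possible while still keeping the program useful
+# (e. g. a program that is unable to save user's work is considered a bad practice)
+# - dedicate some time (based on how complex the application is) to profile testing before raising
+# a pull request
+# - keep the sections structure, use a single empty line as a separator
+# - entries within sections are alphabetically sorted
+# - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
+# to not do this for essential utilities as this may *break* your OS! (related discussion:
+# https://github.com/netblue30/firejail/issues/2507)
+# - remove this comment section and any generic comment past 'Persistent global definitions'
+#
+# Sections structure
+# HEADER
+# COMMENTS
+# IGNORES
+# NOBLACKLISTS
+# ALLOW INCLUDES
+# BLACKLISTS
+# DISABLE INCLUDES
+# MKDIRS
+# WHITELISTS
+# WHITELIST INCLUDES
+# OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
+# PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
+# SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
+# REDIRECT INCLUDES
+#
+# The following macros may be used in path names to substitute common locations:
+# ${DESKTOP}
+# ${DOCUMENTS}
+# ${DOWNLOADS}
+# ${HOME} (user's home)
+# ${PATH} (contents of PATH envvar)
+# ${MUSIC}
+# ${VIDEOS}
+#
+# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
+#
+# --- CUT HERE ---
 ##quiet
 # Persistent local customizations
-#include PROFILE.local
+include PROFILE.local
 # Persistent global definitions
-#include globals.local
+include globals.local
 
 ##ignore noexec ${HOME}
+##ignore noexec /tmp
 
 ##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix
 
+# It is common practice to add files/dirs containing program-specific configuration
+# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
+# (keep list sorted) and then disable blacklisting below.
+# One way to retrieve the files a program uses is:
+# - launch binary with --private naming a sandbox
+# `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
+# - work with the program, do some configuration changes and save them, open new documents,
+# install plugins if they exists, etc
+# - join the sandbox with bash:
+# `firejail --join=test bash`
+# - look what has changed and use that information to populate blacklist and whitelist sections
+# `ls -aR`
 #noblacklist PATH
 
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
-#noblacklist ${PATH}/python3*
-#noblacklist /usr/lib/python2*
-#noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-#noblacklist /usr/local/lib/python3*
+#include allow-python2.inc
+#include allow-python3.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+#include allow-perl.inc
+
+# Allow java (blacklisted by disable-devel.inc)
+#include allow-java.inc
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+#include allow-lua.inc
 
 #include disable-common.inc
 #include disable-devel.inc
@@ -29,16 +95,24 @@
 #include disable-programs.inc
 #include disable-xdg.inc
 
+# This section often mirrors noblacklist section above. The idea is
+# that if a user feels too restricted (he's unable to save files into
+# home directory for instance) he/she may disable whitelist (nowhitelist)
+# in PROFILE.local but still be protected by BLACKLISTS section
+# (further explanation at https://github.com/netblue30/firejail/issues/1569)
 #mkdir PATH
-#mkfile PATH
+##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
 #include whitelist-var-common.inc
 
 #apparmor
 #caps.drop all
+##caps.keep CAPS
+##hostname NAME
 # CLI only
 ##ipc-namespace
+# breaks sound and sometime dbus related functions
 #machine-id
 # 'net none' or 'netfilter'
 #net none
@@ -53,30 +127,48 @@
 #notv
 #nou2f
 #novideo
-#protocol unix,inet,inet6,netlink
+# Remove every not needed protocol
+# - unix is usually needed
+# - inet,inet6 only if internet access is requiered (see 'net none'/'netfilter' above)
+# - netlink is rarely needed
+# - packet almost never
+#protocol unix,inet,inet6,netlink,packet
 #seccomp
-##seccomp.drop SYSCALLS
+##seccomp.drop SYSCALLS (see also syscalls.txt)
 #shell none
 #tracelog
+# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+##x11 none
 
 #disable-mnt
 ##private
+# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
 #private-bin PROGRAMS
 #private-cache
 #private-dev
 #private-etc FILES
-# private-etc templates (see also #1734)
-# Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-# Sound: alsa,asound.conf,machine-id,openal,pulse
-# GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
-# KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
-# GUIs: fonts
-# Alternatives: alternatives
+# private-etc templates (see also #1734, #2093)
+# Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
+# Extra: magic,magic.mgc,passwd,group
+# Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
+# Extra: proxychains.conf,gai.conf
+# Sound: alsa,asound.conf,pulse,machine-id
+# GUI: fonts,pango,X11
+# GTK: dconf,gconf,gtk-2.0,gtk-3.0
+# Qt: Trolltech.conf
+# KDE: kde4rc,kde5rc
+# 3D: drirc,glvnd,bumblebee,nvidia
+# D-Bus: dbus-1,machine-id
 ##private-lib LIBS
 ##private-opt NAME
 #private-tmp
+##writable-etc
+##writable-run-user
+##writable-var
+##writable-var-log
 
 ##env VAR=VALUE
 #memory-deny-write-execute
+##noexec PATH
 ##read-only ${HOME}
 ##join-or-start NAME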
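Review bot: The new template line `#protocol unix,inet,inet6,netlink,packet` (new line 135) ships the broadest protocol set as the copy-paste default, even though the comment directly above it says netlink is rarely needed and packet almost never; a profile author who uncomments the line unchanged ends up with a wider sandbox than the old `#protocol unix,inet,inet6,netlink` gave. Since the template's own rule is "as restrictive as possible", consider stating the least-privilege set on the single-# line and demoting the rare protocols to a ##-line, e.g. `#protocol unix,inet,inet6` followed by `##protocol unix,inet,inet6,netlink,packet`, so the default that gets copied is the restrictive one. While touching this hunk, `requiered` at new line 132 should read `required`; the earlier hunks have `sometime dbus related functions` (new line 115) and `if they exists` (new line 70), which should be `sometimes` and `if they exist`.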