diff options
Diffstat (limited to 'etc/templates/profile.template')
| -rw-r--r-- | etc/templates/profile.template | 68 |
1 files changed, 34 insertions, 34 deletions
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 9e9fc3fe9..72b7d3025 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
| @@ -2,15 +2,15 @@ | |||
| 2 | # Description: DESCRIPTION | 2 | # Description: DESCRIPTION |
| 3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 4 | # --- CUT HERE --- | 4 | # --- CUT HERE --- |
| 5 | # This is a generic template to help you with creation of profiles | 5 | # This is a generic template to help you create profiles. |
| 6 | # for new programs. PRs welcome at https://github.com/netblue30/firejail/. | 6 | # PRs welcome at https://github.com/netblue30/firejail/. |
| 7 | # | 7 | # |
| 8 | # Rules to follow: | 8 | # Rules to follow: |
| 9 | # - lines with one # are often used in profiles | 9 | # - lines with one # are often used in profiles |
| 10 | # - lines with two ## are only needed in special situations | 10 | # - lines with two ## are only needed in special situations |
| 11 | # - make the profile as restrictive as possible while still keeping the program useful | 11 | # - make the profile as restrictive as possible while still keeping the program useful |
| 12 | # (e. g. a program that is unable to save user's work is considered bad practice) | 12 | # (e.g. a program that is unable to save user's work is considered bad practice) |
| 13 | # - dedicate some time (based on the complexity of the application) to profile testing before raising | 13 | # - dedicate ample time (based on the complexity of the application) to profile testing before raising |
| 14 | # a pull request | 14 | # a pull request |
| 15 | # - keep the sections structure, use a single empty line as separator | 15 | # - keep the sections structure, use a single empty line as separator |
| 16 | # - entries within sections are alphabetically sorted | 16 | # - entries within sections are alphabetically sorted |
| @@ -42,7 +42,7 @@ | |||
| 42 | # ${DOCUMENTS} | 42 | # ${DOCUMENTS} |
| 43 | # ${DOWNLOADS} | 43 | # ${DOWNLOADS} |
| 44 | # ${HOME} (user's home) | 44 | # ${HOME} (user's home) |
| 45 | # ${PATH} (contents of PATH envvar) | 45 | # ${PATH} (contents of PATH env var) |
| 46 | # ${MUSIC} | 46 | # ${MUSIC} |
| 47 | # ${RUNUSER} (/run/user/UID) | 47 | # ${RUNUSER} (/run/user/UID) |
| 48 | # ${VIDEOS} | 48 | # ${VIDEOS} |
| @@ -81,12 +81,11 @@ include globals.local | |||
| 81 | # `ls -aR` | 81 | # `ls -aR` |
| 82 | #noblacklist PATH | 82 | #noblacklist PATH |
| 83 | 83 | ||
| 84 | # Allow python (blacklisted by disable-interpreters.inc) | 84 | # Allows files commonly used by IDEs |
| 85 | #include allow-python2.inc | 85 | #include allow-common-devel.inc |
| 86 | #include allow-python3.inc | ||
| 87 | 86 | ||
| 88 | # Allow perl (blacklisted by disable-interpreters.inc) | 87 | # Allow gjs (blacklisted by disable-interpreters.inc) |
| 89 | #include allow-perl.inc | 88 | #include allow-gjs.inc |
| 90 | 89 | ||
| 91 | # Allow java (blacklisted by disable-devel.inc) | 90 | # Allow java (blacklisted by disable-devel.inc) |
| 92 | #include allow-java.inc | 91 | #include allow-java.inc |
| @@ -94,14 +93,15 @@ include globals.local | |||
| 94 | # Allow lua (blacklisted by disable-interpreters.inc) | 93 | # Allow lua (blacklisted by disable-interpreters.inc) |
| 95 | #include allow-lua.inc | 94 | #include allow-lua.inc |
| 96 | 95 | ||
| 97 | # Allow ruby (blacklisted by disable-interpreters.inc) | 96 | # Allow perl (blacklisted by disable-interpreters.inc) |
| 98 | #include allow-ruby.inc | 97 | #include allow-perl.inc |
| 99 | 98 | ||
| 100 | # Allow gjs (blacklisted by disable-interpreters.inc) | 99 | # Allow python (blacklisted by disable-interpreters.inc) |
| 101 | #include allow-gjs.inc | 100 | #include allow-python2.inc |
| 101 | #include allow-python3.inc | ||
| 102 | 102 | ||
| 103 | # Allows files commonly used by IDEs | 103 | # Allow ruby (blacklisted by disable-interpreters.inc) |
| 104 | #include allow-common-devel.inc | 104 | #include allow-ruby.inc |
| 105 | 105 | ||
| 106 | # Allow ssh (blacklisted by disable-common.inc) | 106 | # Allow ssh (blacklisted by disable-common.inc) |
| 107 | #include allow-ssh.inc | 107 | #include allow-ssh.inc |
| @@ -117,10 +117,10 @@ include globals.local | |||
| 117 | #include disable-xdg.inc | 117 | #include disable-xdg.inc |
| 118 | 118 | ||
| 119 | # This section often mirrors noblacklist section above. The idea is | 119 | # This section often mirrors noblacklist section above. The idea is |
| 120 | # that if a user feels too restricted (he's unable to save files into | 120 | # that if a user feels too restricted (e.g. unable to save files into |
| 121 | # home directory for instance) he/she may disable whitelist (nowhitelist) | 121 | # home directory) they may disable whitelist (nowhitelist) |
| 122 | # in PROFILE.local but still be protected by BLACKLISTS section | 122 | # in PROFILE.local but still be protected by BLACKLISTS section |
| 123 | # (further explanation at https://github.com/netblue30/firejail/issues/1569) | 123 | # (explanation at https://github.com/netblue30/firejail/issues/1569) |
| 124 | #mkdir PATH | 124 | #mkdir PATH |
| 125 | ##mkfile PATH | 125 | ##mkfile PATH |
| 126 | #whitelist PATH | 126 | #whitelist PATH |
| @@ -136,7 +136,7 @@ include globals.local | |||
| 136 | ##hostname NAME | 136 | ##hostname NAME |
| 137 | # CLI only | 137 | # CLI only |
| 138 | ##ipc-namespace | 138 | ##ipc-namespace |
| 139 | # breaks sound and sometime dbus related functions | 139 | # breaks audio and sometimes dbus related functions |
| 140 | #machine-id | 140 | #machine-id |
| 141 | # 'net none' or 'netfilter' | 141 | # 'net none' or 'netfilter' |
| 142 | #net none | 142 | #net none |
| @@ -161,7 +161,7 @@ include globals.local | |||
| 161 | ##seccomp !chroot | 161 | ##seccomp !chroot |
| 162 | ##seccomp.drop SYSCALLS (see syscalls.txt) | 162 | ##seccomp.drop SYSCALLS (see syscalls.txt) |
| 163 | #seccomp.block-secondary | 163 | #seccomp.block-secondary |
| 164 | ##seccomp-error-action log (Only for debugging seccomp issues) | 164 | ##seccomp-error-action log (only for debugging seccomp issues) |
| 165 | #shell none | 165 | #shell none |
| 166 | #tracelog | 166 | #tracelog |
| 167 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set | 167 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set |
| @@ -176,16 +176,16 @@ include globals.local | |||
| 176 | #private-etc FILES | 176 | #private-etc FILES |
| 177 | # private-etc templates (see also #1734, #2093) | 177 | # private-etc templates (see also #1734, #2093) |
| 178 | # Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg | 178 | # Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg |
| 179 | # Extra: magic,magic.mgc,passwd,group | 179 | # Extra: group,magic,magic.mgc,passwd |
| 180 | # Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc | 180 | # 3D: bumblebee,drirc,glvnd,nvidia |
| 181 | # Extra: proxychains.conf,gai.conf | 181 | # Audio: alsa,asound.conf,machine-id,pulse |
| 182 | # Sound: alsa,asound.conf,pulse,machine-id | 182 | # D-Bus: dbus-1,machine-id |
| 183 | # GUI: fonts,pango,X11 | 183 | # GUI: fonts,pango,X11 |
| 184 | # GTK: dconf,gconf,gtk-2.0,gtk-3.0 | 184 | # GTK: dconf,gconf,gtk-2.0,gtk-3.0 |
| 185 | # Qt: Trolltech.conf | ||
| 186 | # KDE: kde4rc,kde5rc | 185 | # KDE: kde4rc,kde5rc |
| 187 | # 3D: drirc,glvnd,bumblebee,nvidia | 186 | # Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl |
| 188 | # D-Bus: dbus-1,machine-id | 187 | # Extra: gai.conf,proxychains.conf |
| 188 | # Qt: Trolltech.conf | ||
| 189 | ##private-lib LIBS | 189 | ##private-lib LIBS |
| 190 | ##private-opt NAME | 190 | ##private-opt NAME |
| 191 | #private-tmp | 191 | #private-tmp |
| @@ -194,14 +194,14 @@ include globals.local | |||
| 194 | ##writable-var | 194 | ##writable-var |
| 195 | ##writable-var-log | 195 | ##writable-var-log |
| 196 | 196 | ||
| 197 | # Since 0.9.63 also a more granular regulation of dbus is supported. | 197 | # Since 0.9.63 also a more granular control of dbus is supported. |
| 198 | # To get the dbus-addresses to which an application needs access to. | 198 | # To get the dbus-addresses an application needs access to you can |
| 199 | # You can look at flatpak if the application is also distriputed via flatpak: | 199 | # check with flatpak (when the application is distriputed that way): |
| 200 | # flatpak remote-info --show-metadata flathub <APP-ID> | 200 | # flatpak remote-info --show-metadata flathub <APP-ID> |
| 201 | # Notes: | 201 | # Notes: |
| 202 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus | 202 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus |
| 203 | # - In order to make dconf work (if it is used by the app) you need to allow | 203 | # - In order to make dconf work (when used by the app) you need to allow |
| 204 | # 'ca.desrt.dconf' even if it is not allowed by flatpak. | 204 | # 'ca.desrt.dconf' even when not allowed by flatpak. |
| 205 | # Notes and Policiy about addresses can be found at | 205 | # Notes and Policiy about addresses can be found at |
| 206 | # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> | 206 | # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> |
| 207 | #dbus-user filter | 207 | #dbus-user filter |
| @@ -211,7 +211,7 @@ include globals.local | |||
| 211 | #dbus-system none | 211 | #dbus-system none |
| 212 | 212 | ||
| 213 | ##env VAR=VALUE | 213 | ##env VAR=VALUE |
| 214 | ##join-or-start NAME | ||
| 214 | #memory-deny-write-execute | 215 | #memory-deny-write-execute |
| 215 | ##noexec PATH | 216 | ##noexec PATH |
| 216 | ##read-only ${HOME} | 217 | ##read-only ${HOME} |
| 217 | ##join-or-start NAME | ||