Diffstat (limited to 'etc/templates')
-rw-r--r-- | etc/templates/profile.template | 57 |
1 files changed, 57 insertions, 0 deletions
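--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -1,6 +1,39 @@
 # Firejail profile for PROGRAM_NAME
 # Description: DESCRIPTION
 # This file is overwritten after every install/update
+# --- CUT HERE ---
+# This is a generic template to help you with creation of profiles
+# for new programs. PRs welcome at https://github.com/netblue30/firejail/
+#
+# Rules to follow:
+# - lines with one # are often used in profiles
+# - lines with two ## are only needed in special situations
+# - make the profile as restrictive as possible while still keeping the program useful
+# (e. g. a program that is unable to save user's work is considered a bad practice)
+# - dedicate some time (based on how complex the application is) to profile testing before raising
+# a pull request
+# - keep the sections structure, use a single empty line as a separator
+# - entries within sections are alphabetically sorted
+# - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
+# to not do this for essential utilities as this may *break* your OS! (related discussion:
+# https://github.com/netblue30/firejail/issues/2507)
+# - remove this comment section and any generic comment past 'Persistent global definitions'
+#
+# Sections structure
+# HEADER
+# COMMENTS
+# BLACKLISTS
+# NOBLACKLISTS
+# DISABLE INCLUDES
+# MKDIRS
+# WHITELISTS
+# WHITELIST INCLUDES
+# OPTIONS (no*)
+# PRIVATE OPTIONS (disable-mnt, private-*)
+# SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
+# REDIRECT INCLUDES
+#
+# --- CUT HERE ---
 ##quiet
 # Persistent local customizations
 #include PROFILE.local
@@ -11,6 +44,18 @@
 
 ##blacklist PATH
 
+# It is common practice to add files/dirs containing program-specific configuration
+# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
+# (keep list sorted) and then disable blacklisting below.
+# One way to retrieve the files a program uses is:
+# - launch binary with --private naming a sandbox
+# `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
+# - work with the program, do some configuration changes and save them, open new documents,
+# install plugins if they exists, etc
+# - join the sandbox with bash:
+# `firejail --join=test bash`
+# - look what has changed and use that information to populate blacklist and whitelist sections
+# `ls -aR`
 #noblacklist PATH
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -21,6 +66,13 @@
 #noblacklist /usr/local/lib/python2*
 #noblacklist /usr/local/lib/python3*
 
+# Allow perl (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/cpan*
+#noblacklist ${PATH}/core_perl
+#noblacklist ${PATH}/perl
+#noblacklist /usr/lib/perl*
+#noblacklist /usr/share/perl*
+
 #include disable-common.inc
 #include disable-devel.inc
 #include disable-exec.inc
@@ -29,6 +81,11 @@
 #include disable-programs.inc
 #include disable-xdg.inc
 
+# This section often mirrors noblacklist section above. The idea is
+# that if a user feels too restricted (he's unable to save files into
+# home directory for instance) he/she may disable whitelist (nowhitelist)
+# in PROFILE.local but still be protected by BLACKLISTS section
+# (further explanation at https://github.com/netblue30/firejail/issues/1569)
 #mkdir PATH
 #mkfile PATH
 #whitelist PATH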
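Review bot: The probing recipe added in the second hunk (new lines 50–58: `--private BINARY`, then `firejail --join=test bash` and `ls -aR`) only reveals what the program wrote under its home directory, since `--private` replaces home with a temporary filesystem and nothing else; writes to locations outside home (for example `/tmp` or `/run/user/<uid>`) will not appear in that listing, so a profile derived only from it can miss paths that still need a blacklist/whitelist decision. The recipe also relies on the sandbox still running when `--join` is issued, because the temporary home is discarded once the program exits, and the text does not say so. I would add after new line 58: `# Note: --private only replaces ${HOME}; join before the program exits and check locations` `# outside home (e.g. /tmp, /run/user) separately if the program uses them.` Minor wording in the same additions: new line 54 `if they exists` → `if they exist`, and new lines 85–86 could use `they are unable ... they may disable ...` instead of `he's ... he/she`.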