Diffstat (limited to 'etc/xpra.profile')
-rw-r--r-- | etc/xpra.profile | 31 |
1 files changed, 24 insertions, 7 deletions
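--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -2,26 +2,43 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/xpra.local
 
-# xpra profile
+
+#
+# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-xpra symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+# private home directory doesn't work on some distros, so we go for a regular home
+#private
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-netfilter
+# xpra needs to be allowed access to the abstract Unix socket namespace.
+#net none
 nogroups
 nonewprivs
-noroot
+# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
+#noroot
 nosound
 shell none
 seccomp
-protocol unix,inet,inet6
+protocol unix
 
-# blacklist /tmp/.X11-unix
 
-# private-bin
 private-dev
 private-tmp
-# private-etc
+#private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
+#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
+
+blacklist /media
+whitelist /var/lib/xkb
 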
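Review bot: The new `#private-bin …` and `#private-etc …` lines (new 39–40) are left disabled with no stated reason, unlike `#net none` and `#noroot`, which each carry a one-line justification directly above them; a maintainer cannot tell whether these are a to-do, a known breakage, or a reference list, so either precede them with a comment such as `# private-bin/private-etc are disabled because they break xpra on some distributions; the lists are kept as a starting point for hardening` or drop them. The header block also appears to have lost its title: old `# xpra profile` at line 5 is replaced by a blank line and the comment now opens with a bare `#` at new 6, which looks accidental — if so, restore `# xpra profile` on new 5. Since `netfilter` is removed and `net none` survives only as a comment, the profile now expresses no network restriction at all; the `# xpra needs to be allowed access to the abstract Unix socket namespace.` comment would be clearer if it said so explicitly, e.g. `# … so no network namespace or filter is applied; the sandbox shares the host network.`, so the trade-off is visible to whoever hardens this profile later.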