diff options
Diffstat (limited to 'etc/xpra.profile')
| -rw-r--r-- | etc/xpra.profile | 37 |
1 files changed, 18 insertions, 19 deletions
diff --git a/etc/xpra.profile b/etc/xpra.profile index c8bb3ef52..ed393d70b 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile | |||
| @@ -1,10 +1,9 @@ | |||
| 1 | # Persistent global definitions go here | 1 | # Firejail profile for xpra |
| 2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
| 3 | 3 | # Persistent local customizations | |
| 4 | # This file is overwritten during software install. | ||
| 5 | # Persistent customizations should go in a .local file. | ||
| 6 | include /etc/firejail/xpra.local | 4 | include /etc/firejail/xpra.local |
| 7 | 5 | # Persistent global definitions | |
| 6 | include /etc/firejail/globals.local | ||
| 8 | 7 | ||
| 9 | # | 8 | # |
| 10 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. | 9 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. |
| @@ -14,12 +13,15 @@ include /etc/firejail/xpra.local | |||
| 14 | # | 13 | # |
| 15 | # or run "sudo firecfg" | 14 | # or run "sudo firecfg" |
| 16 | 15 | ||
| 17 | # private home directory doesn't work on some distros, so we go for a regular home | 16 | blacklist /media |
| 18 | #private | 17 | |
| 19 | include /etc/firejail/disable-common.inc | 18 | include /etc/firejail/disable-common.inc |
| 20 | include /etc/firejail/disable-programs.inc | ||
| 21 | include /etc/firejail/disable-devel.inc | 19 | include /etc/firejail/disable-devel.inc |
| 22 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
| 21 | include /etc/firejail/disable-programs.inc | ||
| 22 | |||
| 23 | whitelist /var/lib/xkb | ||
| 24 | include /etc/firejail/whitelist-common.inc | ||
| 23 | 25 | ||
| 24 | caps.drop all | 26 | caps.drop all |
| 25 | # xpra needs to be allowed access to the abstract Unix socket namespace. | 27 | # xpra needs to be allowed access to the abstract Unix socket namespace. |
| @@ -28,17 +30,14 @@ nonewprivs | |||
| 28 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. | 30 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. |
| 29 | #noroot | 31 | #noroot |
| 30 | nosound | 32 | nosound |
| 31 | shell none | ||
| 32 | seccomp | ||
| 33 | protocol unix | 33 | protocol unix |
| 34 | seccomp | ||
| 35 | shell none | ||
| 34 | 36 | ||
| 35 | 37 | # private home directory doesn't work on some distros, so we go for a regular home | |
| 38 | # private | ||
| 39 | # older Xpra versions also use Xvfb | ||
| 40 | # private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls | ||
| 36 | private-dev | 41 | private-dev |
| 42 | # private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 | ||
| 37 | private-tmp | 43 | private-tmp |
| 38 | # older Xpra versions also use Xvfb | ||
| 39 | #private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls | ||
| 40 | #private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 | ||
| 41 | |||
| 42 | blacklist /media | ||
| 43 | whitelist /var/lib/xkb | ||
| 44 | |||