Diffstat (limited to 'etc/xpra.profile')
-rw-r--r-- | etc/xpra.profile | 37 |
1 files changed, 18 insertions, 19 deletions
diff --git a/etc/xpra.profile b/etc/xpra.profile index c8bb3ef52..ed393d70b 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile | |||
@@ -1,10 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xpra |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xpra.local | 4 | include /etc/firejail/xpra.local |
7 | 5 | # Persistent global definitions | |
6 | include /etc/firejail/globals.local | ||
8 | 7 | ||
9 | # | 8 | # |
10 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. | 9 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. |
@@ -14,12 +13,15 @@ include /etc/firejail/xpra.local | |||
14 | # | 13 | # |
15 | # or run "sudo firecfg" | 14 | # or run "sudo firecfg" |
16 | 15 | ||
17 | # private home directory doesn't work on some distros, so we go for a regular home | 16 | blacklist /media |
18 | #private | 17 | |
19 | include /etc/firejail/disable-common.inc | 18 | include /etc/firejail/disable-common.inc |
20 | include /etc/firejail/disable-programs.inc | ||
21 | include /etc/firejail/disable-devel.inc | 19 | include /etc/firejail/disable-devel.inc |
22 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
21 | include /etc/firejail/disable-programs.inc | ||
22 | |||
23 | whitelist /var/lib/xkb | ||
24 | include /etc/firejail/whitelist-common.inc | ||
23 | 25 | ||
24 | caps.drop all | 26 | caps.drop all |
25 | # xpra needs to be allowed access to the abstract Unix socket namespace. | 27 | # xpra needs to be allowed access to the abstract Unix socket namespace. |
@@ -28,17 +30,14 @@ nonewprivs | |||
28 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. | 30 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. |
29 | #noroot | 31 | #noroot |
30 | nosound | 32 | nosound |
31 | shell none | ||
32 | seccomp | ||
33 | protocol unix | 33 | protocol unix |
34 | seccomp | ||
35 | shell none | ||
34 | 36 | ||
35 | 37 | # private home directory doesn't work on some distros, so we go for a regular home | |
38 | # private | ||
39 | # older Xpra versions also use Xvfb | ||
40 | # private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls | ||
36 | private-dev | 41 | private-dev |
42 | # private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 | ||
37 | private-tmp | 43 | private-tmp |
38 | # older Xpra versions also use Xvfb | ||
39 | #private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls | ||
40 | #private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 | ||
41 | |||
42 | blacklist /media | ||
43 | whitelist /var/lib/xkb | ||
44 | |||
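Review bot: The `include /etc/firejail/whitelist-common.inc` added at new line 24 of the second hunk is the only functional change in this section and it is undocumented, while the comment kept at new line 37 still says the profile deliberately uses a regular home instead of `private`. In firejail, the first `whitelist` of a path under a top-level directory such as ${HOME} mounts a tmpfs over that directory and exposes only the whitelisted entries, so if whitelist-common.inc contains home-directory entries (its contents are not shown here; verify against the installed copy) this include silently turns the home into a whitelist-only view and xpra would lose access to anything else it keeps under ${HOME}, presumably its own socket and config directories. Either drop the include, add the xpra-specific `whitelist ${HOME}/...` entries next to it, or record the decision with a comment, e.g. `# whitelist-common.inc makes ${HOME} whitelist-only; any xpra dirs under home must be whitelisted here too`. The blacklist/whitelist reordering and the seccomp/shell/protocol shuffle in the third hunk look purely cosmetic and need no note.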