Diffstat (limited to 'etc')
-rw-r--r-- | etc/Xephyr.profile | 40 | ||||
-rw-r--r-- | etc/Xvfb.profile | 39 | ||||
-rw-r--r-- | etc/xpra.profile | 31 |
3 files changed, 103 insertions, 7 deletions
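--- /dev/null
+++ b/etc/Xephyr.profile
@@ -0,0 +1,40 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Xephyr.local
+
+#
+# This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-Xephyr symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+
+# using a private home directory
+private
+
+
+caps.drop all
+# Xephyr needs to be allowed access to the abstract Unix socket namespace.
+#net none
+nogroups
+nonewprivs
+# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+private-dev
+private-tmp
+#private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
+#private-bin Xephyr,sh,xkbcomp
+#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+
+blacklist /media
+whitelist /var/lib/xkb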
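Review bot: The header comment on the new file's lines 7-8 reads `By default the this functionality is disabled`, a doubled article that is copied verbatim into etc/Xvfb.profile and etc/xpra.profile in the same commit, so it should be fixed in all three. Unlike etc/xpra.profile, this profile includes none of disable-common.inc, disable-programs.inc or disable-devel.inc, and its `#private-etc` line (new line 37) stays commented out while the equivalent line in etc/Xvfb.profile is active; if both differences are deliberate, a short comment beside `#private-etc` recording the reason would stop a later cleanup from enabling it. The comment above `#net none` explains why the host network namespace is shared but not what still bounds it; I would extend it to `# net none is off so Xephyr can reach the abstract Unix socket namespace; protocol unix below still blocks inet/inet6 sockets.`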
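--- /dev/null
+++ b/etc/Xvfb.profile
@@ -0,0 +1,39 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xvfb.local
+
+#
+# This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+
+# using a private home directory
+private
+
+caps.drop all
+# Xvfb needs to be allowed access to the abstract Unix socket namespace.
+#net none
+nogroups
+nonewprivs
+# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+private-dev
+private-tmp
+private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+#private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
+#private-bin Xvfb,sh,xkbcomp
+
+blacklist /media
+whitelist /var/lib/xkb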
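Review bot: The `.local` include on line 3 of the new file is `include /etc/firejail/xvfb.local`, while the profile itself is etc/Xvfb.profile and the parallel etc/Xephyr.profile includes `Xephyr.local` with the profile's own capitalisation; on a case-sensitive filesystem a user who creates Xvfb.local by the usual name-matching convention will have their overrides silently ignored. Suggest `include /etc/firejail/Xvfb.local`. Line 34 enables `private-etc` with a fixed file list, whereas the same line is commented out in etc/Xephyr.profile and etc/xpra.profile; if Xvfb is the only one of the three verified to run with it, a one-line comment above `private-etc` saying so would explain the asymmetry to the next maintainer.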
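--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -2,26 +2,43 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/xpra.local
 
-# xpra profile
+
+#
+# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-xpra symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+# private home directory doesn't work on some distros, so we go for a regular home
+#private
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-netfilter
+# xpra needs to be allowed access to the abstract Unix socket namespace.
+#net none
 nogroups
 nonewprivs
-noroot
+# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
+#noroot
 nosound
 shell none
 seccomp
-protocol unix,inet,inet6
+protocol unix
 
-# blacklist /tmp/.X11-unix
 
-# private-bin
 private-dev
 private-tmp
-# private-etc
+#private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
+#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
+
+blacklist /media
+whitelist /var/lib/xkb
 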
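Review bot: New lines 35 and 36 are two consecutive blank lines left behind where `# blacklist /tmp/.X11-unix` and `# private-bin` were removed; collapsing them to one matches the spacing used in the two new profiles. The removal of `netfilter` (old line 12) is the only relaxation in this hunk without an explanatory comment, while the neighbouring `#net none` and `#noroot` each get one; `protocol unix` now refuses inet/inet6 sockets inside the sandbox, which presumably makes the filter moot, and a line such as `# netfilter dropped: protocol unix already blocks inet/inet6 sockets` next to `protocol unix` would record that reasoning. The new header comment also carries the same `By default the this` typo as the two new files.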