Diffstat (limited to 'etc')
-rw-r--r-- | etc/Xephyr.profile | 32 | ||||
-rw-r--r-- | etc/Xvfb.profile | 30 | ||||
-rw-r--r-- | etc/baloo_file.profile | 27 | ||||
-rw-r--r-- | etc/brave.profile | 51 | ||||
-rw-r--r-- | etc/default.profile | 37 | ||||
-rw-r--r-- | etc/openbox.profile | 14 | ||||
-rw-r--r-- | etc/server.profile | 30 | ||||
-rw-r--r-- | etc/snap.profile | 17 | ||||
-rw-r--r-- | etc/xpra.profile | 37 |
9 files changed, 141 insertions, 134 deletions
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile index 22c0202ee..db3b3858c 100644 --- a/etc/Xephyr.profile +++ b/etc/Xephyr.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for Xephyr |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/Xephyr.local | 4 | include /etc/firejail/Xephyr.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # | 8 | # |
9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. | 9 | # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr. |
@@ -15,26 +15,26 @@ include /etc/firejail/Xephyr.local | |||
15 | # | 15 | # |
16 | 16 | ||
17 | 17 | ||
18 | # using a private home directory | 18 | blacklist /media |
19 | private | ||
20 | 19 | ||
20 | whitelist /var/lib/xkb | ||
21 | include /etc/firejail/whitelist-common.inc | ||
21 | 22 | ||
22 | caps.drop all | 23 | caps.drop all |
23 | # Xephyr needs to be allowed access to the abstract Unix socket namespace. | 24 | # Xephyr needs to be allowed access to the abstract Unix socket namespace. |
24 | nogroups | 25 | nogroups |
25 | nonewprivs | 26 | nonewprivs |
26 | # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. | 27 | # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. |
27 | #noroot | 28 | # noroot |
28 | nosound | 29 | nosound |
29 | shell none | ||
30 | seccomp | ||
31 | protocol unix | 30 | protocol unix |
31 | seccomp | ||
32 | shell none | ||
32 | 33 | ||
34 | # using a private home directory | ||
35 | private | ||
36 | # private-bin Xephyr,sh,xkbcomp | ||
37 | # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls | ||
33 | private-dev | 38 | private-dev |
39 | # private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | ||
34 | private-tmp | 40 | private-tmp |
35 | #private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls | ||
36 | #private-bin Xephyr,sh,xkbcomp | ||
37 | #private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | ||
38 | |||
39 | blacklist /media | ||
40 | whitelist /var/lib/xkb | ||
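Review bot: The comment at new line 24, `# Xephyr needs to be allowed access to the abstract Unix socket namespace.`, explains a concession but no longer names the directive it waives; it sits directly above `nogroups`, which has nothing to do with sockets. Presumably it justifies leaving out `net none` (a fresh network namespace would also isolate abstract Unix sockets), so say so: `# net none is intentionally omitted: Xephyr needs the host's abstract Unix socket namespace.`. Separately, the new `include /etc/firejail/whitelist-common.inc` at new line 21 is now combined with `private` at new line 35; if whitelist mode and a private home interact in this firejail version, a one-line comment saying which one governs $HOME would save the next reader a test run.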
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile index 8eba82db1..ce17a9732 100644 --- a/etc/Xvfb.profile +++ b/etc/Xvfb.profile | |||
@@ -1,10 +1,10 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for Xvfb |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/Xvfb.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xvfb.local | ||
7 | |||
8 | # | 8 | # |
9 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. | 9 | # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb. |
10 | # The target program is sandboxed with its own profile. By default the this functionality | 10 | # The target program is sandboxed with its own profile. By default the this functionality |
@@ -16,9 +16,10 @@ include /etc/firejail/xvfb.local | |||
16 | # some Linux distributions. Also, older versions of Xpra use Xvfb. | 16 | # some Linux distributions. Also, older versions of Xpra use Xvfb. |
17 | # | 17 | # |
18 | 18 | ||
19 | blacklist /media | ||
19 | 20 | ||
20 | # using a private home directory | 21 | whitelist /var/lib/xkb |
21 | private | 22 | include /etc/firejail/whitelist-common.inc |
22 | 23 | ||
23 | caps.drop all | 24 | caps.drop all |
24 | # Xvfb needs to be allowed access to the abstract Unix socket namespace. | 25 | # Xvfb needs to be allowed access to the abstract Unix socket namespace. |
@@ -27,15 +28,14 @@ nonewprivs | |||
27 | # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. | 28 | # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. |
28 | #noroot | 29 | #noroot |
29 | nosound | 30 | nosound |
30 | shell none | ||
31 | seccomp | ||
32 | protocol unix | 31 | protocol unix |
32 | seccomp | ||
33 | shell none | ||
33 | 34 | ||
35 | # using a private home directory | ||
36 | private | ||
37 | # private-bin Xvfb,sh,xkbcomp | ||
38 | # private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls | ||
34 | private-dev | 39 | private-dev |
35 | private-tmp | ||
36 | private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname | 40 | private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname |
37 | #private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls | 41 | private-tmp |
38 | #private-bin Xvfb,sh,xkbcomp | ||
39 | |||
40 | blacklist /media | ||
41 | whitelist /var/lib/xkb | ||
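Review bot: The local-override include changes from `/etc/firejail/xvfb.local` (old line 6) to `/etc/firejail/Xvfb.local` (new line 4), so any restrictions an administrator already placed in the lowercase file silently stop being applied after this update, even though the header promises that file is where persistent customizations live. Either keep reading both names for a release, adding `include /etc/firejail/xvfb.local` next to the new line, or call the rename out in the release notes. A minor style point: this file keeps `#noroot` at new line 29 while Xephyr.profile in the same commit was changed to `# noroot`; pick one spacing for commented-out directives.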
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 2fe6d1927..9c2909b0f 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile | |||
@@ -1,21 +1,21 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for baloo_file |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/baloo_file.local | 4 | include /etc/firejail/baloo_file.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # KDE Baloo file daemon profile | 8 | noblacklist ${HOME}/.config/baloofilerc |
9 | noblacklist ${HOME}/.kde4/share/config/baloofilerc | ||
10 | noblacklist ${HOME}/.kde4/share/config/baloorc | ||
11 | noblacklist ${HOME}/.kde/share/config/baloofilerc | 9 | noblacklist ${HOME}/.kde/share/config/baloofilerc |
12 | noblacklist ${HOME}/.kde/share/config/baloorc | 10 | noblacklist ${HOME}/.kde/share/config/baloorc |
13 | noblacklist ${HOME}/.config/baloofilerc | 11 | noblacklist ${HOME}/.kde4/share/config/baloofilerc |
12 | noblacklist ${HOME}/.kde4/share/config/baloorc | ||
14 | noblacklist ${HOME}/.local/share/baloo | 13 | noblacklist ${HOME}/.local/share/baloo |
14 | |||
15 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
16 | include /etc/firejail/disable-programs.inc | ||
17 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
18 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | include /etc/firejail/disable-programs.inc | ||
19 | 19 | ||
20 | caps.drop all | 20 | caps.drop all |
21 | nogroups | 21 | nogroups |
@@ -26,7 +26,6 @@ novideo | |||
26 | protocol unix | 26 | protocol unix |
27 | # Baloo makes ioprio_set system calls, which are blacklisted by default. | 27 | # Baloo makes ioprio_set system calls, which are blacklisted by default. |
28 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old | 28 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old |
29 | |||
30 | x11 xorg | 29 | x11 xorg |
31 | 30 | ||
32 | private-dev | 31 | private-dev |
@@ -37,6 +36,6 @@ noexec /tmp | |||
37 | 36 | ||
38 | # Make home directory read-only and allow writing only to ~/.local/share | 37 | # Make home directory read-only and allow writing only to ~/.local/share |
39 | # Note: Baloo will not be able to update the "first run" key in its configuration files. | 38 | # Note: Baloo will not be able to update the "first run" key in its configuration files. |
40 | #read-only ${HOME} | 39 | # noexec ${HOME}/.local/share |
41 | #read-write ${HOME}/.local/share | 40 | # read-only ${HOME} |
42 | #noexec ${HOME}/.local/share | 41 | # read-write ${HOME}/.local/share |
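Review bot: The `seccomp.drop` list at new line 28 still names `process_vm_writev` twice (once after `process_vm_readv`, again after `personality`), and because it is a hand-copied variant of the default deny list minus `ioprio_set`, it will fall behind silently whenever the built-in list gains entries. If this firejail version supports removing a single syscall from the default set (the `seccomp !ioprio_set` form), that is the tighter and self-maintaining spelling; otherwise at least drop the duplicate and add `# Hand-copied from the default seccomp list minus ioprio_set; re-sync when the default list changes.` above it. The second hunk only reorders commented-out lines and needs nothing.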
diff --git a/etc/brave.profile b/etc/brave.profile index e73dd37a2..20dbf6c52 100644 --- a/etc/brave.profile +++ b/etc/brave.profile | |||
@@ -1,43 +1,36 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for brave |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/brave.local | 4 | include /etc/firejail/brave.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # Profile for Brave browser | ||
9 | noblacklist ~/.config/brave | 8 | noblacklist ~/.config/brave |
10 | noblacklist ~/.pki | ||
11 | |||
12 | # brave uses gpg for built-in password manager | 9 | # brave uses gpg for built-in password manager |
13 | noblacklist ~/.gnupg | 10 | noblacklist ~/.gnupg |
11 | noblacklist ~/.pki | ||
14 | 12 | ||
15 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
16 | include /etc/firejail/disable-programs.inc | ||
17 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
18 | 15 | include /etc/firejail/disable-programs.inc | |
19 | #caps.drop all | ||
20 | netfilter | ||
21 | #nonewprivs | ||
22 | #noroot | ||
23 | #protocol unix,inet,inet6,netlink | ||
24 | #seccomp | ||
25 | |||
26 | #disable-mnt | ||
27 | |||
28 | whitelist ${DOWNLOADS} | ||
29 | 16 | ||
30 | mkdir ~/.config/brave | 17 | mkdir ~/.config/brave |
31 | whitelist ~/.config/brave | ||
32 | mkdir ~/.pki | 18 | mkdir ~/.pki |
33 | whitelist ~/.pki | 19 | whitelist ${DOWNLOADS} |
34 | |||
35 | # lastpass, keepass | ||
36 | # for keepass we additionally need to whitelist our .kdbx password database | ||
37 | whitelist ~/.keepass | ||
38 | whitelist ~/.config/keepass | ||
39 | whitelist ~/.config/KeePass | 20 | whitelist ~/.config/KeePass |
40 | whitelist ~/.lastpass | 21 | whitelist ~/.config/brave |
22 | whitelist ~/.config/keepass | ||
41 | whitelist ~/.config/lastpass | 23 | whitelist ~/.config/lastpass |
42 | 24 | whitelist ~/.keepass | |
25 | whitelist ~/.lastpass | ||
26 | whitelist ~/.pki | ||
43 | include /etc/firejail/whitelist-common.inc | 27 | include /etc/firejail/whitelist-common.inc |
28 | |||
29 | # caps.drop all | ||
30 | netfilter | ||
31 | # nonewprivs | ||
32 | # noroot | ||
33 | # protocol unix,inet,inet6,netlink | ||
34 | # seccomp | ||
35 | |||
36 | # disable-mnt | ||
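Review bot: The hardening that matters most for a browser, `caps.drop all`, `nonewprivs`, `noroot`, `protocol ...` and `seccomp` (new lines 29-34), is still commented out with no reason recorded, so the sandbox runs with only `netfilter` and a whitelist while exposing password-manager data (`~/.keepass`, `~/.lastpass`, `~/.config/keepass`) to it. The commit also drops the old explanatory comment on why `~/.keepass` is whitelisted (`# for keepass we additionally need to whitelist our .kdbx password database`); please restore it above new line 24 and add a one-line note above `# caps.drop all` stating what breaks when these are enabled, so the next maintainer knows whether to retry. Separately, `noblacklist ~/.gnupg` at new line 10 has no matching `whitelist ~/.gnupg`; if whitelist-common.inc puts $HOME in whitelist mode, the directory is invisible regardless, so that noblacklist is either dead or needs the whitelist to accompany it.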
diff --git a/etc/default.profile b/etc/default.profile index 44a9e548b..693f89ad3 100644 --- a/etc/default.profile +++ b/etc/default.profile | |||
@@ -1,31 +1,38 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for default |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/default.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | # generic gui profile |
5 | # Persistent customizations should go in a .local file. | 9 | # depending on your usage, you can enable some of the commands below: |
6 | include /etc/firejail/default.local | ||
7 | 10 | ||
8 | ################################ | ||
9 | # Generic GUI application profile | ||
10 | ################################ | ||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | 12 | # include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
14 | 15 | ||
15 | caps.drop all | 16 | caps.drop all |
17 | # ipc-namespace | ||
16 | netfilter | 18 | netfilter |
19 | # nogroups | ||
17 | nonewprivs | 20 | nonewprivs |
18 | noroot | 21 | noroot |
22 | # nosound | ||
23 | # novideo | ||
19 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
20 | seccomp | 25 | seccomp |
21 | |||
22 | # | ||
23 | # depending on your usage, you can enable some of the commands below: | ||
24 | # | ||
25 | # nogroups | ||
26 | # shell none | 26 | # shell none |
27 | |||
28 | # disable-mnt | ||
29 | # private | ||
27 | # private-bin program | 30 | # private-bin program |
28 | # private-etc none | ||
29 | # private-dev | 31 | # private-dev |
32 | # private-etc none | ||
33 | # private-lib | ||
30 | # private-tmp | 34 | # private-tmp |
31 | # nosound | 35 | |
36 | # memory-deny-write-execute | ||
37 | # noexec ${HOME} | ||
38 | # noexec /tmp | ||
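Review bot: The guidance comment at new line 9, `# depending on your usage, you can enable some of the commands below:`, now sits above `include /etc/firejail/disable-common.inc` and other active directives, and it invites editing a file whose header (new line 2) says it is overwritten on every update. Point readers at the override file instead: `# Optional hardening is commented out below; add the directives you want to /etc/firejail/default.local rather than editing this file.`. The same sentence appears in server.profile in this commit and deserves the same rewording.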
diff --git a/etc/openbox.profile b/etc/openbox.profile index 4104e1e08..99c579c37 100644 --- a/etc/openbox.profile +++ b/etc/openbox.profile | |||
@@ -1,14 +1,12 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for openbox |
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/openbox.local | ||
5 | # Persistent global definitions | ||
2 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
3 | 7 | ||
4 | # This file is overwritten during software install. | 8 | # all applications started in OpenBox will run in this profile |
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/openbox.local | ||
7 | 9 | ||
8 | ####################################### | ||
9 | # OpenBox window manager profile | ||
10 | # - all applications started in OpenBox will run in this profile | ||
11 | ####################################### | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
13 | 11 | ||
14 | caps.drop all | 12 | caps.drop all |
diff --git a/etc/server.profile b/etc/server.profile index 2d79fa1c8..b0dd13f80 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -1,25 +1,37 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for server |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/server.local | 4 | include /etc/firejail/server.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | # generic server profile | 8 | # generic server profile |
9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed | 9 | # it allows /sbin and /usr/sbin directories - this is where servers are installed |
10 | # depending on your usage, you can enable some of the commands below: | ||
11 | |||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
10 | noblacklist /sbin | 14 | noblacklist /sbin |
11 | noblacklist /usr/sbin | 15 | noblacklist /usr/sbin |
16 | |||
12 | include /etc/firejail/disable-common.inc | 17 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | 18 | # include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 19 | include /etc/firejail/disable-passwdmgr.inc |
20 | include /etc/firejail/disable-programs.inc | ||
15 | 21 | ||
16 | blacklist /tmp/.X11-unix | 22 | caps |
17 | |||
18 | no3d | 23 | no3d |
19 | nosound | 24 | nosound |
20 | seccomp | 25 | seccomp |
21 | caps | ||
22 | 26 | ||
27 | # disable-mnt | ||
23 | private | 28 | private |
29 | # private-bin program | ||
24 | private-dev | 30 | private-dev |
31 | # private-etc none | ||
32 | # private-lib | ||
25 | private-tmp | 33 | private-tmp |
34 | |||
35 | # memory-deny-write-execute | ||
36 | # noexec ${HOME} | ||
37 | # noexec /tmp | ||
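Review bot: `caps` at new line 22 applies firejail's default capability filter, the loosest of the capability directives, and the profile records nothing about why the tighter `caps.drop all` plus `caps.keep` is not used for a generic server, while `nonewprivs` and `noroot` are absent altogether. Daemons that bind privileged ports or drop from root plausibly need a few capabilities, so a comment naming that trade-off would help: `# caps keeps the default set because daemons may need e.g. net_bind_service/setuid; tighten with caps.drop all + caps.keep in server.local.`. As in default.profile, the "you can enable some of the commands below" line at new line 10 should point to server.local, since new line 2 says this file is overwritten on update.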
diff --git a/etc/snap.profile b/etc/snap.profile index 8493fcbd3..38aef7c23 100644 --- a/etc/snap.profile +++ b/etc/snap.profile | |||
@@ -1,17 +1,16 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for snap |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/snap.local | 4 | include /etc/firejail/snap.local |
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 7 | ||
8 | ################################ | ||
9 | # Generic Ubuntu snap application profile | 8 | # Generic Ubuntu snap application profile |
10 | ################################ | 9 | |
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | ||
14 | 13 | ||
15 | whitelist ~/snap | ||
16 | whitelist ${DOWNLOADS} | 14 | whitelist ${DOWNLOADS} |
15 | whitelist ~/snap | ||
17 | include /etc/firejail/whitelist-common.inc | 16 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/xpra.profile b/etc/xpra.profile index c8bb3ef52..ed393d70b 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile | |||
@@ -1,10 +1,9 @@ | |||
1 | # Persistent global definitions go here | 1 | # Firejail profile for xpra |
2 | include /etc/firejail/globals.local | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/xpra.local | 4 | include /etc/firejail/xpra.local |
7 | 5 | # Persistent global definitions | |
6 | include /etc/firejail/globals.local | ||
8 | 7 | ||
9 | # | 8 | # |
10 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. | 9 | # This profile will sandbox Xpra server itself when used with firejail --x11=xpra. |
@@ -14,12 +13,15 @@ include /etc/firejail/xpra.local | |||
14 | # | 13 | # |
15 | # or run "sudo firecfg" | 14 | # or run "sudo firecfg" |
16 | 15 | ||
17 | # private home directory doesn't work on some distros, so we go for a regular home | 16 | blacklist /media |
18 | #private | 17 | |
19 | include /etc/firejail/disable-common.inc | 18 | include /etc/firejail/disable-common.inc |
20 | include /etc/firejail/disable-programs.inc | ||
21 | include /etc/firejail/disable-devel.inc | 19 | include /etc/firejail/disable-devel.inc |
22 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
21 | include /etc/firejail/disable-programs.inc | ||
22 | |||
23 | whitelist /var/lib/xkb | ||
24 | include /etc/firejail/whitelist-common.inc | ||
23 | 25 | ||
24 | caps.drop all | 26 | caps.drop all |
25 | # xpra needs to be allowed access to the abstract Unix socket namespace. | 27 | # xpra needs to be allowed access to the abstract Unix socket namespace. |
@@ -28,17 +30,14 @@ nonewprivs | |||
28 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. | 30 | # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. |
29 | #noroot | 31 | #noroot |
30 | nosound | 32 | nosound |
31 | shell none | ||
32 | seccomp | ||
33 | protocol unix | 33 | protocol unix |
34 | seccomp | ||
35 | shell none | ||
34 | 36 | ||
35 | 37 | # private home directory doesn't work on some distros, so we go for a regular home | |
38 | # private | ||
39 | # older Xpra versions also use Xvfb | ||
40 | # private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls | ||
36 | private-dev | 41 | private-dev |
42 | # private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 | ||
37 | private-tmp | 43 | private-tmp |
38 | # older Xpra versions also use Xvfb | ||
39 | #private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls | ||
40 | #private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 | ||
41 | |||
42 | blacklist /media | ||
43 | whitelist /var/lib/xkb | ||
44 | |||
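Review bot: The comment kept at new line 37, `# private home directory doesn't work on some distros, so we go for a regular home`, is now contradicted by the newly added `include /etc/firejail/whitelist-common.inc` at new line 24: once a whitelist applies to $HOME, the sandbox no longer sees a regular home, only the whitelisted entries. If xpra keeps its sockets or logs under the user's home (by default ~/.xpra, as far as I know), that directory needs `mkdir ~/.xpra` and `whitelist ~/.xpra`; otherwise reword the comment, e.g. `# private does not work on some distros; home is restricted via whitelist-common.inc instead`. Also `#noroot` at new line 31 should match the `# noroot` spelling used in Xephyr.profile in this commit.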