Diffstat (limited to 'etc')
-rw-r--r-- | etc/templates/profile.template | 18 | ||||
-rw-r--r-- | etc/templates/redirect_alias-profile.template | 25 |
2 files changed, 22 insertions, 21 deletions
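--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -3,16 +3,16 @@
 # This file is overwritten after every install/update
 # --- CUT HERE ---
 # This is a generic template to help you with creation of profiles
-# for new programs. PRs welcome at https://github.com/netblue30/firejail/
+# for new programs. PRs welcome at https://github.com/netblue30/firejail/.
 #
 # Rules to follow:
 # - lines with one # are often used in profiles
 # - lines with two ## are only needed in special situations
 # - make the profile as restrictive as possible while still keeping the program useful
-# (e. g. a program that is unable to save user's work is considered a bad practice)
-# - dedicate some time (based on how complex the application is) to profile testing before raising
+# (e. g. a program that is unable to save user's work is considered bad practice)
+# - dedicate some time (based on the complexity of the application) to profile testing before raising
 # a pull request
-# - keep the sections structure, use a single empty line as a separator
+# - keep the sections structure, use a single empty line as separator
 # - entries within sections are alphabetically sorted
 # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
 # to not do this for essential utilities as this may *break* your OS! (related discussion:
@@ -66,8 +66,8 @@ include globals.local
 # One way to retrieve the files a program uses is:
 # - launch binary with --private naming a sandbox
 # `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
-# - work with the program, do some configuration changes and save them, open new documents,
-# install plugins if they exists, etc
+# - work with the program, make some configuration changes and save them, open new documents,
+# install plugins if they exists, etc.
 # - join the sandbox with bash:
 # `firejail --join=test bash`
 # - look what has changed and use that information to populate blacklist and whitelist sections
@@ -128,14 +128,14 @@ include globals.local
 #notv
 #nou2f
 #novideo
-# Remove every not needed protocol
+# Remove each unneeded protocol:
 # - unix is usually needed
-# - inet,inet6 only if internet access is requiered (see 'net none'/'netfilter' above)
+# - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above)
 # - netlink is rarely needed
 # - packet almost never
 #protocol unix,inet,inet6,netlink,packet
 #seccomp
-##seccomp.drop SYSCALLS (see also syscalls.txt)
+##seccomp.drop SYSCALLS (see syscalls.txt)
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set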
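Review bot: The second hunk (old/new line 70) rewords the sentence but keeps the agreement error "install plugins if they exists"; since the commit is a wording pass, that line should read `# install plugins if they exist, etc.`. The rest of the hunk's edits are consistent with this, so only that one line needs changing.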
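--- a/etc/templates/redirect_alias-profile.template
+++ b/etc/templates/redirect_alias-profile.template
@@ -6,38 +6,39 @@ include PROFILE.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
-#NOTE: let include globals.local commented, except redirecting to a -common.profile
+#NOTE: keep include globals.local commented, except when redirecting to a *-common.profile
 
-# For more informations see profile.template
+# For more information, see profile.template
 
-# Ignore something that is in the included profile
+# Ignoring option(s) from the included profile
 #ignore net none
 #ignore private-bin
 #ignore seccomp
 #...
 
-# Additional noblacklisting (if needed)
+# Additional noblacklisting (when needed)
 #noblacklist PATH
 
-# Additional allow includes (if needed)
+# Additional allow includes (when needed)
 
-# Additional blacklisting (if needed)
+# Additional blacklisting (when needed)
 #blacklist PATH
 
-# Additional whitelisting (if needed)
+# Additional whitelisting (when needed)
+#NOTE: never use mkdir/mkfile when 'private' is set (see https://github.com/netblue30/firejail/issues/903)
 #mkdir PATH
 ##mkfile PATH
 #whitelist PATH
 
-# Additional options (if needed)
+# Additional options (when needed)
 
-# Additional private-options (if needed)
-# Add programs to private-bin (if needed)
+# Additional private-options (when needed)
+# Add programs to private-bin (when needed)
 #private-bin PROGRAMS
-# Add files to private-etc (if needed)
+# Add files to private-etc (when needed)
 #private-etc FILES
 
-# Additional special options (if needed)
+# Additional special options (when needed)
 
 # Redirect
 include PROFILE.profile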
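Review bot: The new heading at line 13, "Ignoring option(s) from the included profile", is the only section heading in this template written as a gerund; every other heading in the hunk is a noun phrase or an imperative ("Additional whitelisting", "Add programs to private-bin", "Redirect"). For consistency with the rest of the file it should read `# Ignore option(s) from the included profile`. The added NOTE about mkdir/mkfile under 'private' is otherwise a helpful addition and needs no change.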