From fadaac29530845119e957d995c8d7e6470023c8c Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 13 Feb 2019 22:48:33 +0000
Subject: Refactor snap.profile
---
 etc/snap.profile | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 50 insertions(+), 5 deletions(-)
diff --git a/etc/snap.profile b/etc/snap.profile
index 6d95e719a..ef4f3d3a6 100644
--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -1,17 +1,62 @@
 # Firejail profile for snap
-# Description: generic Ubuntu snap application profile
+# Description: Install, configure, refresh and remove snap packages
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include snap.local
 # Persistent global definitions
 include globals.local
-# Generic Ubuntu snap application profile
+# Note: Snap packages have their own confinement mechanism relying on snapd and apparmor.
+# As such firejail is not able to deliver any additional sandboxing for snaps. This profile does sandbox
+# the snap tool which is used to interact with snap packages.
+# See https://docs.snapcraft.io/ for more detailed info.
+noblacklist ${HOME}/.snap
+noblacklist ${HOME}/snap
+noblacklist ${DOWNLOADS}
+noblacklist /var/cache/snapd
+noblacklist /var/lib/snapd
+noblacklist /var/snap
+mkdir ${HOME}/.snap
+mkdir ${HOME}/snap
+whitelist ${HOME}/.snap
+whitelist ${HOME}/snap
 include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/snap
-include whitelist-common.inc
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin snap
+private-dev
+private-etc group,passwd
+private-lib snapd
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-70-g09d2
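Review bot: `noblacklist ${DOWNLOADS}` has no visible effect in the new profile: once `whitelist ${HOME}/.snap` and `whitelist ${HOME}/snap` are in force the rest of ${HOME} is hidden, and the matching `whitelist ${DOWNLOADS}` is removed in this same hunk, so installing a locally downloaded `.snap` file from that directory will fail inside the sandbox. Either add `whitelist ${DOWNLOADS}` next to the two whitelist lines or drop the noblacklist so the intent is explicit. Separately, `protocol unix,inet,inet6` and `netfilter` grant network access while `private-etc group,passwd` leaves out `resolv.conf`, `hosts` and the `ssl`/`ca-certificates` entries; if the client only ever talks to snapd over its local unix socket the inet protocols can be dropped, and if it does contact the store directly (I believe `snap download` does, but confirm) those entries are needed for name resolution and TLS verification, so it is worth settling which behaviour the profile targets and documenting it in the note at the top.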