From 5cbbafa6867d85cdf94a266bbbc9965a755189fe Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 11 Dec 2020 12:09:30 +0000
Subject: integrate relevant options into server.profile (#3808)

* integrate relevant options into server.profile
* relax mdwe and dbus-system in server.profile
---
 etc/profile-m-z/server.profile | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
(limited to 'etc/profile-m-z/server.profile')
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 5bc4735ae..d47f1289a 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -45,10 +45,17 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# include disable-xdg.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+apparmor
 caps
 # ipc-namespace
+machine-id
 # netfilter /etc/firejail/webserver.net
 no3d
 nodvd
@@ -59,19 +66,26 @@ nosound
 notv
 nou2f
 novideo
+# protocol unix,inet,inet6,netlink
 seccomp
 # shell none
-# disable-mnt
+disable-mnt
 private
 # private-bin program
 # private-cache
 private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
 # private-etc alternatives
 # private-lib
+# private-opt none
 private-tmp
-# dbus-user none
+dbus-user none
 # dbus-system none
 # memory-deny-write-execute
+# read-only ${HOME}
+# writable-run-user
+# writable-var
+# writable-var-log
-- 
cgit v1.2.3-70-g09d2
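Review bot: `apparmor` is switched on unconditionally in the first hunk, while the neighbouring `# ipc-namespace` and `# netfilter` entries stay opt-in. As far as I know, the firejail-default AppArmor profile only permits executing programs from the standard system paths, so a server installed elsewhere may fail to start under this generic profile. If the option stays enabled, a comment directly above it would tell administrators what to do, e.g. `# apparmor restricts execution to system paths; comment out if the server binary lives elsewhere`. The same hunk adds `include disable-write-mnt.inc`, which looks redundant once `disable-mnt` is enabled in the second hunk, assuming that include only marks the mount points read-only.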
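Review bot: The four options appended at the end of the second hunk sit in one commented block although they pull in opposite directions. `read-only ${HOME}` tightens the sandbox, whereas `writable-run-user`, `writable-var` and `writable-var-log` each give back access that firejail withholds by default, so uncommenting the whole block to harden a service would loosen it. A one-line comment before the writable entries would make the direction clear, e.g. `# the writable-* options relax the sandbox; enable only those the service needs`. `disable-mnt` is also turned on in this hunk, so a service that keeps data under /mnt or /media loses access to it; the profile's header comment (outside this hunk) would be the place to mention that.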