From 4642e8a3017864f74620a7f2917a99c02539fa52 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 22 Sep 2018 01:44:35 -0400
Subject: Add profile for spectre-meltdown-checker
Will need to support allow-debuggers in profiles before it can be enabled in firecfg
---
 etc/spectre-meltdown-checker.profile | 53 ++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 etc/spectre-meltdown-checker.profile
(limited to 'etc')
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile
new file mode 100644
index 000000000..18d3a0575
--- /dev/null
+++ b/etc/spectre-meltdown-checker.profile
@@ -0,0 +1,53 @@
+# Firejail profile for spectre-meltdown-checker
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/spectre-meltdown-checker.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# sudo firejail --allow-debuggers spectre-meltdown-checker
+
+noblacklist ${PATH}/mount
+noblacklist ${PATH}/umount
+
+# Allow access to perl
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.keep sys_rawio
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix
+seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap
+shell none
+
+disable-mnt
+private
+private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
+private-cache
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
-- cgit v1.2.3-70-g09d2
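Review bot: `caps.keep sys_rawio` drops CAP_SYS_ADMIN, yet the hunk un-blacklists `mount`/`umount` and ships them in `private-bin` — mount(2) requires CAP_SYS_ADMIN, so whatever the checker is expected to mount (presumably debugfs for /sys/kernel/debug, which is also the likely reason for the `--allow-debuggers` comment) will fail inside the sandbox while the two `noblacklist` lines suggest it is supported. Either drop the four mount-related entries and state in the header comment that debugfs must already be mounted on the host, or keep `sys_admin` as well, noting that CAP_SYS_ADMIN for a root process largely negates the sandbox; the first option is the safer default. In any case the capability line deserves a why-comment, e.g. `# sys_rawio: required to open /dev/cpu/*/msr; mount(2) still needs sys_admin, which is dropped here`. Since the profile has no `private-dev`, the retained raw-I/O capability applies to every device node the host exposes, so this profile mostly narrows filesystem and syscall surface rather than hardware access — worth saying in the same comment so nobody mistakes it for stronger isolation. Likewise `modprobe` in `private-bin` cannot load anything with `@module` in `seccomp.drop`, so its presence there is misleading.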