From 7373cf31d4ba6638c0477a254f62552556921521 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Tue, 7 Apr 2020 19:52:56 -0400
Subject: fdns profile

---
 etc/fdns.profile   | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 etc/server.profile | 25 ++++++++++++++++++++++++-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 etc/fdns.profile

(limited to 'etc')

diff --git a/etc/fdns.profile b/etc/fdns.profile
new file mode 100644
index 000000000..2ab69cd5b
--- /dev/null
+++ b/etc/fdns.profile
@@ -0,0 +1,52 @@
+# Firejail profile for server
+# This file is overwritten after every install/update
+# Persistent local customizations
+include server.local
+# Persistent global definitions
+include globals.local
+
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+#
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.keep chown,kill,setgid,setuid,net_bind_service,net_admin,sys_chroot,sys_admin,syslog
+
+ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+#seccomp
+#shell none
+
+disable-mnt
+private
+private-bin fdns,bash,sh
+# private-cache
+private-dev
+# private-etc alternatives
+# private-lib
+private-tmp
+
+protocol unix,inet,inet6
+memory-deny-write-execute
diff --git a/etc/server.profile b/etc/server.profile
index bee8df932..5bc4735ae 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -1,4 +1,27 @@
-# Firejail profile for server
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+#       $ sudo firejail
+#       [sudo] password for netblue:
+#       Reading profile /etc/firejail/server.profile
+#       Reading profile /etc/firejail/disable-common.inc
+#       Reading profile /etc/firejail/disable-passwdmgr.inc
+#       Reading profile /etc/firejail/disable-programs.inc
+#
+#       ** Note: you can use --noprofile to disable server.profile **
+#
+#       Parent pid 5347, child pid 5348
+#       The new log directory is /proc/5348/root/var/log
+#       Child process initialized in 64.43 ms
+#       root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
+
 # This file is overwritten after every install/update
 # Persistent local customizations
 include server.local
-- 
cgit v1.2.3-54-g00ecf