From d0ae074854181d2900b2e8fc6fe5e963c0763a38 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 15 Nov 2017 08:14:46 -0500
Subject: makepkg profile for Arch platform, #1642
---
etc/makepkg.profile | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 etc/makepkg.profile
(limited to 'etc')
diff --git a/etc/makepkg.profile b/etc/makepkg.profile
new file mode 100644
index 000000000..96846592d
--- /dev/null
+++ b/etc/makepkg.profile
@@ -0,0 +1,58 @@
+# Firejail profile for makepkg
+# This file is overwritten after every install/update
+
+# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
+# for potential issues and their solutions when Firejailing makepkg
+
+# This profile could be significantly strengthened by adding the following to makepkg.local
+# whitelist ~/
+# whitelist ~/.gnupg
+
+quiet
+# Persistent local customizations
+include /etc/firejail/makepkg.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Enable severely restricted access to ${HOME}/.gnupg
+noblacklist ~/.gnupg
+read-only ~/.gnupg/gpg.conf
+read-only ~/.gnupg/trustdb.gpg
+read-only ~/.gnupg/pubring.kbx
+blacklist ~/.gnupg/random_seed
+blacklist ~/.gnupg/pubring.kbx~
+blacklist ~/.gnupg/private-keys-v1.d
+blacklist ~/.gnupg/crls.d
+blacklist ~/.gnupg/openpgp-revocs.d
+
+
+# Need to be able to read /var/lib/pacman, {Note no capabilities so automatically read-only}
+noblacklist /var/lib/pacman
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot is only disabled to allow the creation of kernel headers from an official pckgbuild.
+#noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-54-g00ecf
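Review bot: The `~/.gnupg` block is an enumerated deny-list inside a directory that `noblacklist ~/.gnupg` otherwise opens up, so anything not named stays reachable by the PKGBUILD code that makepkg executes. That includes a legacy `secring.gpg`, an agent socket if one lives in that directory, and the directory itself, which stays writable because only three files are marked `read-only`. I would make the whole directory read-only and cover the older secret keyring as well, e.g. `read-only ~/.gnupg` and `blacklist ~/.gnupg/secring.gpg`. This assumes signature verification still works without write access; gpg may want to create lock files there, so it needs testing. The comment above `#noroot` could also state that leaving it off means the sandbox runs without a user namespace, so anyone copying the profile sees the trade-off.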