#include <tunables/global>

profile firejail-default {

#####
# D-Bus is a huge security hole, we disable it here. Uncomment this line if you
# need D-Bus functionality.
#
#dbus,

#####
# Mask /proc and /sys information leakage. The configuration here is barely
# enough to run "top" or "ps aux".
#
/ r,
/[^proc,^sys]** mrwlk,

/proc/ r,
/proc/meminfo r,
/proc/cpuinfo r,
/proc/filesystems r,
/proc/uptime r,
/proc/loadavg r,
/proc/stat r,
/proc/@{pid}/ r,
/proc/@{pid}/fd/ r,
/proc/@{pid}/task/ r,
/proc/@{pid}/cmdline r,
/proc/@{pid}/comm r,
/proc/@{pid}/stat r,
/proc/@{pid}/statm r,
/proc/@{pid}/status r,
/proc/sys/kernel/pid_max r,
/proc/sys/kernel/shmmax r,
/sys/ r,
/sys/bus/ r,
/sys/bus/** r,
/sys/class/ r,
/sys/class/** r,
/sys/devices/ r,
/sys/devices/** r,

/proc/@{pid}/maps r,
/proc/@{pid}/mounts r,
/proc/@{pid}/mountinfo r,
/proc/@{pid}/oom_score_adj r,

/{,var/}run/firejail/mnt/fslogger r,
/{,var/}run/user/**/dconf/ r,
/{,var/}run/user/**/dconf/user r,

#####
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, uncomment /home line.
#
/lib/** ix,
/lib64/** ix,
/bin/** ix,
/sbin/** ix,
/usr/bin/** ix,
/usr/sbin/** ix,
/usr/local/** ix,
/usr/lib/** ix,
/usr/games/** ix,
/opt/** ix,
#/home/** ix,

#####
# Allow all networking functionality, and control it from Firejail.
#
network inet,
network inet6,
network unix,
network netlink,
network raw,

#####
# There is no equivalent in Firejail for filtering signals.
#
signal,

#####
# Disable all capabilities. If you run your sandbox as root, you might need to
# enable/uncomment some of them.
#
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability setgid,
capability setuid,
capability setpcap,
capability linux_immutable,
capability net_bind_service,
capability net_broadcast,
capability net_admin,
capability net_raw,
capability ipc_lock,
capability ipc_owner,
capability sys_module,
capability sys_rawio,
capability sys_chroot,
capability sys_ptrace,
capability sys_pacct,
capability sys_admin,
capability sys_boot,
capability sys_nice,
capability sys_resource,
capability sys_time,
capability sys_tty_config,
capability mknod,
capability lease,
capability audit_write,
capability audit_control,
capability setfcap,
capability mac_override,
capability mac_admin,

#####
# No mount/umount functionality when running as regular user.
#
mount,
remount,
umount,
pivot_root,

}