# Firejail profile for PROGRAM_NAME
# Description: DESCRIPTION
# This file is overwritten after every install/update
# --- CUT HERE ---
# This is a generic template to help you with creation of profiles
# for new programs. PRs welcome at https://github.com/netblue30/firejail/
#
# Rules to follow:
#  - lines with one # are often used in profiles
#  - lines with two ## are only needed in special situations
#  - make the profile as restrictive as possible while still keeping the program useful
#    (e. g. a program that is unable to save user's work is considered a bad practice)
#  - dedicate some time (based on how complex the application is) to profile testing before raising
#    a pull request
#  - keep the sections structure, use a single empty line as a separator
#  - entries within sections are alphabetically sorted
#  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
#    to not do this for essential utilities as this may *break* your OS! (related discussion:
#    https://github.com/netblue30/firejail/issues/2507)
#  - remove this comment section and any generic comment past 'Persistent global definitions'
#
# Sections structure
#   HEADER
#   COMMENTS
#   IGNORES
#   NOBLACKLISTS
#   ALLOW INCLUDES
#   BLACKLISTS
#   DISABLE INCLUDES
#   MKDIRS
#   WHITELISTS
#   WHITELIST INCLUDES
#   OPTIONS (no*)
#   PRIVATE OPTIONS (disable-mnt, private-*)
#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
#   REDIRECT INCLUDES
#
# --- CUT HERE ---
##quiet
# Persistent local customizations
#include PROFILE.local
# Persistent global definitions
#include globals.local

##ignore noexec ${HOME}

##blacklist PATH

# It is common practice to add files/dirs containing program-specific configuration
# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
# (keep list sorted) and then disable blacklisting below.
# One way to retrieve the files a program uses is:
#  - launch binary with --private naming a sandbox
#    `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
#  - work with the program, do some configuration changes and save them, open new documents,
#    install plugins if they exist, etc
#  - join the sandbox with bash:
#    `firejail --join=test bash`
#  - look at what has changed and use that information to populate blacklist and whitelist sections
#    `ls -aR`
#noblacklist PATH

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc

# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc

# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc

# Allow lua (blacklisted by disable-interpreters.inc)
#include allow-lua.inc

#include disable-common.inc
#include disable-devel.inc
#include disable-exec.inc
#include disable-interpreters.inc
#include disable-passwdmgr.inc
#include disable-programs.inc
#include disable-xdg.inc

# This section often mirrors the noblacklist section above. The idea is
# that if a user feels too restricted (he's unable to save files into
# home directory for instance) he/she may disable whitelist (nowhitelist)
# in PROFILE.local but still be protected by the BLACKLISTS section
# (further explanation at https://github.com/netblue30/firejail/issues/1569)
#mkdir PATH
#mkfile PATH
#whitelist PATH
#include whitelist-common.inc
#include whitelist-var-common.inc

#apparmor
#caps.drop all
# CLI only
##ipc-namespace
#machine-id
# 'net none' or 'netfilter'
#net none
#netfilter
#no3d
#nodbus
#nodvd
#nogroups
#nonewprivs
#noroot
#nosound
#notv
#nou2f
#novideo
#protocol unix,inet,inet6,netlink
#seccomp
##seccomp.drop SYSCALLS
#shell none
#tracelog

#disable-mnt
##private
#private-bin PROGRAMS
#private-cache
#private-dev
#private-etc FILES
# private-etc templates (see also #1734)
# Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
# Sound: alsa,asound.conf,machine-id,openal,pulse
# GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
# KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
# GUIs: fonts
# Alternatives: alternatives
##private-lib LIBS
##private-opt NAME
#private-tmp

##env VAR=VALUE
#memory-deny-write-execute
##read-only ${HOME}
##join-or-start NAME
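The following is a filled-in profile built from the template above, added here as an example and not part of the template or the firejail repository. It assumes a hypothetical GTK image viewer named exampleviewer whose configuration directory ${HOME}/.config/exampleviewer is already listed in disable-programs.inc; every directive and include file used appears in the template.

```ini
# Firejail profile for exampleviewer
# Description: hypothetical GTK image viewer (added example, not a real program)
# Persistent local customizations
include exampleviewer.local
# Persistent global definitions
include globals.local

# The config dir is assumed to be blacklisted by disable-programs.inc,
# so lift that entry before the disable includes are processed
noblacklist ${HOME}/.config/exampleviewer

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

# Mirrors the noblacklist section: a user can drop these with
# nowhitelist in exampleviewer.local and still keep the blacklists
mkdir ${HOME}/.config/exampleviewer
whitelist ${HOME}/.config/exampleviewer
whitelist ${HOME}/Pictures
include whitelist-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
# a local viewer needs no network, so 'net none' rather than 'netfilter'
net none
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
shell none

disable-mnt
private-bin exampleviewer
private-cache
private-dev
# the GTK private-etc template from the comments above
private-etc dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
private-tmp
```

Sections are separated by a single empty line and entries within each section are sorted alphabetically, as the template rules require; the options left out (tracelog, mdwx, read-only) are the ones the rules say to add only after testing shows the program still works.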