#include <tunables/global>

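profile firejail-default {

#####
# AppArmor profile for programs run under Firejail. AppArmor profiles are
# allow-lists: any access not granted by a rule below is denied, so "disable
# X" in this file means "leave the rule for X out (or commented out)".
#

#####
# D-Bus is a huge security hole, we disable it here. Uncomment this line if you
# need D-Bus functionality.
#
#dbus,

#####
# Mask /proc and /sys information leakage. The configuration here is barely
# enough to run "top" or "ps aux".
#
# AppArmor has no "anything except this path" operator. A rule such as
# "/[^proc,^sys]** mrwlk," does not mean "everything but /proc and /sys":
# "[^proc,^sys]" is a character class matching one character that is not
# p, r, o, c, ',', '^', s or y, so every top-level name starting with one of
# those letters (/opt, /root, /run, /sbin, /srv, ...) would be left without
# read/write/mmap access too (for example shared libraries under /opt could
# not be mapped even though /opt/** is executable below). The exclusion is
# therefore spelled out one prefix character at a time; only /proc/** and
# /sys/** stay unmatched. "?" matches exactly one character other than "/".
#
/ r,
/[^ps]** mrwlk,
/p[^r]** mrwlk,
/pr[^o]** mrwlk,
/pro[^c]** mrwlk,
/proc?** mrwlk,
/s[^y]** mrwlk,
/sy[^s]** mrwlk,
/sys?** mrwlk,

# Read-only view of the parts of /proc that a process listing needs. @{pid}
# (defined via the tunables/global include) matches any PID, not only the
# sandbox's own: "ps aux" has to read every process's cmdline/stat/status.
/proc/ r,
/proc/meminfo r,
/proc/cpuinfo r,
/proc/filesystems r,
/proc/uptime r,
/proc/loadavg r,
/proc/stat r,
/proc/@{pid}/ r,
/proc/@{pid}/fd/ r,
/proc/@{pid}/task/ r,
/proc/@{pid}/cmdline r,
/proc/@{pid}/comm r,
/proc/@{pid}/stat r,
/proc/@{pid}/statm r,
/proc/@{pid}/status r,
/proc/sys/kernel/pid_max r,
/proc/sys/kernel/shmmax r,

# Device enumeration under /sys. Note that these three trees expose every
# device attribute read-only, not just the names of the buses and classes.
/sys/ r,
/sys/bus/ r,
/sys/bus/** r,
/sys/class/ r,
/sys/class/** r,
/sys/devices/ r,
/sys/devices/** r,

# Per-process files beyond a bare process listing: maps reveals the mapped
# address space, mounts/mountinfo the mount table as seen by the sandbox.
# NOTE(review): confirm each entry is still needed by the programs you
# sandbox before keeping it; each one widens what a compromised process can
# learn.
/proc/@{pid}/maps r,
/proc/@{pid}/mounts r,
/proc/@{pid}/mountinfo r,
/proc/@{pid}/oom_score_adj r,

# Firejail runtime state and dconf under the user's runtime directory. These
# paths are already covered by the general rules above; they are kept
# explicit so the expected accesses are documented.
/{,var/}run/firejail/mnt/fslogger r,
/{,var/}run/user/**/dconf/ r,
/{,var/}run/user/**/dconf/user r,

#####
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, uncomment /home line. "ix" is
# inherit-execute: the child keeps running under this profile, so exec cannot
# be used to escape it.
#
/lib/** ix,
/lib64/** ix,
/bin/** ix,
/sbin/** ix,
/usr/bin/** ix,
/usr/sbin/** ix,
/usr/local/** ix,
/usr/lib/** ix,
/usr/games/** ix,
/opt/** ix,
#/home/** ix,

#####
# Allow all networking functionality, and control it from Firejail. "raw"
# includes raw/packet sockets; remove it if the sandboxed program does not
# need them.
#
network inet,
network inet6,
network unix,
network netlink,
network raw,

#####
# There is no equivalent in Firejail for filtering signals, so all signal
# sending and receiving is allowed here.
#
signal,

#####
# Disable all capabilities: no "capability" rule is active, so AppArmor denies
# every one of them. If you run your sandbox as root, you might need to
# enable/uncomment some of them. (A "capability foo," rule GRANTS foo; listing
# them uncommented would allow all of them, the opposite of this heading.)
#
#capability chown,
#capability dac_override,
#capability dac_read_search,
#capability fowner,
#capability fsetid,
#capability kill,
#capability setgid,
#capability setuid,
#capability setpcap,
#capability linux_immutable,
#capability net_bind_service,
#capability net_broadcast,
#capability net_admin,
#capability net_raw,
#capability ipc_lock,
#capability ipc_owner,
#capability sys_module,
#capability sys_rawio,
#capability sys_chroot,
#capability sys_ptrace,
#capability sys_pacct,
#capability sys_admin,
#capability sys_boot,
#capability sys_nice,
#capability sys_resource,
#capability sys_time,
#capability sys_tty_config,
#capability mknod,
#capability lease,
#capability audit_write,
#capability audit_control,
#capability setfcap,
#capability mac_override,
#capability mac_admin,

#####
# No mount/umount functionality when running as regular user: the rules are
# left commented out, so mount, remount, umount and pivot_root are denied.
# Uncomment only if you run the sandbox as root and really need them.
# NOTE(review): this assumes the profile is attached when the sandboxed
# program is exec'd, after Firejail has finished its own mount setup; confirm
# that is the case for the Firejail version in use.
#
#mount,
#remount,
#umount,
#pivot_root,

}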