blob: 1d9ec5fa45861396d9f0c0296331c9e72db2141a (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
# Firejail profile for curl
# Description: Command line tool for transferring data with URL syntax
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include curl.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/curlrc # since curl 7.73.0
# curl 7.74.0 introduces experimental support for HSTS cache
# https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
# Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts.
# If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact.
noblacklist ${HOME}/.curl-hsts
noblacklist ${HOME}/.curlrc
blacklist ${RUNUSER}
# If you use nvm, add the below lines to your curl.local
#ignore read-only ${HOME}/.nvm
#noblacklist ${HOME}/.nvm
include disable-common.inc
include disable-exec.inc
include disable-programs.inc
include disable-X11.inc
# Depending on workflow you can add 'include disable-xdg.inc' to your curl.local.
#include disable-xdg.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
apparmor
caps.drop all
ipc-namespace
machine-id
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol inet,inet6
seccomp
tracelog
#private-bin curl
private-cache
private-dev
#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
private-etc @tls-ca
private-tmp
dbus-user none
dbus-system none
restrict-namespaces
|
