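# Firejail profile for PROGRAM_NAME
# Description: DESCRIPTION
# This file is overwritten after every install/update
# --- CUT HERE ---
# This is a generic template to help you create profiles for new programs.
# PRs welcome at https://github.com/netblue30/firejail/
#
# Rules to follow:
#  - lines with one # are often used in profiles
#  - lines with two ## are only needed in special situations
#  - make the profile as restrictive as possible while still keeping the program useful
#    (e.g. a program that is unable to save the user's work is considered bad practice)
#  - dedicate some time (based on how complex the application is) to profile testing before
#    raising a pull request
#  - keep the section structure, use a single empty line as a separator
#  - entries within sections are alphabetically sorted
#  - consider putting the binary into src/firecfg/firecfg.config (keep list sorted) but beware
#    not to do this for essential utilities as this may *break* your OS! (related discussion:
#    https://github.com/netblue30/firejail/issues/2507)
#  - remove this comment section and any generic comment past 'Persistent global definitions'
#  - every directive in this template is commented out on purpose; uncomment only the
#    lines the new profile actually needs (an active line here would apply to every
#    profile derived from the template)
#
# Sections structure
#   HEADER
#   COMMENTS
#   IGNORES
#   NOBLACKLISTS
#   ALLOW INCLUDES
#   BLACKLISTS
#   DISABLE INCLUDES
#   MKDIRS
#   WHITELISTS
#   WHITELIST INCLUDES
#   OPTIONS (no*)
#   PRIVATE OPTIONS (disable-mnt, private-*)
#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
#   REDIRECT INCLUDES
#
# --- CUT HERE ---
##quiet
# Persistent local customizations
#include PROFILE.local
# Persistent global definitions
#include globals.local

##ignore noexec ${HOME}

##blacklist PATH

# It is common practice to add files/dirs containing program-specific configuration
# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) to disable-programs.inc
# (keep list sorted) and then disable that blacklisting below with noblacklist.
# One way to find out which files a program uses is:
#  - launch the binary with --private, naming the sandbox:
#      `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
#  - work with the program: change some settings and save them, open new documents,
#    install plugins if they exist, etc.
#  - join the sandbox with bash:
#      `firejail --join=test bash`
#  - look at what has changed and use that information to populate the blacklist and
#    whitelist sections:
#      `ls -aR`
#noblacklist PATH

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc

# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc

# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc

# Allow lua (blacklisted by disable-interpreters.inc)
# Commented out like the other allow-* includes above; left active, this include would
# re-enable lua in every profile that starts from this template.
#include allow-lua.inc

#include disable-common.inc
#include disable-devel.inc
#include disable-exec.inc
#include disable-interpreters.inc
#include disable-passwdmgr.inc
#include disable-programs.inc
#include disable-xdg.inc

# This section often mirrors the noblacklist section above. The idea is
# that if users feel too restricted (unable to save files into their home
# directory, for instance) they may disable the whitelist (nowhitelist)
# in PROFILE.local but still be protected by the BLACKLISTS section
# (further explanation at https://github.com/netblue30/firejail/issues/1569)
#mkdir PATH
#mkfile PATH
#whitelist PATH
#include whitelist-common.inc
#include whitelist-var-common.inc

# Each option below removes something from the sandbox (capabilities, a kernel
# subsystem, a device class, the network, ...). Start with all of them enabled and
# drop one only when testing shows the program needs it (see "as restrictive as
# possible" above).
#apparmor
#caps.drop all
# CLI only
##ipc-namespace
#machine-id
# 'net none' or 'netfilter'
#net none
#netfilter
#no3d
#nodbus
#nodvd
#nogroups
#nonewprivs
#noroot
#nosound
#notv
#nou2f
#novideo
#protocol unix,inet,inet6,netlink
#seccomp
##seccomp.drop SYSCALLS
#shell none
#tracelog

#disable-mnt
##private
#private-bin PROGRAMS
#private-cache
#private-dev
#private-etc FILES
# private-etc templates (see also #1734): only the /etc entries listed stay visible
# to the program, so combine the groups for the features it actually uses
#  Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
#  Sound: alsa,asound.conf,machine-id,openal,pulse
#  GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
#  KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
#  GUIs: fonts
#  Alternatives: alternatives
##private-lib LIBS
##private-opt NAME
#private-tmp

##env VAR=VALUE
#memory-deny-write-execute
##read-only ${HOME}
##join-or-start NAME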