authorjc_gargma <jc_gargma@iserlohn-fortress.net>2017-08-04 08:11:04 -0700
committerjc_gargma <jc_gargma@iserlohn-fortress.net>2017-08-04 08:11:04 -0700
commita8e9e57abf3d1b0cc9980e8e64fca89d13db493e (patch)
tree7d01d0833cbf2406707ca76873deb0c06002f728
parentImplemented --default-config (diff)
downloadsmolbote-a8e9e57abf3d1b0cc9980e8e64fca89d13db493e.tar.xz
Updated firejail profile
-rw-r--r--test/poi.profile56
1 files changed, 37 insertions, 19 deletions
diff --git a/test/poi.profile b/test/poi.profile
index 9af4461..94305e2 100644
--- a/test/poi.profile
+++ b/test/poi.profile
@@ -1,52 +1,70 @@
-################################
-# Based on the Generic GUI application profile
-################################
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/poi.local
+
noblacklist ~/.cache/smolbote
-noblacklist ~/.local/share/smolbote
+noblacklist ~/.config/smolbote
include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
whitelist ${DOWNLOADS}
mkdir ~/.cache/smolbote
whitelist ~/.cache/smolbote
-mkdir ~/.local/share/smolbote
-whitelist ~/.local/share/smolbote
+mkdir ~/.config/smolbote/
+whitelist ~/.config/smolbote/
+
## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
caps.drop all
## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
## Commented out because netfliter somehow breaks smolbote if used alone.
-#netfilter
+netfilter
+
+## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
+nogroups
-## newnewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
+## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
nonewprivs
## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
noroot
-## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
-nogroups
-
## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
## seccomp - Blacklists a large swath of syscalls from being accessible.
seccomp
+## shell - Run the program directly, without a user shell.
+shell none
+
+## tracelog - Log all viloations to syslog
+tracelog
+
+
## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
-## Commened out until an actually package is made.
-#private-bin poi
+# bash required to launch from kde kickoff menu
+#private-bin bash,poi
+
+## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
+private-dev
## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
-private-etc nsswitch.conf,resolv.conf
+#private-etc nsswitch.conf,resolv.conf
## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
private-tmp
-## tracelog - Log all viloations to syslog
-tracelog
+
+## noexec - Prevent execution of files in the specified locations
+noexec ${HOME}
+noexec /tmp
+
include /etc/firejail/whitelist-common.inc
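Review bot: Two lines on the new side widen the sandbox without giving a reason: `#private-etc nsswitch.conf,resolv.conf` disables the restricted /etc, and `protocol unix,inet,inet6,netlink` adds a socket family. If something in /etc was missing, it would be tighter to keep `private-etc` and extend its list with the specific files needed. Otherwise record the reason next to each line, e.g. `# private-etc disabled: <reason>` and `# netlink needed for <reason>`. The context comment `## Commented out because netfliter somehow breaks smolbote if used alone.` is now stale, because `netfilter` is enabled directly below it; per the comment above it, the option has no effect unless `--net` is used. The edited comment also still misspells the option as `nownewprivs`; it should read `## nonewprivs - ...`.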