author | jc_gargma <jc_gargma@iserlohn-fortress.net> | 2017-12-01 11:14:24 -0800 |
---|---|---|
committer | jc_gargma <jc_gargma@iserlohn-fortress.net> | 2017-12-01 11:14:24 -0800 |
commit | b36563645353a637c10905b650fd78435b18339d (patch) | |
tree | 32dfb2f9d8d25d752d2f487dc1ddbf7ad7648813 | |
parent | libconfig test (diff) | |
download | smolbote-b36563645353a637c10905b650fd78435b18339d.tar.xz |
Updated firejail profile - ${HOME}, dbus, resolv.conf
-rw-r--r-- | test/poi.profile | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/test/poi.profile b/test/poi.profile
index f405a10..acc49a0 100644
--- a/test/poi.profile
+++ b/test/poi.profile
@@ -6,29 +6,35 @@ include /etc/firejail/poi.local
 include /etc/firejail/globals.local
-noblacklist ~/.cache/smolbote
-noblacklist ~/.config/smolbote
-noblacklist ~/.local/share/smolbote
+noblacklist ${HOME}/.cache/smolbote
+noblacklist ${HOME}/.config/smolbote
+noblacklist ${HOME}/.local/share/smolbote
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-mkdir ~/.cache/smolbote
-mkdir ~/.config/smolbote
-mkdir ~/.local/share/smolbote
+blacklist /run/user/*/bus
+
+mkdir ${HOME}/.cache/smolbote
+mkdir ${HOME}/.config/smolbote
+mkdir ${HOME}/.local/share/smolbote
 whitelist ${DOWNLOADS}
-whitelist ~/.cache/smolbote
-whitelist ~/.config/smolbote
-whitelist ~/.local/share/smolbote
+whitelist ${HOME}/.cache/smolbote
+whitelist ${HOME}/.config/smolbote
+whitelist ${HOME}/.local/share/smolbote
 include /etc/firejail/whitelist-common.inc
 ## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
 caps.drop all
+## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
+# Breaks audio
+# machine-id
+
 ## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
 netfilter
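Review bot: The added `blacklist /run/user/*/bus` rule covers only the per-user session bus socket; nothing visible in this hunk restricts the system bus, whose socket normally lives at `/run/dbus/system_bus_socket`. If the "dbus" part of this commit is meant to cut the browser off from D-Bus as a whole, consider adding `blacklist /run/dbus/system_bus_socket` beside it and testing that nothing the browser needs depends on it. The rule is also the only new directive without a `## name - description` comment in the style used for the other options, so a line such as `## blacklist /run/user/*/bus - Hides the session D-Bus socket from the sandbox.` would keep the profile self-documenting. Whether one of the included `.inc` files already handles the system bus cannot be seen from this hunk.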
@@ -68,14 +74,15 @@ disable-mnt
 ## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
 # bash required to launch from kde kickoff menu
+# QtWebEngine executes from /usr/lib which prevents usage of this option for now
 #private-bin bash,poi
 ## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
 private-dev
 ## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
-# Experimental support for only fonts and alsa audio
-#private-etc fonts,machine-id
+# Experimental support for only fonts, alsa audio, and dns resolution.
+private-etc fonts,machine-id,resolv.conf
 ## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
 private-tmp |
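Review bot: Now that `private-etc fonts,machine-id,resolv.conf` is active, the sandbox gets a copy of the host's static `/etc/machine-id`, and the `machine-id` option that would randomise it is left commented out in the first hunk, so the browser still sees a stable host identifier. That trade-off deserves a comment above the line, for example `# machine-id is the host's real ID, kept because randomising it breaks audio; revisit later`. The list also omits the CA certificate directories that normally sit under /etc (typically `ca-certificates`, `ssl`, `pki`), so it is worth confirming that HTTPS certificate validation in QtWebEngine still works and fails closed with this reduced /etc. Because the page describes these entries as temporary copies, `resolv.conf` presumably reflects the resolver at launch only; a resolver change after start, such as a VPN coming up, may not reach the sandbox.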