authorjc_gargma <jc_gargma@iserlohn-fortress.net>2017-12-01 11:14:24 -0800
committerjc_gargma <jc_gargma@iserlohn-fortress.net>2017-12-01 11:14:24 -0800
commitb36563645353a637c10905b650fd78435b18339d (patch)
tree32dfb2f9d8d25d752d2f487dc1ddbf7ad7648813
parentlibconfig test (diff)
downloadsmolbote-b36563645353a637c10905b650fd78435b18339d.tar.xz
Updated firejail profile - ${HOME}, dbus, resolv.conf
-rw-r--r--test/poi.profile29
1 files changed, 18 insertions, 11 deletions
diff --git a/test/poi.profile b/test/poi.profile
index f405a10..acc49a0 100644
--- a/test/poi.profile
+++ b/test/poi.profile
@@ -6,29 +6,35 @@ include /etc/firejail/poi.local
include /etc/firejail/globals.local
-noblacklist ~/.cache/smolbote
-noblacklist ~/.config/smolbote
-noblacklist ~/.local/share/smolbote
+noblacklist ${HOME}/.cache/smolbote
+noblacklist ${HOME}/.config/smolbote
+noblacklist ${HOME}/.local/share/smolbote
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
-mkdir ~/.cache/smolbote
-mkdir ~/.config/smolbote
-mkdir ~/.local/share/smolbote
+blacklist /run/user/*/bus
+
+mkdir ${HOME}/.cache/smolbote
+mkdir ${HOME}/.config/smolbote
+mkdir ${HOME}/.local/share/smolbote
whitelist ${DOWNLOADS}
-whitelist ~/.cache/smolbote
-whitelist ~/.config/smolbote
-whitelist ~/.local/share/smolbote
+whitelist ${HOME}/.cache/smolbote
+whitelist ${HOME}/.config/smolbote
+whitelist ${HOME}/.local/share/smolbote
include /etc/firejail/whitelist-common.inc
## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
caps.drop all
+## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
+# Breaks audio
+# machine-id
+
## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
netfilter
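Review bot: `blacklist /run/user/*/bus` is added without the `##` explanation every other option in this profile carries, and it hides only the session-bus socket at that filesystem path. A session bus listening on an abstract socket, and the system bus at `/run/dbus/system_bus_socket`, would presumably stay reachable, since nothing in this hunk blocks that path or sets up a network namespace. I would add a comment such as `## blacklist /run/user/*/bus - Hides the D-Bus session bus socket; abstract sockets and the system bus are not covered`, and use firejail's `nodbus` option instead where the installed version supports it. The profile continues outside this hunk, so options not visible here may already cover part of this.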
@@ -68,14 +74,15 @@ disable-mnt
## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
# bash required to launch from kde kickoff menu
+# QtWebEngine executes from /usr/lib which prevents usage of this option for now
#private-bin bash,poi
## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
private-dev
## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
-# Experimental support for only fonts and alsa audio
-#private-etc fonts,machine-id
+# Experimental support for only fonts, alsa audio, and dns resolution.
+private-etc fonts,machine-id,resolv.conf
## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
private-tmp
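Review bot: `private-etc fonts,machine-id,resolv.conf` copies the host's real `/etc/machine-id` into the sandbox, so the browser can still read the static identifier that the `machine-id` option (left commented out in the first hunk as "Breaks audio") is meant to hide. That trade-off should be stated next to the line, e.g. `# machine-id here is the host's real ID (needed for audio); it stays readable inside the sandbox`. The list also omits `hosts`, `nsswitch.conf` and the CA directories (`ssl`, `ca-certificates`). Whether smolbote or QtWebEngine reads them is not visible here, so confirm that name resolution and TLS certificate validation behave the same as outside the sandbox before relying on this setting.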