author | Aqua-sama <aqua@iserlohn-fortress.net> | 2018-10-07 12:47:58 +0200 |
committer | Aqua-sama <aqua@iserlohn-fortress.net> | 2018-10-07 12:49:32 +0200 |
commit | 84afec3e91da9f89f93a916a40f381f7cc290f6f (patch) | |
tree | ddfaf08a18ef2297392c91869e9c6afb8994719c /data/poi.profile | |
parent | mainwindow: keep maximized state when adding subwindows (diff) | |
parent | Updated firejail profile (diff) | |
Merge branch 'master' of ssh://gitea/aqua/smolbote
Diffstat (limited to 'data/poi.profile')
-rw-r--r-- | data/poi.profile | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/data/poi.profile b/data/poi.profile index acc49a0..02c0ec4 100644 --- a/data/poi.profile +++ b/data/poi.profile @@ -12,10 +12,10 @@ noblacklist ${HOME}/.local/share/smolbote include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc - -blacklist /run/user/*/bus +include /etc/firejail/disable-xdg.inc mkdir ${HOME}/.cache/smolbote mkdir ${HOME}/.config/smolbote @@ -31,6 +31,10 @@ include /etc/firejail/whitelist-common.inc ## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid caps.drop all +## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user. +# Breaks audio +# ipc-namespace + ## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id. # Breaks audio # machine-id @@ -38,6 +42,9 @@ caps.drop all ## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. netfilter +## nodbus - Disable access to dbus. +nodbus + ## nodvd - Disable access to optical disk drives. nodvd @@ -60,12 +67,14 @@ novideo protocol unix,inet,inet6,netlink ## seccomp - Blacklists a large swath of syscalls from being accessible. -seccomp +#seccomp +## Use seccomp.drop for now as seccomp is broken with many programs. +seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace ## shell - Run the program directly, without a user shell. shell none -## tracelog - Log all viloations to syslog +## tracelog - Log all viloations to syslog. tracelog 
@@ -74,15 +83,14 @@ disable-mnt
 ## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
 # bash required to launch from kde kickoff menu
-# QtWebEngine executes from /usr/lib which prevents usage of this option for now
-#private-bin bash,poi
+private-bin bash,poi
 ## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
 private-dev
 ## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
 # Experimental support for only fonts, alsa audio, and dns resolution.
-private-etc fonts,machine-id,resolv.conf
+private-etc fonts,group,machine-id,resolv.conf
 ## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
 private-tmp |
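Review bot: The `seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace` line in the fourth hunk replaces the default `seccomp` blacklist with a hand-picked drop list, which as far as I can tell is a subset of what plain `seccomp` blocked, and the accompanying comment `## Use seccomp.drop for now as seccomp is broken with many programs.` says neither what broke nor that the filter got narrower. I would reword it to `## seccomp.drop - Temporary replacement for the default seccomp filter, which currently breaks <program(s)>; this drop list is narrower than the default blacklist, so re-enable plain seccomp once that is fixed.` with the program names filled in by the author. The same hunk rewords the tracelog comment but keeps the typo; `## tracelog - Log all violations to syslog.` fixes it. In the last hunk `private-etc fonts,group,machine-id,resolv.conf` adds `group` without `passwd`, so if the change was meant to make user and group lookups work inside the sandbox it presumably covers only half of them; a short comment naming why `group` is needed would make the intent clear.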