aboutsummaryrefslogtreecommitdiff
path: root/test/poi.profile
diff options
context:
space:
mode:
authorjc_gargma <jc_gargma@iserlohn-fortress.net>2017-01-14 17:22:35 -0800
committerjc_gargma <jc_gargma@iserlohn-fortress.net>2017-01-14 17:22:35 -0800
commitbb467396c864d6b1e830edd3cf4c580e114f4d18 (patch)
treea86fb75d767f8aafb4ece3ab3d3e1f992d82d9e4 /test/poi.profile
parentUpdated Contributing (diff)
downloadsmolbote-bb467396c864d6b1e830edd3cf4c580e114f4d18.tar.xz
Updated firejail profile
Diffstat (limited to 'test/poi.profile')
-rw-r--r--test/poi.profile51
1 files changed, 50 insertions, 1 deletions
diff --git a/test/poi.profile b/test/poi.profile
index 6a68fce..573a5ea 100644
--- a/test/poi.profile
+++ b/test/poi.profile
@@ -1 +1,50 @@
-################################
# Generic GUI application profile
################################
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc

#blacklist ${HOME}/.wine

caps.drop all
#netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
+################################
+# Based on the Generic GUI application profile
+################################
+noblacklist ~/.cache/smolbote
+noblacklist ~/.local/share/smolbote
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.cache/smolbote
+whitelist ~/.cache/smolbote
+mkdir ~/.local/share/smolbote
+whitelist ~/.local/share/smolbote
+
+#blacklist ${HOME}/.wine
+
+## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
+caps.drop all
+
+## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
+## Commented out because netfliter somehow breaks smolbote if used alone.
+#netfilter
+
+## newnewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
+nonewprivs
+
+## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
+noroot
+
+## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
+nogroups
+
+## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
+protocol unix,inet,inet6
+
+## seccomp - Blacklists a large swath of syscalls from being accessible.
+seccomp
+
+## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
+## Commened out until an actually package is made.
+#private-bin poi
+
+## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
+private-etc nsswitch.conf,resolv.conf
+
+## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
+private-tmp
+
+include /etc/firejail/whitelist-common.inc