author | jc_gargma <jc_gargma@iserlohn-fortress.net> | 2017-01-14 17:22:35 -0800 |
---|---|---|
committer | jc_gargma <jc_gargma@iserlohn-fortress.net> | 2017-01-14 17:22:35 -0800 |
commit | bb467396c864d6b1e830edd3cf4c580e114f4d18 (patch) | |
tree | a86fb75d767f8aafb4ece3ab3d3e1f992d82d9e4 /test/poi.profile | |
parent | Updated Contributing (diff) | |
download | smolbote-bb467396c864d6b1e830edd3cf4c580e114f4d18.tar.xz |
Updated firejail profile
Diffstat (limited to 'test/poi.profile')
-rw-r--r-- | test/poi.profile | 51 |
1 files changed, 50 insertions, 1 deletions
diff --git a/test/poi.profile b/test/poi.profile
index 6a68fce..573a5ea 100644
--- a/test/poi.profile
+++ b/test/poi.profile
@@ -1 +1,50 @@
-################################
# Generic GUI application profile
################################
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
#blacklist ${HOME}/.wine
caps.drop all
#netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
+################################
+# Based on the Generic GUI application profile
+################################
+noblacklist ~/.cache/smolbote
+noblacklist ~/.local/share/smolbote
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.cache/smolbote
+whitelist ~/.cache/smolbote
+mkdir ~/.local/share/smolbote
+whitelist ~/.local/share/smolbote
+
+#blacklist ${HOME}/.wine
+
+## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
+caps.drop all
+
+## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
+## Commented out because netfliter somehow breaks smolbote if used alone.
+#netfilter
+
+## newnewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
+nonewprivs
+
+## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
+noroot
+
+## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
+nogroups
+
+## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
+protocol unix,inet,inet6
+
+## seccomp - Blacklists a large swath of syscalls from being accessible.
+seccomp
+
+## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
+## Commened out until an actually package is made.
+#private-bin poi
+
+## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
+private-etc nsswitch.conf,resolv.conf
+
+## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
+private-tmp
+
+include /etc/firejail/whitelist-common.inc |
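Review bot: Two of the new explanatory comments misdescribe the directive they sit above, which matters in a sandbox profile because readers will rely on them to judge what is actually confined. The `caps.drop all` comment says it removes the ability to call root-only programs, but the directive drops Linux capabilities from the sandboxed processes rather than blocking execution of any binary; I would reword it to `## caps.drop all - Drops every Linux capability from the sandboxed processes, so they cannot perform privileged operations even if they gain uid 0.` The comment above `nonewprivs` is headed `## newnewprivs`, a name that does not exist, and should read `## nonewprivs - ...`. Separately, `private-etc nsswitch.conf,resolv.conf` leaves only those two entries visible under /etc, so it is worth confirming that the browser does not depend on anything else there (for example a system CA store or `hosts`); whether it does is not visible from this hunk.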