Diffstat (limited to 'data')
-rw-r--r--data/poi.profile101
1 files changed, 0 insertions, 101 deletions
diff --git a/data/poi.profile b/data/poi.profile
deleted file mode 100644
index 02c0ec4..0000000
--- a/data/poi.profile
+++ /dev/null
@@ -1,101 +0,0 @@
-# Firejail profile for poi
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/poi.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.cache/smolbote
-noblacklist ${HOME}/.config/smolbote
-noblacklist ${HOME}/.local/share/smolbote
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
-
-mkdir ${HOME}/.cache/smolbote
-mkdir ${HOME}/.config/smolbote
-mkdir ${HOME}/.local/share/smolbote
-
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/smolbote
-whitelist ${HOME}/.config/smolbote
-whitelist ${HOME}/.local/share/smolbote
-include /etc/firejail/whitelist-common.inc
-
-
-## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
-caps.drop all
-
-## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user.
-# Breaks audio
-# ipc-namespace
-
-## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
-# Breaks audio
-# machine-id
-
-## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
-netfilter
-
-## nodbus - Disable access to dbus.
-nodbus
-
-## nodvd - Disable access to optical disk drives.
-nodvd
-
-## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
-nogroups
-
-## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
-nonewprivs
-
-## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
-noroot
-
-## notv - Disable access to DVB TV devices.
-notv
-
-# novideo - Disable access to video devices.
-novideo
-
-## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
-protocol unix,inet,inet6,netlink
-
-## seccomp - Blacklists a large swath of syscalls from being accessible.
-#seccomp
-## Use seccomp.drop for now as seccomp is broken with many programs.
-seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace
-
-## shell - Run the program directly, without a user shell.
-shell none
-
-## tracelog - Log all viloations to syslog.
-tracelog
-
-
-## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
-disable-mnt
-
-## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
-# bash required to launch from kde kickoff menu
-private-bin bash,poi
-
-## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
-private-dev
-
-## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
-# Experimental support for only fonts, alsa audio, and dns resolution.
-private-etc fonts,group,machine-id,resolv.conf
-
-## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
-private-tmp
-
-
-## noexec - Prevent execution of files in the specified locations
-noexec ${HOME}
-noexec /tmp