diff options
Diffstat (limited to 'data')
-rw-r--r-- | data/poi.profile | 101 |
1 files changed, 0 insertions, 101 deletions
diff --git a/data/poi.profile b/data/poi.profile deleted file mode 100644 index 02c0ec4..0000000 --- a/data/poi.profile +++ /dev/null @@ -1,101 +0,0 @@ -# Firejail profile for poi -# This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/poi.local -# Persistent global definitions -include /etc/firejail/globals.local - - -noblacklist ${HOME}/.cache/smolbote -noblacklist ${HOME}/.config/smolbote -noblacklist ${HOME}/.local/share/smolbote - -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-interpreters.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-xdg.inc - -mkdir ${HOME}/.cache/smolbote -mkdir ${HOME}/.config/smolbote -mkdir ${HOME}/.local/share/smolbote - -whitelist ${DOWNLOADS} -whitelist ${HOME}/.cache/smolbote -whitelist ${HOME}/.config/smolbote -whitelist ${HOME}/.local/share/smolbote -include /etc/firejail/whitelist-common.inc - - -## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid -caps.drop all - -## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user. -# Breaks audio -# ipc-namespace - -## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id. -# Breaks audio -# machine-id - -## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. -netfilter - -## nodbus - Disable access to dbus. -nodbus - -## nodvd - Disable access to optical disk drives. -nodvd - -## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. -nogroups - -## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant. -nonewprivs - -## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root. -noroot - -## notv - Disable access to DVB TV devices. -notv - -# novideo - Disable access to video devices. -novideo - -## protocol - Only allows sockets of the following types. Not supported on i386 architecture. -protocol unix,inet,inet6,netlink - -## seccomp - Blacklists a large swath of syscalls from being accessible. -#seccomp -## Use seccomp.drop for now as seccomp is broken with many programs. -seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace - -## shell - Run the program directly, without a user shell. -shell none - -## tracelog - Log all viloations to syslog. -tracelog - - -## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media -disable-mnt - -## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables. -# bash required to launch from kde kickoff menu -private-bin bash,poi - -## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. -private-dev - -## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories. -# Experimental support for only fonts, alsa audio, and dns resolution. -private-etc fonts,group,machine-id,resolv.conf - -## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs. -private-tmp - - -## noexec - Prevent execution of files in the specified locations -noexec ${HOME} -noexec /tmp |