Diffstat (limited to 'linux/firejail/poi.profile')
-rw-r--r--linux/firejail/poi.profile48
1 files changed, 22 insertions, 26 deletions
diff --git a/linux/firejail/poi.profile b/linux/firejail/poi.profile
index a7d3005..1a644d7 100644
--- a/linux/firejail/poi.profile
+++ b/linux/firejail/poi.profile
@@ -1,21 +1,22 @@
# Firejail profile for poi
# This file is overwritten after every install/update
# Persistent local customizations
-include /etc/firejail/poi.local
+include poi.local
# Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
# noblacklist: exclude from blacklist
noblacklist ${HOME}/.cache/smolbote
noblacklist ${HOME}/.config/smolbote
noblacklist ${HOME}/.local/share/smolbote
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
mkdir ${HOME}/.cache/smolbote
mkdir ${HOME}/.config/smolbote
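Review bot: The switch to bare include names (`include poi.local`, `include disable-exec.inc`, lines 19–39) leaves the minimum firejail version this profile needs undocumented; bare names are resolved by firejail's own include search rather than a fixed `/etc/firejail/` path, and `disable-exec.inc` is only present in releases that ship it, so an older firejail will presumably reject the profile rather than degrade gracefully. The header comment should state the requirement, e.g. `# Requires a firejail release that resolves bare include names and ships disable-exec.inc`. It is also worth a one-line note that `disable-exec.inc` is what now supplies the `noexec ${HOME}` / `noexec /tmp` protection whose explicit lines are removed at the end of this diff, so the smolbote directories whitelisted below become noexec as well.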
@@ -25,7 +26,7 @@ whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/smolbote
whitelist ${HOME}/.config/smolbote
whitelist ${HOME}/.local/share/smolbote
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
@@ -43,7 +44,9 @@ caps.drop all
netfilter
## nodbus - Disable access to dbus.
-nodbus
+#nodbus
+dbus-user none
+dbus-system none
## nodvd - Disable access to optical disk drives.
nodvd
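Review bot: The `#nodbus` kept on line 53 is dead configuration sitting under a heading that still reads `## nodbus - Disable access to dbus.`, while the active directives are now `dbus-user none` and `dbus-system none`. Drop the commented-out option and retitle the heading to describe what is actually in force, e.g. `## dbus-user/dbus-system none - Block the session and system buses (replaces nodbus)`. Since `dbus-user`/`dbus-system` are newer directives than `nodbus`, this presumably raises the minimum firejail version the profile needs, which should be stated in the file header if it is not already.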
@@ -60,6 +63,9 @@ noroot
## notv - Disable access to DVB TV devices.
notv
+## nou2f - Disable access to U2F devices.
+nou2f
+
# novideo - Disable access to video devices.
novideo
@@ -67,20 +73,16 @@ novideo
protocol unix,inet,inet6,netlink
## seccomp - Blacklists a large swath of syscalls from being accessible.
-#seccomp
-## Use seccomp.drop for now as seccomp is broken with many programs.
-seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace
-# QtWebEngine require chroot syscall on AMD CPUS and/or ATI Graphics for some bizarre reason
-# Use the following seccomp.drop instead on such systems.
-#seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@raw-io,@reboot,@resources,@swap,ptrace,mount,umount2,pivot_root
+# QtWebEngine requires chroot syscall on AMD and ATI Graphics for some bizarre reason
+seccomp !name_to_handle_at,!chroot
## shell - Run the program directly, without a user shell.
# breaks secondary instances when using join-or-start after shell=none
-#shell none
+shell none
## tracelog - Log all viloations to syslog.
-# tracelog segfaults QtWebEngine on AMD CPUS and/or ATI Graphics for some bizarre reason
-tracelog
+# tracelog segfaults QtWebEngine on AMD and ATI Graphics for some bizarre reason
+#tracelog
## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
disable-mnt
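Review bot: `seccomp !name_to_handle_at,!chroot` on line 76 re-allows two syscalls on top of firejail's default blacklist, but the comment above it justifies only `chroot`; `name_to_handle_at` gets no rationale, and with `tracelog` now commented out on line 85 there is no longer any log to show whether it is really needed. The exposure is probably small — the dangerous half of that pair is `open_by_handle_at`, which needs CAP_DAC_READ_SEARCH and `caps.drop all` removes it — but the reason should be recorded, e.g. `# name_to_handle_at is also needed by QtWebEngine; open_by_handle_at stays blocked and caps.drop all removes the capability it would need`, or the exclusion removed if it was only added by trial and error. Separately, line 80 enables `shell none` while the preceding comment still says it `breaks secondary instances when using join-or-start after shell=none`; either the comment is stale or the breakage is back, and the comment should say which. The `viloations` typo in the tracelog heading could be fixed in the same pass.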
@@ -88,7 +90,7 @@ disable-mnt
## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
# bash required to launch from kde kickoff menu
# breaks if installed to /usr/local
-#private-bin bash,poi
+private-bin bash,poi
## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
private-dev
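Review bot: Enabling `private-bin bash,poi` on line 93 places a full shell inside the sandbox, which partly undercuts `shell none` and the noexec rules from `disable-exec.inc`: a compromised process can still exec the private `/bin/bash` with inline commands even though files under ${HOME} and /tmp cannot be executed. If bash is only there because the KDE launcher goes through it, as the comment suggests, consider pointing the `.desktop` Exec at the poi binary directly and dropping bash, or record in the comment why that is not possible. The `# breaks if installed to /usr/local` line should also say what breaks — presumably private-bin not finding a `poi` outside the directories it copies from — so a packager installing there knows what to adjust.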
@@ -101,12 +103,6 @@ private-etc fonts,group,machine-id,resolv.conf
# breaks SingleApplication without join-or-start set
private-tmp
-
-## noexec - Prevent execution of files in the specified locations
-noexec ${HOME}
-noexec /tmp
-
-
# join-or-start - Join the sandbox identified by name or start a new one
join-or-start poi