diff options
Diffstat (limited to 'test/poi.profile')
| -rw-r--r-- | test/poi.profile | 27 | 
1 files changed, 20 insertions, 7 deletions
| diff --git a/test/poi.profile b/test/poi.profile index 94305e2..9e28868 100644 --- a/test/poi.profile +++ b/test/poi.profile @@ -1,31 +1,38 @@ -# Persistent global definitions go here +# Firejail profile for poi +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/poi.local +# Persistent global definitions  include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/poi.local  noblacklist ~/.cache/smolbote  noblacklist ~/.config/smolbote +noblacklist ~/.local/share/smolbote  include /etc/firejail/disable-common.inc  include /etc/firejail/disable-devel.inc  include /etc/firejail/disable-passwdmgr.inc  include /etc/firejail/disable-programs.inc +  whitelist ${DOWNLOADS}  mkdir ~/.cache/smolbote  whitelist ~/.cache/smolbote -mkdir ~/.config/smolbote/ -whitelist ~/.config/smolbote/ +mkdir ~/.config/smolbote +whitelist ~/.config/smolbote +mkdir ~/.local/share/smolbote +whitelist ~/.local/share/smolbote  ## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid  caps.drop all  ## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. -## Commented out because netfliter somehow breaks smolbote if used alone.  netfilter +## nodvd - Disable access to optical disk drives. +nodvd +  ## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.  nogroups @@ -35,6 +42,9 @@ nonewprivs  ## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.  noroot +## notv - Disable access to DVB TV devices. +notv +  ## protocol - Only allows sockets of the following types. Not supported on i386 architecture.  protocol unix,inet,inet6,netlink @@ -48,6 +58,9 @@ shell none  tracelog +## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media +disable-mnt +  ## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.  # bash required to launch from kde kickoff menu  #private-bin bash,poi | 
