Diffstat (limited to 'test/poi.profile')
-rw-r--r--test/poi.profile27
1 files changed, 20 insertions, 7 deletions
diff --git a/test/poi.profile b/test/poi.profile
index 94305e2..9e28868 100644
--- a/test/poi.profile
+++ b/test/poi.profile
@@ -1,31 +1,38 @@
-# Persistent global definitions go here
+# Firejail profile for poi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/poi.local
+# Persistent global definitions
include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/poi.local
noblacklist ~/.cache/smolbote
noblacklist ~/.config/smolbote
+noblacklist ~/.local/share/smolbote
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
+
whitelist ${DOWNLOADS}
mkdir ~/.cache/smolbote
whitelist ~/.cache/smolbote
-mkdir ~/.config/smolbote/
-whitelist ~/.config/smolbote/
+mkdir ~/.config/smolbote
+whitelist ~/.config/smolbote
+mkdir ~/.local/share/smolbote
+whitelist ~/.local/share/smolbote
## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
caps.drop all
## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
-## Commented out because netfliter somehow breaks smolbote if used alone.
netfilter
+## nodvd - Disable access to optical disk drives.
+nodvd
+
## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
nogroups
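Review bot: The new header `# Firejail profile for poi` does not match the paths this hunk touches, which are all smolbote directories (`~/.cache/smolbote`, `~/.config/smolbote` and the new `~/.local/share/smolbote`). Firejail picks a profile by the name of the launched program, so if the executable is no longer called `poi`, this profile (including `caps.drop all` and the whitelist) would presumably not be applied unless it is passed explicitly. I would have the header name the executable it covers, e.g. `# Firejail profile for poi (smolbote browser)`, and keep the commented `#private-bin bash,poi` in the last hunk consistent with it. The hunk also moves `poi.local` ahead of `globals.local` without a reason; if the intent is that local overrides take effect on the lines below, a comment such as `# read first so overrides apply to everything that follows` would record that.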
@@ -35,6 +42,9 @@ nonewprivs
## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
noroot
+## notv - Disable access to DVB TV devices.
+notv
+
## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
protocol unix,inet,inet6,netlink
@@ -48,6 +58,9 @@ shell none
tracelog
+## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
+disable-mnt
+
## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
# bash required to launch from kde kickoff menu
#private-bin bash,poi
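Review bot: The added `disable-mnt` can conflict with `whitelist ${DOWNLOADS}` from the first hunk, since it denies /mnt, /media, /run/mount and /run/media. A user whose downloads directory resolves to a mounted volume under one of those paths would presumably lose access to it inside the sandbox. The comment should mention this and name the override, e.g. `## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media; add "ignore disable-mnt" to poi.local if downloads live on a mounted volume`.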