diff options
Diffstat (limited to 'test/poi.profile')
-rw-r--r-- | test/poi.profile | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/test/poi.profile b/test/poi.profile index 94305e2..9e28868 100644 --- a/test/poi.profile +++ b/test/poi.profile @@ -1,31 +1,38 @@ -# Persistent global definitions go here +# Firejail profile for poi +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/poi.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/poi.local noblacklist ~/.cache/smolbote noblacklist ~/.config/smolbote +noblacklist ~/.local/share/smolbote include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc + whitelist ${DOWNLOADS} mkdir ~/.cache/smolbote whitelist ~/.cache/smolbote -mkdir ~/.config/smolbote/ -whitelist ~/.config/smolbote/ +mkdir ~/.config/smolbote +whitelist ~/.config/smolbote +mkdir ~/.local/share/smolbote +whitelist ~/.local/share/smolbote ## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid caps.drop all ## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. -## Commented out because netfliter somehow breaks smolbote if used alone. netfilter +## nodvd - Disable access to optical disk drives. +nodvd + ## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. nogroups @@ -35,6 +42,9 @@ nonewprivs ## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root. noroot +## notv - Disable access to DVB TV devices. +notv + ## protocol - Only allows sockets of the following types. Not supported on i386 architecture. protocol unix,inet,inet6,netlink @@ -48,6 +58,9 @@ shell none tracelog +## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media +disable-mnt + ## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables. # bash required to launch from kde kickoff menu #private-bin bash,poi |