From b36563645353a637c10905b650fd78435b18339d Mon Sep 17 00:00:00 2001
From: jc_gargma
Date: Fri, 1 Dec 2017 11:14:24 -0800
Subject: Updated firejail profile - ${HOME}, dbus, resolv.conf
---
 test/poi.profile | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/test/poi.profile b/test/poi.profile
index f405a10..acc49a0 100644
--- a/test/poi.profile
+++ b/test/poi.profile
@@ -6,29 +6,35 @@ include /etc/firejail/poi.local
 include /etc/firejail/globals.local
-noblacklist ~/.cache/smolbote
-noblacklist ~/.config/smolbote
-noblacklist ~/.local/share/smolbote
+noblacklist ${HOME}/.cache/smolbote
+noblacklist ${HOME}/.config/smolbote
+noblacklist ${HOME}/.local/share/smolbote
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-mkdir ~/.cache/smolbote
-mkdir ~/.config/smolbote
-mkdir ~/.local/share/smolbote
+blacklist /run/user/*/bus
+
+mkdir ${HOME}/.cache/smolbote
+mkdir ${HOME}/.config/smolbote
+mkdir ${HOME}/.local/share/smolbote
 whitelist ${DOWNLOADS}
-whitelist ~/.cache/smolbote
-whitelist ~/.config/smolbote
-whitelist ~/.local/share/smolbote
+whitelist ${HOME}/.cache/smolbote
+whitelist ${HOME}/.config/smolbote
+whitelist ${HOME}/.local/share/smolbote
 include /etc/firejail/whitelist-common.inc
 ## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
 caps.drop all
+## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
+# Breaks audio
+# machine-id
+
 ## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
 netfilter
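Review bot: The added `blacklist /run/user/*/bus` hides only the session bus socket at that one path, and nothing in the profile records what it leaves reachable. This hunk does not touch the system bus socket, and a session bus listening on an abstract socket would presumably still be reachable, since the profile does not force a network namespace (the netfilter comment notes that `--net` is optional). I would state the limit next to the rule in the file's own comment style, e.g. `## blacklist /run/user/*/bus - Hides the D-Bus session socket only; the system bus and abstract sockets are not covered.` If the targeted firejail version provides a dedicated D-Bus option such as `nodbus`, that would be preferable to the path rule; confirm availability before relying on it.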
@@ -68,14 +74,15 @@ disable-mnt
 ## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
 # bash required to launch from kde kickoff menu
+# QtWebEngine executes from /usr/lib which prevents usage of this option for now
 #private-bin bash,poi
 ## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
 private-dev
 ## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
-# Experimental support for only fonts and alsa audio
-#private-etc fonts,machine-id
+# Experimental support for only fonts, alsa audio, and dns resolution.
+private-etc fonts,machine-id,resolv.conf
 ## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
 private-tmp
-- cgit v1.2.1
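Review bot: Enabling `private-etc fonts,machine-id,resolv.conf` places the host's static `/etc/machine-id` inside the browser sandbox, and the comment above it does not mention that trade-off. The first hunk leaves the `machine-id` option disabled because it breaks audio, so the real identifier stays readable by the sandboxed browser; a line such as `# machine-id is kept for audio; it exposes the host's static id inside the sandbox` would make that deliberate. The private-etc description says the entries are temporary copies, so resolver changes made after launch (for example a VPN coming up) are presumably not seen by a running instance. The list also carries no `hosts`, `nsswitch.conf` or CA certificate entries (`ca-certificates`, `ssl`, `pki`), so it is worth confirming that TLS validation and local name lookups still behave as expected before this leaves the experimental state.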