From e0940e63e575d11cc5e8c3f6305b97265dd94f38 Mon Sep 17 00:00:00 2001
From: jc_gargma <jc_gargma@iserlohn-fortress.net>
Date: Sun, 7 Oct 2018 03:38:35 -0700
Subject: Updated firejail profile

---
 data/poi.profile | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)


diff --git a/data/poi.profile b/data/poi.profile
index acc49a0..02c0ec4 100644
--- a/data/poi.profile
+++ b/data/poi.profile
@@ -12,10 +12,10 @@ noblacklist ${HOME}/.local/share/smolbote
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-
-blacklist /run/user/*/bus
+include /etc/firejail/disable-xdg.inc
 
 mkdir ${HOME}/.cache/smolbote
 mkdir ${HOME}/.config/smolbote
@@ -31,6 +31,10 @@ include /etc/firejail/whitelist-common.inc
 ## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
 caps.drop all
 
+## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user.
+# Breaks audio
+# ipc-namespace
+
 ## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
 # Breaks audio
 # machine-id
@@ -38,6 +42,9 @@ caps.drop all
 ## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
 netfilter
 
+## nodbus - Disable access to dbus.
+nodbus
+
 ## nodvd - Disable access to optical disk drives.
 nodvd
 
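Review bot: The comment on `nodbus` overstates what the option covers. As far as firejail documents it, `nodbus` handles only the regular D-Bus UNIX sockets, and abstract sockets stay reachable unless the sandbox gets its own network namespace or `unix` is removed from `protocol`. This profile keeps `protocol unix,inet,inet6,netlink`, and no `net` option is visible in these hunks, so I would extend the comment to something like `## nodbus - Disable access to the dbus UNIX sockets. Abstract sockets are not covered without a new network namespace.` The same caveat applies to the first hunk, which drops `blacklist /run/user/*/bus` and relies on this option in its place.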
@@ -60,12 +67,14 @@ novideo
 protocol unix,inet,inet6,netlink
 
 ## seccomp - Blacklists a large swath of syscalls from being accessible.
-seccomp
+#seccomp
+## Use seccomp.drop for now as seccomp is broken with many programs.
+seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace
 
 ## shell - Run the program directly, without a user shell.
 shell none
 
-## tracelog - Log all viloations to syslog
+## tracelog - Log all viloations to syslog.
 tracelog
 
 
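Review bot: Replacing `seccomp` with a hand-written `seccomp.drop` list narrows the syscall filter, and the new comment does not say which program or syscall broke, so nobody can tell when `seccomp` can be restored. The list appears to omit entries that firejail's default filter covers (for example the `@debug` group; only `ptrace` is listed). It should be compared against the default set of the installed firejail version so that each omission is deliberate. I would change the comment to record the cause, e.g. `## seccomp breaks <program> (needs <syscall>); using a reduced seccomp.drop list until fixed.` The re-added `tracelog` comment also still spells `viloations`.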
@@ -74,15 +83,14 @@ disable-mnt
 
 ## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
 # bash required to launch from kde kickoff menu
-# QtWebEngine executes from /usr/lib which prevents usage of this option for now
-#private-bin bash,poi
+private-bin bash,poi
 
 ## private-dev - Create a virtual /dev directory. Only dri,  null,  full,  zero,  tty,  pts, ptmx, random, snd, urandom, video, log and shm devices are available.
 private-dev
 
 ## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
 # Experimental support for only fonts, alsa audio, and dns resolution.
-private-etc fonts,machine-id,resolv.conf
+private-etc fonts,group,machine-id,resolv.conf
 
 ## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
 private-tmp
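Review bot: The `private-etc` comment is now stale: it still says the list covers only fonts, alsa audio and dns resolution, while the line below adds `group` without saying what needs it. I would update it to something like `# Experimental support for only fonts, group lookups (needed by <reason>), alsa audio, and dns resolution.` Enabling `private-bin bash,poi` also deletes the note that QtWebEngine executes from /usr/lib without recording why that no longer blocks the option. A one-line comment such as `# QtWebEngine helpers under /usr/lib are unaffected by private-bin` would keep that history, if that is the reasoning. Keeping `bash` in the private bin directory leaves a shell available inside the sandbox even though `disable-interpreters.inc` is now included, so the kickoff-menu requirement is worth re-checking.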
-- 
cgit v1.2.1