From bb467396c864d6b1e830edd3cf4c580e114f4d18 Mon Sep 17 00:00:00 2001 From: jc_gargma Date: Sat, 14 Jan 2017 17:22:35 -0800 Subject: Updated firejail profile --- test/poi.profile | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) (limited to 'test/poi.profile') diff --git a/test/poi.profile b/test/poi.profile index 6a68fce..573a5ea 100644 --- a/test/poi.profile +++ b/test/poi.profile @@ -1 +1,50 @@ -################################
# Generic GUI application profile
################################
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc

#blacklist ${HOME}/.wine

caps.drop all
#netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp +################################ +# Based on the Generic GUI application profile +################################ +noblacklist ~/.cache/smolbote +noblacklist ~/.local/share/smolbote +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +whitelist ${DOWNLOADS} +mkdir ~/.cache/smolbote +whitelist ~/.cache/smolbote +mkdir ~/.local/share/smolbote +whitelist ~/.local/share/smolbote + +#blacklist ${HOME}/.wine + +## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid +caps.drop all + +## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. +## Commented out because netfliter somehow breaks smolbote if used alone. +#netfilter + +## newnewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant. +nonewprivs + +## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root. +noroot + +## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. +nogroups + +## protocol - Only allows sockets of the following types. Not supported on i386 architecture. +protocol unix,inet,inet6 + +## seccomp - Blacklists a large swath of syscalls from being accessible. +seccomp + +## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables. +## Commened out until an actually package is made. +#private-bin poi + +## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories. +private-etc nsswitch.conf,resolv.conf + +## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs. +private-tmp + +include /etc/firejail/whitelist-common.inc -- cgit v1.2.1