From a8e9e57abf3d1b0cc9980e8e64fca89d13db493e Mon Sep 17 00:00:00 2001 From: jc_gargma Date: Fri, 4 Aug 2017 08:11:04 -0700 Subject: Updated firejail profile --- test/poi.profile | 56 +++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 37 insertions(+), 19 deletions(-) (limited to 'test') diff --git a/test/poi.profile b/test/poi.profile index 9af4461..94305e2 100644 --- a/test/poi.profile +++ b/test/poi.profile @@ -1,52 +1,70 @@ -################################ -# Based on the Generic GUI application profile -################################ +# Persistent global definitions go here +include /etc/firejail/globals.local + +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include /etc/firejail/poi.local + noblacklist ~/.cache/smolbote -noblacklist ~/.local/share/smolbote +noblacklist ~/.config/smolbote include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc whitelist ${DOWNLOADS} mkdir ~/.cache/smolbote whitelist ~/.cache/smolbote -mkdir ~/.local/share/smolbote -whitelist ~/.local/share/smolbote +mkdir ~/.config/smolbote/ +whitelist ~/.config/smolbote/ + ## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid caps.drop all ## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. ## Commented out because netfliter somehow breaks smolbote if used alone. -#netfilter +netfilter + +## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. +nogroups -## newnewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant. +## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant. nonewprivs ## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root. noroot -## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. -nogroups - ## protocol - Only allows sockets of the following types. Not supported on i386 architecture. -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink ## seccomp - Blacklists a large swath of syscalls from being accessible. seccomp +## shell - Run the program directly, without a user shell. +shell none + +## tracelog - Log all viloations to syslog +tracelog + + ## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables. -## Commened out until an actually package is made. -#private-bin poi +# bash required to launch from kde kickoff menu +#private-bin bash,poi + +## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. +private-dev ## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories. -private-etc nsswitch.conf,resolv.conf +#private-etc nsswitch.conf,resolv.conf ## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs. private-tmp -## tracelog - Log all viloations to syslog -tracelog + +## noexec - Prevent execution of files in the specified locations +noexec ${HOME} +noexec /tmp + include /etc/firejail/whitelist-common.inc -- cgit v1.2.1