# Firejail profile for poi
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/poi.local
# Persistent global definitions
include /etc/firejail/globals.local

# noblacklist: exclude from blacklist (must come before the disable-*.inc includes)
noblacklist ${HOME}/.cache/smolbote
noblacklist ${HOME}/.config/smolbote
noblacklist ${HOME}/.local/share/smolbote

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc

mkdir ${HOME}/.cache/smolbote
mkdir ${HOME}/.config/smolbote
mkdir ${HOME}/.local/share/smolbote
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/smolbote
whitelist ${HOME}/.config/smolbote
whitelist ${HOME}/.local/share/smolbote
include /etc/firejail/whitelist-common.inc

## caps.drop all - Removes the ability to call programs usually run only by root, e.g. chown, setuid.
caps.drop all

## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user.
# Breaks audio
# ipc-namespace

## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
# Breaks audio
# machine-id

## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
netfilter

## nodbus - Disable access to dbus.
nodbus

## nodvd - Disable access to optical disk drives.
nodvd

## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
nogroups

## nonewprivs - Prevents child processes from requesting additional privileges. If --seccomp is enabled, --nonewprivs is redundant.
nonewprivs

## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
noroot

## notv - Disable access to DVB TV devices.
notv

## novideo - Disable access to video devices.
novideo

## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
protocol unix,inet,inet6,netlink

## seccomp - Blacklists a large swath of syscalls from being accessible.
#seccomp
## Use seccomp.drop for now as seccomp is broken with many programs.
seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace
# QtWebEngine requires the chroot syscall on AMD CPUs and/or ATI graphics for some bizarre reason.
# Use the following seccomp.drop instead on such systems.
#seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@raw-io,@reboot,@resources,@swap,ptrace,mount,umount2,pivot_root

## shell - Run the program directly, without a user shell.
# breaks secondary instances when using join-or-start after shell=none
#shell none

## tracelog - Log all violations to syslog.
# tracelog segfaults QtWebEngine on AMD CPUs and/or ATI graphics for some bizarre reason
tracelog

## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media.
disable-mnt

## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
# bash required to launch from kde kickoff menu
# breaks if installed to /usr/local
#private-bin bash,poi

## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
private-dev

## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
# Experimental support for only fonts, alsa audio, and dns resolution.
private-etc fonts,group,machine-id,resolv.conf

## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
# breaks SingleApplication without join-or-start set
private-tmp

## noexec - Prevent execution of files in the specified locations.
noexec ${HOME}
noexec /tmp

# join-or-start - Join the sandbox identified by name or start a new one
join-or-start poi
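The profile above only works if its directives are in the right order: `noblacklist` must precede the `disable-*.inc` includes that would otherwise blacklist the path, and a whitelisted `${HOME}` directory that should survive the sandbox needs a `mkdir` first. The following is an added example, not part of Firejail or of the poi project: a small linter that parses the profile format (`#` comments, `directive argument` lines, `${VAR}` expansion, `include` recorded rather than resolved) and checks those ordering rules plus the presence of the hardening options this profile relies on. The embedded `POI_PROFILE` is a constructed excerpt of the profile above; `REQUIRED` is this example's own choice of what to treat as mandatory.

```python
"""Minimal Firejail profile linter (added example, not Firejail's own code)."""
import re
from typing import Dict, List, Tuple

Directive = Tuple[str, str]  # (directive name, argument string; "" if none)

# Constructed excerpt of the poi profile; includes are recorded, not resolved,
# so the example runs offline.
POI_PROFILE = """\
# Firejail profile for poi
noblacklist ${HOME}/.config/smolbote
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
mkdir ${HOME}/.config/smolbote
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/smolbote
include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
#seccomp
seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace
private-dev
private-etc fonts,group,machine-id,resolv.conf
private-tmp
noexec ${HOME}
noexec /tmp
join-or-start poi
"""

# Hardening this example insists on (assumption: mirrors what the poi profile enables).
REQUIRED: Dict[str, str] = {"caps.drop": "all", "nonewprivs": "", "noroot": "",
                            "private-dev": "", "private-tmp": ""}


def parse_profile(text: str) -> List[Directive]:
    """Return active directives in file order; blank and '#' lines are skipped."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, arg = line.partition(" ")
        out.append((name, arg.strip()))
    return out


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand ${VAR} placeholders such as ${HOME}; unknown names are left intact."""
    return re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), m.group(0)), path)


def lint(directives: List[Directive]) -> List[str]:
    """Ordering and consistency problems; an empty list means the profile is clean."""
    problems: List[str] = []
    names = [n for n, _ in directives]
    first_disable = next((i for i, (n, a) in enumerate(directives)
                          if n == "include" and "/disable-" in a), None)
    made = set()
    for i, (name, arg) in enumerate(directives):
        if name == "noblacklist" and first_disable is not None and i > first_disable:
            problems.append(f"noblacklist {arg} comes after a disable-*.inc include "
                            "and will not exempt the path from that blacklist")
        elif name == "mkdir":
            made.add(arg)
        elif name == "whitelist" and arg.startswith("${HOME}") and arg not in made:
            problems.append(f"whitelist {arg} has no preceding mkdir; if the directory "
                            "is absent on the host it lives in the sandbox tmpfs and is lost on exit")
    if "seccomp" in names and "seccomp.drop" in names:
        problems.append("both seccomp and seccomp.drop are active; pick one filter")
    return problems


def missing_hardening(directives: List[Directive]) -> List[str]:
    """Names from REQUIRED (plus one of seccomp/seccomp.drop) that are absent or wrong."""
    have = dict(directives)  # repeated names (include, whitelist, noexec) keep the last value
    missing = [n for n, want in REQUIRED.items() if have.get(n) != want]
    if "seccomp" not in have and "seccomp.drop" not in have:
        missing.append("seccomp")
    return missing


if __name__ == "__main__":
    active = parse_profile(POI_PROFILE)
    env = {"HOME": "/home/user", "DOWNLOADS": "/home/user/Downloads"}
    for name, arg in active:
        print(f"{name:14s} {expand(arg, env)}")
    print("problems:", lint(active) or "none")
    print("missing hardening:", missing_hardening(active) or "none")
```

Run it against a real profile with `parse_profile(open(path).read())`; to confirm what Firejail itself ends up applying, compare with `firejail --profile=/etc/firejail/poi.profile --debug poi`, which prints every directive as it is processed.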