aboutsummaryrefslogtreecommitdiff
path: root/data/poi.profile
blob: 02c0ec4d33dee04883c12770d771291c10a5b2c6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
# Firejail profile for poi
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/poi.local
# Persistent global definitions
include /etc/firejail/globals.local


noblacklist ${HOME}/.cache/smolbote
noblacklist ${HOME}/.config/smolbote
noblacklist ${HOME}/.local/share/smolbote

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc

mkdir ${HOME}/.cache/smolbote
mkdir ${HOME}/.config/smolbote
mkdir ${HOME}/.local/share/smolbote

whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/smolbote
whitelist ${HOME}/.config/smolbote
whitelist ${HOME}/.local/share/smolbote
include /etc/firejail/whitelist-common.inc


## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
caps.drop all

## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user.
# Breaks audio
# ipc-namespace

## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
# Breaks audio
# machine-id

## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
netfilter

## nodbus - Disable access to dbus.
nodbus

## nodvd - Disable access to optical disk drives.
nodvd

## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
nogroups

##  nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
nonewprivs

## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
noroot

## notv - Disable access to DVB TV devices.
notv

# novideo - Disable access to video devices.
novideo

## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
protocol unix,inet,inet6,netlink

## seccomp - Blacklists a large swath of syscalls from being accessible.
#seccomp
## Use seccomp.drop for now as seccomp is broken with many programs.
seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace

## shell - Run the program directly, without a user shell.
shell none

## tracelog - Log all viloations to syslog.
tracelog


## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media
disable-mnt

## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
# bash required to launch from kde kickoff menu
private-bin bash,poi

## private-dev - Create a virtual /dev directory. Only dri,  null,  full,  zero,  tty,  pts, ptmx, random, snd, urandom, video, log and shm devices are available.
private-dev

## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
# Experimental support for only fonts, alsa audio, and dns resolution.
private-etc fonts,group,machine-id,resolv.conf

## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
private-tmp


## noexec - Prevent execution of files in the specified locations
noexec ${HOME}
noexec /tmp