blob: 9af446131354a04f7a9e87276d51e49983fea96b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
################################
# Based on the Generic GUI application profile
################################
noblacklist ~/.cache/smolbote
noblacklist ~/.local/share/smolbote
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-devel.inc
whitelist ${DOWNLOADS}
mkdir ~/.cache/smolbote
whitelist ~/.cache/smolbote
mkdir ~/.local/share/smolbote
whitelist ~/.local/share/smolbote
## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
caps.drop all
## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
## Commented out because netfliter somehow breaks smolbote if used alone.
#netfilter
## newnewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
nonewprivs
## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
noroot
## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
nogroups
## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
protocol unix,inet,inet6
## seccomp - Blacklists a large swath of syscalls from being accessible.
seccomp
## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
## Commened out until an actually package is made.
#private-bin poi
## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
private-etc nsswitch.conf,resolv.conf
## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
private-tmp
## tracelog - Log all viloations to syslog
tracelog
include /etc/firejail/whitelist-common.inc
|
