Improve profile.template

* uncomment .local includes * add options * ##ignore noexec /tmp * ##caps.keep CAPS * ##hostname NAME * ##writable-etc * ##writable-run-user * ##writable-var * ##writable-var-log * add disable x11 * x11 none * blacklist /tmp/.X11-unix * comment when which of the both option should be used * sort private-etc template Common * add comments * machine-id: breaks sound and sometime dbus related functions * private-bin: python should be added by 'python*' * protocol: auxiliary comment for protocol line * add 'packet' to protocol list * Sections structure: OPTIONS: now has seccomp* instead of seccomp
2026-05-21 06:45:29 -06:00 · 2019-06-20 12:46:24 +02:00 · 2019-06-20 12:46:24 +02:00 · 4429e6fcaf
commit 4429e6fcaf
parent dd0697a815
1 changed files with 23 additions and 5 deletions
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@ -30,7 +30,7 @@
 #   MKDIRS
 #   WHITELISTS
 #   WHITELIST INCLUDES
-#   OPTIONS (caps*, net*, no*, protocol, seccomp, shell none, tracelog)
+#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
 #   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
 #   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
 #   REDIRECT INCLUDES
@ -49,13 +49,16 @@
 # --- CUT HERE ---
 ##quiet
 # Persistent local customizations
-#include PROFILE.local
+include PROFILE.local
 # Persistent global definitions
-#include globals.local
+include globals.local

 ##ignore noexec ${HOME}
+##ignore noexec /tmp

 ##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix

 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@ -105,8 +108,11 @@

 #apparmor
 #caps.drop all
+##caps.keep CAPS
+##hostname NAME
 # CLI only
 ##ipc-namespace
+# breaks sound and sometime dbus related functions
 #machine-id
 # 'net none' or 'netfilter'
 #net none
@ -121,20 +127,28 @@
 #notv
 #nou2f
 #novideo
-#protocol unix,inet,inet6,netlink
+# Remove every not needed protocol
+#  - unix is usually needed
+#  - inet,inet6 only if internet access is requiered (see 'net none'/'netfilter' above)
+#  - netlink is rarely needed
+#  - packet almost never
+#protocol unix,inet,inet6,netlink,packet
 #seccomp
 ##seccomp.drop SYSCALLS (see also syscalls.txt)
 #shell none
 #tracelog
+# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+##x11 none

 #disable-mnt
 ##private
+# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
 #private-bin PROGRAMS
 #private-cache
 #private-dev
 #private-etc FILES
 # private-etc templates (see also #1734, #2093)
-#  Common: ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,alternatives,mime.types,xdg
+#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
 #    Extra: magic,magic.mgc,passwd,group
 #  Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
 #    Extra: proxychains.conf,gai.conf
@ -148,6 +162,10 @@
 ##private-lib LIBS
 ##private-opt NAME
 #private-tmp
+##writable-etc
+##writable-run-user
+##writable-var
+##writable-var-log

 ##env VAR=VALUE
 #memory-deny-write-execute