integrate relevant options into server.profile (#3808)

* integrate relevant options into server.profile * relax mdwe and dbus-system in server.profile
2026-05-21 06:45:29 -06:00 · 2020-12-11 12:09:30 +00:00 · 2020-12-11 12:09:30 +00:00 · 5cbbafa686
commit 5cbbafa686
parent 917e48125e
1 changed files with 17 additions and 3 deletions
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@ -45,10 +45,17 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# include disable-xdg.inc
+include disable-write-mnt.inc
+include disable-xdg.inc

+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+apparmor
 caps
 # ipc-namespace
+machine-id
 # netfilter /etc/firejail/webserver.net
 no3d
 nodvd
@ -59,19 +66,26 @@ nosound
 notv
 nou2f
 novideo
+# protocol unix,inet,inet6,netlink
 seccomp
 # shell none

-# disable-mnt
+disable-mnt
 private
 # private-bin program
 # private-cache
 private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
 # private-etc alternatives
 # private-lib
+# private-opt none
 private-tmp

-# dbus-user none
+dbus-user none
 # dbus-system none

 # memory-deny-write-execute
+# read-only ${HOME}
+# writable-run-user
+# writable-var
+# writable-var-log