This closes the escape route discussed in #6357. It's left open for i3's own profile, so that people who run i3 itself sandboxed still have the option to use IPC with it at all. Reference for file paths: https://i3wm.org/docs/userguide.html#_interprocess_communication
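# Firejail profile for i3
# Description: Standards-compliant, fast, light-weight and extensible window manager
# This file is overwritten after every install/update
# (put site-specific changes in i3.local, which is included first)
# Persistent local customizations
include i3.local
# Persistent global definitions
include globals.local

# All applications started in i3 will run in this profile, so every
# restriction below applies to the whole session, not only to i3.
#
# Exempt i3's config directory and its IPC socket locations (runtime dir and
# the /tmp fallback) from blacklist rules. noblacklist only affects blacklist
# rules that are read after it, so these lines must stay above the
# disable-common.inc include.
# NOTE(review): keep the socket exemptions in this profile only. They exist so
# that a sandboxed i3 can still be reached over IPC; in other applications'
# profiles, reaching the window manager's IPC socket appears to be what the
# blacklist is meant to prevent - confirm against disable-common.inc.
noblacklist ${HOME}/.config/i3
noblacklist ${RUNUSER}/i3
noblacklist ${RUNUSER}/i3/ipc-socket.*
noblacklist /tmp/i3-*
noblacklist /tmp/i3-*/ipc-socket.*
include disable-common.inc

# Drop every Linux capability.
caps.drop all
# Default network filter; only takes effect if the sandbox gets its own
# network namespace.
netfilter
# No root user inside the sandbox.
noroot
# Only UNIX, IPv4 and IPv6 sockets may be created.
protocol unix,inet,inet6
# Default seccomp filter, with the chroot syscall left allowed.
seccomp !chroot

# Left disabled in this profile.
# NOTE(review): presumably because programs started from the session need to
# create namespaces - confirm before enabling it in i3.local.
#restrict-namespaces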