mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-21 06:45:29 -06:00
04efbb2763
Replace all occurrences of `blacklist /tmp/.X11-unix` with
`include disable-X11.inc`, which blacklists more X11-related files.
Commands used to search and replace:
$ git grep -Ilz '^blacklist /tmp/.X11-unix' -- \
etc/profile*/*.profile | xargs -0 perl -0 -pi -e '\
s/\nblacklist \/tmp\/.X11-unix\n/\n/; \
s/(\ninclude disable-xdg.inc\n)/\ninclude disable-X11.inc$1/; \
s/(\ninclude disable-[^Xx\n]+\n)(\n|# )/$1include disable-X11.inc\n$2/'
Note: The following files were also edited manually:
* etc/profile-a-l/erd.profile
* etc/profile-a-l/links-common.profile
* etc/profile-m-z/termshark.profile
* etc/profile-m-z/tmux.profile
* etc/profile-m-z/tshark.profile
Relates to #4462 #4854.
95 lines
2.4 KiB
Text
95 lines
2.4 KiB
Text
# Generic Firejail profile for servers started as root
|
|
#
|
|
# This profile is used as a default when starting the sandbox as root.
|
|
# Example:
|
|
#
|
|
# $ sudo firejail
|
|
# [sudo] password for netblue:
|
|
# Reading profile /etc/firejail/server.profile
|
|
# Reading profile /etc/firejail/disable-common.inc
|
|
# Reading profile /etc/firejail/disable-programs.inc
|
|
#
|
|
# ** Note: you can use --noprofile to disable server.profile **
|
|
#
|
|
# Parent pid 5347, child pid 5348
|
|
# The new log directory is /proc/5348/root/var/log
|
|
# Child process initialized in 64.43 ms
|
|
# root@debian:~#
|
|
#
|
|
# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
|
|
# All the rules for regular user profiles apply with the exception of
|
|
# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
|
|
# by default for root user.
|
|
|
|
# This file is overwritten after every install/update
|
|
# Persistent local customizations
|
|
include server.local
|
|
# Persistent global definitions
|
|
include globals.local
|
|
|
|
# generic server profile
|
|
# it allows /sbin and /usr/sbin directories - this is where servers are installed
|
|
# depending on your usage, you can enable some of the commands below:
|
|
|
|
noblacklist /sbin
|
|
noblacklist /usr/sbin
|
|
noblacklist /etc/init.d
|
|
#noblacklist /var/opt
|
|
|
|
blacklist ${RUNUSER}/wayland-*
|
|
|
|
include disable-common.inc
|
|
#include disable-devel.inc
|
|
#include disable-exec.inc
|
|
#include disable-interpreters.inc
|
|
include disable-programs.inc
|
|
include disable-write-mnt.inc
|
|
include disable-X11.inc
|
|
include disable-xdg.inc
|
|
|
|
#include whitelist-runuser-common.inc
|
|
#include whitelist-usr-share-common.inc
|
|
#include whitelist-var-common.inc
|
|
|
|
# people use to install servers all over the place!
|
|
# apparmor runs executable only from default system locations
|
|
#apparmor
|
|
caps
|
|
#ipc-namespace
|
|
machine-id
|
|
#netfilter /etc/firejail/webserver.net
|
|
no3d
|
|
nodvd
|
|
#nogroups
|
|
noinput
|
|
nonewprivs
|
|
#noroot
|
|
nosound
|
|
notv
|
|
nou2f
|
|
novideo
|
|
protocol unix,inet,inet6,netlink,packet
|
|
seccomp
|
|
tab # allow tab completion
|
|
|
|
disable-mnt
|
|
private
|
|
#private-bin program
|
|
#private-cache
|
|
private-dev
|
|
# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
|
|
#private-etc alternatives
|
|
#private-lib
|
|
#private-opt none
|
|
private-tmp
|
|
#writable-run-user
|
|
#writable-var
|
|
#writable-var-log
|
|
|
|
dbus-user none
|
|
#dbus-system none
|
|
|
|
#deterministic-shutdown
|
|
#memory-deny-write-execute
|
|
#read-only ${HOME}
|
|
#restrict-namespaces
|