mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
Changes:
* Keep hostname by default (same as using `--keep-hostname`)
* Add `--hostname-randomize` command to randomize the hostname
* Ignore `--keep-hostname` command and print a warning if it is used

Setting a different hostname inside of the sandbox may prevent X11 programs from authenticating to the X server and displaying windows at all (see #7062). To avoid breakage, keep the hostname as is by default and only set it to a random value if a new `hostname-randomize` command is used.

This also avoids potentially surprising behavior, as the user might not expect the hostname to be changed inside of the sandbox, considering that usually the protections that are applied by firejail involve restricting access to resources (like file paths), rather than modifying their values inside of the sandbox.

Fixes #7062
Relates to #7048 #7069.
33 lines
887 B
Text
# This is the weakest possible firejail profile.
# If a program still fails with this profile, it is incompatible with firejail.
# (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
#
# Usage:
# $ firejail --profile=noprofile.profile /path/to/program

# Keep in mind that even with this profile some things are done
# which can break the program:
# - some env-vars are cleared;
# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes';
# - a new private pid-namespace is created;
# - a minimal hardcoded blacklist is applied;
# - ...

noblacklist /sys/fs
noblacklist /sys/module
nowhitelist /sys/module/nvidia*
ignore read-only /sys/module/nvidia*

allow-debuggers
allusers
keep-config-pulse
keep-dev-ntsync
keep-dev-shm
keep-dev-tpm
keep-fd all
keep-shell-rc
keep-var-tmp
writable-etc
writable-run-user
writable-var
writable-var-log
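The profile's header lists the effects that remain even under this weakest profile (cleared env-vars, a possible `force-nonewprivs yes` in firejail.config, a private pid namespace), and the commit message above notes that the hostname is now kept by default. The probe script below is an added example, not part of firejail or of noprofile.profile: it runs a few commands through the profile and reports which of those effects are actually in force on the machine, which is the first thing to look at when a program works outside firejail but not inside. The `PROFILE` variable, the `run_in` helper and the sample `/proc/self/status` and `env` listings at the bottom are assumptions constructed for this example; `--quiet` and `--profile=` are real firejail options, and a bare profile name is resolved through firejail's profile directories just as in the Usage line.

```shell
#!/bin/sh
# Added example, not part of firejail or of noprofile.profile: report which
# residual sandbox effects are in force when running under the profile.
# The text helpers take their input as arguments so they can be exercised
# offline; PROFILE and the sample data are assumptions for this example.

PROFILE=${PROFILE:-noprofile.profile}

# Value of the NoNewPrivs field in a /proc/<pid>/status text, or "unknown".
# A "1" inside but "0" outside points at 'force-nonewprivs yes' in
# /etc/firejail/firejail.config (or a profile that sets nonewprivs).
nnp_from_status() {
    printf '%s\n' "$1" | awk -F':[[:blank:]]*' \
        '$1 == "NoNewPrivs" { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# Names of VAR=value entries present in the first env listing (outside the
# sandbox) but absent from the second (inside), one per line, outside order.
missing_env_names() {
    {
        printf '%s\n' "$2"        # inside listing first, so it is indexed
        printf '%s\n' '__SEP__'
        printf '%s\n' "$1"        # then the outside listing
    } | awk -F= '
        $0 == "__SEP__" { phase = 1; next }
        phase == 0      { if (NF) inside[$1] = 1; next }
        NF && !($1 in inside) && !seen[$1]++ { print $1 }'
}

# "same" when two namespace links (readlink /proc/self/ns/pid) match,
# "different" otherwise; different means a new pid namespace was created.
compare_ns() {
    if [ "$1" = "$2" ]; then echo same; else echo different; fi
}

# Live probe: compare outside vs inside the sandbox. Skips when firejail
# is not installed so the helpers above can still be used on their own.
probe_live() {
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail not installed; skipping live probe" >&2
        return 0
    fi
    run_in() { firejail --quiet --profile="$PROFILE" "$@"; }

    echo "env-vars missing inside the sandbox:"
    missing_env_names "$(env)" "$(run_in env)" | sed 's/^/  /'

    echo "NoNewPrivs outside: $(nnp_from_status "$(cat /proc/self/status)")"
    echo "NoNewPrivs inside:  $(nnp_from_status "$(run_in cat /proc/self/status)")"

    echo "pid namespace: $(compare_ns "$(readlink /proc/self/ns/pid)" \
                                      "$(run_in readlink /proc/self/ns/pid)")"

    # After the change described in the commit message these should match.
    echo "hostname outside: $(cat /proc/sys/kernel/hostname)"
    echo "hostname inside:  $(run_in cat /proc/sys/kernel/hostname)"
}

# Constructed sample inputs (not real captures), to show the helpers offline.
SAMPLE_STATUS=$(printf 'Name:\tcat\nNoNewPrivs:\t1\nSeccomp:\t2\n')
SAMPLE_ENV_OUTSIDE=$(printf 'HOME=/home/alice\nSAMPLE_ONLY=1\nPATH=/usr/bin\nANOTHER_SAMPLE=2\n')
SAMPLE_ENV_INSIDE=$(printf 'HOME=/home/alice\nPATH=/usr/bin\n')

# Run the live probe only when invoked as "sh probe.sh run".
if [ "${1:-}" = "run" ]; then
    probe_live
fi
```

Run it as `sh probe.sh run` on a machine with firejail installed; each line names the residual effect it tests, so a program that breaks under noprofile.profile can be matched against the specific cause (a cleared variable it needs, NoNewPrivs defeating a setuid helper, a pid namespace confusing a tool that inspects other processes).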