github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-21 06:45:29 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 1
firejail/etc/profile-m-z/makepkg.profile
Kelvin M. Klann 0060b5105b
profiles: rename disable-X11.inc to disable-x11.inc (#6294) 
That is, make "X11" lowercase so that the order of the includes in the
disable- section remain the same when sorted with `LC_ALL=C`, as is the
case for most of the other sections.  That is also likely to be the
default in text editors (such as in vim on Arch), so this should make
the disable- section more consistent and easier to sort when editing the
profile.

Also, keep the old include as a redirect to the new one for now to avoid
breakage.

Commands used to search and replace:

    git mv etc/inc/disable-X11.inc etc/inc/disable-x11.inc
    git grep -Ilz 'disable-X11' -- etc | xargs -0 \
      perl -pi -e 's/disable-X11/disable-x11/'

Relates to #4462 #4854 #6070 #6289.

This is a follow-up to #6286.
2024-03-27 12:13:47 +00:00

60 lines
1.5 KiB
Text
Raw Blame History

# Firejail profile for makepkg
# Description: A utility to automate the building of Arch Linux packages
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include makepkg.local
# Persistent global definitions
include globals.local
blacklist ${RUNUSER}/wayland-*
# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
# for potential issues and their solutions when Firejailing makepkg
# This profile could be significantly strengthened by adding the following to makepkg.local
#whitelist ${HOME}/<Your Build Folder>
#whitelist ${HOME}/.gnupg
# Enable severely restricted access to ${HOME}/.gnupg
noblacklist ${HOME}/.gnupg
read-only ${HOME}/.gnupg/trustdb.gpg
read-only ${HOME}/.gnupg/pubring.kbx
blacklist ${HOME}/.gnupg/crls.d
blacklist ${HOME}/.gnupg/openpgp-revocs.d
blacklist ${HOME}/.gnupg/private-keys-v1.d
blacklist ${HOME}/.gnupg/pubring.kbx~
blacklist ${HOME}/.gnupg/random_seed
# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
noblacklist /var/lib/pacman
include disable-common.inc
include disable-exec.inc
include disable-programs.inc
include disable-x11.inc
caps.drop all
ipc-namespace
machine-id
netfilter
no3d
nodvd
nogroups
nonewprivs
# noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD.
#noroot
nosound
nou2f
notv
novideo
protocol unix,inet,inet6
seccomp
tracelog
disable-mnt
private-cache
private-tmp
memory-deny-write-execute
restrict-namespaces
Reference in a new issue View git blame Copy permalink