# Firejail profile for PROGRAM_NAME
# Description: DESCRIPTION
# This file is overwritten after every install/update
# --- CUT HERE ---
# This is a generic template to help you create profiles
# for new programs. PRs welcome at https://github.com/netblue30/firejail/
#
# Rules to follow:
# - lines with one # are often used in profiles
# - lines with two ## are only needed in special situations
# - make the profile as restrictive as possible while still keeping the program useful
# (e.g. a profile that leaves the program unable to save the user's work is considered bad practice)
# - dedicate some time (based on how complex the application is) to profile testing before raising
# a pull request
# - keep the section structure, using a single empty line as the separator between sections
# - entries within sections are alphabetically sorted
# - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
# not to do this for essential utilities, as this may *break* your OS! (related discussion:
# https://github.com/netblue30/firejail/issues/2507)
# - remove this comment section and any generic comment past 'Persistent global definitions'
#
# Sections structure
# HEADER
# COMMENTS
# IGNORES
# NOBLACKLISTS
# ALLOW INCLUDES
# BLACKLISTS
# DISABLE INCLUDES
# MKDIRS
# WHITELISTS
# WHITELIST INCLUDES
# OPTIONS (no*)
# PRIVATE OPTIONS (disable-mnt, private-*)
# SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
# REDIRECT INCLUDES
#
# The following macros may be used in path names to substitute common locations:
# ${DESKTOP}
# ${DOCUMENTS}
# ${DOWNLOADS}
# ${HOME} (user's home)
# ${PATH} (contents of PATH envvar)
# ${MUSIC}
# ${VIDEOS}
#
# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
#
# --- CUT HERE ---
##quiet
# Persistent local customizations
#include PROFILE.local
# Persistent global definitions
#include globals.local
##ignore noexec ${HOME}
##blacklist PATH
# It is common practice to add files/dirs containing program-specific configuration
# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
# (keep the list sorted) and then lift that blacklist with noblacklist below.
# One way to retrieve the files a program uses is:
# - launch the binary with --private, giving the sandbox a name:
# `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
# - work with the program, do some configuration changes and save them, open new documents,
# install plugins if they exist, etc.
# - join the sandbox with bash:
# `firejail --join=test bash`
# - look at what has changed and use that information to populate the blacklist and whitelist sections:
# `ls -aR`
#noblacklist PATH
# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc
# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc
# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc
# Allow lua (blacklisted by disable-interpreters.inc)
#include allow-lua.inc
#include disable-common.inc
#include disable-devel.inc
#include disable-exec.inc
#include disable-interpreters.inc
#include disable-passwdmgr.inc
#include disable-programs.inc
#include disable-xdg.inc
# This section often mirrors the noblacklist section above. The idea is
# that if a user feels too restricted (they are unable to save files into
# the home directory, for instance) they may disable the whitelist (nowhitelist)
# in PROFILE.local and still be protected by the BLACKLISTS section
# (further explanation at https://github.com/netblue30/firejail/issues/1569)
#mkdir PATH
#mkfile PATH
#whitelist PATH
#include whitelist-common.inc
#include whitelist-var-common.inc
#apparmor
#caps.drop all
# CLI only
##ipc-namespace
#machine-id
# 'net none' or 'netfilter'
#net none
#netfilter
#no3d
#nodbus
#nodvd
#nogroups
#nonewprivs
#noroot
#nosound
#notv
#nou2f
#novideo
#protocol unix,inet,inet6,netlink
#seccomp
##seccomp.drop SYSCALLS (see also syscalls.txt)
#shell none
#tracelog
#disable-mnt
##private
#private-bin PROGRAMS
#private-cache
#private-dev
#private-etc FILES
# private-etc templates (see also #1734)
# Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
# Sound: alsa,asound.conf,machine-id,openal,pulse
# GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
# KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
# GUIs: fonts
# Alternatives: alternatives
##private-lib LIBS
##private-opt NAME
#private-tmp
##env VAR=VALUE
#memory-deny-write-execute
##noexec PATH
##read-only ${HOME}
##join-or-start NAME