-
Notifications
You must be signed in to change notification settings - Fork 567
/
profile.template
257 lines (235 loc) · 8.28 KB
/
profile.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
# Firejail profile for PROGRAM_NAME
# Description: DESCRIPTION OF THE PROGRAM
# This file is overwritten after every install/update
# --- CUT HERE ---
# This is a generic template to help you create profiles.
# PRs welcome at https://github.com/netblue30/firejail/.
#
# Rules to follow:
# - lines with one # are often used in profiles
# - lines with two ## are only needed in special situations
# - make the profile as restrictive as possible while still keeping the program useful
# (e.g. a program that is unable to save user's work is considered bad practice)
# - dedicate ample time (based on the complexity of the application) to profile testing before
# submitting a pull request
# - keep the sections structure, use a single empty line as separator
# - entries within sections are alphabetically sorted
# - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
# to not do this for essential utilities as this may *break* your OS! (related discussion:
# https://github.com/netblue30/firejail/issues/2507)
# - remove this comment section and any generic comment past 'Persistent global definitions'
#
# Sections structure
# HEADER
# COMMENTS
# IGNORES
# NOBLACKLISTS
# ALLOW INCLUDES
# BLACKLISTS
# DISABLE INCLUDES
# NOWHITELISTS
# MKDIRS
# WHITELISTS
# WHITELIST INCLUDES
# OPTIONS (caps*, net*, no*, protocol, seccomp*, tracelog)
# PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
# DBUS FILTER
# SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
# REDIRECT INCLUDES
#
# The following macros may be used in path names to substitute common locations:
# ${DESKTOP}
# ${DOCUMENTS}
# ${DOWNLOADS}
# ${HOME} (user's home)
# ${PATH} (contents of PATH env var)
# ${MUSIC}
# ${RUNUSER} (/run/user/UID)
# ${VIDEOS}
#
# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
#
# --- CUT HERE ---
##quiet
# Persistent local customizations
include PROFILE.local
# Persistent global definitions
include globals.local
##ignore noexec ${HOME}
##ignore noexec /tmp
# It is common practice to add files/dirs containing program-specific configuration
# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
# (keep list sorted) and then disable blacklisting below.
# One way to retrieve the files a program uses is:
# - launch binary with --private naming a sandbox
# `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
# - work with the program, make some configuration changes and save them, open new documents,
# install plugins if they exists, etc.
# - join the sandbox with bash:
# `firejail --join=test bash`
# - look what has changed and use that information to populate blacklist and whitelist sections
# `ls -aR`
#noblacklist PATH
# Allow /bin/sh (blacklisted by disable-shell.inc)
#include allow-bin-sh.inc
# Allows files commonly used by IDEs
#include allow-common-devel.inc
# Allow gjs (blacklisted by disable-interpreters.inc)
#include allow-gjs.inc
# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc
# Allow lua (blacklisted by disable-interpreters.inc)
#include allow-lua.inc
# Allow nodejs (blacklisted by disable-interpreters.inc)
#include allow-nodejs.inc
# Allow opengl-game wrapper script (distribution-specific)
#include allow-opengl-game.inc
# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc
# Allow php (blacklisted by disable-interpreters.inc)
#include allow-php.inc
# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc
# Allow ruby (blacklisted by disable-interpreters.inc)
#include allow-ruby.inc
# Allow ssh (blacklisted by disable-common.inc)
#include allow-ssh.inc
##blacklist PATH
# Disable Wayland
#blacklist ${RUNUSER}/wayland-*
# Disable RUNUSER (cli only; supersedes Disable Wayland)
#blacklist ${RUNUSER}
# Remove the next blacklist if your system has no /usr/libexec dir,
# otherwise try to add it.
#blacklist /usr/libexec
# disable-*.inc includes
# remove disable-write-mnt.inc if you set disable-mnt
#include disable-common.inc
#include disable-devel.inc
#include disable-exec.inc
#include disable-interpreters.inc
#include disable-proc.inc
#include disable-programs.inc
#include disable-shell.inc
#include disable-write-mnt.inc
#include disable-x11.inc
#include disable-xdg.inc
# This section often mirrors noblacklist section above. The idea is
# that if a user feels too restricted (e.g. unable to save files into
# home directory) they may disable whitelist (nowhitelist)
# in PROFILE.local but still be protected by BLACKLISTS section
# (explanation at https://github.com/netblue30/firejail/issues/1569)
#mkdir PATH
##mkfile PATH
#whitelist PATH
#include whitelist-common.inc
#include whitelist-run-common.inc
#include whitelist-runuser-common.inc
#include whitelist-usr-share-common.inc
#include whitelist-var-common.inc
# Landlock commands
##landlock.fs.read PATH
##landlock.fs.write PATH
##landlock.fs.makeipc PATH
##landlock.fs.makedev PATH
##landlock.fs.execute PATH
#include landlock-common.inc
##allusers
#apparmor
#caps.drop all
##caps.keep CAPS
##hostname NAME
# CLI only
##ipc-namespace
# breaks audio and sometimes dbus related functions
#machine-id
# 'net none' or 'netfilter'
#net none
#netfilter
#no3d
##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
#nodvd
#nogroups
#noinput
#nonewprivs
#noprinters
#noroot
#nosound
#notpm
#notv
#nou2f
#novideo
# Remove each unneeded protocol:
# - unix is usually needed
# - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above)
# - netlink is rarely needed
# - packet and bluetooth almost never
#protocol unix,inet,inet6,netlink,packet,bluetooth
#seccomp
##seccomp !chroot
##seccomp.drop SYSCALLS (see syscalls.txt)
#seccomp.block-secondary
##seccomp-error-action log (only for debugging seccomp issues)
#tracelog
# Prefer 'x11 none' instead of 'disable-x11.inc' if 'net none' is set
##x11 none
#disable-mnt
##private
# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
#private-bin PROGRAMS
#private-cache
#private-dev
#private-etc FILES
# private-etc templates (see also #1734, #2093)
# Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
# Extra: group,magic,magic.mgc,passwd
# 3D: bumblebee,drirc,glvnd,nvidia
# Audio: alsa,asound.conf,machine-id,pulse
# D-Bus: dbus-1,machine-id
# GUI: fonts,pango,X11
# GTK: dconf,gconf,gtk-2.0,gtk-3.0
# KDE: kde4rc,kde5rc
# Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
# Extra: gai.conf,proxychains.conf
# Qt: Trolltech.conf
##private-lib LIBS
## Note: private-opt copies the entire path(s) to RAM, which may break
## file-copy-limit in firejail.config (see firejail(1)).
## For sizeable apps (if in doubt, do this):
## - never use 'private-opt NAME'
## - place 'whitelist /opt/NAME' in the whitelist section above
## For acceptable apps:
## - use 'private-opt NAME'
##private-opt NAME
#private-tmp
##writable-etc
##writable-run-user
##writable-var
##writable-var-log
# Since 0.9.63 also a more granular control of dbus is supported.
# To get the dbus-addresses an application needs access to you can
# check with flatpak (when the application is distributed that way):
# flatpak remote-info --show-metadata flathub <APP-ID>
# Notes:
# - flatpak implicitly allows an app to own <APP-ID> on the session bus
# - Some features like native notifications are implemented as portal too.
# - In order to make dconf work (when used by the app) you need to allow
# 'ca.desrt.dconf' even when not allowed by flatpak.
# Notes and policies about addresses can be found at
# <https://github.com/netblue30/firejail/wiki/Restrict-DBus>
#dbus-user filter
#dbus-user.own com.github.netblue30.firejail
#dbus-user.talk ca.desrt.dconf
#dbus-user.talk org.freedesktop.Notifications
#dbus-system none
# Note: read-only entries should usually go in disable-common.inc (especially
# entries for configuration files that allow arbitrary command execution).
##deterministic-shutdown
##env VAR=VALUE
##join-or-start NAME
#memory-deny-write-execute
##noexec PATH
##read-only ${HOME}
##read-write ${HOME}
#restrict-namespaces