# Firejail profile for server
# This file is overwritten after every install/update
# Persistent local customizations
# Local overrides are read before the rest of this profile, so directives placed
# there (for example noblacklist or ignore) can relax the defaults below; review
# server.local whenever this sandbox is audited.
include server.local
# Persistent global definitions
# globals.local is included by name from this profile; presumably it is shared
# with other profiles, so a change there would affect more than this sandbox.
include globals.local

# generic server profile
# It un-blacklists the /sbin and /usr/sbin directories, where server binaries are usually installed.
# Depending on your usage, you can enable some of the commented-out commands below:

# Make the X11 socket directory inaccessible inside the sandbox; a headless
# server normally has no reason to reach the desktop's X display.
blacklist /tmp/.X11-unix

# Exempt the system-binary directories from blacklisting so the daemon
# executable can be reached. These lines must stay above the disable-*.inc
# includes: a noblacklist only takes effect if it is read before the
# matching blacklist.
noblacklist /sbin
noblacklist /usr/sbin
# noblacklist /var/opt

# Shared blacklist sets. Only common, passwdmgr and programs are active here.
# The devel, interpreters and xdg sets are left commented out, presumably
# because some servers need compilers, script interpreters or XDG directories
# (TODO confirm per deployment). Enable each one the server can run without.
include disable-common.inc
# include disable-devel.inc
# include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
#include disable-xdg.inc

# Apply Firejail's default capabilities filter. For a known daemon, an explicit
# allow-list (caps.keep with only the capabilities it needs, or caps.drop all
# if it needs none) is tighter than the generic default.
caps
# ipc-namespace
# netfilter /etc/firejail/webserver.net
# Disable 3D hardware acceleration inside the sandbox.
no3d
# nodbus
# Disable DVD and audio CD devices.
nodvd
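# NOTE(review): presumably left disabled because many daemons start as root and
# then switch user/group; enable these if your server does not need that.
# nogroups
# nonewprivs
# noroot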
# Disable the sound system.
nosound
# Disable DVB (digital TV) devices.
notv
# Disable U2F security-key devices.
nou2f
# Disable video capture devices.
novideo
# Enable the default seccomp filter, which blocks the syscalls on Firejail's
# default list. It is a deny-list, so syscalls not on that list stay available.
seccomp
# shell none

# disable-mnt
# Mount temporary filesystems over /root and the user's home directory.
# Anything written there is discarded when the sandbox closes, so persistent
# server data and logs must live elsewhere.
private
# private-bin program
# private-cache
# Replace /dev with a new directory holding only a reduced set of device nodes.
private-dev
# private-etc none
# private-lib
# Mount an empty temporary filesystem over /tmp so the server cannot see or
# tamper with other processes' temporary files.
private-tmp

# memory-deny-write-execute
# noexec ${HOME}
# noexec /tmp