xpra.profile 1.54 KB
# Firejail profile for xpra
# Description: Tool to detach/reattach running X programs
# This file is overwritten after every install/update
# Persistent local customizations
include xpra.local
# Persistent global definitions
include globals.local

#
# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
# To enable it, create a symlink named xpra that points to firejail in /usr/local/bin:
#
#    $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
#
# or run "sudo firecfg"

# Make /media inaccessible inside the sandbox.
blacklist /media

# Allow python (blacklisted by disable-interpreters.inc).
# These exemptions are placed before the include of disable-interpreters.inc
# further down: a noblacklist rule only takes effect when it precedes the
# blacklist rule it is meant to override.
noblacklist ${PATH}/python2*
noblacklist ${PATH}/python3*
noblacklist /usr/lib/python2*
noblacklist /usr/lib/python3*

# Shared firejail blacklist sets, each named for what it covers (common paths,
# development tools, interpreters, password managers, other programs).
# The python noblacklist entries earlier in this profile exempt python from
# disable-interpreters.inc.
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc

# Keep /var/lib/xkb available to the sandbox.
# NOTE(review): a whitelist entry under /var normally hides everything else
# under /var - confirm this matches the firejail version in use.
whitelist /var/lib/xkb
# Whitelisting the home directory, or including whitelist-common.inc,
# will crash xpra on some platforms, so the home directory is not whitelisted here.

# Drop every Linux capability for the sandboxed processes.
caps.drop all
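# xpra needs to be allowed access to the abstract Unix socket namespace
# (presumably why "net none" is not set here: abstract sockets are scoped to the network namespace).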
# Disable DVD and audio CD devices.
nodvd
# Disable supplementary groups for the sandboxed processes.
nogroups
# Set NO_NEW_PRIVS so that execve cannot grant the sandboxed processes
# additional privileges (e.g. through setuid binaries).
nonewprivs
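# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix, so noroot stays
# disabled; caps.drop all, nonewprivs and seccomp remain the privilege restrictions in this profile.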
#noroot
# Disable the sound system.
nosound
# Disable DVB TV devices.
notv
# Disable U2F devices.
nou2f
# Disable video devices.
novideo
# Seccomp-based protocol filter: only Unix-domain sockets may be created.
# With this in place the sandboxed xpra server cannot open TCP/IP sockets.
protocol unix
# Enable firejail's default seccomp syscall filter.
seccomp
# Start the program directly instead of through a user shell.
shell none

# A private home directory doesn't work on some distros, so the regular home is used;
# access to it is limited only by the blacklist rules in this profile.
# private
# older Xpra versions also use Xvfb
# private-bin xpra,python*,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
# Give the sandbox a new /dev that holds only a basic set of device nodes.
private-dev
# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
# Mount an empty temporary filesystem over /tmp instead of exposing the host's /tmp.
# NOTE(review): firejail is documented to keep the X11 socket directory reachable
# under private-tmp - confirm for the version in use.
private-tmp