Xe1phix-[Firejail]-Comprehensive-[All-In-One]-Hybrid-{[Template]}-[v29.8.84]-(01-05-22).profile

## ------------------------------------------------------------ ##
##   [?] Firejail profile for $Profile
## ------------------------------------------------------------ ##
##
## ------------------------------------------------------------ ##
##   [?] This file is overwritten after every install/update
## ------------------------------------------------------------ ##
##
##
## ------------------------------------------------------- ##
##  [+] Persistent local customizations
## ------------------------------------------------------- ##
## include $Profile.local
##
## ------------------------------------------------------- ##
##  [+] Persistent global definitions
## ------------------------------------------------------- ##
## include $Globals.local
## ------------------------------------------------------- ##


## --------------------------------------------------------------- ##
noblacklist ${HOME}/.TelegramDesktop
noblacklist ${HOME}/.local/share/TelegramDesktop
noblacklist ${HOME}/.local/share/TelegramDesktop/DebugLogs
noblacklist ${HOME}/Downloads/Telegram Desktop/
noblacklist ${HOME}/Downloads/Telegram Desktop/Telegram-Queue
## --------------------------------------------------------------- ##
## read-write ${HOME}/Downloads/Telegram Desktop/
whitelist ${HOME}/Downloads/
whitelist ${HOME}/Downloads/Telegram Desktop/
read-only /usr/lib/parrot-skel
## --------------------------------------------------------------- ##
blacklist /etc/firefox
blacklist /etc/firefox-esr
blacklist ${HOME}/.mozilla
## --------------------------------------------------------------- ##
## firejail --read-only=~/.mozilla firefox
## firejail --read-write=${HOME}/Downloads/
## --------------------------------------------------------------- ##
read-only /run/resolvconf/resolv.conf
read-only /etc/resolv.conf
read-only /etc/resolv.conf.head
read-only /etc/firejail/
## --------------------------------------------------------------- ##
blacklist /mnt
blacklist /boot
blacklist /media
blacklist /run/media
blacklist /run/mount
## read-only /usr/local/bin
## --------------------------------------------------------------- ##


## --------------------------------- ##
## mkdir $Directory
## mkfile $File
## bind $File1,$File2
## bind $Directory1,$Directory2
## --------------------------------- ##


include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
include disable-write-mnt.inc
include disable-shell.inc


## ------------------------------------------------ ##
## include /etc/firejail/disable-common.inc
## include /etc/firejail/disable-devel.inc
## include /etc/firejail/disable-interpreters.inc
## include /etc/firejail/disable-passwdmgr.inc
## include /etc/firejail/disable-programs.inc
## include /etc/firejail/disable-xdg.inc
## include /etc/firejail/disable-exec.inc
## include /etc/firejail/disable-write-mnt.inc
## include /etc/firejail/disable-shell.inc
## ------------------------------------------------ ##


## ------------------------------------------------ ##
## include allow-bin-sh.inc
## include allow-common-devel.inc
## include whitelist-common.inc
## whitelist-player-common.inc
## include whitelist-runuser-common.inc
## include whitelist-usr-share-common.inc
## include whitelist-var-common.inc
## ------------------------------------------------ ##


## ------------------------------------------------ ##
##              Mullvad DNS Server
## ------------------------------------------------ ##
dns 193.138.218.74

## ------------------------------------------------ ##
##          Backplane OpenNIC DNS Server
## ------------------------------------------------ ##
dns 172.98.193.62


##-===================================================-##
##   [+] Run program inside of a Network_Namespace
##-===================================================-##
## --------------------------------------------------- ##
##   [?] Must first be created, then configured using "ip netns"
## --------------------------------------------------- ##

## -------------------------------------- ##
## netns $Namespace
## firejail --netns=
## -------------------------------------- ##


## -------------------------------------- ##
## firejail --netstats
## firejail --list
## firejail --tree
## firejail --top
## -------------------------------------- ##
## firejail --net.print=$PID
## firejail --netfilter.print=$PID
## firejail --netfilter6.print=$PID
## firejail --seccomp.print=$PID
## firejail --caps.print=$PID
## firejail --dns.print=$PID
## firejail --fs.print=$PID
## firejail --profile.print=$PID
## firejail --protocol.print=$PID
## -------------------------------------- ##
##
## ------------------------------------------- ##
##    [?] Print control group information
## ------------------------------------------- ##
##  firemon --cgroup


## ---------------------------------------------------------------------- ##
##   [?] Trace the syscalls being used during execution with STrace:
## ---------------------------------------------------------------------- ##
## sudo strace -u $USER $StraceOptions firejail $Syntax
##
##
## ---------------------------------------------------------------------- ##
##   [?] Trace the syscalls being used during execution with STrace:
## ---------------------------------------------------------------------- ##
##  firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox


## ---------------------------------------------------------------------------- ##
##   [?] Firejail uses Linux namespaces, seccomp-bpf and Linux capabilities
## ---------------------------------------------------------------------------- ##
##   [?] Firejail can work in a SELinux or AppArmor environment,
##   [?] Firejail integrates with Linux Control Groups.
## ---------------------------------------------------------------------------- ##


##-==============================================================-##
##    [+] firejail-ui - Firejail sandbox configuration wizard
##-==============================================================-##


##-=====================================================-##
##    [+] sandbox file manager (firemgr) application
##-=====================================================-##


## -------------------------------------------------- ##
##   [+] enable Firetools to start automatically
##   [?] when you log into your desktop by running:
## -------------------------------------------------- ##
##  firetools --autostart


## ----------------------------------------------------------------------- ##
##   [+] Segmentation faults
## ----------------------------------------------------------------------- ##
##  [?] Check your system logs. There may be blocked syscalls
##  [?] which are logged by audit when this profile uses seccomp.
## ----------------------------------------------------------------------- ##


## ----------------------------------------------------------------------- ##
##   [?] You can create, modify, and shape Firejails default profile.
## ----------------------------------------------------------------------- ##
##
## ------------------------------------------------------------ ##
##   [?] Firejails default profile (global) configuration
##        Can be found at the following location:
## ------------------------------------------------------------ ##
##   [+] /etc/firejail/default.profile
## ------------------------------------------------------------ ##
##
## ------------------------------------------------ ##
##   firejail --profile=default /usr/bin/$Binary
## ------------------------------------------------ ##


##-==========================-##
##    [+] firejail.config
##-==========================-##
##
## ------------------------------------------------------------ ##
##   [+] firejail.config
## ------------------------------------------------------------ ##
##   [+] firejail.config.dpkg-dist
## ------------------------------------------------------------ ##
##
## ------------------------------------------------------------ ##
##   [+] include /etc/firejail/$File.profile
## ------------------------------------------------------------ ##
##   [+] include ~/.config/firejail/
## ------------------------------------------------------------ ##
##   [+] include ~/.local/share/applications/
## ------------------------------------------------------------ ##
##
##
## ----------------------------------------------------------------------- ##
##   [?] Show the current configuration being used in firejail.config:
## ----------------------------------------------------------------------- ##
## grep overlayfs /etc/firejail/firejail.config


##-============================================-##
##   [+] Remove all firejail symbolic links:
##-============================================-##
##  sudo firecfg --debug --clean
##
##
##-===================================================================-##
##   [+] Firecfg - Desktop integration utility for Firejail software
##-===================================================================-##
## ------------------------------------------------------------------- ##
##   [?] Checks .desktop files in /usr/share/applications/
## ------------------------------------------------------------------- ##
##   [?] set or update the symbolic links for desktop integration
## ------------------------------------------------------------------- ##
##   [?] Fix .desktop files in $HOME/.local/share/applications/
## ------------------------------------------------------------------- ##
##   [?] Load and force the AppArmor profile "firejail-default"
## ------------------------------------------------------------------- ##
##  sudo firecfg --debug --fix
##
##
## ------------------------------------------- ##
##   [?] List all firejail symbolic links:
## ------------------------------------------- ##
##  firecfg --list


##-=========================================================-##
##    [+] firejail.users - Firejail user access database
##-=========================================================-##
##  cat /etc/firejail/firejail.users
##  sudo firecfg --add-users $user
##
##
##-==========================================-##
##   [+] Add the current user to the
##       Firejail user access database:
##-==========================================-##
## sudo firecfg --debug --add-users $User
##
##
##-===============================================-##
##   [+] Create  a special firejail user group:
##-===============================================-##
## ---------------------------------------------------------------- ##
##  [?] (Allowing only users in this group to run the sandbox)
## ---------------------------------------------------------------- ##
## addgroup --system firejail
## chown root:firejail /usr/bin/firejail
## chmod 4750 /usr/bin/firejail


##-======================================-##
##    [+] Regular Profiles (.profile)
##-======================================-##
##
## --------------------------------------------------------------------------------- ##
##  [?] Regular Profiles (.profile) use the firejail directory: /etc/firejail/
## --------------------------------------------------------------------------------- ##


##-===================================================-##
##    [+] Persistent global File (globals.local):
##-===================================================-##
## --------------------------------------------------------------------------------- ##
##  [?] globals.local is a special override file,
## --------------------------------------------------------------------------------- ##
##  [?] It overrides (.local) files, and affects every regular profile.
## --------------------------------------------------------------------------------- ##
##  include globals.local


##-==========================================================-##
##    [+] firejail --build - Automatic profile generation
##-==========================================================-##
## ---------------------------------------------------------- ##
##  [?] builds a whitelisted profile.
## ---------------------------------------------------------- ##
##  [?] The profile is printed on the screen.
## ---------------------------------------------------------- ##
##  [?] strace builds a whitelisted seccomp profile
## ---------------------------------------------------------- ##
##  Examples:
##  firejail --build vlc ~/Videos/test.mp4
##  firejail --build=vlc.profile vlc ~/Videos/test.mp4
## ---------------------------------------------------------- ##


##-====================================================-##
##    [+] Make A symbolic link to /usr/bin/firejail
##-====================================================-##
## ---------------------------------------------------- ##
##  [?] So when programs are ran, they will start
##  [?] using a Firejail sandbox by default.
## ---------------------------------------------------- ##
##  sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
##
## ----------------------- ##
##    [?] Verify $PATH
## ----------------------- ##
##  which -a firefox /usr/local/bin/firefox /usr/bin/firefox


## ------------------------------------------------ ##
## firejail --net=eth0 --veth-name=eth0.vlan100
## ------------------------------------------------ ##
## net eth0
## veth-name eth0.vlan100


## ------------------------------------------------------------------------------ ##
## firejail --ip=192.168.1.68 --netmask=255.255.255.0 --defaultgw=192.168.1.1
## firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
## ------------------------------------------------------------------------------ ##
## ip 192.168.1.68
## defaultgw 192.168.1.1


## ------------------------------------------------------ ##
##   [+] Acquire an IP address and default gateway
## ------------------------------------------------------ ##
##  [?] Firejail uses ISC dhclient DHCP client
##
## ----------------------------------------------------------------------------- ##
##
##  ______________________________________________________________________
## |______________________________________________________________________|
##  |__DHCP Client__| |_DHCP-Server_| |_DHCP-Client_|   |__DHCP-Server___|
##    DHCP Discover --> DHCP Offer <-- DHCP Request -->  DHCP Acknowledge
##
## ----------------------------------------------------------------------------- ##
##
## ------------------------------------------------------ ##
## net br0
## ip dhcp
##
## ------------------------------------------------------ ##
##   [+] Acquire  an IPv6 address and default gateway from
## ------------------------------------------------------ ##
## net br0
## ip6 dhcp
## ------------------------------------------------------ ##


## -------------------------------------- ##
## interface eth0
## firejail --interface=eth0
## firejail --net=eth0 --ip=10.10.20.56
## -------------------------------------- ##
## mac $MacAddress
## firejail --mac=$MacAddress
## -------------------------------------- ##
## hostname $Hostname
## firejail --hostname=$Hostname
## -------------------------------------- ##
## iprange $IP,IP
## firejail --iprange=$IP,IP
## firejail --iprange=192.168.1.100,192.168.1.150
## -------------------------------------- ##
## netmask 255.255.255.0
## firejail --netmask=255.255.255.0
## -------------------------------------- ##


## -------------------------------------------------------- ##
## /usr/share/doc/firejail/syscalls.txt
## -------------------------------------------------------- ##
## firejail --seccomp=@clock,mkdir,unlinkat transmission-gtk
## firejail --seccomp=unlinkat:ENOENT,utimensat,utimes
## -------------------------------------------------------- ##
## firejail --seccomp.drop=utime,utimensat,utimes,@clock
## firejail --seccomp.drop=unlinkat:ENOENT,utimensat,utimes
## -------------------------------------------------------- ##
## seccomp.drop $Syscall
## -------------------------------------------------------- ##
## firejail --seccomp.keep=poll,select transmission-gtk
## seccomp.keep $Syscall
## -------------------------------------------------------- ##
## seccomp-error-action ERRNO
## seccomp-error-action kill
## seccomp-error-action log
## -------------------------------------------------------- ##
## firejail --seccomp-error-action=kill
## firejail --seccomp-error-action=log
## firejail --seccomp-error-action=ERRNO
## -------------------------------------------------------- ##
## seccomp.block-secondary
## firejail --seccomp.block-secondary
## -------------------------------------------------------- ##
seccomp


##-===============================================-##
##   [+] AppArmor Security Sandbox Confinement
##-===============================================-##
## ----------------------------------------------- ##
## apparmor
## firejail --apparmor
## ----------------------------------------------- ##


##-=====================================-##
##   [+] enable AppArmor confinement
##-=====================================-##
## ----------------------------------------------------------------- ##
##  [?] AppArmor support is disabled by default at compile time.
## ----------------------------------------------------------------- ##
##  [?] Use --enable-apparmor configuration option to enable it:
## ----------------------------------------------------------------- ##
##  ./configure --prefix=/usr --enable-apparmor
##
##
## --------------------------------- ##
##  systemctl enable apparmor
##  systemctl start apparmor
##  /etc/init.d/apparmor start
## --------------------------------- ##
##
##
## ----------------------------------------------------- ##
##  [?] The AppArmor profile file (firejail-default)
##  [?] is placed in /etc/apparmor.d
## ----------------------------------------------------- ##
##
##
## ----------------------------------------------------- ##
##  [?] The local customizations must be placed in
## ----------------------------------------------------- ##
##  [?] /etc/apparmor.d/local/firejail-local
##
##
## ----------------------------------------------------- ##
##  [?] The profile needs to be loaded into the kernel
##      by reloading apparmor.service.
## ----------------------------------------------------- ##
##  service apparmor reload
##  /etc/init.d/apparmor restart
##  systemctl enable restart
##
##
##-===================================================================-##
##   [+] apparmor_parser - loads AppArmor profiles into the kernel
##-===================================================================-##
## apparmor_parser --verbose -r /etc/apparmor.d/firejail-default
##
##
##-===============================================-##
##   [+] Enforce all of the AppArmor profiles
##       in the /etc/apparmor.d/ directory:
##-===============================================-##
##  apparmor_parser --verbose -r /etc/apparmor.d/*
##
##
##
## ---------------------------------------------------------------- ##
##    [?] You may need to mount the securityFS into the kernel:
## ---------------------------------------------------------------- ##
##  mount -tsecurityfs securityfs /sys/kernel/security
##
##
## ------------------------------------------------- ##
##   [?] see if AppArmor is loaded and enabled
##   [?]         (should print “Y”):
## ------------------------------------------------- ##
##  cat /sys/module/apparmor/parameters/enabled
##
##
## ---------------------------------------------------------------- ##
##  cat /sys/kernel/security/apparmor/profiles
## ---------------------------------------------------------------- ##
##  cat /sys/kernel/security/apparmor/policy/profiles/
## ---------------------------------------------------------------- ##
##  cat /sys/kernel/security/apparmor/profiles | grep firejail
## ---------------------------------------------------------------- ##
##
##
##-======================================================================-##
##   [+] aa-status - report the current state of AppArmor confinement
##-======================================================================-##
##  sudo apparmor_status --verbose
##
##
##-========================================================================-##
##   [+] aa-complain - set an AppArmor security profile to complain mode
##-========================================================================-##
## ------------------------------------------------------------------------ ##
##  [?] In complain mode, the security policy is not enforced
##  [?] but rather access violations are logged to the system log.
## ------------------------------------------------------------------------ ##
##
## -------------------------------------------------- ##
##   [+] Place all of the apparmor profiles
##       in /etc/apparmor.d/* into complain mode:
## -------------------------------------------------- ##
##  sudo aa-complain /etc/apparmor.d/*
##
##
##-======================================================================-##
##   [+] aa-enforce - set an AppArmor security profile to enforce mode
##-======================================================================-##
##
## -------------------------------------------------- ##
##   [+] Place all of the apparmor profiles
##       in /etc/apparmor.d/* into enforce mode:
## -------------------------------------------------- ##
##  sudo aa-enforce /etc/apparmor.d/*
##
##
##-===============================================-##
##   [+] Enforce the Firejail AppArmor profile:
##-===============================================-##
##  sudo aa-enforce firejail-default


## ------------------------------------------------ ##
##   [+]
## ------------------------------------------------ ##
##
## ------------------------------- ##
## caps.keep $Caps
## caps.drop $Caps
## ------------------------------- ##
##
## ------------------------------------------------------------------------------------------------------ ##
## firejail --caps.keep=chown,net_bind_service,setgid,setuid /etc/init.d/nginx start
## firejail --caps.keep=chown,sys_resource,net_bind_service,setuid,setgid /etc/init.d/apache2 start
## ------------------------------------------------------------------------------------------------------ ##
caps.drop all


## --------------------------------------------------- ##
##   [?] The sandbox is placed in g1 control group
## --------------------------------------------------- ##
## cgroup /sys/fs/cgroup/g1/tasks
## firejail --cgroup=/sys/fs/cgroup/g1/tasks
## --------------------------------------------------- ##


## ------------------------------- ##
##   [+] Enable IPC namespace
## ------------------------------- ##
## ipc-namespace
## firejail --ipc-namespace
## ------------------------------- ##


## ------------------------------------------------ ##
##   [+]
## ------------------------------------------------ ##
##
## ------------------------------- ##
## firejail --nonewprivs
## ------------------------------- ##
nonewprivs


## ------------------------------------------------ ##
##   [+] Run program inside of a User_Namespace
## ------------------------------------------------ ##
## firejail --noroot
## ------------------------------------------------ ##
noroot


## --------------------------------------------------- ##
##   [+]
## --------------------------------------------------- ##
## overlay
## firejail --overlay
## --------------------------------------------------- ##
## grep overlayfs /etc/firejail/firejail.config


## ----------------------- ##
##   [+] iptables.xml
## ----------------------- ##
##   [+] nolocal.net
## ----------------------- ##
##   [+] nolocal6.net
## ----------------------- ##
##   [+] webserver.net
## ----------------------- ##


## --------------------------------------------------- ##
## netfilter /etc/iptables/$File
## firejail --netfilter
## --------------------------------------------------- ##
## firejail --netfilter=/etc/iptables/$File
## firejail --netfilter=/etc/firejail/nolocal.net
## firejail --netfilter=/etc/firejail/nolocal6.net
## firejail --netfilter=/etc/firejail/webserver.net
## --------------------------------------------------- ##
## firejail --netfilter.print=
## firejail --netfilter6.print=
## --------------------------------------------------- ##


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
## machine-id
## firejail --machine-id
## ------------------------------------------ ##


## ------------------------------------------ ##
##   [+] Disable DVD and audio CD devices
## ------------------------------------------ ##
nodvd


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
##
## ------------------------------------------ ##
noroot


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
##
## ------------------------------------------ ##
notv


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
##
## ------------------------------------------ ##
nogroups


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
##
## ------------------------------------------ ##
## timeout hh:mm:ss
## firejail --timeout=hh:mm:ss
## ------------------------------------------ ##
## firejail --timeout=01:30:00 firefox
## ------------------------------------------ ##


## ------------------------------------------------ ##
##   [+]
## ------------------------------------------------ ##
## firejail --shell=none
## firejail --shell=/bin/dash script.sh
## ------------------------------------------------ ##
shell none


## ------------------------------------------------ ##
##   [+]
## ------------------------------------------------ ##
## firejail --protocol=unix,inet
## ------------------------------------------------ ##
protocol unix,inet,netlink


## ------------------------------------------------ ##
##   [+]
## ------------------------------------------------ ##
## net none
## firejail --net=none vlc
## firejail --protocol=unix,inet
## ------------------------------------------------ ##


## ------------------------------------------------ ##
##   [+]
## ------------------------------------------------ ##
## tracelog
## firejail --tracelog
## firejail --trace
## firejail --trace $Program
## ------------------------------------------------ ##


## ------------------------------------------------ ##
##   [+]
## ------------------------------------------------ ##
## read-only ${HOME}


## ------------------------------------------------ ##
##   [+]
## ------------------------------------------------ ##
noexec /tmp
noexec ${HOME}/


## ------------------------------------------------ ##
##   [+]
## ------------------------------------------------ ##
disable-mnt


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
## firejail --private
## firejail --private=$Dir
## firejail --private-home=$Dir
## ------------------------------------------------ ##
## firejail --private=/home/$User/firejail-home
## firejail --private-home=.mozilla firefox
## ------------------------------------------------ ##
## private


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
##  firejail --private-dev
## ------------------------------------------ ##
private-dev


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
##  firejail --private-cache
## ------------------------------------------ ##
private-cache


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
##  firejail --private-etc=
## ------------------------------------------ ##
## private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,pki,pulse,resolv.conf,ssl,xdg


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
## firejail --private-tmp
## ------------------------------------------ ##
private-tmp


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
##
## ------------------------------------------ ##
##
## ----------------------------------------------------------------- ##
## firejail --dbus-user=none
## firejail --dbus-user=filter --dbus-user.log
## firejail --dbus-user=filter --dbus-user.own=org.gnome.foo.*
## ----------------------------------------------------------------- ##


## ------------------------------------------ ##
##   [+]
## ------------------------------------------ ##
## memory-deny-write-execute