mirror of
https://github.com/overleaf/overleaf.git
synced 2024-11-07 20:31:06 -05:00
Add convert firejail profile
parent
be43330208
commit
92f5234580
1 changed files with 39 additions and 0 deletions
39
services/filestore/firejail/convert.profile
Normal file
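--- a/services/filestore/firejail/convert.profile
+++ b/services/filestore/firejail/convert.profile
@@ -0,0 +1,39 @@
+# Convert (ImageMagick profile)
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+
+read-only /bin
+blacklist /boot
+blacklist /dev
+read-only /etc
+read-only /home
+read-only /lib
+read-only /lib64
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /root
+blacklist /run
+blacklist /sbin
+blacklist /selinux
+blacklist /src
+blacklist /sys
+read-only /usr
+blacklist /var
+
+caps.drop all
+noroot
+nogroups
+protocol unix
+net none
+private-tmp
+private-dev
+shell none
+seccomp.keep access,arch_prctl,brk,chown,clone,close,dup,execve,exit_group,fcntl,fstat,futex,getcwd,getdents,getrlimit,getrusage,lseek,mmap,mprotect,munmap,nanosleep,open,openat,prctl,read,readlink,rt_sigaction,rt_sigprocmask,sched_getaffinity,set_robust_list,set_tid_address,stat,symlink,times,unlink,unshare,wait4,write
+
+rlimit-fsize 524288000 #500Mb
+rlimit-nproc 100
+rlimit-nofile 100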
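Review bot: The `seccomp.keep` list admits `unshare`, `chown` and `symlink`, which look broader than an image conversion needs, and nothing in the profile records why they are kept; `unshare` in particular leaves namespace creation reachable, a kernel surface the rest of this profile tries to close. If a trace of `convert` on the supported formats does not show them, drop them, and add a comment above the line such as `# allowlist derived from a syscall trace of convert on <formats>, <ImageMagick/libc version>` so the list can be regenerated when those libraries change the syscalls they use. Separately, `read-only /home` leaves everything under /home readable to the converter apart from what disable-secret.inc hides; if the service's working directory is fixed, limiting access to that directory would be tighter, though the caller is not visible on this page. `blacklist /dev` next to `private-dev` also deserves a one-line comment saying which of the two is intended to take effect.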