children

child-dpkg

We want to confine the dpkg(1) utility when it is invoked from other confined applications, but not when it is used in regular (unconfined) shell scripts or run directly by the user.

Note

This profile does not specify an attachment path because it is intended to be used only via Px -> child-dpkg exec transitions from other profiles.

Warning

This profile may be replaced in the future.

child-dpkg-divert

We want to confine the dpkg-divert(1) utility when it is invoked from other confined applications, but not when it is used in regular (unconfined) shell scripts or run directly by the user.

Note

This profile does not specify an attachment path because it is intended to be used only via Px -> child-dpkg-divert exec transitions from other profiles.

child-modprobe-nvidia

Personalised version of the upstream nvidia_modprobe profile, as the upstream profile had led to some issues. All validated changes will be pushed upstream.

nvidia-modprobe is a setuid executable that is used to create various device files and load the nvidia kernel module.

Note

This profile does not specify an attachment path because it is intended to be used only via Px -> child-modprobe-nvidia exec transitions from other profiles.

child-open

This profile is designed to be used as a child profile to limit what a confined application can invoke via the xdg-open helper.

Instead of allowing every program in @{bin}/ to run, this profile lists all GUI programs that can open resources.

Ultimately, only sandbox manager programs such as bwrap, snap, flatpak and firejail should be present here. Until that day, this profile will be a controlled mess.

Note

This profile does not specify an attachment path because it is intended to be used only via Px -> child-open exec transitions from other profiles.

child-open-any

This profile is designed to be used as a child profile to limit what a confined application can invoke via the open helper.

This version of child-open allows opening any program.

child-open-browsers

This profile is designed to be used as a child profile to limit what a confined application can invoke via the open helper.

This version of child-open only allows opening browsers.

child-open-editor

This profile is designed to be used as a child profile to limit what a confined application can invoke via the open helper.

This version of child-open only allows opening text editors.

child-open-strict

This profile is designed to be used as a child profile to limit what a confined application can invoke via the open helper.

This version of child-open only allows opening browsers and folders.

child-pager

We want to confine the pager(1) utility when it is invoked from other confined applications, but not when it is used in regular (unconfined) shell scripts or run directly by the user.

Note

This profile does not specify an attachment path because it is intended to be used only via Px -> child-pager exec transitions from other profiles.
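
The named exec transition described in the notes on this page, sketched as an added example (not taken from the project's own profiles). The caller profile example-app, its path and the rules inside child-pager are assumptions made for illustration, and literal /usr/bin paths stand in for the @{bin} variable.

```apparmor
# Constructed example: hypothetical caller and a simplified child profile.
abi <abi/3.0>,

include <tunables/global>

# Caller: has an attachment path, so it applies whenever this binary runs.
profile example-app /usr/bin/example-app {
  include <abstractions/base>

  /usr/bin/example-app mr,

  # Named transition: executing the pager from this profile switches the new
  # process to child-pager. "P" scrubs the environment; lowercase "p" would not.
  # Exec rules match the resolved binary, and pager is commonly a symlink,
  # so the usual targets are listed as well.
  /usr/bin/{less,more,pager} rPx -> child-pager,
}

# Child: only a name, no attachment path. It is never applied on its own,
# so a pager started from an unconfined shell stays unconfined.
profile child-pager {
  include <abstractions/base>
  include <abstractions/consoles>

  /usr/bin/{less,more,pager} mr,

  # Assumed minimal data access for this sketch: documentation and the
  # less history file. No exec rules, so the pager cannot start a shell.
  /usr/share/doc/** r,
  /usr/share/man/** r,
  owner @{HOME}/.lesshst* rw,
}
```

After both profiles are loaded with apparmor_parser -r, a pager started by example-app carries the label child-pager in ps -eZ, while one started from an unconfined shell shows unconfined, as long as no other loaded profile attaches to the pager binaries.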

child-systemctl

We want to confine the systemctl(1) utility when it is invoked from other confined applications for light operations, but not when it is used in regular (unconfined) shell scripts or run directly by the user.

Note

This profile does not specify an attachment path because it is intended to be used only via Px -> child-systemctl exec transitions from other profiles.

glycin

Confines glycin-loaders sandboxed with bwrap. It also confines bwrap itself for this use case.

Note

This profile does not specify an attachment path because it is intended to be used only via Px -> glycin exec transitions from other profiles.