children¶
child-dpkg¶
We want to confine the dpkg(1) utility when it is invoked from other confined
applications, but not when it is used in regular (unconfined) shell scripts or
run directly by the user.
Note
This profile does not specify an attachment path because it is
intended to be used only via Px -> child-dpkg exec transitions from
other profiles.
Warning
This profile may be replaced in the future.
child-dpkg-divert¶
We want to confine the dpkg-divert(1) utility when it is invoked from other
confined applications, but not when it is used in regular (unconfined) shell
scripts or run directly by the user.
Note
This profile does not specify an attachment path because it is
intended to be used only via Px -> child-dpkg-divert exec transitions from
other profiles.
child-modprobe-nvidia¶
Personalised version of the upstream nvidia_modprobe profile as it had lead
to some issues. All validated changes will be pushed upstream.
nvidia-modprobe is a setuid executable that is used to create various device
and load the the nvidia kernel module.
Note
This profile does not specify an attachment path because it is
intended to be used only via Px -> child-modprobe-nvidia exec transitions
from other profiles.
child-open¶
This profile is designed to be used in a child profile to limit what confined application can invoke via xdg-open helper.
Instead of allowing the run of all software in @{bin}/, the purpose of
this profile is to list all GUI program that can open resources.
Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail should be present here. Until this day, this profile will be a controlled mess.
Note
This profile does not specify an attachment path because it is
intended to be used only via Px -> child-open exec transitions
from other profiles.
child-open-any¶
This profile is designed to be used in a child profile to limit what confined application can invoke via open helper.
This version of child-open allows to open any programs.
child-open-browsers¶
This profile is designed to be used in a child profile to limit what confined application can invoke via open helper.
This version of child-open only allow to open browsers.
child-open-editor¶
This profile is designed to be used in a child profile to limit what confined application can invoke via open helper.
This version of child-open only allow to open text editor.
child-open-strict¶
This profile is designed to be used in a child profile to limit what confined application can invoke via open helper.
This version of child-open only allows to open browsers & folders.
child-pager¶
We want to confine the pager(1) utility when it is invoked from other
confined applications, but not when it is used in regular (unconfined) shell
scripts or run directly by the user.
Note
This profile does not specify an attachment path because it is
intended to be used only via Px -> child-pager exec transitions from
other profiles.
child-systemctl¶
We want to confine the systemctl(1) utility when it is invoked from other
confined applications for light operations, but not when it is used in
regular (unconfined) shell scripts or run directly by the user.
Note
This profile does not specify an attachment path because it is
intended to be used only via Px -> child-systemctl exec transitions from
other profiles.
glycin¶
Confine glycin-loaders sandboxed with bwrap. It also confines bwrap itself. for this use case.
Note
This profile does not specify an attachment path because it is
intended to be used only via Px -> glycin exec transitions from
other profiles.