profiles: loupe: harden and disable apparmor (#6333) - firejail - Mirror of https://github.com/netblue30/firejail

diff options

author	Kelvin M. Klann <kmk3.code@protonmail.com>	2024-05-12 17:45:47 +0000
committer	GitHub <noreply@github.com>	2024-05-12 17:45:47 +0000
commit	6c91074fc90e774e3b40ad231bb178bea6ec5ae6 (patch)
tree	084dedffb99f27540a35d5356b399d987bde9d75 /.github/workflows/build.yml
parent	landlock: fix misc alignment/newline (diff)
download	firejail-6c91074fc90e774e3b40ad231bb178bea6ec5ae6.tar.gz firejail-6c91074fc90e774e3b40ad231bb178bea6ec5ae6.tar.zst firejail-6c91074fc90e774e3b40ad231bb178bea6ec5ae6.zip

profiles: loupe: harden and disable apparmor (#6333)

The profile currently does not include disable-common nor makes `${HOME}` read-only, so the program can simply write to ~/.bashrc directly[1]. disable-common.inc was commented due to it apparently breaking bwrap. As discovered by @glitsj16, it seems that allowing the bwrap binary is enough to make it work (and that apparmor breaks loupe)[2]. So disable apparmor, allow bwrap and include disable-common.inc, plus other hardening by @glitsj16. This amends commit 9a0db13e1 ("profiles: add loupe", 2024-04-30) / PR #6327. [1] https://github.com/netblue30/firejail/pull/6327#pullrequestreview-2033860865 [2] https://github.com/netblue30/firejail/pull/6333#issuecomment-2099805480

Diffstat (limited to '.github/workflows/build.yml')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: