author | Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2020-02-15 12:08:25 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-15 12:08:25 +0000 |
commit | 873a97a9b3442976a618333c1063da13d2a38025 (patch) | |
tree | fdf11d8913c1e3e0936a963b57dc6113529dad0e | |
parent | allow networking in openshot.profile (diff) | |
download | firejail-873a97a9b3442976a618333c1063da13d2a38025.tar.gz firejail-873a97a9b3442976a618333c1063da13d2a38025.tar.zst firejail-873a97a9b3442976a618333c1063da13d2a38025.zip |
apparmor: minor enhancements
Allow writing to some proc paths used by browsers, but restrict it to their owner.
-rw-r--r-- | etc/firejail-default | 13 |
1 files changed, 5 insertions, 8 deletions
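--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -60,18 +60,15 @@ owner /{,var/}run/media/** w,
 # Allow access to pcscd socket (smartcards)
 /{,var/}run/pcscd/pcscd.comm w,
 
-# Needed for firefox sandbox
-/proc/@{PID}/{uid_map,gid_map,setgroups} w,
+# Needed for browser self-sandboxing
+owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
 
 # Needed for electron apps
 /proc/@{PID}/comm w,
 
-# Silence noise
-deny /proc/@{PID}/oom_adj w,
-deny /proc/@{PID}/oom_score_adj w,
-
-# Uncomment to silence all denied write warnings
-#deny /sys/** w,
+# Used by chromium
+owner /proc/@{PID}/oom_score_adj w,
+owner /proc/@{PID}/clear_refs w,
 
 ##########
 # Allow running programs only from well-known system directories. If you need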
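Review bot: The `/proc/@{PID}/comm w,` rule between the two changed groups is left without the `owner` qualifier that this commit adds to the uid_map/gid_map/setgroups, oom_score_adj and clear_refs rules, so the "restrict it to their owner" intent in the description is not applied uniformly within the hunk; unless electron apps are known to write the comm of processes under another uid (I cannot tell from here), `owner /proc/@{PID}/comm w,` would match the rest. The new `clear_refs` line also deserves a short why-comment, since it is a new write grant rather than a relaxation of an existing one — e.g. `# chromium writes clear_refs for its memory accounting; owner-only` (or whatever the actual observed denial was). Finally, dropping the commented `#deny /sys/** w,` hint removes the only pointer users had for silencing write-denial log noise; if that was intentional, a one-line comment noting where the advice moved would help people who relied on it.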