author | netblue30 <netblue30@yahoo.com> | 2018-01-24 08:47:37 -0500 |
committer | netblue30 <netblue30@yahoo.com> | 2018-01-24 08:47:37 -0500 |
commit | b78a33316d9232c1783391cb1d2537c2d41609da (patch) | |
tree | c63cb893b2533514e4705e8567329655554511e4 | |
parent | rpm: install all files in lib directory (diff) | |
apparmor support for --overlay sandboxes
-rw-r--r-- | etc/firejail-default | 39 |
1 files changed, 37 insertions, 2 deletions
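diff --git a/etc/firejail-default b/etc/firejail-default
index e5010eaab..e532af430 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -19,13 +19,17 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #dbus,
 
 ##########
-# Mask /proc and /sys information leakage. The configuration here is barely
-# enough to run "top" or "ps aux".
+# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
 ##########
 / r,
 /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
+/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
+
 /{,var/}run/ r,
 /{,var/}run/** r,
+/run/firejail/mnt/oroot/{,var/}run/ r,
+/run/firejail/mnt/oroot/{,var/}run/** r,
+
 owner /{,var/}run/user/**/dconf/ rw,
 owner /{,var/}run/user/**/dconf/user rw,
 owner /{,var/}run/user/**/pulse/ rw,
@@ -33,13 +37,32 @@ owner /{,var/}run/user/**/pulse/** rw,
 owner /{,var/}run/user/**/*.slave-socket rwl,
 owner /{,var/}run/user/**/#@{PID} rw,
 owner /{,var/}run/user/**/orcexec.* rwkm,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/ rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/user rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/ rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/** rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/*.slave-socket rwl,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/#@{PID} rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/orcexec.* rwkm,
+
 /{,var/}run/firejail/mnt/fslogger r,
 /{,var/}run/firejail/appimage r,
 /{,var/}run/firejail/appimage/** r,
 /{,var/}run/firejail/appimage/** ix,
+/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,
+/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,
+/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
+/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
+
 /{run,dev}/shm/ r,
 owner /{run,dev}/shm/** rmwk,
+/run/firejail/mnt/oroot/{run,dev}/shm/ r,
+owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 
+##########
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+##########
 /proc/ r,
 /proc/meminfo r,
 /proc/cpuinfo r,
@@ -96,6 +119,18 @@ owner /{run,dev}/shm/** rmwk,
 /opt/** r,
 /opt/** ix,
 #/home/** ix,
+/run/firejail/mnt/oroot/lib/** ix,
+/run/firejail/mnt/oroot/lib64/** ix,
+/run/firejail/mnt/oroot/bin/** ix,
+/run/firejail/mnt/oroot/sbin/** ix,
+/run/firejail/mnt/oroot/usr/bin/** ix,
+/run/firejail/mnt/oroot/usr/sbin/** ix,
+/run/firejail/mnt/oroot/usr/local/** ix,
+/run/firejail/mnt/oroot/usr/lib/** ix,
+/run/firejail/mnt/oroot/usr/games/** ix,
+/run/firejail/mnt/oroot/opt/ r,
+/run/firejail/mnt/oroot/opt/** r,
+/run/firejail/mnt/oroot/opt/** ix,
 
 ##########
 # Allow all networking functionality, and control it from Firejail.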
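Review bot: The new overlay rules hard-code the `/run/` prefix (first hunk, `/run/firejail/mnt/oroot/...`, and likewise in the second and third hunks), while every neighbouring rule in this profile spells that directory as `/{,var/}run/` so that the `/var/run` spelling is covered as well; if the overlay root is ever reached through `/var/run` (a bind mount rather than a symlink, for instance, which I cannot tell from here), the mrwlk and ix grants would not apply there and an --overlay sandbox would see denials the base rules avoid, so the lines should follow the file's own convention, e.g. `/{,var/}run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,`. Copying every base rule a second time under the oroot prefix also means a later edit to a base rule can silently leave the overlay copy behind, widening or narrowing the two sandbox kinds differently; the profile already uses an optional alternation in `/{,var/}run/`, and the same device can carry both prefixes in one rule, e.g. `/{,run/firejail/mnt/oroot/}{run,dev}/shm/ r,`, which would keep the two sets from drifting. The comment added at new line 22 is ungrammatical; `# Lines starting with /run/firejail/mnt/oroot deal with --overlay sandboxes` reads correctly.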