author | smitsohu <smitsohu@gmail.com> | 2021-11-01 16:49:53 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-11-01 16:59:23 +0100 |
commit | 0022048aaa436ee861af6ea74a5797e2a6b0463b (patch) | |
tree | f2371cf16eb922eea502b22faf6ef8cdc16eecd3 | |
parent | improve detection of firejail login shell (diff) | |
apparmor base drop-in: remove chroot/overlay paths
As the upstream AppArmor base abstraction does not
contain references to paths in /run/firejail/mnt/oroot,
there is not much point in having them in our drop-in.
-rw-r--r-- | etc/apparmor/firejail-base | 15 |
1 files changed, 8 insertions, 7 deletions
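--- a/etc/apparmor/firejail-base
+++ b/etc/apparmor/firejail-base
@@ -1,26 +1,27 @@
 #########################################
 # Firejail base abstraction drop-in
-#########################################
-
+#
 # Adds basic Firejail support to AppArmor profiles.
 # Please note: Firejail's nonewprivs and seccomp options
 # are not compatible with AppArmor profile transitions.
+# Also there is no support for Firejail chroot options.
+#########################################
 
 # Discovery of process names
-owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r,
+owner /proc/@{pid}/comm r,
 
 ##########
 # Following paths only exist inside a Firejail sandbox
 ##########
 
 # Library preloading
-/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,
+/{,var/}run/firejail/lib/*.so mr,
 
 # Supporting seccomp
-owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+owner /{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
 
 # Supporting trace
-owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+owner /{,var/}run/firejail/mnt/trace w,
 
 # Supporting tracelog
-/{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/firejail/mnt/fslogger r,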
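Review bot: The new header line 7 (`# Also there is no support for Firejail chroot options.`) names only chroot as unsupported, while the commit title says both chroot and overlay paths are being removed; if the overlay option also relied on the dropped `/run/firejail/mnt/oroot/` alternation, the comment understates the limitation. Suggest `# Also there is no support for Firejail chroot or overlay options.` so readers of the drop-in learn the same thing the commit message states. Since a sandbox started with one of those options will now be denied these paths instead of silently permitted, a short sentence in the header telling profile authors that such denials surface in the AppArmor audit log would make the resulting failures easy to triage. The rest of the change is a strict narrowing of the allowed paths, which is the right direction for an abstraction applied to many profiles.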