author | Reiner Herrmann <reiner@reiner-h.de> | 2019-01-27 16:18:41 +0100 |
---|---|---|
committer | Reiner Herrmann <reiner@reiner-h.de> | 2019-01-27 16:18:41 +0100 |
commit | 54c098270f6e726aa23b1606ffdaac2daca60b99 (patch) | |
tree | 8e6312d7ff2ca30534ec9984b311b655aa01b805 | |
parent | moving to 0.9.59 (diff) | |
Allow processes confined with AppArmor to obtain some process information
'firejail --apparmor chromium' logged a huge amount of apparmor denials,
because it wants to use read/readby permissions.
Allow those accesses, but keep full tracing disabled by default.
See also: https://bugs.debian.org/912587 and apparmor.d(5)
-rw-r--r-- | etc/firejail-default | 7 |
1 files changed, 5 insertions, 2 deletions
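--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -21,10 +21,13 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 dbus,
 
 ##########
-# With ptrace it is possible to inspect and hijack running programs. Usually this
-# is needed only for debugging. To allow ptrace, uncomment the following line.
+# With ptrace it is possible to inspect and hijack running programs.
+# Some browsers are also using ptrace for their sandboxing.
 ##########
+# Uncomment this line to allow all ptrace access
 #ptrace,
+# Allow obtaining some process information, but not ptrace(2)
+ptrace (read,readby) peer=firejail-default,
 
 ##########
 # Allow read access to whole filesystem and control it from firejail.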
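Review bot: The comment above the new `ptrace (read,readby) peer=firejail-default,` rule understates what `read` grants: it is the ptrace-read access class, which (per apparmor.d(5) and the kernel's PTRACE_MODE_READ checks, worth confirming against the running kernel) gates files such as `/proc/<pid>/environ`, `/proc/<pid>/maps` and `/proc/<pid>/auxv` of any other process carrying the same label, not merely name/status fields, and a leaked environment or memory layout is useful to an attacker inside the sandbox. Because every sandbox started with `--apparmor` runs under this same `firejail-default` label, the `peer=` qualifier does not separate one sandbox from another; that separation, if it exists, presumably comes from firejail's PID namespace setup, which is outside this profile and not visible here. I would replace the two-line comment with `# Allow read/readby ptrace-class access (e.g. /proc/<pid>/environ, maps) between firejail-default processes; attaching (trace/tracedby) stays denied unless "ptrace," above is uncommented` so the next maintainer knows which boundary is being relied on. The enclosing `profile firejail-default { ... }` block starts and ends outside this hunk.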