| author | Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2018-02-14 16:01:22 +0000 |
|---|---|---|
| committer | Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2018-02-19 15:56:11 +0000 |
| commit | 7b76763298ccb9e3f9bb58cf1741e55e802f75b7 | |
| tree | d93013419d3ef978f0e92486f17f45755f75240b | |
| parent | enable apparmor for transmission-gtk and transmission-qt | |
Apparmor: don't duplicate userspace /run/user restrictions
Currently userspace firejail uses a blacklist approach for the /run/user/ directory. By default it blacklists /run/user/**/systemd and /run/user/**/gnupg. Additional restrictions can be enabled in profiles, like blacklisting /run/user/**/bus, etc. The blacklist can be extended or degraded by a profile, which allows for fine-grained hardening.
In apparmor we use a whitelist approach instead. It means we have to explicitly enable access to every file which firejail already allows access to. This duplicates functionality and the amount of work to do. Moreover we end up with the same list of allowed files, as every one of them is used by some app and the apparmor profile is global. It's even worse, as the firejail blacklist can be disabled with the "writable-run-user" command, which means we have to whitelist literally everything under /run/user/ to not cause breakages when using apparmor.
The solution for all of the above is to leave handling of /run/user to userspace firejail, which is the better tool to do this. In apparmor we should only handle things which firejail can't do.
| -rw-r--r-- | etc/firejail-default | 20 |
|---|---|---|

1 file changed, 6 insertions, 14 deletions
diff --git a/etc/firejail-default b/etc/firejail-default index 859f8683a..f96149bb7 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
@@ -32,20 +32,12 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) { | |||
32 | /run/firejail/mnt/oroot/{,var/}run/ r, | 32 | /run/firejail/mnt/oroot/{,var/}run/ r, |
33 | /run/firejail/mnt/oroot/{,var/}run/** r, | 33 | /run/firejail/mnt/oroot/{,var/}run/** r, |
34 | 34 | ||
35 | owner /{,var/}run/user/**/dconf/ rw, | 35 | owner /{,var/}run/user/[0-9]*/** rw, |
36 | owner /{,var/}run/user/**/dconf/user rw, | 36 | owner /{,var/}run/user/[0-9]*/*.slave-socket rwl, |
37 | owner /{,var/}run/user/**/pulse/ rw, | 37 | owner /{,var/}run/user/[0-9]*/orcexec.* rwkm, |
38 | owner /{,var/}run/user/**/pulse/** rw, | 38 | owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/** rw, |
39 | owner /{,var/}run/user/**/*.slave-socket rwl, | 39 | owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/*.slave-socket rwl, |
40 | owner /{,var/}run/user/**/#@{PID} rw, | 40 | owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/orcexec.* rwkm, |
41 | owner /{,var/}run/user/**/orcexec.* rwkm, | ||
42 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/ rw, | ||
43 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/user rw, | ||
44 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/ rw, | ||
45 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/** rw, | ||
46 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/*.slave-socket rwl, | ||
47 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/#@{PID} rw, | ||
48 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/orcexec.* rwkm, | ||
49 | 41 | ||
50 | /{,var/}run/firejail/mnt/fslogger r, | 42 | /{,var/}run/firejail/mnt/fslogger r, |
51 | /{,var/}run/firejail/appimage r, | 43 | /{,var/}run/firejail/appimage r, |
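Review bot: the new line 35, `owner /{,var/}run/user/[0-9]*/** rw,`, together with its oroot counterpart on line 38, makes the AppArmor profile grant owner read/write to the entire per-UID runtime directory, including the systemd and gnupg subdirectories that the commit message says are only protected by firejail's userspace blacklist (and which `writable-run-user` can re-enable); that is the stated intent, but it is invisible to anyone reading the profile later, so a comment in etc/firejail-default directly above these rules should record that /run/user is deliberately delegated to firejail's blacklist and that AppArmor no longer acts as a second layer there, otherwise a future contributor is likely to "tighten" the `**` rule back to per-application paths. For the removed rules, the dconf, pulse and `#@{PID}` entries are indeed subsumed by the new `** rw` rule, and keeping `*.slave-socket rwl` and `orcexec.* rwkm` is correct since `l`, `k` and `m` are not covered by `rw`; it would help reviewers if the commit message said so explicitly rather than leaving the reader to derive it from the hunk.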