author | netblue30 <netblue30@yahoo.com> | 2018-03-16 11:00:08 -0400 |
committer | netblue30 <netblue30@yahoo.com> | 2018-03-16 11:00:08 -0400 |
commit | 971c62aa569d9161190705a0012b9ad02546822c (patch) | |
tree | f4f80dc06669568acf00f3269f765fa3150ded5c | |
parent | Add a LibreOffice profile alias for Base (diff) | |
apparmor deployment
-rw-r--r-- | README.md | 16 | ||||
-rw-r--r-- | etc/atril.profile | 1 | ||||
-rw-r--r-- | etc/audacious.profile | 1 | ||||
-rw-r--r-- | etc/audacity.profile | 1 | ||||
-rw-r--r-- | etc/eog.profile | 1 | ||||
-rw-r--r-- | etc/eom.profile | 1 | ||||
-rw-r--r-- | etc/galculator.profile | 1 | ||||
-rw-r--r-- | etc/gimp.profile | 1 | ||||
-rw-r--r-- | etc/gnome-calculator.profile | 1 | ||||
-rw-r--r-- | etc/handbrake.profile | 1 | ||||
-rw-r--r-- | etc/inkscape.profile | 1 | ||||
-rw-r--r-- | etc/kdenlive.profile | 1 | ||||
-rw-r--r-- | etc/krita.profile | 1 | ||||
-rw-r--r-- | etc/openshot.profile | 1 | ||||
-rw-r--r-- | etc/qbittorrent.profile | 1 | ||||
-rw-r--r-- | etc/rhythmbox.profile | 1 | ||||
-rw-r--r-- | etc/totem.profile | 1 |
17 files changed, 25 insertions, 7 deletions
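--- a/README.md
+++ b/README.md
@@ -207,13 +207,15 @@ AppArmor features are supported on overlayfs and chroot sandboxes.
 
 We are in the process of streamlining our AppArmor profile. The restrictions for /proc, /sys
 and /run/user directories were moved out of the profile into firejail executable.
-
-We intend to start apparmor by default for browsers, torrent clients and media players.
-So far we cover Firefox (firefox-common.profile), Chromium (chromium-common.profile),
-transmission-qt, transmission-gtk, vlc and mpv.
-
-"apparmor yes/no" flag in /etc/firejail/firejail.config file allows the user to enable/disable apparmor functionality globally
-By default the flag is enabled.
+We are also adding a "apparmor yes/no" flag in /etc/firejail/firejail.config file allows the user to
+enable/disable apparmor functionality globally. By default the flag is enabled.
+
+AppArmor deployment: we are starting apparmor by default for the following programs:
+- web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile)
+- torrent clients: transmission-qt, transmission-gtk, qbittorrent
+- media players: vlc, mpv, audacious, totem, rhythmbox
+- media editing: kdenlive, audacity, handbrake, gimp, inkscape, krita, openshot
+- etc.: atril, gnome-calculator, galculator, eom, eog
 
 Checking apparmor status:
 `````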
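--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -31,6 +31,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+apparmor
 
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev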
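Review bot: The new `apparmor` line makes this sandbox depend on the firejail-default AppArmor profile being loaded in the kernel, but nothing in the profile says what happens when it is not; if firejail only warns and continues when AppArmor is unavailable (or when the global flag in firejail.config is off), the hardening this commit advertises silently disappears on such hosts. Worth confirming whether firejail fails closed or fails open in that case and stating it next to the "Checking apparmor status" section this commit touches. A short comment above the new line would also help the next maintainer, e.g. `# requires the firejail-default AppArmor profile to be loaded; see README "Checking apparmor status"`.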
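--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
+apparmor
 
 # private-bin audacious
 private-dev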
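--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -29,6 +29,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+apparmor
 
 private-bin audacity
 private-dev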
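--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -32,6 +32,7 @@ novideo
 protocol unix
 seccomp
 shell none
+apparmor
 
 private-bin eog
 private-dev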
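--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -33,6 +33,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+apparmor
 
 private-bin eom
 private-dev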
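--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -32,6 +32,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+apparmor
 
 private-bin galculator
 private-dev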
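--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -26,6 +26,7 @@ notv
 protocol unix
 seccomp
 shell none
+apparmor
 
 private-dev
 private-tmp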
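--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -27,6 +27,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+apparmor
 
 disable-mnt
 private-bin gnome-calculator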
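--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -23,6 +23,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+apparmor
 
 private-dev
 private-tmp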
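--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -28,6 +28,7 @@ novideo
 protocol unix
 seccomp
 shell none
+apparmor
 
 # private-bin inkscape,potrace - problems on Debian stretch
 private-dev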
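--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -25,6 +25,7 @@ notv
 protocol unix,netlink
 seccomp
 shell none
+apparmor
 
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev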
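Review bot: Enabling `apparmor` here is the largest behavioural change in this batch, because the `private-bin` line two lines below execs a long chain of helpers (`dbus-launch`, `melt`, `ffmpeg`, `ffplay`, `kdeinit5_wrapper`, `vlc`, `xine`) that will now all run under the AppArmor profile, and any path or capability one of them needs that the profile denies surfaces as an opaque launch or render failure rather than a firejail error. Before this ships as the default, launching kdenlive and rendering a short project under the new profile while watching the kernel/audit log for AppArmor denials would be the minimum check. If that passes, recording it in a comment above the new line, e.g. `# apparmor: render pipeline (melt/ffmpeg) verified against firejail-default`, saves the next maintainer from repeating the investigation.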
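--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -27,6 +27,7 @@ novideo
 protocol unix
 seccomp
 shell none
+apparmor
 
 private-dev
 private-tmp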
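--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -25,6 +25,7 @@ notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+apparmor
 
 private-dev
 private-tmp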
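--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -39,6 +39,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+apparmor
 
 private-bin qbittorrent,python*
 private-dev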
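Review bot: Turning on `apparmor` by default is the right call for a network-facing client that already allows `protocol unix,inet,inet6,netlink`, but the `private-bin qbittorrent,python*` glob two lines below copies every Python interpreter present on the host into the sandbox, and those interpreters now execute under the AppArmor profile as well; if firejail-default does not permit executing them, the client fails at startup with a denial instead of a clear error. It would be worth confirming that the interpreter paths matched by `python*` are allowed by the profile on a host with several Python versions installed. A comment above the new line noting that the `python*` helpers are covered by the AppArmor policy would make the dependency explicit.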
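--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -25,6 +25,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
+apparmor
 
 private-bin rhythmbox
 private-dev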
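--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -23,6 +23,7 @@ noroot
 protocol unix,inet,inet6
 seccomp
 shell none
+apparmor
 
 private-bin totem
 private-dev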