author | smitsohu <smitsohu@gmail.com> | 2018-02-27 00:21:10 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-02-27 00:21:10 +0100 |
commit | a052d9f2be1ae0c3d4c35677312c1058c02b6bee (patch) | |
tree | 481ac54da9467f76af6d38a51bd26ca367a5781e | |
parent | Merge pull request #1787 from joelazar/master (diff) | |
drop cap_mac_admin in apparmor profile
-rw-r--r-- | etc/firejail-default | 7 |
1 files changed, 4 insertions, 3 deletions
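diff --git a/etc/firejail-default b/etc/firejail-default
index f9a876f5c..5d116fbbc 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -113,7 +113,7 @@ deny /proc/@{PID}/oom_score_adj w,
 /run/firejail/mnt/oroot/opt/** ix,
 
 ##########
-# Allow acces to cups printing socket.
+# Allow access to cups printing socket.
 ##########
 /run/cups/cups.sock w,
 
@@ -132,7 +132,8 @@ network raw,
 signal,
 
 ##########
-# We let Firejail deal with capabilities.
+# We let Firejail deal with capabilities,
+# but mac_admin should be dropped in any case.
 ##########
 capability chown,
 capability dac_override,
@@ -167,7 +168,7 @@ capability audit_write,
 capability audit_control,
 capability setfcap,
 capability mac_override,
-capability mac_admin,
+#capability mac_admin,
 
 ##########
 # We let Firejail deal with mount/umount functionality.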
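Review bot: In the last hunk, commenting out `capability mac_admin,` leaves the denial implicit, so it holds only as long as no other rule or include grants the capability back, and the reason for it sits in a comment some 35 lines further up. An explicit `audit deny capability mac_admin,` would state the intent at the rule itself, take precedence over any allow rule, and keep attempts visible in the audit log (a plain `deny` is quiet by default). `capability mac_override,` on the line above is still granted; if that is intentional, a short comment such as `# mac_override is left to Firejail; mac_admin is never granted because it permits changes to MAC policy` would record why the two are treated differently.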