add basic Firejail support to AppArmor base abstraction (#3226)

author: smitsohu <smitsohu@gmail.com> 2021-10-21 00:17:51 +0200
committer: smitsohu <smitsohu@gmail.com> 2021-10-21 00:32:03 +0200
commit: 92679041124ae39ff6ed03c4bd96e7ef5f4cc487 (patch)
tree: d7195506c4847cae5782a6772a3c03dc86714242
parent: Merge pull request #4585 from smitsohu/euid (diff)
download: firejail-92679041124ae39ff6ed03c4bd96e7ef5f4cc487.tar.gz
firejail-92679041124ae39ff6ed03c4bd96e7ef5f4cc487.tar.zst
firejail-92679041124ae39ff6ed03c4bd96e7ef5f4cc487.zip
2 files changed, 31 insertions, 1 deletions
diff --git a/Makefile.in b/Makefile.in
index c94d8c7a4..11193122d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -144,9 +144,13 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
        # install apparmor profile
        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
        install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
-        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
        # install apparmor profile customization file
+        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
+        # install apparmor base abstraction drop-in
+        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;"
+        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;"
+        install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
 endif
 ifneq ($(HAVE_MAN),no)
        # man pages
diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base
new file mode 100644
index 000000000..41e4ac2bf
--- /dev/null
+++ b/etc/apparmor/firejail-base
@@ -0,0 +1,26 @@
+#########################################
+# Firejail base abstraction drop-in
+#########################################
+# Adds basic Firejail support to AppArmor profiles.
+# Please note: Firejail's nonewprivs and seccomp options
+# are not compatible with AppArmor profile transitions.
+# Discovery of process names
+owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r,
+##########
+# Following paths only exist inside a Firejail sandbox
+##########
+# Library preloading
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,
+# Supporting seccomp
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+# Supporting trace
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+# Supporting tracelog
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r,
author	smitsohu <smitsohu@gmail.com>	2021-10-21 00:17:51 +0200
committer	smitsohu <smitsohu@gmail.com>	2021-10-21 00:32:03 +0200
commit	92679041124ae39ff6ed03c4bd96e7ef5f4cc487 (patch)
tree	d7195506c4847cae5782a6772a3c03dc86714242
parent	Merge pull request #4585 from smitsohu/euid (diff)
download	firejail-92679041124ae39ff6ed03c4bd96e7ef5f4cc487.tar.gz firejail-92679041124ae39ff6ed03c4bd96e7ef5f4cc487.tar.zst firejail-92679041124ae39ff6ed03c4bd96e7ef5f4cc487.zip

diff --git a/Makefile.in b/Makefile.in index c94d8c7a4..11193122d 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -144,9 +144,13 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
144	# install apparmor profile	144	# install apparmor profile
145	sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"	145	sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
146	install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d	146	install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
147	sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
148	# install apparmor profile customization file	147	# install apparmor profile customization file
		148	sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
149	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"	149	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
		150	# install apparmor base abstraction drop-in
		151	sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;"
		152	sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;"
		153	install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
150	endif	154	endif
151	ifneq ($(HAVE_MAN),no)	155	ifneq ($(HAVE_MAN),no)
152	# man pages	156	# man pages


diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base new file mode 100644 index 000000000..41e4ac2bf --- /dev/null +++ b/etc/apparmor/firejail-base
@@ -0,0 +1,26 @@
		1	#########################################
		2	# Firejail base abstraction drop-in
		3	#########################################
		4
		5	# Adds basic Firejail support to AppArmor profiles.
		6	# Please note: Firejail's nonewprivs and seccomp options
		7	# are not compatible with AppArmor profile transitions.
		8
		9	# Discovery of process names
		10	owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r,
		11
		12	##########
		13	# Following paths only exist inside a Firejail sandbox
		14	##########
		15
		16	# Library preloading
		17	/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,
		18
		19	# Supporting seccomp
		20	owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
		21
		22	# Supporting trace
		23	owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
		24
		25	# Supporting tracelog
		26	/{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r,