apparmor: improve rules for filesystem access

* Make clear distinction for read, write and execute. * Don't allow write and execute at the same time. * Simplify and improve syntax to catch more exceptions with fewer rules
author: Vincent43 <31109921+Vincent43@users.noreply.github.com> 2018-08-27 17:23:57 +0100
committer: GitHub <noreply@github.com> 2018-08-27 17:23:57 +0100
commit: 1b309f879c52aecf5a867a70458bfa9f77f7ed45 (patch)
tree: 2c92536f329913231c46f8cd6ad0cd1665d5d248
parent: Add private-bin to 0ad (diff)
download: firejail-1b309f879c52aecf5a867a70458bfa9f77f7ed45.tar.gz
firejail-1b309f879c52aecf5a867a70458bfa9f77f7ed45.tar.zst
firejail-1b309f879c52aecf5a867a70458bfa9f77f7ed45.zip
1 files changed, 37 insertions, 66 deletions
diff --git a/etc/firejail-default b/etc/firejail-default
index 09dc896e6..d6aeac75b 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -22,42 +22,30 @@ dbus,
 ##########
 # With ptrace it is possible to inspect and hijack running programs. Usually this
-# is needed only for debugging. To allow ptrace, uncomment the following line
+# is needed only for debugging. To allow ptrace, uncomment the following line.
 ##########
 #ptrace,
 ##########
-# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
+# Allow read access to whole filesystem and control it from firejail.
 ##########
-/ r,
+/{,**} rklm,
-/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
-/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
-/{,var/}run/ r,
+##########
-/{,var/}run/** r,
+# Allow write access to paths writable in firejail which aren't used for
-/run/firejail/mnt/oroot/{,var/}run/ r,
+# executing programs. /run, /proc and /sys are handled separately.
-/run/firejail/mnt/oroot/{,var/}run/** r,
+# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
+##########
-owner /{,var/}run/user/[0-9]*/** rw,
+/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
-owner /{,var/}run/user/[0-9]*/*.slave-socket rwl,
-owner /{,var/}run/user/[0-9]*/orcexec.* rwkm,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/** rw,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/*.slave-socket rwl,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/orcexec.* rwkm,
-/{,var/}run/firejail/mnt/fslogger r,
+##########
-/{,var/}run/firejail/appimage r,
+# Whitelist writable paths under /run, /proc and /sys.
-/{,var/}run/firejail/appimage/** r,
+##########
-/{,var/}run/firejail/appimage/** ix,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
-/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
-/{run,dev}/shm/ r,
+owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
-owner /{run,dev}/shm/** rmwk,
-/run/firejail/mnt/oroot/{run,dev}/shm/ r,
-owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 # Allow logging Firejail blacklist violations to journal
 /{,var/}run/systemd/journal/socket w,
@@ -66,58 +54,41 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 # Needed for wine
 /{,var/}run/firejail/profile/@{PID} w,
-##########
+# Allow access to cups printing socket.
-# Allow /proc and /sys read-only access.
+/{,var/}run/cups/cups.sock w,
-# Blacklisting is controlled from userspace Firejail.
-##########
+# Needed for firefox sandbox
-/proc/ r,
-/proc/** r,
 /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
-# Uncomment to silence all denied write warnings
-#deny /proc/** w,
+# Silence noise
 deny /proc/@{PID}/oom_adj w,
 deny /proc/@{PID}/oom_score_adj w,
-/sys/ r,
-/sys/** r,
 # Uncomment to silence all denied write warnings
-#deny /sys/** w,
+#deny /proc/** w,
-# Blacklist snapshots
+# Uncomment to silence all denied write warnings
-deny /**/.snapshots/ rwx,
+#deny /sys/** w,
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
 ##########
-/lib/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
-/lib64/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
-/bin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
-/sbin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
-/usr/bin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
-/usr/sbin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}home/** ix,
-/usr/local/** ix,
-/usr/lib/** ix,
+# Appimage support
-/usr/lib64/** ix,
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
-/usr/games/** ix,
-/opt/** ix,
-#/home/** ix,
-/run/firejail/mnt/oroot/lib/** ix,
-/run/firejail/mnt/oroot/lib64/** ix,
-/run/firejail/mnt/oroot/bin/** ix,
-/run/firejail/mnt/oroot/sbin/** ix,
-/run/firejail/mnt/oroot/usr/bin/** ix,
-/run/firejail/mnt/oroot/usr/sbin/** ix,
-/run/firejail/mnt/oroot/usr/local/** ix,
-/run/firejail/mnt/oroot/usr/lib/** ix,
-/run/firejail/mnt/oroot/usr/lib64/** ix,
-/run/firejail/mnt/oroot/usr/games/** ix,
-/run/firejail/mnt/oroot/opt/** ix,
 ##########
-# Allow access to cups printing socket.
+# Blacklist specific sensitive paths.
 ##########
-/run/cups/cups.sock w,
+# Common backup directory
+deny /**/.snapshots/ rwx,
 ##########
 # Allow all networking functionality, and control it from Firejail.
author	Vincent43 <31109921+Vincent43@users.noreply.github.com>	2018-08-27 17:23:57 +0100
committer	GitHub <noreply@github.com>	2018-08-27 17:23:57 +0100
commit	1b309f879c52aecf5a867a70458bfa9f77f7ed45 (patch)
tree	2c92536f329913231c46f8cd6ad0cd1665d5d248
parent	Add private-bin to 0ad (diff)
download	firejail-1b309f879c52aecf5a867a70458bfa9f77f7ed45.tar.gz firejail-1b309f879c52aecf5a867a70458bfa9f77f7ed45.tar.zst firejail-1b309f879c52aecf5a867a70458bfa9f77f7ed45.zip

diff --git a/etc/firejail-default b/etc/firejail-default index 09dc896e6..d6aeac75b 100644 --- a/etc/firejail-default +++ b/etc/firejail-default
@@ -22,42 +22,30 @@ dbus,
22		22
23	##########	23	##########
24	# With ptrace it is possible to inspect and hijack running programs. Usually this	24	# With ptrace it is possible to inspect and hijack running programs. Usually this
25	# is needed only for debugging. To allow ptrace, uncomment the following line	25	# is needed only for debugging. To allow ptrace, uncomment the following line.
26	##########	26	##########
27	#ptrace,	27	#ptrace,
28		28
29	##########	29	##########
30	# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes	30	# Allow read access to whole filesystem and control it from firejail.
31	##########	31	##########
32	/ r,	32	/{,**} rklm,
33	/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
34	/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
35		33
36	/{,var/}run/ r,	34	##########
37	/{,var/}run/** r,	35	# Allow write access to paths writable in firejail which aren't used for
38	/run/firejail/mnt/oroot/{,var/}run/ r,	36	# executing programs. /run, /proc and /sys are handled separately.
39	/run/firejail/mnt/oroot/{,var/}run/** r,	37	# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
40		38	##########
41	owner /{,var/}run/user/[0-9]/* rw,	39	/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
42	owner /{,var/}run/user/[0-9]/.slave-socket rwl,
43	owner /{,var/}run/user/[0-9]/orcexec. rwkm,
44	owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]/* rw,
45	owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]/.slave-socket rwl,
46	owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]/orcexec. rwkm,
47		40
48	/{,var/}run/firejail/mnt/fslogger r,	41	##########
49	/{,var/}run/firejail/appimage r,	42	# Whitelist writable paths under /run, /proc and /sys.
50	/{,var/}run/firejail/appimage/** r,	43	##########
51	/{,var/}run/firejail/appimage/** ix,	44	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/* w,
52	/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,	45	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/.slave-socket w,
53	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,	46	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/orcexec. w,
54	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
55	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
56		47
57	/{run,dev}/shm/ r,	48	owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
58	owner /{run,dev}/shm/** rmwk,
59	/run/firejail/mnt/oroot/{run,dev}/shm/ r,
60	owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
61		49
62	# Allow logging Firejail blacklist violations to journal	50	# Allow logging Firejail blacklist violations to journal
63	/{,var/}run/systemd/journal/socket w,	51	/{,var/}run/systemd/journal/socket w,
@@ -66,58 +54,41 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
66	# Needed for wine	54	# Needed for wine
67	/{,var/}run/firejail/profile/@{PID} w,	55	/{,var/}run/firejail/profile/@{PID} w,
68		56
69	##########	57	# Allow access to cups printing socket.
70	# Allow /proc and /sys read-only access.	58	/{,var/}run/cups/cups.sock w,
71	# Blacklisting is controlled from userspace Firejail.	59
72	##########	60	# Needed for firefox sandbox
73	/proc/ r,
74	/proc/** r,
75	/proc/[0-9]*/{uid_map,gid_map,setgroups} w,	61	/proc/[0-9]*/{uid_map,gid_map,setgroups} w,
76	# Uncomment to silence all denied write warnings	62
77	#deny /proc/** w,	63	# Silence noise
78	deny /proc/@{PID}/oom_adj w,	64	deny /proc/@{PID}/oom_adj w,
79	deny /proc/@{PID}/oom_score_adj w,	65	deny /proc/@{PID}/oom_score_adj w,
80		66
81	/sys/ r,
82	/sys/** r,
83	# Uncomment to silence all denied write warnings	67	# Uncomment to silence all denied write warnings
84	#deny /sys/** w,	68	#deny /proc/** w,
85		69
86	# Blacklist snapshots	70	# Uncomment to silence all denied write warnings
87	deny /**/.snapshots/ rwx,	71	#deny /sys/** w,
88		72
89	##########	73	##########
90	# Allow running programs only from well-known system directories. If you need	74	# Allow running programs only from well-known system directories. If you need
91	# to run programs from your home directory, uncomment /home line.	75	# to run programs from your home directory, uncomment /home line.
92	##########	76	##########
93	/lib/** ix,	77	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
94	/lib64/** ix,	78	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
95	/bin/** ix,	79	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
96	/sbin/** ix,	80	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
97	/usr/bin/** ix,	81	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
98	/usr/sbin/** ix,	82	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}home/** ix,
99	/usr/local/** ix,	83
100	/usr/lib/** ix,	84	# Appimage support
101	/usr/lib64/** ix,	85	/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
102	/usr/games/** ix,
103	/opt/** ix,
104	#/home/** ix,
105	/run/firejail/mnt/oroot/lib/** ix,
106	/run/firejail/mnt/oroot/lib64/** ix,
107	/run/firejail/mnt/oroot/bin/** ix,
108	/run/firejail/mnt/oroot/sbin/** ix,
109	/run/firejail/mnt/oroot/usr/bin/** ix,
110	/run/firejail/mnt/oroot/usr/sbin/** ix,
111	/run/firejail/mnt/oroot/usr/local/** ix,
112	/run/firejail/mnt/oroot/usr/lib/** ix,
113	/run/firejail/mnt/oroot/usr/lib64/** ix,
114	/run/firejail/mnt/oroot/usr/games/** ix,
115	/run/firejail/mnt/oroot/opt/** ix,
116		86
117	##########	87	##########
118	# Allow access to cups printing socket.	88	# Blacklist specific sensitive paths.
119	##########	89	##########
120	/run/cups/cups.sock w,	90	# Common backup directory
		91	deny /**/.snapshots/ rwx,
121		92
122	##########	93	##########
123	# Allow all networking functionality, and control it from Firejail.	94	# Allow all networking functionality, and control it from Firejail.