Merge pull request #1745 from Vincent43/patch-1

Apparmor: restrict access to writable files
author: smitsohu <smitsohu@gmail.com> 2018-01-23 14:11:47 +0100
committer: GitHub <noreply@github.com> 2018-01-23 14:11:47 +0100
commit: ded539c03b5f743aa8dcdff9aa68de793db9ef31 (patch)
tree: dfa4ce15948c4f748d727a9cf437adf4d9b50297
parent: Partial revert of f2fdcf7361f99d4b62d6427d078445c2ea1dc6cb for gedit (diff)
parent: Apparmor: Revert /proc changes (diff)
download: firejail-ded539c03b5f743aa8dcdff9aa68de793db9ef31.tar.gz
firejail-ded539c03b5f743aa8dcdff9aa68de793db9ef31.tar.zst
firejail-ded539c03b5f743aa8dcdff9aa68de793db9ef31.zip
1 files changed, 8 insertions, 8 deletions
diff --git a/etc/firejail-default b/etc/firejail-default
index eb50d6c65..e5010eaab 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -26,19 +26,19 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
 /{,var/}run/ r,
 /{,var/}run/** r,
-/{,var/}run/user/**/dconf/ rw,
+owner /{,var/}run/user/**/dconf/ rw,
-/{,var/}run/user/**/dconf/user rw,
+owner /{,var/}run/user/**/dconf/user rw,
-/{,var/}run/user/**/pulse/ rw,
+owner /{,var/}run/user/**/pulse/ rw,
-/{,var/}run/user/**/pulse/** rw,
+owner /{,var/}run/user/**/pulse/** rw,
-/{,var/}run/user/**/*.slave-socket rwl,
+owner /{,var/}run/user/**/*.slave-socket rwl,
-/{,var/}run/user/**/#@{PID} rw,
+owner /{,var/}run/user/**/#@{PID} rw,
-/{,var/}run/user/**/orcexec.* rwkm,
+owner /{,var/}run/user/**/orcexec.* rwkm,
 /{,var/}run/firejail/mnt/fslogger r,
 /{,var/}run/firejail/appimage r,
 /{,var/}run/firejail/appimage/** r,
 /{,var/}run/firejail/appimage/** ix,
 /{run,dev}/shm/ r,
-/{run,dev}/shm/** rmwk,
+owner /{run,dev}/shm/** rmwk,
 /proc/ r,
 /proc/meminfo r,
author	smitsohu <smitsohu@gmail.com>	2018-01-23 14:11:47 +0100
committer	GitHub <noreply@github.com>	2018-01-23 14:11:47 +0100
commit	ded539c03b5f743aa8dcdff9aa68de793db9ef31 (patch)
tree	dfa4ce15948c4f748d727a9cf437adf4d9b50297
parent	Partial revert of f2fdcf7361f99d4b62d6427d078445c2ea1dc6cb for gedit (diff)
parent	Apparmor: Revert /proc changes (diff)
download	firejail-ded539c03b5f743aa8dcdff9aa68de793db9ef31.tar.gz firejail-ded539c03b5f743aa8dcdff9aa68de793db9ef31.tar.zst firejail-ded539c03b5f743aa8dcdff9aa68de793db9ef31.zip

diff --git a/etc/firejail-default b/etc/firejail-default index eb50d6c65..e5010eaab 100644 --- a/etc/firejail-default +++ b/etc/firejail-default
@@ -26,19 +26,19 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
26	/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,	26	/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
27	/{,var/}run/ r,	27	/{,var/}run/ r,
28	/{,var/}run/** r,	28	/{,var/}run/** r,
29	/{,var/}run/user/**/dconf/ rw,	29	owner /{,var/}run/user/**/dconf/ rw,
30	/{,var/}run/user/**/dconf/user rw,	30	owner /{,var/}run/user/**/dconf/user rw,
31	/{,var/}run/user/**/pulse/ rw,	31	owner /{,var/}run/user/**/pulse/ rw,
32	/{,var/}run/user//pulse/ rw,	32	owner /{,var/}run/user//pulse/ rw,
33	/{,var/}run/user/*/.slave-socket rwl,	33	owner /{,var/}run/user/*/.slave-socket rwl,
34	/{,var/}run/user/**/#@{PID} rw,	34	owner /{,var/}run/user/**/#@{PID} rw,
35	/{,var/}run/user/*/orcexec. rwkm,	35	owner /{,var/}run/user/*/orcexec. rwkm,
36	/{,var/}run/firejail/mnt/fslogger r,	36	/{,var/}run/firejail/mnt/fslogger r,
37	/{,var/}run/firejail/appimage r,	37	/{,var/}run/firejail/appimage r,
38	/{,var/}run/firejail/appimage/** r,	38	/{,var/}run/firejail/appimage/** r,
39	/{,var/}run/firejail/appimage/** ix,	39	/{,var/}run/firejail/appimage/** ix,
40	/{run,dev}/shm/ r,	40	/{run,dev}/shm/ r,
41	/{run,dev}/shm/** rmwk,	41	owner /{run,dev}/shm/** rmwk,
42		42
43	/proc/ r,	43	/proc/ r,
44	/proc/meminfo r,	44	/proc/meminfo r,