diff options
| author |  netblue30 <netblue30@protonmail.com> | 2021-02-21 08:54:41 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2021-02-21 08:54:41 -0500 |
| commit | e43bc70f269a82b744d0df5721394be103cf68f5 (patch) | |
| tree | 489f64300d57960c4492f4e60cc4afd1761f55ea | |
| parent | porting from main: mkasc.sh: fix typo of Calculating (diff) | |
| download | firejail-e43bc70f269a82b744d0df5721394be103cf68f5.tar.gz firejail-e43bc70f269a82b744d0df5721394be103cf68f5.tar.zst firejail-e43bc70f269a82b744d0df5721394be103cf68f5.zip | |
porting from main: apparmor capabilities fix
| -rw-r--r-- | etc/apparmor/firejail-default | 42 |
1 files changed, 8 insertions, 34 deletions
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index ec87f1d2d..80d527e41 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default | |||
| @@ -126,40 +126,14 @@ signal (receive), | |||
| 126 | # We let Firejail deal with capabilities, but ensure that | 126 | # We let Firejail deal with capabilities, but ensure that |
| 127 | # some AppArmor related capabilities will not be available. | 127 | # some AppArmor related capabilities will not be available. |
| 128 | ########## | 128 | ########## |
| 129 | capability chown, | 129 | # The list of recognized capabilities varies from one apparmor version to another. |
| 130 | capability dac_override, | 130 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available |
| 131 | capability dac_read_search, | 131 | # We allow all caps by default and remove the ones we don't like: |
| 132 | capability fowner, | 132 | capability, |
| 133 | capability fsetid, | 133 | deny capability audit_write, |
| 134 | capability kill, | 134 | deny capability audit_control, |
| 135 | capability setgid, | 135 | deny capability mac_override, |
| 136 | capability setuid, | 136 | deny capability mac_admin, |
| 137 | capability setpcap, | ||
| 138 | capability linux_immutable, | ||
| 139 | capability net_bind_service, | ||
| 140 | capability net_broadcast, | ||
| 141 | capability net_admin, | ||
| 142 | capability net_raw, | ||
| 143 | capability ipc_lock, | ||
| 144 | capability ipc_owner, | ||
| 145 | capability sys_module, | ||
| 146 | capability sys_rawio, | ||
| 147 | capability sys_chroot, | ||
| 148 | capability sys_ptrace, | ||
| 149 | capability sys_pacct, | ||
| 150 | capability sys_admin, | ||
| 151 | capability sys_boot, | ||
| 152 | capability sys_nice, | ||
| 153 | capability sys_resource, | ||
| 154 | capability sys_time, | ||
| 155 | capability sys_tty_config, | ||
| 156 | capability mknod, | ||
| 157 | capability lease, | ||
| 158 | #capability audit_write, | ||
| 159 | #capability audit_control, | ||
| 160 | capability setfcap, | ||
| 161 | #capability mac_override, | ||
| 162 | #capability mac_admin, | ||
| 163 | 137 | ||
| 164 | # Site-specific additions and overrides. See local/README for details. | 138 | # Site-specific additions and overrides. See local/README for details. |
| 165 | #include <local/firejail-default> | 139 | #include <local/firejail-default> |