author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-05-12 17:45:47 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-05-12 17:45:47 +0000 |
commit | 6c91074fc90e774e3b40ad231bb178bea6ec5ae6 (patch) | |
tree | 084dedffb99f27540a35d5356b399d987bde9d75 /SECURITY.md | |
parent | landlock: fix misc alignment/newline (diff) | |

profiles: loupe: harden and disable apparmor (#6333)

The profile currently does not include disable-common nor makes
`${HOME}` read-only, so the program can simply write to ~/.bashrc
directly[1].

disable-common.inc was commented due to it apparently breaking bwrap.
As discovered by @glitsj16, it seems that allowing the bwrap binary is
enough to make it work (and that apparmor breaks loupe)[2].

So disable apparmor, allow bwrap and include disable-common.inc, plus
other hardening by @glitsj16.

This amends commit 9a0db13e1 ("profiles: add loupe", 2024-04-30) /
PR #6327.

[1] https://github.com/netblue30/firejail/pull/6327#pullrequestreview-2033860865
[2] https://github.com/netblue30/firejail/pull/6333#issuecomment-2099805480

Diffstat (limited to 'SECURITY.md')
0 files changed, 0 insertions, 0 deletions