diff options
author | netblue30 <netblue30@protonmail.com> | 2021-02-21 08:54:41 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-02-21 08:54:41 -0500 |
commit | e43bc70f269a82b744d0df5721394be103cf68f5 (patch) | |
tree | 489f64300d57960c4492f4e60cc4afd1761f55ea /etc/apparmor/firejail-default | |
parent | porting from main: mkasc.sh: fix typo of Calculating (diff) | |
download | firejail-e43bc70f269a82b744d0df5721394be103cf68f5.tar.gz firejail-e43bc70f269a82b744d0df5721394be103cf68f5.tar.zst firejail-e43bc70f269a82b744d0df5721394be103cf68f5.zip |
porting from main: apparmor capabilities fix
Diffstat (limited to 'etc/apparmor/firejail-default')
-rw-r--r-- | etc/apparmor/firejail-default | 42 |
1 files changed, 8 insertions, 34 deletions
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index ec87f1d2d..80d527e41 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default | |||
@@ -126,40 +126,14 @@ signal (receive), | |||
126 | # We let Firejail deal with capabilities, but ensure that | 126 | # We let Firejail deal with capabilities, but ensure that |
127 | # some AppArmor related capabilities will not be available. | 127 | # some AppArmor related capabilities will not be available. |
128 | ########## | 128 | ########## |
129 | capability chown, | 129 | # The list of recognized capabilities varies from one apparmor version to another. |
130 | capability dac_override, | 130 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available |
131 | capability dac_read_search, | 131 | # We allow all caps by default and remove the ones we don't like: |
132 | capability fowner, | 132 | capability, |
133 | capability fsetid, | 133 | deny capability audit_write, |
134 | capability kill, | 134 | deny capability audit_control, |
135 | capability setgid, | 135 | deny capability mac_override, |
136 | capability setuid, | 136 | deny capability mac_admin, |
137 | capability setpcap, | ||
138 | capability linux_immutable, | ||
139 | capability net_bind_service, | ||
140 | capability net_broadcast, | ||
141 | capability net_admin, | ||
142 | capability net_raw, | ||
143 | capability ipc_lock, | ||
144 | capability ipc_owner, | ||
145 | capability sys_module, | ||
146 | capability sys_rawio, | ||
147 | capability sys_chroot, | ||
148 | capability sys_ptrace, | ||
149 | capability sys_pacct, | ||
150 | capability sys_admin, | ||
151 | capability sys_boot, | ||
152 | capability sys_nice, | ||
153 | capability sys_resource, | ||
154 | capability sys_time, | ||
155 | capability sys_tty_config, | ||
156 | capability mknod, | ||
157 | capability lease, | ||
158 | #capability audit_write, | ||
159 | #capability audit_control, | ||
160 | capability setfcap, | ||
161 | #capability mac_override, | ||
162 | #capability mac_admin, | ||
163 | 137 | ||
164 | # Site-specific additions and overrides. See local/README for details. | 138 | # Site-specific additions and overrides. See local/README for details. |
165 | #include <local/firejail-default> | 139 | #include <local/firejail-default> |