diff options
| author |  smitsohu <smitsohu@gmail.com> | 2021-11-01 16:49:53 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2021-11-01 16:59:23 +0100 |
| commit | 0022048aaa436ee861af6ea74a5797e2a6b0463b (patch) | |
| tree | f2371cf16eb922eea502b22faf6ef8cdc16eecd3 /etc/apparmor | |
| parent | improve detection of firejail login shell (diff) | |
| download | firejail-0022048aaa436ee861af6ea74a5797e2a6b0463b.tar.gz firejail-0022048aaa436ee861af6ea74a5797e2a6b0463b.tar.zst firejail-0022048aaa436ee861af6ea74a5797e2a6b0463b.zip | |
apparmor base drop-in: remove chroot/overlay paths
As the upstream AppArmor base abstraction does not
contain references to paths in /run/firejail/mnt/oroot
there is not much point to have them in our drop-in
Diffstat (limited to 'etc/apparmor')
| -rw-r--r-- | etc/apparmor/firejail-base | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base index 41e4ac2bf..6e286d4af 100644 --- a/etc/apparmor/firejail-base +++ b/etc/apparmor/firejail-base | |||
| @@ -1,26 +1,27 @@ | |||
| 1 | ######################################### | 1 | ######################################### |
| 2 | # Firejail base abstraction drop-in | 2 | # Firejail base abstraction drop-in |
| 3 | ######################################### | 3 | # |
| 4 | |||
| 5 | # Adds basic Firejail support to AppArmor profiles. | 4 | # Adds basic Firejail support to AppArmor profiles. |
| 6 | # Please note: Firejail's nonewprivs and seccomp options | 5 | # Please note: Firejail's nonewprivs and seccomp options |
| 7 | # are not compatible with AppArmor profile transitions. | 6 | # are not compatible with AppArmor profile transitions. |
| 7 | # Also there is no support for Firejail chroot options. | ||
| 8 | ######################################### | ||
| 8 | 9 | ||
| 9 | # Discovery of process names | 10 | # Discovery of process names |
| 10 | owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r, | 11 | owner /proc/@{pid}/comm r, |
| 11 | 12 | ||
| 12 | ########## | 13 | ########## |
| 13 | # Following paths only exist inside a Firejail sandbox | 14 | # Following paths only exist inside a Firejail sandbox |
| 14 | ########## | 15 | ########## |
| 15 | 16 | ||
| 16 | # Library preloading | 17 | # Library preloading |
| 17 | /{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr, | 18 | /{,var/}run/firejail/lib/*.so mr, |
| 18 | 19 | ||
| 19 | # Supporting seccomp | 20 | # Supporting seccomp |
| 20 | owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r, | 21 | owner /{,var/}run/firejail/mnt/seccomp/seccomp.postexec r, |
| 21 | 22 | ||
| 22 | # Supporting trace | 23 | # Supporting trace |
| 23 | owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w, | 24 | owner /{,var/}run/firejail/mnt/trace w, |
| 24 | 25 | ||
| 25 | # Supporting tracelog | 26 | # Supporting tracelog |
| 26 | /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r, | 27 | /{,var/}run/firejail/mnt/fslogger r, |