diff options
| author |  netblue30 <netblue30@protonmail.com> | 2021-02-21 08:47:45 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2021-02-21 08:47:45 -0500 |
| commit | 3fbdc9f59a099b960a3a74ccd3c1c29078ecdef3 (patch) | |
| tree | a1374e83f208a9029aa0447a24ea411670930390 /etc/apparmor | |
| parent | jaitest - simple sandbox testing utility program (diff) | |
| download | firejail-3fbdc9f59a099b960a3a74ccd3c1c29078ecdef3.tar.gz firejail-3fbdc9f59a099b960a3a74ccd3c1c29078ecdef3.tar.zst firejail-3fbdc9f59a099b960a3a74ccd3c1c29078ecdef3.zip | |
apparmor capabilities fix
Diffstat (limited to 'etc/apparmor')
| -rw-r--r-- | etc/apparmor/firejail-default | 45 |
1 files changed, 8 insertions, 37 deletions
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index 397bf753b..80d527e41 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default | |||
| @@ -126,43 +126,14 @@ signal (receive), | |||
| 126 | # We let Firejail deal with capabilities, but ensure that | 126 | # We let Firejail deal with capabilities, but ensure that |
| 127 | # some AppArmor related capabilities will not be available. | 127 | # some AppArmor related capabilities will not be available. |
| 128 | ########## | 128 | ########## |
| 129 | capability checkpoint_restore, | 129 | # The list of recognized capabilities varies from one apparmor version to another. |
| 130 | capability perfmon, | 130 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available |
| 131 | capability bpf, | 131 | # We allow all caps by default and remove the ones we don't like: |
| 132 | capability chown, | 132 | capability, |
| 133 | capability dac_override, | 133 | deny capability audit_write, |
| 134 | capability dac_read_search, | 134 | deny capability audit_control, |
| 135 | capability fowner, | 135 | deny capability mac_override, |
| 136 | capability fsetid, | 136 | deny capability mac_admin, |
| 137 | capability kill, | ||
| 138 | capability setgid, | ||
| 139 | capability setuid, | ||
| 140 | capability setpcap, | ||
| 141 | capability linux_immutable, | ||
| 142 | capability net_bind_service, | ||
| 143 | capability net_broadcast, | ||
| 144 | capability net_admin, | ||
| 145 | capability net_raw, | ||
| 146 | capability ipc_lock, | ||
| 147 | capability ipc_owner, | ||
| 148 | capability sys_module, | ||
| 149 | capability sys_rawio, | ||
| 150 | capability sys_chroot, | ||
| 151 | capability sys_ptrace, | ||
| 152 | capability sys_pacct, | ||
| 153 | capability sys_admin, | ||
| 154 | capability sys_boot, | ||
| 155 | capability sys_nice, | ||
| 156 | capability sys_resource, | ||
| 157 | capability sys_time, | ||
| 158 | capability sys_tty_config, | ||
| 159 | capability mknod, | ||
| 160 | capability lease, | ||
| 161 | #capability audit_write, | ||
| 162 | #capability audit_control, | ||
| 163 | capability setfcap, | ||
| 164 | #capability mac_override, | ||
| 165 | #capability mac_admin, | ||
| 166 | 137 | ||
| 167 | # Site-specific additions and overrides. See local/README for details. | 138 | # Site-specific additions and overrides. See local/README for details. |
| 168 | #include <local/firejail-default> | 139 | #include <local/firejail-default> |