reorganize github etc directory

author: netblue30 <netblue30@yahoo.com> 2020-04-21 08:24:28 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-04-21 08:24:28 -0400
commit: 018d75775eab4a0f045949a9d069c57686ca2686 (patch)
tree: aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/apparmor
parent: small fixes (diff)
download: firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.gz
firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.zst
firejail-018d75775eab4a0f045949a9d069c57686ca2686.zip
1 files changed, 155 insertions, 0 deletions
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
new file mode 100644
index 000000000..e68e51c63
--- /dev/null
+++ b/etc/apparmor/firejail-default
@@ -0,0 +1,155 @@
+#########################################
+# Generic Firejail AppArmor profile
+#########################################
+##########
+# A simple PID declaration based on Ubuntu's @{pid}
+# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
+# We don't know if this definition is available outside Debian and Ubuntu, so
+# we declare our own here.
+##########
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
+profile firejail-default flags=(attach_disconnected,mediate_deleted) {
+##########
+# Allow D-Bus access. It may negatively affect security. Comment those lines or
+# use 'nodbus' option in profile if you don't need D-Bus functionality.
+##########
+#include <abstractions/dbus-strict>
+#include <abstractions/dbus-session-strict>
+dbus,
+##########
+# With ptrace it is possible to inspect and hijack running programs.
+##########
+# Uncomment this line to allow all ptrace access
+#ptrace,
+# Allow obtaining some process information, but not ptrace(2)
+ptrace (read,readby) peer=@{profile_name},
+##########
+# Allow read access to whole filesystem and control it from firejail.
+##########
+/{,**} rklm,
+##########
+# Allow write access to paths writable in firejail which aren't used for
+# executing programs. /run, /proc and /sys are handled separately.
+# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
+##########
+/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
+##########
+# Whitelist writable paths under /run, /proc and /sys.
+##########
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
+owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
+# Allow writing to removable media
+owner /{,var/}run/media/** w,
+# Allow logging Firejail blacklist violations to journal
+/{,var/}run/systemd/journal/socket w,
+/{,var/}run/systemd/journal/dev-log w,
+# Allow access to cups printing socket.
+/{,var/}run/cups/cups.sock w,
+# Allow access to pcscd socket (smartcards)
+/{,var/}run/pcscd/pcscd.comm w,
+# Needed for browser self-sandboxing
+owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
+# Needed for electron apps
+/proc/@{PID}/comm w,
+# Needed for nslookup, dig, host
+/proc/@{PID}/task/@{PID}/comm w,
+# Used by chromium
+owner /proc/@{PID}/oom_score_adj w,
+owner /proc/@{PID}/clear_refs w,
+##########
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+##########
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
+#/{,run/firejail/mnt/oroot/}home/** ix,
+# Appimage support
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
+##########
+# Blacklist specific sensitive paths.
+##########
+deny /**/.fscrypt/ rw,
+deny /**/.fscrypt/** rwklmx,
+deny /**/.snapshots/ rw,
+deny /**/.snapshots/** rwklmx,
+##########
+# Allow all networking functionality, and control it from Firejail.
+##########
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+# needed for wireshark
+network packet,
+##########
+# There is no equivalent in Firejail for filtering signals.
+##########
+signal (send) peer=@{profile_name},
+signal (receive),
+##########
+# We let Firejail deal with capabilities, but ensure that
+# some AppArmor related capabilities will not be available.
+##########
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+#capability audit_write,
+#capability audit_control,
+capability setfcap,
+#capability mac_override,
+#capability mac_admin,
+# Site-specific additions and overrides. See local/README for details.
+#include <local/firejail-local>
+}
author	netblue30 <netblue30@yahoo.com>	2020-04-21 08:24:28 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-04-21 08:24:28 -0400
commit	018d75775eab4a0f045949a9d069c57686ca2686 (patch)
tree	aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/apparmor
parent	small fixes (diff)
download	firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.gz firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.zst firejail-018d75775eab4a0f045949a9d069c57686ca2686.zip

diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default new file mode 100644 index 000000000..e68e51c63 --- /dev/null +++ b/etc/apparmor/firejail-default
@@ -0,0 +1,155 @@
	1	#########################################
	2	# Generic Firejail AppArmor profile
	3	#########################################
	4
	5	##########
	6	# A simple PID declaration based on Ubuntu's @{pid}
	7	# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
	8	# We don't know if this definition is available outside Debian and Ubuntu, so
	9	# we declare our own here.
	10	##########
	11	@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
	12
	13	profile firejail-default flags=(attach_disconnected,mediate_deleted) {
	14
	15	##########
	16	# Allow D-Bus access. It may negatively affect security. Comment those lines or
	17	# use 'nodbus' option in profile if you don't need D-Bus functionality.
	18	##########
	19	#include <abstractions/dbus-strict>
	20	#include <abstractions/dbus-session-strict>
	21	dbus,
	22
	23	##########
	24	# With ptrace it is possible to inspect and hijack running programs.
	25	##########
	26	# Uncomment this line to allow all ptrace access
	27	#ptrace,
	28	# Allow obtaining some process information, but not ptrace(2)
	29	ptrace (read,readby) peer=@{profile_name},
	30
	31	##########
	32	# Allow read access to whole filesystem and control it from firejail.
	33	##########
	34	/{,**} rklm,
	35
	36	##########
	37	# Allow write access to paths writable in firejail which aren't used for
	38	# executing programs. /run, /proc and /sys are handled separately.
	39	# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
	40	##########
	41	/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
	42
	43	##########
	44	# Whitelist writable paths under /run, /proc and /sys.
	45	##########
	46	owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
	47	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/* w,
	48	owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
	49
	50	# Allow writing to removable media
	51	owner /{,var/}run/media/** w,
	52
	53	# Allow logging Firejail blacklist violations to journal
	54	/{,var/}run/systemd/journal/socket w,
	55	/{,var/}run/systemd/journal/dev-log w,
	56
	57	# Allow access to cups printing socket.
	58	/{,var/}run/cups/cups.sock w,
	59
	60	# Allow access to pcscd socket (smartcards)
	61	/{,var/}run/pcscd/pcscd.comm w,
	62
	63	# Needed for browser self-sandboxing
	64	owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
	65
	66	# Needed for electron apps
	67	/proc/@{PID}/comm w,
	68	# Needed for nslookup, dig, host
	69	/proc/@{PID}/task/@{PID}/comm w,
	70
	71	# Used by chromium
	72	owner /proc/@{PID}/oom_score_adj w,
	73	owner /proc/@{PID}/clear_refs w,
	74
	75	##########
	76	# Allow running programs only from well-known system directories. If you need
	77	# to run programs from your home directory, uncomment /home line.
	78	##########
	79	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
	80	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
	81	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
	82	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
	83	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
	84	#/{,run/firejail/mnt/oroot/}home/** ix,
	85
	86	# Appimage support
	87	/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
	88
	89	##########
	90	# Blacklist specific sensitive paths.
	91	##########
	92	deny /**/.fscrypt/ rw,
	93	deny //.fscrypt/ rwklmx,
	94	deny /**/.snapshots/ rw,
	95	deny //.snapshots/ rwklmx,
	96
	97	##########
	98	# Allow all networking functionality, and control it from Firejail.
	99	##########
	100	network inet,
	101	network inet6,
	102	network unix,
	103	network netlink,
	104	network raw,
	105	# needed for wireshark
	106	network packet,
	107
	108	##########
	109	# There is no equivalent in Firejail for filtering signals.
	110	##########
	111	signal (send) peer=@{profile_name},
	112	signal (receive),
	113
	114	##########
	115	# We let Firejail deal with capabilities, but ensure that
	116	# some AppArmor related capabilities will not be available.
	117	##########
	118	capability chown,
	119	capability dac_override,
	120	capability dac_read_search,
	121	capability fowner,
	122	capability fsetid,
	123	capability kill,
	124	capability setgid,
	125	capability setuid,
	126	capability setpcap,
	127	capability linux_immutable,
	128	capability net_bind_service,
	129	capability net_broadcast,
	130	capability net_admin,
	131	capability net_raw,
	132	capability ipc_lock,
	133	capability ipc_owner,
	134	capability sys_module,
	135	capability sys_rawio,
	136	capability sys_chroot,
	137	capability sys_ptrace,
	138	capability sys_pacct,
	139	capability sys_admin,
	140	capability sys_boot,
	141	capability sys_nice,
	142	capability sys_resource,
	143	capability sys_time,
	144	capability sys_tty_config,
	145	capability mknod,
	146	capability lease,
	147	#capability audit_write,
	148	#capability audit_control,
	149	capability setfcap,
	150	#capability mac_override,
	151	#capability mac_admin,
	152
	153	# Site-specific additions and overrides. See local/README for details.
	154	#include <local/firejail-local>
	155	}