Allow processes confined with AppArmor to obtain some process information

'firejail --apparmor chromium' logged a huge amount of apparmor denials,
because it wants to use read/readby permissions.
Allow those accesses, but keep full tracing disabled by default.

See also: https://bugs.debian.org/912587 and apparmor.d(5)

1 files changed, 5 insertions, 2 deletions

diff --git a/etc/firejail-default b/etc/firejail-default
index 88bf9aa44..02a241c34 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -21,10 +21,13 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 dbus,
 
 ##########
-# With ptrace it is possible to inspect and hijack running programs. Usually this
-# is needed only for debugging. To allow ptrace, uncomment the following line.
+# With ptrace it is possible to inspect and hijack running programs.
+# Some browsers are also using ptrace for their sandboxing.
 ##########
+# Uncomment this line to allow all ptrace access
 #ptrace,
+# Allow obtaining some process information, but not ptrace(2)
+ptrace (read,readby) peer=firejail-default,
 
 ##########
 # Allow read access to whole filesystem and control it from firejail.