Apparmor: Be more restrictive for chromium needs

author: Vincent43 <31109921+Vincent43@users.noreply.github.com> 2018-02-08 22:07:12 +0000
committer: GitHub <noreply@github.com> 2018-02-08 22:07:12 +0000
commit: ae853bb559cb657c9664a73e1dfed5a89942d80b (patch)
tree: ebdb7e8eed1ddcee07b65bb05e473e0781d30587 /etc/firejail-default
parent: Apparmor: fix various denials (diff)
download: firejail-ae853bb559cb657c9664a73e1dfed5a89942d80b.tar.gz
firejail-ae853bb559cb657c9664a73e1dfed5a89942d80b.tar.zst
firejail-ae853bb559cb657c9664a73e1dfed5a89942d80b.zip
1 files changed, 4 insertions, 4 deletions
diff --git a/etc/firejail-default b/etc/firejail-default
index 5ebdccc00..859f8683a 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -104,16 +104,16 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /proc/@{PID}/mem r,
 /proc/@{PID}/mounts r,
 /proc/@{PID}/mountinfo r,
-owner /proc/@{PID}/oom_adj w,
+deny /proc/@{PID}/oom_adj w,
 /proc/@{PID}/oom_score_adj r,
-owner /proc/@{PID}/oom_score_adj w,
+deny /proc/@{PID}/oom_score_adj w,
 /proc/@{PID}/auxv r,
 /proc/@{PID}/net/dev r,
 /proc/@{PID}/loginuid r,
 /proc/@{PID}/environ r,
-# Needed for chromium
+# Needed by chromium crash handler. Uncomment if you need it.
-ptrace (trace tracedby),
+#ptrace (trace tracedby),
 ##########
 # Allow running programs only from well-known system directories. If you need
author	Vincent43 <31109921+Vincent43@users.noreply.github.com>	2018-02-08 22:07:12 +0000
committer	GitHub <noreply@github.com>	2018-02-08 22:07:12 +0000
commit	ae853bb559cb657c9664a73e1dfed5a89942d80b (patch)
tree	ebdb7e8eed1ddcee07b65bb05e473e0781d30587 /etc/firejail-default
parent	Apparmor: fix various denials (diff)
download	firejail-ae853bb559cb657c9664a73e1dfed5a89942d80b.tar.gz firejail-ae853bb559cb657c9664a73e1dfed5a89942d80b.tar.zst firejail-ae853bb559cb657c9664a73e1dfed5a89942d80b.zip

diff --git a/etc/firejail-default b/etc/firejail-default index 5ebdccc00..859f8683a 100644 --- a/etc/firejail-default +++ b/etc/firejail-default
@@ -104,16 +104,16 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
104	/proc/@{PID}/mem r,	104	/proc/@{PID}/mem r,
105	/proc/@{PID}/mounts r,	105	/proc/@{PID}/mounts r,
106	/proc/@{PID}/mountinfo r,	106	/proc/@{PID}/mountinfo r,
107	owner /proc/@{PID}/oom_adj w,	107	deny /proc/@{PID}/oom_adj w,
108	/proc/@{PID}/oom_score_adj r,	108	/proc/@{PID}/oom_score_adj r,
109	owner /proc/@{PID}/oom_score_adj w,	109	deny /proc/@{PID}/oom_score_adj w,
110	/proc/@{PID}/auxv r,	110	/proc/@{PID}/auxv r,
111	/proc/@{PID}/net/dev r,	111	/proc/@{PID}/net/dev r,
112	/proc/@{PID}/loginuid r,	112	/proc/@{PID}/loginuid r,
113	/proc/@{PID}/environ r,	113	/proc/@{PID}/environ r,
114		114
115	# Needed for chromium	115	# Needed by chromium crash handler. Uncomment if you need it.
116	ptrace (trace tracedby),	116	#ptrace (trace tracedby),
117		117
118	##########	118	##########
119	# Allow running programs only from well-known system directories. If you need	119	# Allow running programs only from well-known system directories. If you need