summaryrefslogtreecommitdiffstats
path: root/etc/firejail-default
diff options
context:
space:
mode:
authorLibravatar Vincent43 <31109921+Vincent43@users.noreply.github.com>2018-01-21 16:50:21 +0000
committerLibravatar GitHub <noreply@github.com>2018-01-21 16:50:21 +0000
commitd2a18552e2141126c85ce2011c524c182043bddb (patch)
tree83c4f9fe4b07a6d8e7fb2bd7fc803e019ee567fb /etc/firejail-default
parentAdd whitelist-var-common to 4 profiles (diff)
downloadfirejail-d2a18552e2141126c85ce2011c524c182043bddb.tar.gz
firejail-d2a18552e2141126c85ce2011c524c182043bddb.tar.zst
firejail-d2a18552e2141126c85ce2011c524c182043bddb.zip
Apparmor: restrict access
Access to writable files can be restricted to their owner only.
Diffstat (limited to 'etc/firejail-default')
-rw-r--r--etc/firejail-default50
1 files changed, 25 insertions, 25 deletions
diff --git a/etc/firejail-default b/etc/firejail-default
index eb50d6c65..4d79f9b29 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -26,19 +26,19 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
26/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk, 26/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
27/{,var/}run/ r, 27/{,var/}run/ r,
28/{,var/}run/** r, 28/{,var/}run/** r,
29/{,var/}run/user/**/dconf/ rw, 29owner /{,var/}run/user/**/dconf/ rw,
30/{,var/}run/user/**/dconf/user rw, 30owner /{,var/}run/user/**/dconf/user rw,
31/{,var/}run/user/**/pulse/ rw, 31owner /{,var/}run/user/**/pulse/ rw,
32/{,var/}run/user/**/pulse/** rw, 32owner /{,var/}run/user/**/pulse/** rw,
33/{,var/}run/user/**/*.slave-socket rwl, 33owner /{,var/}run/user/**/*.slave-socket rwl,
34/{,var/}run/user/**/#@{PID} rw, 34owner /{,var/}run/user/**/#@{PID} rw,
35/{,var/}run/user/**/orcexec.* rwkm, 35owner /{,var/}run/user/**/orcexec.* rwkm,
36/{,var/}run/firejail/mnt/fslogger r, 36/{,var/}run/firejail/mnt/fslogger r,
37/{,var/}run/firejail/appimage r, 37/{,var/}run/firejail/appimage r,
38/{,var/}run/firejail/appimage/** r, 38/{,var/}run/firejail/appimage/** r,
39/{,var/}run/firejail/appimage/** ix, 39/{,var/}run/firejail/appimage/** ix,
40/{run,dev}/shm/ r, 40/{run,dev}/shm/ r,
41/{run,dev}/shm/** rmwk, 41owner /{run,dev}/shm/** rmwk,
42 42
43/proc/ r, 43/proc/ r,
44/proc/meminfo r, 44/proc/meminfo r,
@@ -61,23 +61,23 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
61/sys/devices/ r, 61/sys/devices/ r,
62/sys/devices/** r, 62/sys/devices/** r,
63 63
64/proc/@{PID}/ r, 64owner /proc/@{PID}/ r,
65/proc/@{PID}/fd/ r, 65owner /proc/@{PID}/fd/ r,
66/proc/@{PID}/task/ r, 66owner /proc/@{PID}/task/ r,
67/proc/@{PID}/cmdline r, 67owner /proc/@{PID}/cmdline r,
68/proc/@{PID}/comm r, 68owner /proc/@{PID}/comm r,
69/proc/@{PID}/stat r, 69owner /proc/@{PID}/stat r,
70/proc/@{PID}/statm r, 70owner /proc/@{PID}/statm r,
71/proc/@{PID}/status r, 71owner /proc/@{PID}/status r,
72/proc/@{PID}/task/@{PID}/stat r, 72owner /proc/@{PID}/task/@{PID}/stat r,
73/proc/@{PID}/maps r, 73owner /proc/@{PID}/maps r,
74/proc/@{PID}/mounts r, 74owner /proc/@{PID}/mounts r,
75/proc/@{PID}/mountinfo r, 75owner /proc/@{PID}/mountinfo r,
76/proc/@{PID}/oom_score_adj r, 76owner /proc/@{PID}/oom_score_adj r,
77/proc/@{PID}/auxv r, 77owner /proc/@{PID}/auxv r,
78/proc/@{PID}/net/dev r, 78owner /proc/@{PID}/net/dev r,
79/proc/@{PID}/loginuid r, 79owner /proc/@{PID}/loginuid r,
80/proc/@{PID}/environ r, 80owner /proc/@{PID}/environ r,
81 81
82########## 82##########
83# Allow running programs only from well-known system directories. If you need 83# Allow running programs only from well-known system directories. If you need
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-08 13:19:17 +0000