author | Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2018-02-07 16:04:14 +0000 |
committer | GitHub <noreply@github.com> | 2018-02-07 16:04:14 +0000 |
commit | bade3d03e0234685e1e9b52ea155392c153950f1 (patch) | |
tree | 4b6d865ef71303d9c526293c762028d4fd97080b /etc/firejail-default | |
parent | keep menu definitions read-only (diff) | |
Apparmor: fix various denials
Fixes the following errors:
wine:
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/11526" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/5807" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/2017" pid=11533 comm="wine" requested_mask="d"
cups:
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
chromium:
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/mem" pid=7858 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/oom_score_adj" pid=7858 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/11/mem" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="trace" denied_mask="trace" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="trace" denied_mask="trace" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/mem" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/oom_score_adj" pid=7897 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_score_adj" pid=7910 comm="chrome-sandbox" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_adj" pid=7910 comm="chrome-sandbox" requested_mask="w"
Diffstat (limited to 'etc/firejail-default')
-rw-r--r-- | etc/firejail-default | 16 |
1 files changed, 16 insertions, 0 deletions
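diff --git a/etc/firejail-default b/etc/firejail-default
index 842d5a0c4..5ebdccc00 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -61,6 +61,9 @@ owner /{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/{run,dev}/shm/ r,
 owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 
+# Needed for wine
+/{,var/}run/firejail/profile/@{PID} w,
+
 ##########
 # Mask /proc and /sys information leakage. The configuration here is barely
 # enough to run "top" or "ps aux".
@@ -74,6 +77,7 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /proc/stat r,
 /proc/sys/kernel/pid_max r,
 /proc/sys/kernel/shmmax r,
+/proc/sys/kernel/yama/ptrace_scope r,
 /proc/sys/vm/overcommit_memory r,
 /proc/sys/vm/overcommit_ratio r,
 /proc/sys/kernel/random/uuid r,
@@ -95,15 +99,22 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /proc/@{PID}/statm r,
 /proc/@{PID}/status r,
 /proc/@{PID}/task/@{PID}/stat r,
+/proc/@{PID}/task/@{PID}/status r,
 /proc/@{PID}/maps r,
+/proc/@{PID}/mem r,
 /proc/@{PID}/mounts r,
 /proc/@{PID}/mountinfo r,
+owner /proc/@{PID}/oom_adj w,
 /proc/@{PID}/oom_score_adj r,
+owner /proc/@{PID}/oom_score_adj w,
 /proc/@{PID}/auxv r,
 /proc/@{PID}/net/dev r,
 /proc/@{PID}/loginuid r,
 /proc/@{PID}/environ r,
 
+# Needed for chromium
+ptrace (trace tracedby),
+
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
@@ -135,6 +146,11 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/opt/** ix,
 
 ##########
+# Allow acces to cups printing socket
+##########
+/run/cups/cups.sock w,
+
+##########
 # Allow all networking functionality, and control it from Firejail.
 ##########
 network inet,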
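Review bot: The new `ptrace (trace tracedby),` rule in the third hunk has no `peer=` qualifier, so it allows tracing and being traced by processes under any profile, whereas every ptrace denial quoted in the commit message carries `peer="firejail-default"`; `ptrace (trace tracedby) peer=firejail-default,` grants exactly what those denials show chromium needing and nothing more. The same hunk adds `/proc/@{PID}/mem r,` without `owner`, although the quoted mem denials are all fsuid=1000 ouid=1000, so `owner /proc/@{PID}/mem r,` would cover them and match the `owner` form the hunk already uses for the oom_adj writes two lines below. The kernel's own ptrace access check (including the yama ptrace_scope the second hunk now lets the sandbox read) still gates both, so this is about keeping the AppArmor layer at least as narrow as the denial it fixes rather than closing an open hole. Minor: the comment in the last hunk should read `# Allow access to cups printing socket`.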