author | netblue30 <netblue30@yahoo.com> | 2016-08-03 19:02:15 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-08-03 19:02:15 -0400 |
commit | 1351c4f7e62e7e123c4e9e33fdd071075c473103 (patch) | |
tree | bc8136bfbf9b8f9f53483d56539e1a5ad8484809 /etc/firejail-default | |
parent | firecfg fix (diff) | |
apparmor
Diffstat (limited to 'etc/firejail-default')
-rw-r--r-- | etc/firejail-default | 87 |
1 files changed, 51 insertions, 36 deletions
diff --git a/etc/firejail-default b/etc/firejail-default index 609ab6c19..cf4524648 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
@@ -1,19 +1,36 @@ | |||
1 | #include <tunables/global> | 1 | ######################################### |
2 | # Generic Firejail AppArmor profile | ||
3 | ######################################### | ||
4 | |||
5 | ########## | ||
6 | # A simple PID declaration based on Ubuntu's @{pid} | ||
7 | # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global. | ||
8 | # We don't know if this definition is available outside Debian and Ubuntu, so | ||
9 | # we declare our own here. | ||
10 | ########## | ||
11 | @{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]} | ||
2 | 12 | ||
3 | profile firejail-default { | 13 | profile firejail-default { |
4 | 14 | ||
5 | ##### | 15 | ########## |
6 | # D-Bus is a huge security hole, we disable it here. Uncomment this line if you | 16 | # D-Bus is a huge security hole. Uncomment this line if you need D-Bus |
7 | # need D-Bus functionality. | 17 | # functionality. |
8 | # | 18 | ########## |
9 | #dbus, | 19 | #dbus, |
10 | 20 | ||
11 | ##### | 21 | ########## |
12 | # Mask /proc and /sys information leakage. The configuration here is barely | 22 | # Mask /proc and /sys information leakage. The configuration here is barely |
13 | # enough to run "top" or "ps aux". | 23 | # enough to run "top" or "ps aux". |
14 | # | 24 | ########## |
15 | / r, | 25 | / r, |
16 | /[^proc,^sys]** mrwlk, | 26 | /[^proc,^sys]** mrwlk, |
27 | /{,var/}run/ r, | ||
28 | /{,var/}run/** r, | ||
29 | /{,var/}run/user/**/dconf/ rw, | ||
30 | /{,var/}run/user/**/dconf/user rw, | ||
31 | /{,var/}run/firejail/mnt/fslogger r, | ||
32 | /{run,dev}/shm/ r, | ||
33 | /{run,dev}/shm/** rmwk, | ||
17 | 34 | ||
18 | /proc/ r, | 35 | /proc/ r, |
19 | /proc/meminfo r, | 36 | /proc/meminfo r, |
@@ -22,14 +39,16 @@ profile firejail-default { | |||
22 | /proc/uptime r, | 39 | /proc/uptime r, |
23 | /proc/loadavg r, | 40 | /proc/loadavg r, |
24 | /proc/stat r, | 41 | /proc/stat r, |
25 | /proc/@{pid}/ r, | 42 | |
26 | /proc/@{pid}/fd/ r, | 43 | /proc/@{PID}/ r, |
27 | /proc/@{pid}/task/ r, | 44 | /proc/@{PID}/fd/ r, |
28 | /proc/@{pid}/cmdline r, | 45 | /proc/@{PID}/task/ r, |
29 | /proc/@{pid}/comm r, | 46 | /proc/@{PID}/cmdline r, |
30 | /proc/@{pid}/stat r, | 47 | /proc/@{PID}/comm r, |
31 | /proc/@{pid}/statm r, | 48 | /proc/@{PID}/stat r, |
32 | /proc/@{pid}/status r, | 49 | /proc/@{PID}/statm r, |
50 | /proc/@{PID}/status r, | ||
51 | /proc/@{PID}/task/@{PID}/stat r, | ||
33 | /proc/sys/kernel/pid_max r, | 52 | /proc/sys/kernel/pid_max r, |
34 | /proc/sys/kernel/shmmax r, | 53 | /proc/sys/kernel/shmmax r, |
35 | /sys/ r, | 54 | /sys/ r, |
@@ -40,19 +59,15 @@ profile firejail-default { | |||
40 | /sys/devices/ r, | 59 | /sys/devices/ r, |
41 | /sys/devices/** r, | 60 | /sys/devices/** r, |
42 | 61 | ||
43 | /proc/@{pid}/maps r, | 62 | /proc/@{PID}/maps r, |
44 | /proc/@{pid}/mounts r, | 63 | /proc/@{PID}/mounts r, |
45 | /proc/@{pid}/mountinfo r, | 64 | /proc/@{PID}/mountinfo r, |
46 | /proc/@{pid}/oom_score_adj r, | 65 | /proc/@{PID}/oom_score_adj r, |
47 | 66 | ||
48 | /{,var/}run/firejail/mnt/fslogger r, | 67 | ########## |
49 | /{,var/}run/user/**/dconf/ r, | ||
50 | /{,var/}run/user/**/dconf/user r, | ||
51 | |||
52 | ##### | ||
53 | # Allow running programs only from well-known system directories. If you need | 68 | # Allow running programs only from well-known system directories. If you need |
54 | # to run programs from your home directory, uncomment /home line. | 69 | # to run programs from your home directory, uncomment /home line. |
55 | # | 70 | ########## |
56 | /lib/** ix, | 71 | /lib/** ix, |
57 | /lib64/** ix, | 72 | /lib64/** ix, |
58 | /bin/** ix, | 73 | /bin/** ix, |
@@ -65,24 +80,23 @@ profile firejail-default { | |||
65 | /opt/** ix, | 80 | /opt/** ix, |
66 | #/home/** ix, | 81 | #/home/** ix, |
67 | 82 | ||
68 | ##### | 83 | ########## |
69 | # Allow all networking functionality, and control it from Firejail. | 84 | # Allow all networking functionality, and control it from Firejail. |
70 | # | 85 | ########## |
71 | network inet, | 86 | network inet, |
72 | network inet6, | 87 | network inet6, |
73 | network unix, | 88 | network unix, |
74 | network netlink, | 89 | network netlink, |
75 | network raw, | 90 | network raw, |
76 | 91 | ||
77 | ##### | 92 | ########## |
78 | # There is no equivalent in Firejail for filtering signals. | 93 | # There is no equivalent in Firejail for filtering signals. |
79 | # | 94 | ########## |
80 | signal, | 95 | signal, |
81 | 96 | ||
82 | ##### | 97 | ########## |
83 | # Disable all capabilities. If you run your sandbox as root, you might need to | 98 | # We let Firejail deal with capabilities. |
84 | # enable/uncomment some of them. | 99 | ########## |
85 | # | ||
86 | capability chown, | 100 | capability chown, |
87 | capability dac_override, | 101 | capability dac_override, |
88 | capability dac_read_search, | 102 | capability dac_read_search, |
@@ -118,12 +132,13 @@ capability setfcap, | |||
118 | capability mac_override, | 132 | capability mac_override, |
119 | capability mac_admin, | 133 | capability mac_admin, |
120 | 134 | ||
121 | ##### | 135 | ########## |
122 | # No mount/umount functionality when running as regular user. | 136 | # We let Firejail deal with mount/umount functionality. |
123 | # | 137 | ########## |
124 | mount, | 138 | mount, |
125 | remount, | 139 | remount, |
126 | umount, | 140 | umount, |
127 | pivot_root, | 141 | pivot_root, |
128 | 142 | ||
129 | } | 143 | } |
144 | |||
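Review bot: The new `@{PID}` tunable only matches PIDs of one to six digits, but 64-bit kernels accept `pid_max` up to 4194304, so on a host where it has been raised every `/proc/@{PID}/...` rule silently stops matching for seven-digit PIDs and `ps`/`top` lose those entries; add a seventh alternative, `[1-9][0-9][0-9][0-9][0-9][0-9][0-9]`, to the brace set. Note also that the added `/{,var/}run/ r,`, `/{,var/}run/** r,` and `/{run,dev}/shm/` rules are workarounds for the unchanged context line `/[^proc,^sys]** mrwlk,`: AppArmor has no string-exclusion glob, and `[^proc,^sys]` is a single-character negated class that denies every top-level path whose first character is p, r, o, c, s, y, `,` or `^` — /root, /opt, /srv and /sbin as well as /proc and /sys. The `/opt/** ix` and `/sbin/** ix` lines therefore grant exec without the read/mmap permissions the class withholds, and the "Mask /proc and /sys information leakage" comment overstates what the rule does; this is worth fixing in a follow-up rather than adding more per-directory carve-outs.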