apparmor

author: netblue30 <netblue30@yahoo.com> 2016-08-03 19:02:15 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-08-03 19:02:15 -0400
commit: 1351c4f7e62e7e123c4e9e33fdd071075c473103 (patch)
tree: bc8136bfbf9b8f9f53483d56539e1a5ad8484809 /etc/firejail-default
parent: firecfg fix (diff)
download: firejail-1351c4f7e62e7e123c4e9e33fdd071075c473103.tar.gz
firejail-1351c4f7e62e7e123c4e9e33fdd071075c473103.tar.zst
firejail-1351c4f7e62e7e123c4e9e33fdd071075c473103.zip
1 files changed, 51 insertions, 36 deletions
diff --git a/etc/firejail-default b/etc/firejail-default
index 609ab6c19..cf4524648 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -1,19 +1,36 @@
-#include <tunables/global>
+#########################################
+# Generic Firejail AppArmor profile
+#########################################
+##########
+# A simple PID declaration based on Ubuntu's @{pid}
+# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
+# We don't know if this definition is available outside Debian and Ubuntu, so
+# we declare our own here.
+##########
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
 profile firejail-default {
-#####
+##########
-# D-Bus is a huge security hole, we disable it here. Uncomment this line if you
+# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
-# need D-Bus functionality.
+# functionality.
-#
+##########
 #dbus,
-#####
+##########
 # Mask /proc and /sys information leakage. The configuration here is barely
 # enough to run "top" or "ps aux".
-#
+##########
 / r,
 /[^proc,^sys]** mrwlk,
+/{,var/}run/ r,
+/{,var/}run/** r,
+/{,var/}run/user/**/dconf/ rw,
+/{,var/}run/user/**/dconf/user rw,
+/{,var/}run/firejail/mnt/fslogger r,
+/{run,dev}/shm/ r,
+/{run,dev}/shm/** rmwk,
 /proc/ r,
 /proc/meminfo r,
@@ -22,14 +39,16 @@ profile firejail-default {
 /proc/uptime r,
 /proc/loadavg r,
 /proc/stat r,
-/proc/@{pid}/ r,
-/proc/@{pid}/fd/ r,
+/proc/@{PID}/ r,
-/proc/@{pid}/task/ r,
+/proc/@{PID}/fd/ r,
-/proc/@{pid}/cmdline r,
+/proc/@{PID}/task/ r,
-/proc/@{pid}/comm r,
+/proc/@{PID}/cmdline r,
-/proc/@{pid}/stat r,
+/proc/@{PID}/comm r,
-/proc/@{pid}/statm r,
+/proc/@{PID}/stat r,
-/proc/@{pid}/status r,
+/proc/@{PID}/statm r,
+/proc/@{PID}/status r,
+/proc/@{PID}/task/@{PID}/stat r,
 /proc/sys/kernel/pid_max r,
 /proc/sys/kernel/shmmax r,
 /sys/ r,
@@ -40,19 +59,15 @@ profile firejail-default {
 /sys/devices/ r,
 /sys/devices/** r,
-/proc/@{pid}/maps r,
+/proc/@{PID}/maps r,
-/proc/@{pid}/mounts r,
+/proc/@{PID}/mounts r,
-/proc/@{pid}/mountinfo r,
+/proc/@{PID}/mountinfo r,
-/proc/@{pid}/oom_score_adj r,
+/proc/@{PID}/oom_score_adj r,
-/{,var/}run/firejail/mnt/fslogger r,
+##########
-/{,var/}run/user/**/dconf/ r,
-/{,var/}run/user/**/dconf/user r,
-#####
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
-#
+##########
 /lib/** ix,
 /lib64/** ix,
 /bin/** ix,
@@ -65,24 +80,23 @@ profile firejail-default {
 /opt/** ix,
 #/home/** ix,
-#####
+##########
 # Allow all networking functionality, and control it from Firejail.
-#
+##########
 network inet,
 network inet6,
 network unix,
 network netlink,
 network raw,
-#####
+##########
 # There is no equivalent in Firejail for filtering signals.
-#
+##########
 signal,
-#####
+##########
-# Disable all capabilities. If you run your sandbox as root, you might need to
+# We let Firejail deal with capabilities.
-# enable/uncomment some of them.
+##########
-#
 capability chown,
 capability dac_override,
 capability dac_read_search,
@@ -118,12 +132,13 @@ capability setfcap,
 capability mac_override,
 capability mac_admin,
-#####
+##########
-# No mount/umount functionality when running as regular user.
+# We let Firejail deal with mount/umount functionality.
-#
+##########
 mount,
 remount,
 umount,
 pivot_root,
 }
author	netblue30 <netblue30@yahoo.com>	2016-08-03 19:02:15 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-08-03 19:02:15 -0400
commit	1351c4f7e62e7e123c4e9e33fdd071075c473103 (patch)
tree	bc8136bfbf9b8f9f53483d56539e1a5ad8484809 /etc/firejail-default
parent	firecfg fix (diff)
download	firejail-1351c4f7e62e7e123c4e9e33fdd071075c473103.tar.gz firejail-1351c4f7e62e7e123c4e9e33fdd071075c473103.tar.zst firejail-1351c4f7e62e7e123c4e9e33fdd071075c473103.zip

diff --git a/etc/firejail-default b/etc/firejail-default index 609ab6c19..cf4524648 100644 --- a/etc/firejail-default +++ b/etc/firejail-default
@@ -1,19 +1,36 @@
1	#include <tunables/global>	1	#########################################
		2	# Generic Firejail AppArmor profile
		3	#########################################
		4
		5	##########
		6	# A simple PID declaration based on Ubuntu's @{pid}
		7	# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
		8	# We don't know if this definition is available outside Debian and Ubuntu, so
		9	# we declare our own here.
		10	##########
		11	@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
2		12
3	profile firejail-default {	13	profile firejail-default {
4		14
5	#####	15	##########
6	# D-Bus is a huge security hole, we disable it here. Uncomment this line if you	16	# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
7	# need D-Bus functionality.	17	# functionality.
8	#	18	##########
9	#dbus,	19	#dbus,
10		20
11	#####	21	##########
12	# Mask /proc and /sys information leakage. The configuration here is barely	22	# Mask /proc and /sys information leakage. The configuration here is barely
13	# enough to run "top" or "ps aux".	23	# enough to run "top" or "ps aux".
14	#	24	##########
15	/ r,	25	/ r,
16	/[^proc,^sys]** mrwlk,	26	/[^proc,^sys]** mrwlk,
		27	/{,var/}run/ r,
		28	/{,var/}run/** r,
		29	/{,var/}run/user/**/dconf/ rw,
		30	/{,var/}run/user/**/dconf/user rw,
		31	/{,var/}run/firejail/mnt/fslogger r,
		32	/{run,dev}/shm/ r,
		33	/{run,dev}/shm/** rmwk,
17		34
18	/proc/ r,	35	/proc/ r,
19	/proc/meminfo r,	36	/proc/meminfo r,
@@ -22,14 +39,16 @@ profile firejail-default {
22	/proc/uptime r,	39	/proc/uptime r,
23	/proc/loadavg r,	40	/proc/loadavg r,
24	/proc/stat r,	41	/proc/stat r,
25	/proc/@{pid}/ r,	42
26	/proc/@{pid}/fd/ r,	43	/proc/@{PID}/ r,
27	/proc/@{pid}/task/ r,	44	/proc/@{PID}/fd/ r,
28	/proc/@{pid}/cmdline r,	45	/proc/@{PID}/task/ r,
29	/proc/@{pid}/comm r,	46	/proc/@{PID}/cmdline r,
30	/proc/@{pid}/stat r,	47	/proc/@{PID}/comm r,
31	/proc/@{pid}/statm r,	48	/proc/@{PID}/stat r,
32	/proc/@{pid}/status r,	49	/proc/@{PID}/statm r,
		50	/proc/@{PID}/status r,
		51	/proc/@{PID}/task/@{PID}/stat r,
33	/proc/sys/kernel/pid_max r,	52	/proc/sys/kernel/pid_max r,
34	/proc/sys/kernel/shmmax r,	53	/proc/sys/kernel/shmmax r,
35	/sys/ r,	54	/sys/ r,
@@ -40,19 +59,15 @@ profile firejail-default {
40	/sys/devices/ r,	59	/sys/devices/ r,
41	/sys/devices/** r,	60	/sys/devices/** r,
42		61
43	/proc/@{pid}/maps r,	62	/proc/@{PID}/maps r,
44	/proc/@{pid}/mounts r,	63	/proc/@{PID}/mounts r,
45	/proc/@{pid}/mountinfo r,	64	/proc/@{PID}/mountinfo r,
46	/proc/@{pid}/oom_score_adj r,	65	/proc/@{PID}/oom_score_adj r,
47		66
48	/{,var/}run/firejail/mnt/fslogger r,	67	##########
49	/{,var/}run/user/**/dconf/ r,
50	/{,var/}run/user/**/dconf/user r,
51
52	#####
53	# Allow running programs only from well-known system directories. If you need	68	# Allow running programs only from well-known system directories. If you need
54	# to run programs from your home directory, uncomment /home line.	69	# to run programs from your home directory, uncomment /home line.
55	#	70	##########
56	/lib/** ix,	71	/lib/** ix,
57	/lib64/** ix,	72	/lib64/** ix,
58	/bin/** ix,	73	/bin/** ix,
@@ -65,24 +80,23 @@ profile firejail-default {
65	/opt/** ix,	80	/opt/** ix,
66	#/home/** ix,	81	#/home/** ix,
67		82
68	#####	83	##########
69	# Allow all networking functionality, and control it from Firejail.	84	# Allow all networking functionality, and control it from Firejail.
70	#	85	##########
71	network inet,	86	network inet,
72	network inet6,	87	network inet6,
73	network unix,	88	network unix,
74	network netlink,	89	network netlink,
75	network raw,	90	network raw,
76		91
77	#####	92	##########
78	# There is no equivalent in Firejail for filtering signals.	93	# There is no equivalent in Firejail for filtering signals.
79	#	94	##########
80	signal,	95	signal,
81		96
82	#####	97	##########
83	# Disable all capabilities. If you run your sandbox as root, you might need to	98	# We let Firejail deal with capabilities.
84	# enable/uncomment some of them.	99	##########
85	#
86	capability chown,	100	capability chown,
87	capability dac_override,	101	capability dac_override,
88	capability dac_read_search,	102	capability dac_read_search,
@@ -118,12 +132,13 @@ capability setfcap,
118	capability mac_override,	132	capability mac_override,
119	capability mac_admin,	133	capability mac_admin,
120		134
121	#####	135	##########
122	# No mount/umount functionality when running as regular user.	136	# We let Firejail deal with mount/umount functionality.
123	#	137	##########
124	mount,	138	mount,
125	remount,	139	remount,
126	umount,	140	umount,
127	pivot_root,	141	pivot_root,
128		142
129	}	143	}
		144