drop cap_mac_admin in apparmor profile

author: smitsohu <smitsohu@gmail.com> 2018-02-27 00:21:10 +0100
committer: smitsohu <smitsohu@gmail.com> 2018-02-27 00:21:10 +0100
commit: a052d9f2be1ae0c3d4c35677312c1058c02b6bee (patch)
tree: 481ac54da9467f76af6d38a51bd26ca367a5781e /etc/firejail-default
parent: Merge pull request #1787 from joelazar/master (diff)
download: firejail-a052d9f2be1ae0c3d4c35677312c1058c02b6bee.tar.gz
firejail-a052d9f2be1ae0c3d4c35677312c1058c02b6bee.tar.zst
firejail-a052d9f2be1ae0c3d4c35677312c1058c02b6bee.zip
1 files changed, 4 insertions, 3 deletions
diff --git a/etc/firejail-default b/etc/firejail-default
index f9a876f5c..5d116fbbc 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -113,7 +113,7 @@ deny /proc/@{PID}/oom_score_adj w,
 /run/firejail/mnt/oroot/opt/** ix,
 ##########
-# Allow acces to cups printing socket.
+# Allow access to cups printing socket.
 ##########
 /run/cups/cups.sock w,
@@ -132,7 +132,8 @@ network raw,
 signal,
 ##########
-# We let Firejail deal with capabilities.
+# We let Firejail deal with capabilities,
+# but mac_admin should be dropped in any case.
 ##########
 capability chown,
 capability dac_override,
@@ -167,7 +168,7 @@ capability audit_write,
 capability audit_control,
 capability setfcap,
 capability mac_override,
-capability mac_admin,
+#capability mac_admin,
 ##########
 # We let Firejail deal with mount/umount functionality.
author	smitsohu <smitsohu@gmail.com>	2018-02-27 00:21:10 +0100
committer	smitsohu <smitsohu@gmail.com>	2018-02-27 00:21:10 +0100
commit	a052d9f2be1ae0c3d4c35677312c1058c02b6bee (patch)
tree	481ac54da9467f76af6d38a51bd26ca367a5781e /etc/firejail-default
parent	Merge pull request #1787 from joelazar/master (diff)
download	firejail-a052d9f2be1ae0c3d4c35677312c1058c02b6bee.tar.gz firejail-a052d9f2be1ae0c3d4c35677312c1058c02b6bee.tar.zst firejail-a052d9f2be1ae0c3d4c35677312c1058c02b6bee.zip