apparmor support for --overlay sandboxes

author: netblue30 <netblue30@yahoo.com> 2018-01-24 08:47:37 -0500
committer: netblue30 <netblue30@yahoo.com> 2018-01-24 08:47:37 -0500
commit: b78a33316d9232c1783391cb1d2537c2d41609da (patch)
tree: c63cb893b2533514e4705e8567329655554511e4 /etc/firejail-default
parent: rpm: install all files in lib directory (diff)
download: firejail-b78a33316d9232c1783391cb1d2537c2d41609da.tar.gz
firejail-b78a33316d9232c1783391cb1d2537c2d41609da.tar.zst
firejail-b78a33316d9232c1783391cb1d2537c2d41609da.zip
1 files changed, 37 insertions, 2 deletions
diff --git a/etc/firejail-default b/etc/firejail-default
index e5010eaab..e532af430 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -19,13 +19,17 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #dbus,
 ##########
-# Mask /proc and /sys information leakage. The configuration here is barely
+# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
-# enough to run "top" or "ps aux".
 ##########
 / r,
 /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
+/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
 /{,var/}run/ r,
 /{,var/}run/** r,
+/run/firejail/mnt/oroot/{,var/}run/ r,
+/run/firejail/mnt/oroot/{,var/}run/** r,
 owner /{,var/}run/user/**/dconf/ rw,
 owner /{,var/}run/user/**/dconf/user rw,
 owner /{,var/}run/user/**/pulse/ rw,
@@ -33,13 +37,32 @@ owner /{,var/}run/user/**/pulse/** rw,
 owner /{,var/}run/user/**/*.slave-socket rwl,
 owner /{,var/}run/user/**/#@{PID} rw,
 owner /{,var/}run/user/**/orcexec.* rwkm,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/ rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/user rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/ rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/** rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/*.slave-socket rwl,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/#@{PID} rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/**/orcexec.* rwkm,
 /{,var/}run/firejail/mnt/fslogger r,
 /{,var/}run/firejail/appimage r,
 /{,var/}run/firejail/appimage/** r,
 /{,var/}run/firejail/appimage/** ix,
+/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,
+/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,
+/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
+/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
 /{run,dev}/shm/ r,
 owner /{run,dev}/shm/** rmwk,
+/run/firejail/mnt/oroot/{run,dev}/shm/ r,
+owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
+##########
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+##########
 /proc/ r,
 /proc/meminfo r,
 /proc/cpuinfo r,
@@ -96,6 +119,18 @@ owner /{run,dev}/shm/** rmwk,
 /opt/** r,
 /opt/** ix,
 #/home/** ix,
+/run/firejail/mnt/oroot/lib/** ix,
+/run/firejail/mnt/oroot/lib64/** ix,
+/run/firejail/mnt/oroot/bin/** ix,
+/run/firejail/mnt/oroot/sbin/** ix,
+/run/firejail/mnt/oroot/usr/bin/** ix,
+/run/firejail/mnt/oroot/usr/sbin/** ix,
+/run/firejail/mnt/oroot/usr/local/** ix,
+/run/firejail/mnt/oroot/usr/lib/** ix,
+/run/firejail/mnt/oroot/usr/games/** ix,
+/run/firejail/mnt/oroot/opt/ r,
+/run/firejail/mnt/oroot/opt/** r,
+/run/firejail/mnt/oroot/opt/** ix,
 ##########
 # Allow all networking functionality, and control it from Firejail.
author	netblue30 <netblue30@yahoo.com>	2018-01-24 08:47:37 -0500
committer	netblue30 <netblue30@yahoo.com>	2018-01-24 08:47:37 -0500
commit	b78a33316d9232c1783391cb1d2537c2d41609da (patch)
tree	c63cb893b2533514e4705e8567329655554511e4 /etc/firejail-default
parent	rpm: install all files in lib directory (diff)
download	firejail-b78a33316d9232c1783391cb1d2537c2d41609da.tar.gz firejail-b78a33316d9232c1783391cb1d2537c2d41609da.tar.zst firejail-b78a33316d9232c1783391cb1d2537c2d41609da.zip

diff --git a/etc/firejail-default b/etc/firejail-default index e5010eaab..e532af430 100644 --- a/etc/firejail-default +++ b/etc/firejail-default
@@ -19,13 +19,17 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
19	#dbus,	19	#dbus,
20		20
21	##########	21	##########
22	# Mask /proc and /sys information leakage. The configuration here is barely	22	# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
23	# enough to run "top" or "ps aux".
24	##########	23	##########
25	/ r,	24	/ r,
26	/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,	25	/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
		26	/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
		27
27	/{,var/}run/ r,	28	/{,var/}run/ r,
28	/{,var/}run/** r,	29	/{,var/}run/** r,
		30	/run/firejail/mnt/oroot/{,var/}run/ r,
		31	/run/firejail/mnt/oroot/{,var/}run/** r,
		32
29	owner /{,var/}run/user/**/dconf/ rw,	33	owner /{,var/}run/user/**/dconf/ rw,
30	owner /{,var/}run/user/**/dconf/user rw,	34	owner /{,var/}run/user/**/dconf/user rw,
31	owner /{,var/}run/user/**/pulse/ rw,	35	owner /{,var/}run/user/**/pulse/ rw,
@@ -33,13 +37,32 @@ owner /{,var/}run/user//pulse/ rw,
33	owner /{,var/}run/user/*/.slave-socket rwl,	37	owner /{,var/}run/user/*/.slave-socket rwl,
34	owner /{,var/}run/user/**/#@{PID} rw,	38	owner /{,var/}run/user/**/#@{PID} rw,
35	owner /{,var/}run/user/*/orcexec. rwkm,	39	owner /{,var/}run/user/*/orcexec. rwkm,
		40	owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/ rw,
		41	owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/user rw,
		42	owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/ rw,
		43	owner /run/firejail/mnt/oroot/{,var/}run/user//pulse/ rw,
		44	owner /run/firejail/mnt/oroot/{,var/}run/user/*/.slave-socket rwl,
		45	owner /run/firejail/mnt/oroot/{,var/}run/user/**/#@{PID} rw,
		46	owner /run/firejail/mnt/oroot/{,var/}run/user/*/orcexec. rwkm,
		47
36	/{,var/}run/firejail/mnt/fslogger r,	48	/{,var/}run/firejail/mnt/fslogger r,
37	/{,var/}run/firejail/appimage r,	49	/{,var/}run/firejail/appimage r,
38	/{,var/}run/firejail/appimage/** r,	50	/{,var/}run/firejail/appimage/** r,
39	/{,var/}run/firejail/appimage/** ix,	51	/{,var/}run/firejail/appimage/** ix,
		52	/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,
		53	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,
		54	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
		55	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
		56
40	/{run,dev}/shm/ r,	57	/{run,dev}/shm/ r,
41	owner /{run,dev}/shm/** rmwk,	58	owner /{run,dev}/shm/** rmwk,
		59	/run/firejail/mnt/oroot/{run,dev}/shm/ r,
		60	owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
42		61
		62	##########
		63	# Mask /proc and /sys information leakage. The configuration here is barely
		64	# enough to run "top" or "ps aux".
		65	##########
43	/proc/ r,	66	/proc/ r,
44	/proc/meminfo r,	67	/proc/meminfo r,
45	/proc/cpuinfo r,	68	/proc/cpuinfo r,
@@ -96,6 +119,18 @@ owner /{run,dev}/shm/** rmwk,
96	/opt/** r,	119	/opt/** r,
97	/opt/** ix,	120	/opt/** ix,
98	#/home/** ix,	121	#/home/** ix,
		122	/run/firejail/mnt/oroot/lib/** ix,
		123	/run/firejail/mnt/oroot/lib64/** ix,
		124	/run/firejail/mnt/oroot/bin/** ix,
		125	/run/firejail/mnt/oroot/sbin/** ix,
		126	/run/firejail/mnt/oroot/usr/bin/** ix,
		127	/run/firejail/mnt/oroot/usr/sbin/** ix,
		128	/run/firejail/mnt/oroot/usr/local/** ix,
		129	/run/firejail/mnt/oroot/usr/lib/** ix,
		130	/run/firejail/mnt/oroot/usr/games/** ix,
		131	/run/firejail/mnt/oroot/opt/ r,
		132	/run/firejail/mnt/oroot/opt/** r,
		133	/run/firejail/mnt/oroot/opt/** ix,
99		134
100	##########	135	##########
101	# Allow all networking functionality, and control it from Firejail.	136	# Allow all networking functionality, and control it from Firejail.