diff options
| author |  Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2018-02-07 16:04:14 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2018-02-07 16:04:14 +0000 |
| commit | bade3d03e0234685e1e9b52ea155392c153950f1 (patch) | |
| tree | 4b6d865ef71303d9c526293c762028d4fd97080b /etc/firejail-default | |
| parent | keep menu definitions read-only (diff) | |
| download | firejail-bade3d03e0234685e1e9b52ea155392c153950f1.tar.gz firejail-bade3d03e0234685e1e9b52ea155392c153950f1.tar.zst firejail-bade3d03e0234685e1e9b52ea155392c153950f1.zip | |
Apparmor: fix various denials
Fixes following erros:
wine:
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/11526" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/5807" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/2017" pid=11533 comm="wine" requested_mask="d"
cups:
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
chromium:
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/mem" pid=7858 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/oom_score_adj" pid=7858 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/11/mem" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="trace" denied_mask="trace" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="trace" denied_mask="trace" peer="firejail-default"
AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/mem" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/oom_score_adj" pid=7897 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_score_adj" pid=7910 comm="chrome-sandbox" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_adj" pid=7910 comm="chrome-sandbox" requested_mask="w"
Diffstat (limited to 'etc/firejail-default')
| -rw-r--r-- | etc/firejail-default | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/etc/firejail-default b/etc/firejail-default index 842d5a0c4..5ebdccc00 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
| @@ -61,6 +61,9 @@ owner /{run,dev}/shm/** rmwk, | |||
| 61 | /run/firejail/mnt/oroot/{run,dev}/shm/ r, | 61 | /run/firejail/mnt/oroot/{run,dev}/shm/ r, |
| 62 | owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | 62 | owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, |
| 63 | 63 | ||
| 64 | # Needed for wine | ||
| 65 | /{,var/}run/firejail/profile/@{PID} w, | ||
| 66 | |||
| 64 | ########## | 67 | ########## |
| 65 | # Mask /proc and /sys information leakage. The configuration here is barely | 68 | # Mask /proc and /sys information leakage. The configuration here is barely |
| 66 | # enough to run "top" or "ps aux". | 69 | # enough to run "top" or "ps aux". |
| @@ -74,6 +77,7 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | |||
| 74 | /proc/stat r, | 77 | /proc/stat r, |
| 75 | /proc/sys/kernel/pid_max r, | 78 | /proc/sys/kernel/pid_max r, |
| 76 | /proc/sys/kernel/shmmax r, | 79 | /proc/sys/kernel/shmmax r, |
| 80 | /proc/sys/kernel/yama/ptrace_scope r, | ||
| 77 | /proc/sys/vm/overcommit_memory r, | 81 | /proc/sys/vm/overcommit_memory r, |
| 78 | /proc/sys/vm/overcommit_ratio r, | 82 | /proc/sys/vm/overcommit_ratio r, |
| 79 | /proc/sys/kernel/random/uuid r, | 83 | /proc/sys/kernel/random/uuid r, |
| @@ -95,15 +99,22 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | |||
| 95 | /proc/@{PID}/statm r, | 99 | /proc/@{PID}/statm r, |
| 96 | /proc/@{PID}/status r, | 100 | /proc/@{PID}/status r, |
| 97 | /proc/@{PID}/task/@{PID}/stat r, | 101 | /proc/@{PID}/task/@{PID}/stat r, |
| 102 | /proc/@{PID}/task/@{PID}/status r, | ||
| 98 | /proc/@{PID}/maps r, | 103 | /proc/@{PID}/maps r, |
| 104 | /proc/@{PID}/mem r, | ||
| 99 | /proc/@{PID}/mounts r, | 105 | /proc/@{PID}/mounts r, |
| 100 | /proc/@{PID}/mountinfo r, | 106 | /proc/@{PID}/mountinfo r, |
| 107 | owner /proc/@{PID}/oom_adj w, | ||
| 101 | /proc/@{PID}/oom_score_adj r, | 108 | /proc/@{PID}/oom_score_adj r, |
| 109 | owner /proc/@{PID}/oom_score_adj w, | ||
| 102 | /proc/@{PID}/auxv r, | 110 | /proc/@{PID}/auxv r, |
| 103 | /proc/@{PID}/net/dev r, | 111 | /proc/@{PID}/net/dev r, |
| 104 | /proc/@{PID}/loginuid r, | 112 | /proc/@{PID}/loginuid r, |
| 105 | /proc/@{PID}/environ r, | 113 | /proc/@{PID}/environ r, |
| 106 | 114 | ||
| 115 | # Needed for chromium | ||
| 116 | ptrace (trace tracedby), | ||
| 117 | |||
| 107 | ########## | 118 | ########## |
| 108 | # Allow running programs only from well-known system directories. If you need | 119 | # Allow running programs only from well-known system directories. If you need |
| 109 | # to run programs from your home directory, uncomment /home line. | 120 | # to run programs from your home directory, uncomment /home line. |
| @@ -135,6 +146,11 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | |||
| 135 | /run/firejail/mnt/oroot/opt/** ix, | 146 | /run/firejail/mnt/oroot/opt/** ix, |
| 136 | 147 | ||
| 137 | ########## | 148 | ########## |
| 149 | # Allow acces to cups printing socket | ||
| 150 | ########## | ||
| 151 | /run/cups/cups.sock w, | ||
| 152 | |||
| 153 | ########## | ||
| 138 | # Allow all networking functionality, and control it from Firejail. | 154 | # Allow all networking functionality, and control it from Firejail. |
| 139 | ########## | 155 | ########## |
| 140 | network inet, | 156 | network inet, |