some apparmor profile cleanup

writing in /run/firejail/profile has always been restricted to root user, and in addition this folder is blacklisted since recently; @{profile_name} is built-in and adds a bit of flexibility; apparmor cannot be used to restrict directory search permission, so add more rules for sensitive paths
author: smitsohu <smitsohu@gmail.com> 2019-11-12 19:14:17 +0100
committer: smitsohu <smitsohu@gmail.com> 2019-11-12 19:14:17 +0100
commit: e8da6c2f487b52d4b8ad362c78d841047e46d9ec (patch)
tree: 76dd93b977f1283a69621747e3cc38b95507d6f0 /etc/firejail-default
parent: Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download: firejail-e8da6c2f487b52d4b8ad362c78d841047e46d9ec.tar.gz
firejail-e8da6c2f487b52d4b8ad362c78d841047e46d9ec.tar.zst
firejail-e8da6c2f487b52d4b8ad362c78d841047e46d9ec.zip
1 files changed, 5 insertions, 13 deletions
diff --git a/etc/firejail-default b/etc/firejail-default
index 56fce654c..5b63503fc 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -22,12 +22,11 @@ dbus,
 ##########
 # With ptrace it is possible to inspect and hijack running programs.
-# Some browsers are also using ptrace for their sandboxing.
 ##########
 # Uncomment this line to allow all ptrace access
 #ptrace,
 # Allow obtaining some process information, but not ptrace(2)
-ptrace (read,readby) peer=firejail-default,
+ptrace (read,readby) peer=@{profile_name},
 ##########
 # Allow read access to whole filesystem and control it from firejail.
@@ -46,9 +45,6 @@ ptrace (read,readby) peer=firejail-default,
 ##########
 owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
 owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
-owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
-owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
 owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
 # Allow writing to removable media
@@ -58,9 +54,6 @@ owner /{,var/}run/media/** w,
 /{,var/}run/systemd/journal/socket w,
 /{,var/}run/systemd/journal/dev-log w,
-# Needed for wine
-/{,var/}run/firejail/profile/@{PID} w,
 # Allow access to cups printing socket.
 /{,var/}run/cups/cups.sock w,
@@ -94,11 +87,10 @@ deny /proc/@{PID}/oom_score_adj w,
 ##########
 # Blacklist specific sensitive paths.
 ##########
-# Common backup directory
+deny /**/.fscrypt/ rw,
-deny /**/.snapshots/ rwx,
+deny /**/.fscrypt/** rwklmx,
+deny /**/.snapshots/ rw,
-# fscrypt
+deny /**/.snapshots/** rwklmx,
-deny /**/.fscrypt/ rwx,
 ##########
 # Allow all networking functionality, and control it from Firejail.
author	smitsohu <smitsohu@gmail.com>	2019-11-12 19:14:17 +0100
committer	smitsohu <smitsohu@gmail.com>	2019-11-12 19:14:17 +0100
commit	e8da6c2f487b52d4b8ad362c78d841047e46d9ec (patch)
tree	76dd93b977f1283a69621747e3cc38b95507d6f0 /etc/firejail-default
parent	Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download	firejail-e8da6c2f487b52d4b8ad362c78d841047e46d9ec.tar.gz firejail-e8da6c2f487b52d4b8ad362c78d841047e46d9ec.tar.zst firejail-e8da6c2f487b52d4b8ad362c78d841047e46d9ec.zip

diff --git a/etc/firejail-default b/etc/firejail-default index 56fce654c..5b63503fc 100644 --- a/etc/firejail-default +++ b/etc/firejail-default
@@ -22,12 +22,11 @@ dbus,
22		22
23	##########	23	##########
24	# With ptrace it is possible to inspect and hijack running programs.	24	# With ptrace it is possible to inspect and hijack running programs.
25	# Some browsers are also using ptrace for their sandboxing.
26	##########	25	##########
27	# Uncomment this line to allow all ptrace access	26	# Uncomment this line to allow all ptrace access
28	#ptrace,	27	#ptrace,
29	# Allow obtaining some process information, but not ptrace(2)	28	# Allow obtaining some process information, but not ptrace(2)
30	ptrace (read,readby) peer=firejail-default,	29	ptrace (read,readby) peer=@{profile_name},
31		30
32	##########	31	##########
33	# Allow read access to whole filesystem and control it from firejail.	32	# Allow read access to whole filesystem and control it from firejail.
@@ -46,9 +45,6 @@ ptrace (read,readby) peer=firejail-default,
46	##########	45	##########
47	owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,	46	owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
48	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/* w,	47	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/* w,
49	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/.slave-socket w,
50	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/orcexec. w,
51
52	owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,	48	owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
53		49
54	# Allow writing to removable media	50	# Allow writing to removable media
@@ -58,9 +54,6 @@ owner /{,var/}run/media/** w,
58	/{,var/}run/systemd/journal/socket w,	54	/{,var/}run/systemd/journal/socket w,
59	/{,var/}run/systemd/journal/dev-log w,	55	/{,var/}run/systemd/journal/dev-log w,
60		56
61	# Needed for wine
62	/{,var/}run/firejail/profile/@{PID} w,
63
64	# Allow access to cups printing socket.	57	# Allow access to cups printing socket.
65	/{,var/}run/cups/cups.sock w,	58	/{,var/}run/cups/cups.sock w,
66		59
@@ -94,11 +87,10 @@ deny /proc/@{PID}/oom_score_adj w,
94	##########	87	##########
95	# Blacklist specific sensitive paths.	88	# Blacklist specific sensitive paths.
96	##########	89	##########
97	# Common backup directory	90	deny /**/.fscrypt/ rw,
98	deny /**/.snapshots/ rwx,	91	deny //.fscrypt/ rwklmx,
99		92	deny /**/.snapshots/ rw,
100	# fscrypt	93	deny //.snapshots/ rwklmx,
101	deny /**/.fscrypt/ rwx,
102		94
103	##########	95	##########
104	# Allow all networking functionality, and control it from Firejail.	96	# Allow all networking functionality, and control it from Firejail.