diff options
| author |  Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2018-02-14 17:17:25 +0000 |
|---|---|---|
| committer | Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2018-02-19 15:57:00 +0000 |
| commit | 20c1ecc0609874bcb090d3c7bed81639617520d4 (patch) | |
| tree | ad77bc2c13207eed03fff304e475b319ef4bfb27 /etc | |
| parent | Apparmor: don't duplicate userspace /run/user restrictions (diff) | |
| download | firejail-20c1ecc0609874bcb090d3c7bed81639617520d4.tar.gz firejail-20c1ecc0609874bcb090d3c7bed81639617520d4.tar.zst firejail-20c1ecc0609874bcb090d3c7bed81639617520d4.zip | |
Apparmor: blacklist /proc and /sys access from firejail
Firejail does blacklisting sensitive /proc and /sys files on its own: https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L530
There is no need to duplicate this in apparmor using whitelisting approach which is much harder to do and needs never ending maintenance.
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/firejail-default | 48 |
1 files changed, 6 insertions, 42 deletions
diff --git a/etc/firejail-default b/etc/firejail-default index f96149bb7..3768e6970 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
| @@ -57,52 +57,16 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | |||
| 57 | /{,var/}run/firejail/profile/@{PID} w, | 57 | /{,var/}run/firejail/profile/@{PID} w, |
| 58 | 58 | ||
| 59 | ########## | 59 | ########## |
| 60 | # Mask /proc and /sys information leakage. The configuration here is barely | 60 | # Allow /proc and /sys read-only access. |
| 61 | # enough to run "top" or "ps aux". | 61 | # Blacklisting is controlled from Firejail. |
| 62 | ########## | 62 | ########## |
| 63 | /proc/ r, | 63 | /proc/ r, |
| 64 | /proc/meminfo r, | 64 | /proc/** r, |
| 65 | /proc/cpuinfo r, | 65 | deny /proc/** w, |
| 66 | /proc/filesystems r, | ||
| 67 | /proc/uptime r, | ||
| 68 | /proc/loadavg r, | ||
| 69 | /proc/stat r, | ||
| 70 | /proc/sys/kernel/pid_max r, | ||
| 71 | /proc/sys/kernel/shmmax r, | ||
| 72 | /proc/sys/kernel/yama/ptrace_scope r, | ||
| 73 | /proc/sys/vm/overcommit_memory r, | ||
| 74 | /proc/sys/vm/overcommit_ratio r, | ||
| 75 | /proc/sys/kernel/random/uuid r, | ||
| 76 | 66 | ||
| 77 | /sys/ r, | 67 | /sys/ r, |
| 78 | /sys/bus/ r, | 68 | /sys/** r, |
| 79 | /sys/bus/** r, | 69 | deny /sys/** w, |
| 80 | /sys/class/ r, | ||
| 81 | /sys/class/** r, | ||
| 82 | /sys/devices/ r, | ||
| 83 | /sys/devices/** r, | ||
| 84 | |||
| 85 | /proc/@{PID}/ r, | ||
| 86 | /proc/@{PID}/fd/ r, | ||
| 87 | /proc/@{PID}/task/ r, | ||
| 88 | /proc/@{PID}/cmdline r, | ||
| 89 | /proc/@{PID}/comm r, | ||
| 90 | /proc/@{PID}/stat r, | ||
| 91 | /proc/@{PID}/statm r, | ||
| 92 | /proc/@{PID}/status r, | ||
| 93 | /proc/@{PID}/task/@{PID}/stat r, | ||
| 94 | /proc/@{PID}/task/@{PID}/status r, | ||
| 95 | /proc/@{PID}/maps r, | ||
| 96 | /proc/@{PID}/mem r, | ||
| 97 | /proc/@{PID}/mounts r, | ||
| 98 | /proc/@{PID}/mountinfo r, | ||
| 99 | deny /proc/@{PID}/oom_adj w, | ||
| 100 | /proc/@{PID}/oom_score_adj r, | ||
| 101 | deny /proc/@{PID}/oom_score_adj w, | ||
| 102 | /proc/@{PID}/auxv r, | ||
| 103 | /proc/@{PID}/net/dev r, | ||
| 104 | /proc/@{PID}/loginuid r, | ||
| 105 | /proc/@{PID}/environ r, | ||
| 106 | 70 | ||
| 107 | # Needed by chromium crash handler. Uncomment if you need it. | 71 | # Needed by chromium crash handler. Uncomment if you need it. |
| 108 | #ptrace (trace tracedby), | 72 | #ptrace (trace tracedby), |