diff options
| author |  Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2019-11-24 23:05:00 +0100 |
|---|---|---|
| committer | Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2019-11-24 23:05:00 +0100 |
| commit | c1af59c9f31816127b43d10109c005661dd96c32 (patch) | |
| tree | 59909eb0587e404ef0c2558fd86c9e1189d13196 /etc | |
| parent | apparmor: allow access to pcscd socket (smartcards) (diff) | |
| download | firejail-c1af59c9f31816127b43d10109c005661dd96c32.tar.gz firejail-c1af59c9f31816127b43d10109c005661dd96c32.tar.zst firejail-c1af59c9f31816127b43d10109c005661dd96c32.zip | |
apparmor: don't allow mounts and paths manipulation
AppArmor security relies on path based rules and rewriting paths
may allow to bypass them.
Those actions are priveliged so vast majority of apps shouldn't need
them anyway. If some app need those rules then it's better to
consider them as unsuitable for apparmor option rather than weaken
generic profile for all apps.
See related issue reported by apparmor usage in snap:
https://bugs.launchpad.net/snapd/+bug/1791711
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/firejail-default | 8 |
1 files changed, 0 insertions, 8 deletions
diff --git a/etc/firejail-default b/etc/firejail-default index 66be8ba9c..3321b72fb 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
| @@ -151,14 +151,6 @@ capability setfcap, | |||
| 151 | #capability mac_override, | 151 | #capability mac_override, |
| 152 | #capability mac_admin, | 152 | #capability mac_admin, |
| 153 | 153 | ||
| 154 | ########## | ||
| 155 | # We let Firejail deal with mount/umount functionality. | ||
| 156 | ########## | ||
| 157 | mount, | ||
| 158 | remount, | ||
| 159 | umount, | ||
| 160 | pivot_root, | ||
| 161 | |||
| 162 | # Site-specific additions and overrides. See local/README for details. | 154 | # Site-specific additions and overrides. See local/README for details. |
| 163 | #include <local/firejail-local> | 155 | #include <local/firejail-local> |
| 164 | } | 156 | } |