more apparmor deployment

author: Vincent43 <31109921+Vincent43@users.noreply.github.com> 2018-03-17 15:55:48 +0100
committer: Vincent43 <31109921+Vincent43@users.noreply.github.com> 2018-03-17 15:55:48 +0100
commit: d8b4a633202a13a13c75779d1f40a99d6cc51dfb (patch)
tree: 03b35f4385984d147ac4fe175edb28bd2ab39b6b /etc
parent: apparmor deployment (diff)
download: firejail-d8b4a633202a13a13c75779d1f40a99d6cc51dfb.tar.gz
firejail-d8b4a633202a13a13c75779d1f40a99d6cc51dfb.tar.zst
firejail-d8b4a633202a13a13c75779d1f40a99d6cc51dfb.zip
9 files changed, 9 insertions, 0 deletions
diff --git a/etc/ark.profile b/etc/ark.profile
index 43c61f940..f3e366854 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -29,6 +29,7 @@ novideo
 protocol unix
 seccomp
 shell none
+apparmor
 private-dev
 private-tmp
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 5557e5457..179204036 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -28,6 +28,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 # seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
+apparmor
 # private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
diff --git a/etc/electron.profile b/etc/electron.profile
index 91e5cd3df..2ff61914e 100644
--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -20,3 +20,4 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
+apparmor
diff --git a/etc/kate.profile b/etc/kate.profile
index 917be2b4c..d1cfef49b 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -35,6 +35,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+apparmor
 # private-bin kate
 private-dev
diff --git a/etc/kodi.profile b/etc/kodi.profile
index 06db44132..4eb2c9df1 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -21,6 +21,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
+apparmor
 private-dev
 private-tmp
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 4fbb8aad4..386ef142c 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -36,6 +36,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+apparmor
 private-bin kwrite,kbuildsycoca4,kdeinit4
 private-dev
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 220e0f02c..a67fafa30 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -28,6 +28,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
+apparmor
 private-dev
 private-tmp
diff --git a/etc/okular.profile b/etc/okular.profile
index b26c3ab31..016316b29 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -40,6 +40,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+apparmor
 private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 8c68cda1e..d0180e185 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -23,6 +23,7 @@ noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+apparmor
 private-bin smplayer,smtube,mplayer,mpv
 private-dev
author	Vincent43 <31109921+Vincent43@users.noreply.github.com>	2018-03-17 15:55:48 +0100
committer	Vincent43 <31109921+Vincent43@users.noreply.github.com>	2018-03-17 15:55:48 +0100
commit	d8b4a633202a13a13c75779d1f40a99d6cc51dfb (patch)
tree	03b35f4385984d147ac4fe175edb28bd2ab39b6b /etc
parent	apparmor deployment (diff)
download	firejail-d8b4a633202a13a13c75779d1f40a99d6cc51dfb.tar.gz firejail-d8b4a633202a13a13c75779d1f40a99d6cc51dfb.tar.zst firejail-d8b4a633202a13a13c75779d1f40a99d6cc51dfb.zip

diff --git a/etc/ark.profile b/etc/ark.profile index 43c61f940..f3e366854 100644 --- a/etc/ark.profile +++ b/etc/ark.profile
@@ -29,6 +29,7 @@ novideo
29	protocol unix	29	protocol unix
30	seccomp	30	seccomp
31	shell none	31	shell none
		32	apparmor
32		33
33	private-dev	34	private-dev
34	private-tmp	35	private-tmp


diff --git a/etc/digikam.profile b/etc/digikam.profile index 5557e5457..179204036 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile
@@ -28,6 +28,7 @@ protocol unix,inet,inet6,netlink
28	seccomp	28	seccomp
29	# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group	29	# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
30	shell none	30	shell none
		31	apparmor
31		32
32	# private-bin program	33	# private-bin program
33	# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device	34	# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device


diff --git a/etc/electron.profile b/etc/electron.profile index 91e5cd3df..2ff61914e 100644 --- a/etc/electron.profile +++ b/etc/electron.profile
@@ -20,3 +20,4 @@ noroot
20	notv	20	notv
21	protocol unix,inet,inet6,netlink	21	protocol unix,inet,inet6,netlink
22	seccomp	22	seccomp
		23	apparmor


diff --git a/etc/kate.profile b/etc/kate.profile index 917be2b4c..d1cfef49b 100644 --- a/etc/kate.profile +++ b/etc/kate.profile
@@ -35,6 +35,7 @@ protocol unix
35	seccomp	35	seccomp
36	shell none	36	shell none
37	tracelog	37	tracelog
		38	apparmor
38		39
39	# private-bin kate	40	# private-bin kate
40	private-dev	41	private-dev


diff --git a/etc/kodi.profile b/etc/kodi.profile index 06db44132..4eb2c9df1 100644 --- a/etc/kodi.profile +++ b/etc/kodi.profile
@@ -21,6 +21,7 @@ protocol unix,inet,inet6,netlink
21	seccomp	21	seccomp
22	shell none	22	shell none
23	tracelog	23	tracelog
		24	apparmor
24		25
25	private-dev	26	private-dev
26	private-tmp	27	private-tmp


diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 4fbb8aad4..386ef142c 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile
@@ -36,6 +36,7 @@ protocol unix
36	seccomp	36	seccomp
37	shell none	37	shell none
38	tracelog	38	tracelog
		39	apparmor
39		40
40	private-bin kwrite,kbuildsycoca4,kdeinit4	41	private-bin kwrite,kbuildsycoca4,kdeinit4
41	private-dev	42	private-dev


diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 220e0f02c..a67fafa30 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile
@@ -28,6 +28,7 @@ protocol unix,inet,inet6
28	seccomp	28	seccomp
29	shell none	29	shell none
30	tracelog	30	tracelog
		31	apparmor
31		32
32	private-dev	33	private-dev
33	private-tmp	34	private-tmp


diff --git a/etc/okular.profile b/etc/okular.profile index b26c3ab31..016316b29 100644 --- a/etc/okular.profile +++ b/etc/okular.profile
@@ -40,6 +40,7 @@ protocol unix
40	seccomp	40	seccomp
41	shell none	41	shell none
42	tracelog	42	tracelog
		43	apparmor
43		44
44	private-bin okular,kbuildsycoca4,kdeinit4,lpr	45	private-bin okular,kbuildsycoca4,kdeinit4,lpr
45	private-dev	46	private-dev


diff --git a/etc/smplayer.profile b/etc/smplayer.profile index 8c68cda1e..d0180e185 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile
@@ -23,6 +23,7 @@ noroot
23	protocol unix,inet,inet6,netlink	23	protocol unix,inet,inet6,netlink
24	seccomp	24	seccomp
25	shell none	25	shell none
		26	apparmor
26		27
27	private-bin smplayer,smtube,mplayer,mpv	28	private-bin smplayer,smtube,mplayer,mpv
28	private-dev	29	private-dev