author | smitsohu <smitsohu@gmail.com> | 2019-11-12 19:14:17 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-11-12 19:14:17 +0100 |
commit | e8da6c2f487b52d4b8ad362c78d841047e46d9ec (patch) | |
tree | 76dd93b977f1283a69621747e3cc38b95507d6f0 /etc | |
parent | Merge branch 'master' of https://github.com/netblue30/firejail (diff) | |
some apparmor profile cleanup
Writing to /run/firejail/profile has always been restricted to the root user,
and the directory has recently been blacklisted as well; @{profile_name} is a
built-in AppArmor variable and adds a bit of flexibility; AppArmor cannot
restrict directory search (traversal) permission, so add more rules for the
contents of sensitive paths instead.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/firejail-default | 18 |
1 files changed, 5 insertions, 13 deletions
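diff --git a/etc/firejail-default b/etc/firejail-default
index 56fce654c..5b63503fc 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -22,12 +22,11 @@ dbus,
 
 ##########
 # With ptrace it is possible to inspect and hijack running programs.
-# Some browsers are also using ptrace for their sandboxing.
 ##########
 # Uncomment this line to allow all ptrace access
 #ptrace,
 # Allow obtaining some process information, but not ptrace(2)
-ptrace (read,readby) peer=firejail-default,
+ptrace (read,readby) peer=@{profile_name},
 
 ##########
 # Allow read access to whole filesystem and control it from firejail.
@@ -46,9 +45,6 @@ ptrace (read,readby) peer=firejail-default,
 ##########
 owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
 owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
-owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
-owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
-
 owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
 
 # Allow writing to removable media
@@ -58,9 +54,6 @@ owner /{,var/}run/media/** w,
 /{,var/}run/systemd/journal/socket w,
 /{,var/}run/systemd/journal/dev-log w,
 
-# Needed for wine
-/{,var/}run/firejail/profile/@{PID} w,
-
 # Allow access to cups printing socket.
 /{,var/}run/cups/cups.sock w,
 
@@ -94,11 +87,10 @@ deny /proc/@{PID}/oom_score_adj w,
 ##########
 # Blacklist specific sensitive paths.
 ##########
-# Common backup directory
-deny /**/.snapshots/ rwx,
-
-# fscrypt
-deny /**/.fscrypt/ rwx,
+deny /**/.fscrypt/ rw,
+deny /**/.fscrypt/** rwklmx,
+deny /**/.snapshots/ rw,
+deny /**/.snapshots/** rwklmx,
 
 ##########
 # Allow all networking functionality, and control it from Firejail.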
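Review bot: The rewritten deny block at the end of this section drops the `# Common backup directory` and `# fscrypt` comments without replacing them, so the new `deny /**/.fscrypt/` and `deny /**/.snapshots/` pairs no longer say what they protect or why the directory entry gets `rw` while the subtree gets `rwklmx`. I would put a one-line comment above each pair, e.g. `# fscrypt metadata (policies/protectors): deny the directory and everything below it` and `# .snapshots: common backup directory (e.g. snapper), may hold old copies of protected files`, and add a short note that AppArmor cannot deny directory search (traversal), as the commit message explains, which is why `x` was removed from the directory rules and the subtree rules carry the full `rwklmx` set instead. I could not confirm from this hunk whether `/**/.fscrypt/` also matches a `.fscrypt` directory sitting directly at the filesystem root, where fscrypt keeps metadata for the root filesystem; if it does not, companion rules `deny /.fscrypt/ rw,` and `deny /.fscrypt/** rwklmx,` would close that gap.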