author | Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2019-07-14 14:37:58 +0200 |
---|---|---|
committer | Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2019-07-14 14:37:58 +0200 |
commit | 2eca1252e3491f098f036483855e3402882ebc54 (patch) | |
tree | 25cd65849adbc5067173b9342ae1cfc5b812f494 /etc | |
parent | homedirs: turn "informational error" into warning (diff) | |
apparmor: allow writing to /proc/@{PID}/comm
This is needed by various electron apps, see:
https://github.com/netblue30/firejail/issues/2538
https://github.com/netblue30/firejail/issues/2854
Diffstat (limited to 'etc')
-rw-r--r-- | etc/firejail-default | 3 | ||||
-rw-r--r-- | etc/standardnotes-desktop.profile | 3 |
2 files changed, 4 insertions, 2 deletions
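--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -66,6 +66,9 @@ owner /{,var/}run/media/** w,
 # Needed for firefox sandbox
 /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
 
+# Needed for electron apps
+/proc/@{PID}/comm w,
+
 # Silence noise
 deny /proc/@{PID}/oom_adj w,
 deny /proc/@{PID}/oom_score_adj w,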
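Review bot: The new rule `/proc/@{PID}/comm w,` goes into the default profile without an `owner` qualifier, so every program confined by firejail-default, not only electron apps, is allowed by AppArmor to open the comm file of any PID for writing. The kernel accepts comm writes only from within the same thread group, so in practice this lets a process rename itself, but a changed process name can mislead name-based monitoring and that trade-off deserves a line in the profile. I would extend the comment to `# Needed for electron apps (#2538, #2854); allows a process to change its own comm name` and, if the affected apps still start with it, narrow the rule to `owner /proc/@{PID}/comm w,`.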
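--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/Standard Notes Backups
 whitelist ${HOME}/.config/Standard Notes
 include whitelist-var-common.inc
 
-#apparmor
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -34,7 +34,6 @@ nosound
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-#seccomp
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 
 disable-mnt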
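Review bot: Dropping the `#seccomp` line in the second hunk removes the only hint that this profile deliberately leaves the default seccomp filter off and relies on the explicit `seccomp.drop` list instead. The reason for that choice is not visible on this page, so I would keep a marker above the list, for example `# default seccomp filter is not used here; explicit drop list below`, ideally with the reason or an issue reference. Separately, the newly enabled `apparmor` line in the first hunk presumably depends on the `/proc/@{PID}/comm` rule added to etc/firejail-default in the same commit, so the two changes should be carried together in any backport.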