Merge pull request #4628 from smitsohu/aa

add basic Firejail support to AppArmor base abstraction (#3226)
author: netblue30 <netblue30@protonmail.com> 2021-10-21 12:02:48 +0000
committer: GitHub <noreply@github.com> 2021-10-21 12:02:48 +0000
commit: 53fd8812c560305a3ff1f39058e42462961bea6a (patch)
tree: bca54549ec35a7f519d7acbff1e8e4616533ebdd /etc
parent: Merge pull request #4600 from crocket/master (diff)
parent: add basic Firejail support to AppArmor base abstraction (#3226) (diff)
download: firejail-53fd8812c560305a3ff1f39058e42462961bea6a.tar.gz
firejail-53fd8812c560305a3ff1f39058e42462961bea6a.tar.zst
firejail-53fd8812c560305a3ff1f39058e42462961bea6a.zip
1 files changed, 26 insertions, 0 deletions
diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base
new file mode 100644
index 000000000..41e4ac2bf
--- /dev/null
+++ b/etc/apparmor/firejail-base
@@ -0,0 +1,26 @@
+#########################################
+# Firejail base abstraction drop-in
+#########################################
+# Adds basic Firejail support to AppArmor profiles.
+# Please note: Firejail's nonewprivs and seccomp options
+# are not compatible with AppArmor profile transitions.
+# Discovery of process names
+owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r,
+##########
+# Following paths only exist inside a Firejail sandbox
+##########
+# Library preloading
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,
+# Supporting seccomp
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+# Supporting trace
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+# Supporting tracelog
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r,
author	netblue30 <netblue30@protonmail.com>	2021-10-21 12:02:48 +0000
committer	GitHub <noreply@github.com>	2021-10-21 12:02:48 +0000
commit	53fd8812c560305a3ff1f39058e42462961bea6a (patch)
tree	bca54549ec35a7f519d7acbff1e8e4616533ebdd /etc
parent	Merge pull request #4600 from crocket/master (diff)
parent	add basic Firejail support to AppArmor base abstraction (#3226) (diff)
download	firejail-53fd8812c560305a3ff1f39058e42462961bea6a.tar.gz firejail-53fd8812c560305a3ff1f39058e42462961bea6a.tar.zst firejail-53fd8812c560305a3ff1f39058e42462961bea6a.zip

diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base new file mode 100644 index 000000000..41e4ac2bf --- /dev/null +++ b/etc/apparmor/firejail-base
@@ -0,0 +1,26 @@
	1	#########################################
	2	# Firejail base abstraction drop-in
	3	#########################################
	4
	5	# Adds basic Firejail support to AppArmor profiles.
	6	# Please note: Firejail's nonewprivs and seccomp options
	7	# are not compatible with AppArmor profile transitions.
	8
	9	# Discovery of process names
	10	owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r,
	11
	12	##########
	13	# Following paths only exist inside a Firejail sandbox
	14	##########
	15
	16	# Library preloading
	17	/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,
	18
	19	# Supporting seccomp
	20	owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
	21
	22	# Supporting trace
	23	owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
	24
	25	# Supporting tracelog
	26	/{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r,