author | Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2018-02-14 17:17:25 +0000 |
---|---|---|
committer | Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2018-02-19 15:57:00 +0000 |
commit | 20c1ecc0609874bcb090d3c7bed81639617520d4 (patch) | |
tree | ad77bc2c13207eed03fff304e475b319ef4bfb27 /etc | |
parent | Apparmor: don't duplicate userspace /run/user restrictions (diff) | |
Apparmor: blacklist /proc and /sys access from firejail
Firejail blacklists sensitive /proc and /sys files on its own: https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L530
There is no need to duplicate this in AppArmor using a whitelisting approach, which is much harder to do and needs never-ending maintenance.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/firejail-default | 48 |
1 files changed, 6 insertions, 42 deletions
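--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -57,52 +57,16 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /{,var/}run/firejail/profile/@{PID} w,
 
 ##########
-# Mask /proc and /sys information leakage. The configuration here is barely
-# enough to run "top" or "ps aux".
+# Allow /proc and /sys read-only access.
+# Blacklisting is controlled from Firejail.
 ##########
 /proc/ r,
-/proc/meminfo r,
-/proc/cpuinfo r,
-/proc/filesystems r,
-/proc/uptime r,
-/proc/loadavg r,
-/proc/stat r,
-/proc/sys/kernel/pid_max r,
-/proc/sys/kernel/shmmax r,
-/proc/sys/kernel/yama/ptrace_scope r,
-/proc/sys/vm/overcommit_memory r,
-/proc/sys/vm/overcommit_ratio r,
-/proc/sys/kernel/random/uuid r,
+/proc/** r,
+deny /proc/** w,
 
 /sys/ r,
-/sys/bus/ r,
-/sys/bus/** r,
-/sys/class/ r,
-/sys/class/** r,
-/sys/devices/ r,
-/sys/devices/** r,
-
-/proc/@{PID}/ r,
-/proc/@{PID}/fd/ r,
-/proc/@{PID}/task/ r,
-/proc/@{PID}/cmdline r,
-/proc/@{PID}/comm r,
-/proc/@{PID}/stat r,
-/proc/@{PID}/statm r,
-/proc/@{PID}/status r,
-/proc/@{PID}/task/@{PID}/stat r,
-/proc/@{PID}/task/@{PID}/status r,
-/proc/@{PID}/maps r,
-/proc/@{PID}/mem r,
-/proc/@{PID}/mounts r,
-/proc/@{PID}/mountinfo r,
-deny /proc/@{PID}/oom_adj w,
-/proc/@{PID}/oom_score_adj r,
-deny /proc/@{PID}/oom_score_adj w,
-/proc/@{PID}/auxv r,
-/proc/@{PID}/net/dev r,
-/proc/@{PID}/loginuid r,
-/proc/@{PID}/environ r,
+/sys/** r,
+deny /sys/** w,
 
 # Needed by chromium crash handler. Uncomment if you need it.
 #ptrace (trace tracedby),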
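Review bot: The new header comment "Blacklisting is controlled from Firejail." does not tell a profile maintainer where that control lives or what it means for this profile; once `/proc/** r,` and `/sys/** r,` are in place, the AppArmor layer no longer masks anything under /proc or /sys on its own, so the only protection left for sensitive entries is Firejail's runtime blacklist referenced in the commit message. I would spell that out in the comment, e.g. `# Read access is granted broadly here on purpose: sensitive /proc and /sys` / `# entries are blacklisted at runtime by Firejail (src/firejail/fs.c), so this` / `# profile is not a second line of defense for them.` Separately, an explicit `deny` rule in AppArmor is a quiet deny, so write attempts against /proc and /sys that previously hit no rule and were logged will now be dropped silently; if you want those attempts visible in the audit log, use `audit deny /proc/** w,` and `audit deny /sys/** w,` instead. Whether any specific /proc entry is reachable after this change depends on the Firejail blacklist and on kernel ptrace access checks, not on this file, so that assumption should be verified against fs.c rather than inferred from the profile.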