apparmor

author: netblue30 <netblue30@yahoo.com> 2016-08-02 10:03:28 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-08-02 10:03:28 -0400
commit: 355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29 (patch)
tree: 4bc45dad2214b25b279a0d2475c5f7b38269e3d3 /etc
parent: Merge pull request #679 from manevich/xephyr (diff)
download: firejail-355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29.tar.gz
firejail-355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29.tar.zst
firejail-355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29.zip
1 files changed, 129 insertions, 0 deletions
diff --git a/etc/firejail-default b/etc/firejail-default
new file mode 100644
index 000000000..609ab6c19
--- /dev/null
+++ b/etc/firejail-default
@@ -0,0 +1,129 @@
+#include <tunables/global>
+profile firejail-default {
+#####
+# D-Bus is a huge security hole, we disable it here. Uncomment this line if you
+# need D-Bus functionality.
+#
+#dbus,
+#####
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+#
+/ r,
+/[^proc,^sys]** mrwlk,
+/proc/ r,
+/proc/meminfo r,
+/proc/cpuinfo r,
+/proc/filesystems r,
+/proc/uptime r,
+/proc/loadavg r,
+/proc/stat r,
+/proc/@{pid}/ r,
+/proc/@{pid}/fd/ r,
+/proc/@{pid}/task/ r,
+/proc/@{pid}/cmdline r,
+/proc/@{pid}/comm r,
+/proc/@{pid}/stat r,
+/proc/@{pid}/statm r,
+/proc/@{pid}/status r,
+/proc/sys/kernel/pid_max r,
+/proc/sys/kernel/shmmax r,
+/sys/ r,
+/sys/bus/ r,
+/sys/bus/** r,
+/sys/class/ r,
+/sys/class/** r,
+/sys/devices/ r,
+/sys/devices/** r,
+/proc/@{pid}/maps r,
+/proc/@{pid}/mounts r,
+/proc/@{pid}/mountinfo r,
+/proc/@{pid}/oom_score_adj r,
+/{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/user/**/dconf/ r,
+/{,var/}run/user/**/dconf/user r,
+#####
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+#
+/lib/** ix,
+/lib64/** ix,
+/bin/** ix,
+/sbin/** ix,
+/usr/bin/** ix,
+/usr/sbin/** ix,
+/usr/local/** ix,
+/usr/lib/** ix,
+/usr/games/** ix,
+/opt/** ix,
+#/home/** ix,
+#####
+# Allow all networking functionality, and control it from Firejail.
+#
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+#####
+# There is no equivalent in Firejail for filtering signals.
+#
+signal,
+#####
+# Disable all capabilities. If you run your sandbox as root, you might need to
+# enable/uncomment some of them.
+#
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+capability audit_write,
+capability audit_control,
+capability setfcap,
+capability mac_override,
+capability mac_admin,
+#####
+# No mount/umount functionality when running as regular user.
+#
+mount,
+remount,
+umount,
+pivot_root,
+}
author	netblue30 <netblue30@yahoo.com>	2016-08-02 10:03:28 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-08-02 10:03:28 -0400
commit	355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29 (patch)
tree	4bc45dad2214b25b279a0d2475c5f7b38269e3d3 /etc
parent	Merge pull request #679 from manevich/xephyr (diff)
download	firejail-355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29.tar.gz firejail-355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29.tar.zst firejail-355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29.zip

diff --git a/etc/firejail-default b/etc/firejail-default new file mode 100644 index 000000000..609ab6c19 --- /dev/null +++ b/etc/firejail-default
@@ -0,0 +1,129 @@
	1	#include <tunables/global>
	2
	3	profile firejail-default {
	4
	5	#####
	6	# D-Bus is a huge security hole, we disable it here. Uncomment this line if you
	7	# need D-Bus functionality.
	8	#
	9	#dbus,
	10
	11	#####
	12	# Mask /proc and /sys information leakage. The configuration here is barely
	13	# enough to run "top" or "ps aux".
	14	#
	15	/ r,
	16	/[^proc,^sys]** mrwlk,
	17
	18	/proc/ r,
	19	/proc/meminfo r,
	20	/proc/cpuinfo r,
	21	/proc/filesystems r,
	22	/proc/uptime r,
	23	/proc/loadavg r,
	24	/proc/stat r,
	25	/proc/@{pid}/ r,
	26	/proc/@{pid}/fd/ r,
	27	/proc/@{pid}/task/ r,
	28	/proc/@{pid}/cmdline r,
	29	/proc/@{pid}/comm r,
	30	/proc/@{pid}/stat r,
	31	/proc/@{pid}/statm r,
	32	/proc/@{pid}/status r,
	33	/proc/sys/kernel/pid_max r,
	34	/proc/sys/kernel/shmmax r,
	35	/sys/ r,
	36	/sys/bus/ r,
	37	/sys/bus/** r,
	38	/sys/class/ r,
	39	/sys/class/** r,
	40	/sys/devices/ r,
	41	/sys/devices/** r,
	42
	43	/proc/@{pid}/maps r,
	44	/proc/@{pid}/mounts r,
	45	/proc/@{pid}/mountinfo r,
	46	/proc/@{pid}/oom_score_adj r,
	47
	48	/{,var/}run/firejail/mnt/fslogger r,
	49	/{,var/}run/user/**/dconf/ r,
	50	/{,var/}run/user/**/dconf/user r,
	51
	52	#####
	53	# Allow running programs only from well-known system directories. If you need
	54	# to run programs from your home directory, uncomment /home line.
	55	#
	56	/lib/** ix,
	57	/lib64/** ix,
	58	/bin/** ix,
	59	/sbin/** ix,
	60	/usr/bin/** ix,
	61	/usr/sbin/** ix,
	62	/usr/local/** ix,
	63	/usr/lib/** ix,
	64	/usr/games/** ix,
	65	/opt/** ix,
	66	#/home/** ix,
	67
	68	#####
	69	# Allow all networking functionality, and control it from Firejail.
	70	#
	71	network inet,
	72	network inet6,
	73	network unix,
	74	network netlink,
	75	network raw,
	76
	77	#####
	78	# There is no equivalent in Firejail for filtering signals.
	79	#
	80	signal,
	81
	82	#####
	83	# Disable all capabilities. If you run your sandbox as root, you might need to
	84	# enable/uncomment some of them.
	85	#
	86	capability chown,
	87	capability dac_override,
	88	capability dac_read_search,
	89	capability fowner,
	90	capability fsetid,
	91	capability kill,
	92	capability setgid,
	93	capability setuid,
	94	capability setpcap,
	95	capability linux_immutable,
	96	capability net_bind_service,
	97	capability net_broadcast,
	98	capability net_admin,
	99	capability net_raw,
	100	capability ipc_lock,
	101	capability ipc_owner,
	102	capability sys_module,
	103	capability sys_rawio,
	104	capability sys_chroot,
	105	capability sys_ptrace,
	106	capability sys_pacct,
	107	capability sys_admin,
	108	capability sys_boot,
	109	capability sys_nice,
	110	capability sys_resource,
	111	capability sys_time,
	112	capability sys_tty_config,
	113	capability mknod,
	114	capability lease,
	115	capability audit_write,
	116	capability audit_control,
	117	capability setfcap,
	118	capability mac_override,
	119	capability mac_admin,
	120
	121	#####
	122	# No mount/umount functionality when running as regular user.
	123	#
	124	mount,
	125	remount,
	126	umount,
	127	pivot_root,
	128
	129	}