apparmor: allow writing to /proc/@{PID}/comm

This is needed by various electron apps, see:
https://github.com/netblue30/firejail/issues/2538
https://github.com/netblue30/firejail/issues/2854

2 files changed, 4 insertions, 2 deletions

diff --git a/etc/firejail-default b/etc/firejail-default
index 02a241c34..7735f2f80 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -66,6 +66,9 @@ owner /{,var/}run/media/** w,
 # Needed for firefox sandbox
 /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
 
+# Needed for electron apps
+/proc/@{PID}/comm w,
+
 # Silence noise
 deny /proc/@{PID}/oom_adj w,
 deny /proc/@{PID}/oom_score_adj w,
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index 7b89e1add..5703f932a 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/Standard Notes Backups
 whitelist ${HOME}/.config/Standard Notes
 include whitelist-var-common.inc
 
-#apparmor
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -34,7 +34,6 @@ nosound
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-#seccomp
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 
 disable-mnt