author | netblue30 <netblue30@yahoo.com> | 2018-02-14 08:09:42 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-14 08:09:42 -0500 |
commit | 576cb0775850b444bd738bc8a9c48742d6ad0897 (patch) | |
tree | a35a5bd4be8ebd33ab2551b5a32235e33d3eb6e7 /etc | |
parent | Merge pull request #1762 from soredake/qtox (diff) | |
parent | Apparmor: Be more restrictive for chromium needs (diff) | |
Merge pull request #1766 from Vincent43/patch-1
Apparmor: fix various denials
Diffstat (limited to 'etc')
-rw-r--r-- | etc/firejail-default | 16 |
1 files changed, 16 insertions, 0 deletions
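--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -61,6 +61,9 @@ owner /{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/{run,dev}/shm/ r,
 owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 
+# Needed for wine
+/{,var/}run/firejail/profile/@{PID} w,
+
 ##########
 # Mask /proc and /sys information leakage. The configuration here is barely
 # enough to run "top" or "ps aux".
@@ -74,6 +77,7 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /proc/stat r,
 /proc/sys/kernel/pid_max r,
 /proc/sys/kernel/shmmax r,
+/proc/sys/kernel/yama/ptrace_scope r,
 /proc/sys/vm/overcommit_memory r,
 /proc/sys/vm/overcommit_ratio r,
 /proc/sys/kernel/random/uuid r,
@@ -95,15 +99,22 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /proc/@{PID}/statm r,
 /proc/@{PID}/status r,
 /proc/@{PID}/task/@{PID}/stat r,
+/proc/@{PID}/task/@{PID}/status r,
 /proc/@{PID}/maps r,
+/proc/@{PID}/mem r,
 /proc/@{PID}/mounts r,
 /proc/@{PID}/mountinfo r,
+deny /proc/@{PID}/oom_adj w,
 /proc/@{PID}/oom_score_adj r,
+deny /proc/@{PID}/oom_score_adj w,
 /proc/@{PID}/auxv r,
 /proc/@{PID}/net/dev r,
 /proc/@{PID}/loginuid r,
 /proc/@{PID}/environ r,
 
+# Needed by chromium crash handler. Uncomment if you need it.
+#ptrace (trace tracedby),
+
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
@@ -135,6 +146,11 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/opt/** ix,
 
 ##########
+# Allow acces to cups printing socket
+##########
+/run/cups/cups.sock w,
+
+##########
 # Allow all networking functionality, and control it from Firejail.
 ##########
 network inet,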
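Review bot: The new `/proc/@{PID}/mem r,` line in the third hunk (new line 104) opens read access to the memory image of every pid the pattern matches, yet unlike the `owner /run/firejail/mnt/oroot/...` rules earlier in the same section it carries no `owner` qualifier, and it sits inside the block whose header says it exists to mask /proc information leakage. The kernel still applies its own ptrace access check to /proc/pid/mem, so the practical exposure is bounded, but narrowing it to `owner /proc/@{PID}/mem r,` would follow the profile's existing convention and should not hurt the crash-handler case the adjacent commented-out `ptrace` line describes. A one-line comment naming why `mem` is needed (presumably the chromium crash handler, like that `ptrace` line) would also let the next reader decide whether to keep it, and since kernels that mediate ptrace in AppArmor may additionally require a ptrace rule for another task's `mem`, the effect of this line varies by kernel and is worth stating. Separately, the fourth hunk's new comment `# Allow acces to cups printing socket` misspells `access`.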