diff options
author | netblue30 <netblue30@protonmail.com> | 2021-02-21 08:47:45 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-02-21 08:47:45 -0500 |
commit | 3fbdc9f59a099b960a3a74ccd3c1c29078ecdef3 (patch) | |
tree | a1374e83f208a9029aa0447a24ea411670930390 /etc | |
parent | jaitest - simple sandbox testing utility program (diff) | |
download | firejail-3fbdc9f59a099b960a3a74ccd3c1c29078ecdef3.tar.gz firejail-3fbdc9f59a099b960a3a74ccd3c1c29078ecdef3.tar.zst firejail-3fbdc9f59a099b960a3a74ccd3c1c29078ecdef3.zip |
apparmor capabilities fix
Diffstat (limited to 'etc')
-rw-r--r-- | etc/apparmor/firejail-default | 45 |
1 files changed, 8 insertions, 37 deletions
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index 397bf753b..80d527e41 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default | |||
@@ -126,43 +126,14 @@ signal (receive), | |||
126 | # We let Firejail deal with capabilities, but ensure that | 126 | # We let Firejail deal with capabilities, but ensure that |
127 | # some AppArmor related capabilities will not be available. | 127 | # some AppArmor related capabilities will not be available. |
128 | ########## | 128 | ########## |
129 | capability checkpoint_restore, | 129 | # The list of recognized capabilities varies from one apparmor version to another. |
130 | capability perfmon, | 130 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available |
131 | capability bpf, | 131 | # We allow all caps by default and remove the ones we don't like: |
132 | capability chown, | 132 | capability, |
133 | capability dac_override, | 133 | deny capability audit_write, |
134 | capability dac_read_search, | 134 | deny capability audit_control, |
135 | capability fowner, | 135 | deny capability mac_override, |
136 | capability fsetid, | 136 | deny capability mac_admin, |
137 | capability kill, | ||
138 | capability setgid, | ||
139 | capability setuid, | ||
140 | capability setpcap, | ||
141 | capability linux_immutable, | ||
142 | capability net_bind_service, | ||
143 | capability net_broadcast, | ||
144 | capability net_admin, | ||
145 | capability net_raw, | ||
146 | capability ipc_lock, | ||
147 | capability ipc_owner, | ||
148 | capability sys_module, | ||
149 | capability sys_rawio, | ||
150 | capability sys_chroot, | ||
151 | capability sys_ptrace, | ||
152 | capability sys_pacct, | ||
153 | capability sys_admin, | ||
154 | capability sys_boot, | ||
155 | capability sys_nice, | ||
156 | capability sys_resource, | ||
157 | capability sys_time, | ||
158 | capability sys_tty_config, | ||
159 | capability mknod, | ||
160 | capability lease, | ||
161 | #capability audit_write, | ||
162 | #capability audit_control, | ||
163 | capability setfcap, | ||
164 | #capability mac_override, | ||
165 | #capability mac_admin, | ||
166 | 137 | ||
167 | # Site-specific additions and overrides. See local/README for details. | 138 | # Site-specific additions and overrides. See local/README for details. |
168 | #include <local/firejail-default> | 139 | #include <local/firejail-default> |