diff options
| author |  Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2018-02-19 16:14:15 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2018-02-19 16:14:15 +0000 |
| commit | 4796ca7b9a0cd75e5d42c48f1e3de1983d4de4f6 (patch) | |
| tree | 6df84465efa63842f2dd69e944e2c702d1810ef9 /etc | |
| parent | Log denied write access for easier debugging (diff) | |
| download | firejail-4796ca7b9a0cd75e5d42c48f1e3de1983d4de4f6.tar.gz firejail-4796ca7b9a0cd75e5d42c48f1e3de1983d4de4f6.tar.zst firejail-4796ca7b9a0cd75e5d42c48f1e3de1983d4de4f6.zip | |
Apparmor: Allow log Firejail blacklist violations
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/firejail-default | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/etc/firejail-default b/etc/firejail-default index 2f959d92a..f9a876f5c 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
| @@ -21,6 +21,12 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) { | |||
| 21 | #dbus, | 21 | #dbus, |
| 22 | 22 | ||
| 23 | ########## | 23 | ########## |
| 24 | # Allows to attach to a running program and modify the process memory. | ||
| 25 | # May be needed by chromium crash handler. Uncomment if you need it. | ||
| 26 | ########## | ||
| 27 | #ptrace (trace tracedby), | ||
| 28 | |||
| 29 | ########## | ||
| 24 | # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes | 30 | # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes |
| 25 | ########## | 31 | ########## |
| 26 | / r, | 32 | / r, |
| @@ -53,6 +59,10 @@ owner /{run,dev}/shm/** rmwk, | |||
| 53 | /run/firejail/mnt/oroot/{run,dev}/shm/ r, | 59 | /run/firejail/mnt/oroot/{run,dev}/shm/ r, |
| 54 | owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | 60 | owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, |
| 55 | 61 | ||
| 62 | # Allow logging Firejail blacklist violations to journal | ||
| 63 | /{,var/}run/systemd/journal/socket w, | ||
| 64 | /{,var/}run/systemd/journal/dev-log w, | ||
| 65 | |||
| 56 | # Needed for wine | 66 | # Needed for wine |
| 57 | /{,var/}run/firejail/profile/@{PID} w, | 67 | /{,var/}run/firejail/profile/@{PID} w, |
| 58 | 68 | ||
| @@ -72,10 +82,6 @@ deny /proc/@{PID}/oom_score_adj w, | |||
| 72 | # Uncomment to silence all denied write warnings | 82 | # Uncomment to silence all denied write warnings |
| 73 | #deny /sys/** w, | 83 | #deny /sys/** w, |
| 74 | 84 | ||
| 75 | # Allows to attach to a running program and modify the process memory. | ||
| 76 | # May be needed by chromium crash handler. Uncomment if you need it. | ||
| 77 | #ptrace (trace tracedby), | ||
| 78 | |||
| 79 | ########## | 85 | ########## |
| 80 | # Allow running programs only from well-known system directories. If you need | 86 | # Allow running programs only from well-known system directories. If you need |
| 81 | # to run programs from your home directory, uncomment /home line. | 87 | # to run programs from your home directory, uncomment /home line. |
| @@ -107,7 +113,7 @@ deny /proc/@{PID}/oom_score_adj w, | |||
| 107 | /run/firejail/mnt/oroot/opt/** ix, | 113 | /run/firejail/mnt/oroot/opt/** ix, |
| 108 | 114 | ||
| 109 | ########## | 115 | ########## |
| 110 | # Allow acces to cups printing socket | 116 | # Allow acces to cups printing socket. |
| 111 | ########## | 117 | ########## |
| 112 | /run/cups/cups.sock w, | 118 | /run/cups/cups.sock w, |
| 113 | 119 | ||