diff options
author | Vincent43 <31109921+Vincent43@users.noreply.github.com> | 2018-01-21 16:50:21 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-01-21 16:50:21 +0000 |
commit | d2a18552e2141126c85ce2011c524c182043bddb (patch) | |
tree | 83c4f9fe4b07a6d8e7fb2bd7fc803e019ee567fb /etc | |
parent | Add whitelist-var-common to 4 profiles (diff) | |
download | firejail-d2a18552e2141126c85ce2011c524c182043bddb.tar.gz firejail-d2a18552e2141126c85ce2011c524c182043bddb.tar.zst firejail-d2a18552e2141126c85ce2011c524c182043bddb.zip |
Apparmor: restrict access
Access to writable files can be restricted to their owner only.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/firejail-default | 50 |
1 files changed, 25 insertions, 25 deletions
diff --git a/etc/firejail-default b/etc/firejail-default index eb50d6c65..4d79f9b29 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
@@ -26,19 +26,19 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) { | |||
26 | /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk, | 26 | /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk, |
27 | /{,var/}run/ r, | 27 | /{,var/}run/ r, |
28 | /{,var/}run/** r, | 28 | /{,var/}run/** r, |
29 | /{,var/}run/user/**/dconf/ rw, | 29 | owner /{,var/}run/user/**/dconf/ rw, |
30 | /{,var/}run/user/**/dconf/user rw, | 30 | owner /{,var/}run/user/**/dconf/user rw, |
31 | /{,var/}run/user/**/pulse/ rw, | 31 | owner /{,var/}run/user/**/pulse/ rw, |
32 | /{,var/}run/user/**/pulse/** rw, | 32 | owner /{,var/}run/user/**/pulse/** rw, |
33 | /{,var/}run/user/**/*.slave-socket rwl, | 33 | owner /{,var/}run/user/**/*.slave-socket rwl, |
34 | /{,var/}run/user/**/#@{PID} rw, | 34 | owner /{,var/}run/user/**/#@{PID} rw, |
35 | /{,var/}run/user/**/orcexec.* rwkm, | 35 | owner /{,var/}run/user/**/orcexec.* rwkm, |
36 | /{,var/}run/firejail/mnt/fslogger r, | 36 | /{,var/}run/firejail/mnt/fslogger r, |
37 | /{,var/}run/firejail/appimage r, | 37 | /{,var/}run/firejail/appimage r, |
38 | /{,var/}run/firejail/appimage/** r, | 38 | /{,var/}run/firejail/appimage/** r, |
39 | /{,var/}run/firejail/appimage/** ix, | 39 | /{,var/}run/firejail/appimage/** ix, |
40 | /{run,dev}/shm/ r, | 40 | /{run,dev}/shm/ r, |
41 | /{run,dev}/shm/** rmwk, | 41 | owner /{run,dev}/shm/** rmwk, |
42 | 42 | ||
43 | /proc/ r, | 43 | /proc/ r, |
44 | /proc/meminfo r, | 44 | /proc/meminfo r, |
@@ -61,23 +61,23 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) { | |||
61 | /sys/devices/ r, | 61 | /sys/devices/ r, |
62 | /sys/devices/** r, | 62 | /sys/devices/** r, |
63 | 63 | ||
64 | /proc/@{PID}/ r, | 64 | owner /proc/@{PID}/ r, |
65 | /proc/@{PID}/fd/ r, | 65 | owner /proc/@{PID}/fd/ r, |
66 | /proc/@{PID}/task/ r, | 66 | owner /proc/@{PID}/task/ r, |
67 | /proc/@{PID}/cmdline r, | 67 | owner /proc/@{PID}/cmdline r, |
68 | /proc/@{PID}/comm r, | 68 | owner /proc/@{PID}/comm r, |
69 | /proc/@{PID}/stat r, | 69 | owner /proc/@{PID}/stat r, |
70 | /proc/@{PID}/statm r, | 70 | owner /proc/@{PID}/statm r, |
71 | /proc/@{PID}/status r, | 71 | owner /proc/@{PID}/status r, |
72 | /proc/@{PID}/task/@{PID}/stat r, | 72 | owner /proc/@{PID}/task/@{PID}/stat r, |
73 | /proc/@{PID}/maps r, | 73 | owner /proc/@{PID}/maps r, |
74 | /proc/@{PID}/mounts r, | 74 | owner /proc/@{PID}/mounts r, |
75 | /proc/@{PID}/mountinfo r, | 75 | owner /proc/@{PID}/mountinfo r, |
76 | /proc/@{PID}/oom_score_adj r, | 76 | owner /proc/@{PID}/oom_score_adj r, |
77 | /proc/@{PID}/auxv r, | 77 | owner /proc/@{PID}/auxv r, |
78 | /proc/@{PID}/net/dev r, | 78 | owner /proc/@{PID}/net/dev r, |
79 | /proc/@{PID}/loginuid r, | 79 | owner /proc/@{PID}/loginuid r, |
80 | /proc/@{PID}/environ r, | 80 | owner /proc/@{PID}/environ r, |
81 | 81 | ||
82 | ########## | 82 | ########## |
83 | # Allow running programs only from well-known system directories. If you need | 83 | # Allow running programs only from well-known system directories. If you need |